Once it was clear that there was a leak of confidential information, he should have taken what was required as minimal evidence (a few screenshots?) and then contacted the Acting Privacy Commissioner.
Did he really need to go through files related to Doctors/Radiology, Debt Collection, Fraud Investigations, Care and Protection, HCN? Snooping through the servers beyond what was necessary was wrong.
The bigger story is the lack of security on the New Zealand servers. However, what he did was wrong and possibly illegal IMHO.
Going that extra mile was necessary to make this a big story instead of having it brushed under the carpet. It seems that the leak was known about as much as a year ago (http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&obj...), MSD were informed, but nothing was done because there was no media firestorm. By showing what was exposed, Keith Ng made the horrific impact of the leak understandable to the public and media and greatly increased the likelihood that something will get done.
This department clearly doesn't value security (multiple levels of deep failure) and the only way to make it important is political pressure via the public and the media.
Only by revealing the breadth of the failure, and doing so publicly, could any effective change occur.
It is obvious they could (and did) shut down or secure the kiosks quickly.
If he took a week to consult legal, decide best course of action, make up his mind on risking his neck, or WHATEVER, that is his right and fine by me.
Armchair criticism is easy. Keith has taken a ballsy action as an individual and he gets my respect.
I thought the same thing, but read more and realized it was open for a while, and no one seemed to care. It took the breadth of his examples to make everyone shocked enough to notice.
The only thing that should be illegal is the way all that information was not secured.
In addition, the author claimed he spent a week preparing the story. Yet he only contacted the Acting Privacy Commissioner yesterday. His blog was published before the government had a chance to fix the issue. I find this irresponsible.
"You haven't explicitly licensed your code under any license and so, to be conservative, third parties should operate under the assumption that the code is proprietary"
I would have guessed that without an explicit license, open source is free for anyone to take/modify/reuse. After all, it is open source.
In other words, the default would be the most permissive license. You suggest it is the opposite - that without a license, the code should be considered proprietary. Can anyone more familiar with open source licenses clarify?
Creative work (including source code) automatically falls under "all rights reserved" bucket unless the author specifically states other licensing terms.
In this case the author didn't so his work is still "all rights reserved" and no-one can use it.
You're confusing "source code available" with "open-source".
"Open source" is a shortcut for: "source code available and under open-source license".
Wikipedia says "A typical software license grants an end-user permission to use one or more copies of software in ways where such a use would otherwise potentially constitute copyright infringement of the software owner's exclusive rights under copyright law." http://en.wikipedia.org/wiki/Software_license
You may be basing your prior belief on e.g. Wikipedia's claim (scroll down) that "A primary consequence of the free software form of licensing is that acceptance of the license is essentially optional — the end-user may use, study, and privately modify the software without accepting the license." IANAL, but this statement seems dangerously incorrect to me. It may be technically correct that you do not "have" to accept the license terms--but then if you are downloading the software, or creating derivative works without a license, you would be violating the law. E.g.
Uploading or downloading works protected by copyright without the authority of the copyright owner is an infringement of the copyright owner's exclusive rights of reproduction and/or distribution. - http://www.copyright.gov/help/faq/faq-digital.html#p2p
It is true in the sense that there are conceivable ways to use FOSS without accepting the licence. There are common ways like dual-licensing (if the license is GPL and the company has all the copyrights they can still sell me a different license) or even fair use (someone could create a parody of FOSS and publish it).
How do you know it is open source without a license? Sure you can see the source code, but I wouldn't have said that is what makes it open - its the license that does.
I am not sure why this is on Github? Typically, I applaud when anything is shared on Github. But why this? What positive value is it to anyone other than script kiddies?
(Certainly, most any adequate web developer with nefarious intentions would be able to reproduce this quite easily. But why make it point-and-click easy for them?)