From LeakDirectory

Revision as of 21:33, 28 August 2011 by Anonymous


General Notes

New Zealand Security Intelligence Service (NZSIS)

Who are we?

The NZSIS is a government agency, responsible for giving the Government advice about matters relating to New Zealand’s security. The Service has approximately 200 staff, comprising:

   intelligence officers
   support staff, and
   specialists (including linguists, technicians, legal and accounting staff and information professionals).

Our offices

The Head Office is in Wellington and there are regional offices in Auckland, Wellington and Christchurch.

Our role

The NZSIS is a civilian intelligence and security organisation. Its threefold roles are:

   to investigate threats to security and to work with other agencies within Government, so that the intelligence it collects is actioned and threats which have been identified are disrupted
   to collect foreign intelligence, and
   to provide a range of protective security advice and services to Government.

The Public Contribution Form

The form is SSL / TLS encrypted and it also seems to use a GnuPG-generated PGP public key hidden in the JavaScript; however, this PGP key is not published per se.

Unfortunately, this web form also logs the IP address and other browser details.

The rest of the NZSIS website, for no good reason, tracks visitors using the US-based commercial Google Analytics system, so these visitor statistics, web browser details and IP addresses are also available to at least the US Government as well as the New Zealand one.

The Public Contribution Form does generate a unique reference number on completion.

Update 28th August 2011

Matthijs Koot updated his blog post to point out that

UPDATE 2011-08-25: it appears that NZSIS removed the PGP key [2] from the source of

They are, however, still tracking the remote_addr and http_user_agent web browser environment variables within this form, and they are still using Google Analytics on the rest of the website.

Contact Details


Press Enquiries


General Enquiries

  • telephone: Free phone 0800 SIS 224 (0800 747 224)

Postal Address:

Wellington Head Office

Defence House, 2-12 Aitken Street, Wellington

Postal Address:

PO Box 900, Wellington


Phone: (04) 472 6170
Fax: (04) 472 8209

Social Networking publicity

Mainstream media print and broadcast journalists, politicians etc., i.e. the influential people at whom whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds etc.







Financial Donation methods

Not Applicable - New Zealand taxpayers

Currently accepting submissions of whistleblower leaks ?


Explicit promises about Anonymity, Privacy or Security

Any information you choose to supply through this website (including personal details) will be kept confidential. This is subject to the NZSIS’ statutory mandate to communicate information to any persons in the interests of security. The NZSIS is also permitted to provide information to the New Zealand Police or any other persons for the purpose of preventing or detecting serious crime.

Under no circumstances will the NZSIS provide your name or contact details to any private or commercial organisation.

Restrictive legal Terms & Conditions


Practical Advice on preserving Whistleblower Anonymity


Leak Submission Encryption

Digital Certificate fingerprints published on their website:


Qualys SSL Labs SSL Server Test rating:

Overall rating: A [85]

Certificate: 100

Protocol Support: 85

Key Exchange: 80

Cipher Strength: 90

Strong RSA / 4096 bit private key, but only a SHA-1 digital signature. No major cipher suite protocol weaknesses.

Appears to be running on a DSL internet connection?

PGP Public Encryption Key

The Public Contribution Form is SSL / TLS encrypted and it also seems to use a GnuPG-generated PGP public key hidden in the JavaScript. This PGP key is not published reliably by NZSIS per se, but it is now available via public PGP keyservers.

email address: Virtual Walk-In [Public Submissions] <>



Expires: Never

Type: RSA 4096/4096

Cipher: AES 256 bit

PGP Fingerprint: DF53 D60E 492D 969E 8132 7D77 6076 35D9 ADE8 3D5F

TOR Hidden Service


I2P eepsite



Hushmail Secure Form


Leak Submission Anonymity

TOR users blocked from access


3rd Party or persistent tracking cookies or graphics


CAPTCHA graphics generated from another website e.g. Google reCAPTCHA

The web form does use a CAPTCHA, but this is pulled safely from the same SSL / TLS encrypted web server.

Mixed mode non-SSL graphics or style sheets


Embedded video clips etc. from another website e.g. YouTube


Flash file uploader class


Communications / Acknowledgement back to the whistleblower via the website

The Public Contribution Form does ask for optional details such as: Home Address, Telephone Number, Mobile Phone Number, Email Address and Preferred Contact Details/Arrangements.

If you choose to submit information to us, we may take steps to contact you if follow up is required.

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully?


Thank you. We appreciate your assistance towards supporting New Zealand's security.

Please record the reference number nnnnnn. This number is unique to your contribution and should be referenced in circumstances where further communication is required. The nature of the information you have provided will determine whether we seek further contact.

For security reasons we recommend closing this webpage browser.

Leak analysis work flow status reporting

e.g. has anyone actually looked at what the whistleblower has submitted?


Private message box

e.g. for 2-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.


Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which emulators should take note of:

Domain Name Registrar

New Zealand Domain Name Registry Limited

Government Registrar, Department of Internal Affairs

It is extremely unlikely that there will be any legal injunctions etc. which affect this New Zealand government website.

Multiple Internet Service Providers, in different legal jurisdictions ?


TelstraClear Ltd

New Zealand

Domain Name Server(s) & jurisdiction(s)

New Zealand

Alternate Domain Name aliases


Actual Physical Mirrors of the website:


Content available via BitTorrent etc P2P etc.

