Hamilton Vagi - OIC/Head
PNG NCSC, Data Governance & Standards
National Cyber Security Centre
By email to: hamilton.vagi@ncsn.gov.pg
Dear Mr. Vagi:
I am writing as an attorney on behalf of and in response to your recent email to the “DDoSecrets Team” in which you formally “asked” my clients to undertake the “immediate removal of compromised data related to the Mineral Resources Authority (MRA), which has been published on your platform.”
Although my clients respect your request, in keeping with age-old tradition and practice as journalists and publishers of information even, at times, sensitive embarrassing information, for use and republication by other journalists, DDoSecrets understands well its place and obligation to assist in the growth and protection of a robust and widespread marketplace of ideas … even one in which controversial, if not painful, political concepts and practices are exposed, examined and debated among the body politic as a whole.
In that light, I can assure you that my clients are not “hackers” and play no role, direct or otherwise, in identifying, seeking or obtaining information from repositories be they state or private entities concerning information and/or internal communications regarding their activities. That is to say at no time does DDoSecrets identify targets or systems to be breached or the manner and means by which to do so in order to access material from any state or private entity. So, too, as journalists living up to the highest of that profession’s age-old standards, DDoSecrets takes all necessary steps to protect/redact any and all collateral personal data it might receive that if published could pose a direct threat to individuals and/or their families be it personal or economic in nature. Quite frankly, that a person, entity or a state may prove to be embarrassed by virtue of a 21st century political expose of their intent and activity is of no dispositive or controlling moment to DDoSecrets or, for that matter, any other journalist or publication … it comes, after all, not just with the turf, but the profession.
My client is a bit shocked, but not intimidated, by your undisguised threats to retaliate against DDoSecrets for what proved to be the publication by it and others of embarrassing political data retrieved from the Mineral Resources Authority (MRA) of Papua New Guinea (PNG). I can assure you DDoSecrets played no role whatsoever in the manner and means by which the MRA material was obtained and neither requested nor directed others to do so when it was apparently “hacked” more than two years ago. Moreover, that the MRA publication contains political information that falls very clearly within the reach, responsibility and safeguard of DDoSecrets as journalists is beyond dispute.
As uncomfortable to state actors in PNG as it may be, one would be hard-pressed to argue that the mere publication of data that raise questions concerning the good faith and motivation of entities involved with it constitute a violation of the intended reach of any law. For example, among the PNG related data release was an exchange of 2013-05-06 between “Mineral Government PG” and several dozen others affiliated with MRA. Entitled “Consultation Meeting- Involuntary Resettlement Policy” the exchange goes on to say:
DMPGM has engaged a consultant under the WBTA2 to develop an Involuntary Resettlement Policy for the Mining industry in PNG. As part of the interagency consultation, we will like to have a discussion session with MRA on the issues, challenges and progress so far on resettlement programs in the mining industry. (emphasis provided).
Another release within the subset of related DDoSecrets publications is an announcement that the “Mineral Policy and Legislation Division (MPLD) invites the pleasure of your company for the Dinner with the Consultant for the Involuntary Resettlement Policy at 7pm this afternoon at the Daikoku Restaurant.” In yet another related DDoSecrets publication, the public obtains access to an explosive 17-page primer for the forced displacement of indigenous communities to serve the economic thirst of local corporate vultures. In relevant part in its introduction it states:
This Policy is developed to guide and assist the State, the Developer (mining project company), the mine project affected people and other stakeholders to address the resettlement issues. The policy will assist the State team or the Involuntary Resettlement Committee (IRC) to assess investigations, land surveys, socio-economic information and data and the Involuntary Resettlement Plan for the mine project affected or displaced families.
Most recently in 2020 in another exchange initiated by the Mineral Resources Authority published by DDoSecrets we learn ….
Your email is acknowledged. I am in Porgera with inspectors at the moment recording/shooting video. I will write a response tonight. Having said that, my thoughts are that, for the most part, the allegations are levelled against OTML. Not against MRA. Hence OTML should respond separately, likewise MRA…. I’m not sure if we want to be seen to be collaborating with OTML as an entity that we regulate… My thoughts only… Our response will be from perspective as the regulator.
That you now seek to bully DDoSecrets into removing, nay, censoring explosive embarrassing information essential to an informed body politic of the People of Papua New Guinea, regarding the pernicious relationship between the mining industry and, at times, PNG is not just an affront to the role of journalism, but a dramatic about face from an earlier outreach by others holding themselves out to be representative of MRA. Thus, in a series of earlier text messages, one self-identifying as an “ISMS consultant” working for the “Mineral Resources Authority of Papua New Guinea” focused not on content but carrier. One such exchange is telling:
ISMS: “Either take the data being publicised, down and/or letting us know if it was an insider attack.”
DDoSecrets: “I mean what would happen to him? Or her?”
ISMS: “Nothing. This is all about ensuring that future risks can be mitigated. We are just interested in making the MRA more secure so this doesn’t happen again”
DDoSecrets: “Ok”
ISMS: “Can you at least confirm whether it was an insider?”
DDoSecrets: “I don’t know what to say”
ISMS: “if you can confirm it was an insider, then we can strengthen our insider security and our awareness training”
DDoSecrets: “What if I don’t?”
ISMS: “If it wasn’t an insider, then we will spend our efforts securing the perimeter.”[1]
Finally, I would like in brief to comment on your red herring of potential state and international criminal exposure by my client for nothing more than publication of politically sensitive material. Preliminarily, to the extent you rely upon the Budapest Convention as the basis to demand that DDoSecrets remove its expose on various protocols and activities of the Mineral Resources Authority (MRA) of Papua New Guinea, as constructed and applied your interpretation is little more than a palpable wishful shout … an argument here lacking any relevant application as to DDoSecrets. Without analyzing in full the intended reach of the Convention, in relevant part, its clear intent is not to silence publication of materials received by journalists and publications who played no role whatsoever in the activity that led to its acquisition, but rather to address “cybercrimes” such as hacking or conspiracy to hack by those who engaged in that very activity. Indeed, on this point, unless I am in need of stronger reading glasses, I found no part of the Convention which specifically sets forth a lawful basis to prosecute not those who hacked otherwise “secure” data bases of information, but rather those who subsequently published it … here some two years later and only after taking reasonable steps to redact the information in such a way as to safeguard sensitive personal information contained therein.
Likewise, while I have reviewed the Papua New Guinea Digital Government Act 2022 and the National Cyber Security Policy 2021 and found them to reflect a powerful commitment by the state to enter the increasingly interconnected world of the 21st century, at day’s end neither is on point as to your demand of DDoSecrets. Thus, while these Acts clearly express a strong commitment to the establishment of a proactive and far-reaching strategy to ensure state cybersecurity by, inter alia, safeguarding digital infrastructure each fails to address let alone criminalize, as here, third party publication of embarrassing state information.
So, too, I would note that your threat to seek criminal law intervention and enforcement through various international entities including INTERPOL is likewise a bark without bite. Having litigated and prevailed at INTERPOL on the basis of the “political” exception, I am well aware of what is necessary to obtain a Red Notice against a given identified and criminally charged individual by INTERPOL, as well as its political exemption rule. In this case, your ignored demand of DDoSecrets would, in any event, fail to satisfy the requisite charging predicate for triggering a Red Notice, and most certainly presents activity well within the clear reach and intent of INTERPOL’s political immunity clause.
In conclusion, DDoSecrets has a long and storied history of publishing what some call “compromised data” in their palpable and pernicious drive to own the marketplace of ideas, while many others across the globe see such information as essential to an informed body politic that can make knowing decisions about their world going forward. In that effort, as journalists, DDoSecrets respectfully rejects your request to silence knowledge. As has been its practice since it took a much-needed place in the marketplace of ideas, simply put, DDoSecrets had nothing to do with targeting the data you wish to silence, nor did it play any role whatsoever in the manner and/or means by which the data was obtained. No less true, as is its practice, it took any and all necessary steps to ensure that the data release could not in itself adversely impact or injure, physically or otherwise those referenced within its publication.
I close with apt sage words penned long ago. Although centuries may have come and gone and the medium “grown” since, the message nonetheless transcends the narrow confines of time and place … “The mind once enlightened cannot again become dark.”[2]
Very truly yours,
___________________
Stanley L. Cohen, Esq.
[1] The ISMS author continues on concerned not with content, but process … “There are many different types of insider threats and malicious is just one. If it was an unintentional error then that allows us to focus on different areas like adequate training of the staff.”
[2] ― Thomas Paine, A Letter Addressed to the Abbe Raynal on the Affairs of North America