
Lyndon Hood: Better Analogies for National Pilfering Budget Data

From the Hood: J'Hackuse

First published on Werewolf

"Imagine you've got a room in which you have placed important documents that you feel are secure, are bolted down with a lock and key, but unknown to you one of those bolts has a weakness, and someone who attacks that bolt deliberately, persistently and repeatedly finds that it breaks and they can enter and access those papers. That's what's happened here."

"It wasn't an instance of someone stumbling into the room accidentally, it wasn't an instance of someone attacking the bolt and finding it broke immediately."

— Gabriel Makhlouf, sounding quite scary but mostly confusing computer people.

[Image: Simon Bridges, but he's the hobbit holding the palantir from Lord of the Rings]

The Secretary of the Treasury, who had thoughtfully resigned to go to Ireland some time ago, is under investigation. The State Services Commission is looking into the breach of Budget data, and also his response. The response included offering up a terrible and fairly misleading analogy about "locks" and "entering", and having the temerity to go to the police merely on the say-so of some outfit called the National Cyber Security Centre.

The clearest lesson at this point is that no public servant should ever use the word "hack" (which, whatever it means, apparently plenty of people have some vague idea but definitely know it doesn't mean whatever we're talking about), although it would also have helped if he'd been quicker to mention the NCSC's advice that Treasury was "not compromised" (which, whatever that means, apparently a lot of people think it means "not hacked").

Treasury's subsequent statement made things clearer. Their website's search engine had unintentionally indexed the private Budget documents. The documents themselves could not be retrieved, but they could show up in search results, and a crafted advanced search could display some of the Budget figures in the preview snippet. Which someone seemed to have tried a couple of thousand times.
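The mechanism in that statement (an index built over documents the public cannot retrieve, with previews rendered from the indexed text) is easy to reproduce. What follows is an added example, not Treasury's code and not part of the original column: a toy search over a constructed two-document corpus, with a leaky version that checks access only when a document is fetched, and a fixed version that applies the visibility rule before any snippet is generated. The document titles, dollar figures, search terms and function names are all invented for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Doc:
    doc_id: str
    title: str
    body: str
    published: bool  # False = embargoed; only staff may read it


# Constructed corpus: one public document, one embargoed draft. The titles,
# figures and wording are invented for this example.
CORPUS = [
    Doc("d1", "Budget 2018 Summary",
        "Health operating spend was $17.6 billion in 2018.", True),
    Doc("d2", "Budget 2019 Estimates (embargoed draft)",
        "Health operating spend rises to $18.7 billion in 2019. "
        "Education capital allocation is $1.2 billion.", False),
]

# A short word list standing in for "a couple of thousand" crafted searches.
TERMS = ["Health", "Education", "2019"]


def snippet(body: str, term: str, width: int = 40):
    """Return the text surrounding the first hit, as a result preview would."""
    m = re.search(re.escape(term), body, re.IGNORECASE)
    if m is None:
        return None
    return body[max(0, m.start() - width): m.end() + width]


def fetch_document(corpus, doc_id: str, requester_is_staff: bool = False) -> str:
    """Full-document retrieval. In the leaky design, access is enforced here and only here."""
    for d in corpus:
        if d.doc_id == doc_id:
            if d.published or requester_is_staff:
                return d.body
            raise PermissionError(f"{doc_id} is not published")
    raise KeyError(doc_id)


def leaky_search(corpus, term: str):
    """Search the whole index. The click-through is protected by fetch_document,
    but the preview is rendered from the indexed text of every document, so an
    embargoed document still leaks the text around each hit."""
    hits = []
    for d in corpus:
        s = snippet(d.body, term)
        if s is not None:
            hits.append((d.doc_id, d.title, s))
    return hits


def safe_search(corpus, term: str, requester_is_staff: bool = False):
    """Same search, but the visibility rule is applied before any snippet is
    generated, so unpublished documents never reach the preview stage."""
    visible = [d for d in corpus if d.published or requester_is_staff]
    return leaky_search(visible, term)


DOLLAR_FIGURE = re.compile(r"\$\d+(?:\.\d+)?\s+(?:billion|million)")


def harvest(search, terms):
    """Run one search per term and collect every dollar figure the previews
    expose: the repeated, crafted querying the column describes, automated."""
    found = set()
    for t in terms:
        for _doc_id, _title, s in search(t):
            found.update(DOLLAR_FIGURE.findall(s))
    return found


if __name__ == "__main__":
    print("leaky:", sorted(harvest(lambda t: leaky_search(CORPUS, t), TERMS)))
    print("fixed:", sorted(harvest(lambda t: safe_search(CORPUS, t), TERMS)))
```

The fix is not a cleverer snippet generator; it is that the access decision happens at query time, on the candidate set, before any text is rendered. The stricter variant is not to index embargoed material into the public-facing index at all, which also removes the signal that a matching document exists.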

The Treasury Secretary's initial remarks were, if we go purely on the reaction raised in delicate circumstances, inflammatory enough to be a mistake. Something the police were perhaps more careful about. Despite their previous over-enthusiastic investigation of hacking-related cases, despite a natural preference for slowness in non-emergencies, and despite actual legal uncertainty over whether this could be a crime, they seem to have dropped Treasury's complaint as quickly as they could type "does not appear to be unlawful" without their hands shaking.

National leader Simon Bridges had seemed even more put out than usual. He thundered darkly that Makhlouf had accused National of hacking (at least as much of an exaggeration as anything Makhlouf said). National's actions were "entirely appropriate behavior", he said, and, somehow quadrupling down, declared it was National's duty to access the information. He was quick to announce they had neither broken the law nor used "any definition" of hacking. They were so sure of this that they hadn't bothered to check.

It struck me that, to judge that properly, we lack a waypoint for our moral compass. After the Treasury Secretary's tragically doomed effort to provide a metaphorical image for the data breach, and the rash of media attempts that followed, we never got an analogy that really covers all the bases.

Until now.

***

It's like the documents were accidentally left sitting out right in front of the Treasury building. But under a very firmly fixed paperweight labelled 'secret'. But some National Party staffers still managed to see some numbers when the wind caught the edges. And the wind was National Party staffers blowing on it.

It's as "entirely appropriate" as seeing movement while walking past a street-level house window, then having a good look inside to see if there's something cool you can tell your friends about.

It's like finding your sister's birthday present in the place your parents always hide the presents and then saying it was your "duty" to put posters up around the neighbourhood about how you would have chosen something better.

It's like the Budget estimates were sitting there in the Treasury search engine right where anyone could find a very very tiny bit of it, and anyone with common levels of ingeniousness, and less usual levels of determination, could see many more tiny bits they actually wanted to see.

It's like hacking, but a TV news audience can almost understand how it was done.

It's like running a bash script that sends a slow, steady stream of GET requests which cause a misconfigured server to return fragmentary chunks of private information, until you've extracted enough data to use against your target. But by hand.

It is surely not better than looking at the documents someone has left on their desk when you are invited into their office which, oh boy, let me tell you, will at least get you shouted at.

It's like wandering into someone's back garden, and when you get caught explaining it's fine because the gate had swung open.

It's like what Keith Ng did to Work and Income. But malicious.

It's like the documents were "on display" in the bottom of a locked filing cabinet (which you could still kind of see into a bit), stuck in a disused lavatory with a sign on the door saying "Budget Documents".

It's like two thousand 'extremely normal web searches' when all you need is a 'hack'.

It's like an actual data breach where someone published government information and we all agree that's a bad thing and there will be an investigation into the breach but not an investigation into the someone.

It's like hacking, but the person doing it was wearing a suit.

It's like you've got a room in which you have placed important documents that you feel are secure, are bolted down with a lock and key, but unknown to you there is a little sort of peephole that was made accidentally while installing the viewing gallery (there is a public viewing gallery in this room outside the locked room, let's say it's some kind of weird library). And now a guy in the gallery has been leaning over the rails and holding his phone up at odd angles trying to see if there was anything in the locked room that might embarrass your boss. And then he demands you resign when you complain about this with the wrong words.

It's like doing a naughty thing, but possibly in the public interest, and kind of a bit to the public detriment, and noticeably in your own interest, except the public isn't very interested.

It's not like they weren't releasing it in two days anyway.

It's "hackesque".

It's like uncovering a security flaw and, rather than reporting it, methodically exploiting that vulnerability to access data you knew was supposed to be confidential, and then using that information for your own purposes.

© Scoop Media

 
 
 