Scoop has an Ethical Paywall
Work smarter with a Pro licence Learn More
Top Scoops

Book Reviews | Gordon Campbell | Scoop News | Wellington Scoop | Community Scoop | Search


Lyndon Hood: Better Analogies for National Pilfering Budget Data

From the Hood : J'Hackuse

First published on Werewolf

"Imagine you've got a room in which you have placed important documents that you feel are secure, are bolted down with a lock and key, but unknown to you one of those bolts has a weakness, and someone who attacks that bolt deliberately, persistently and repeatedly finds that it breaks and they can enter and access those papers. That's what's happened here."

"It wasn't an instance of someone stumbling into the room accidentally, it wasn't an instance of someone attacking the bolt and finding it broke immediately."

— Gabriel Makhlouf, sounding quite scary but mostly confusing computer people.

simon bridges, but
he's the hobbit hold the palantir from lord of the

The Secretary of the Treasury, who had thoughtfully resigned to go to Ireland some time ago, is under investigation. The State Services Commission is looking into the breach of Budget data, and also his response. The response included offering up a terrible and fairly misleading analogy about "locks" and "entering", and having the teremity to go to the police merely on the say so of some outfit called the National Cyber Security Centre.

Advertisement - scroll to continue reading

Are you getting our free newsletter?

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.

The clearest lesson at this point is that no public servant should ever use the word "hack" (which, whatever it means, apparently plenty of people have some vague idea but definitely know it doesn't mean whatever we're talking about), although it would also have helped if he'd been quicker to mention the NCSC's advice that Treasury was "not compromised" (which, whatever that means, apparently a lot of people think it means "not hacked").

Treasury's subsequent statement made things clearer. Their search engine had unintentionally indexed the private budget documents. The documents themselves could not be reached, but they could show up in search results and a crafted advanced search could display some of the budget numbers in the preview. Which someone seemed to have tried a couple of thousand times.

The Treasury Secretary's initial remarks were, if we go purely on the reaction raised in delicate circumstances, inflammatory enough to be a mistake. Something the police were perhaps more careful about. Despite their previous over-enthusiastic investigation of hacking-related cases, despite a natural preference for slowness in non-emergencies, and despite actual legal uncertainty over whether this could be a crime, they seem to have dropped Treasury's complaint as quickly as they could type "does not appear to be unlawful" without their hands shaking.

National leader Simon Bridges had seemed even more put out than usual. He thundered darkly that Makhlouf had accused National of hacking (at least as much of an exaggeration as anything Makhlouf said). National's actions were "entirely appropriate behavior", he said, and, somehow quadrupling down, declared it was National's duty to access the information. He was quick to announce they had neither broken the law nor used "any definition" of hacking. They were so sure of this that they hadn't bothered to check.

It struck me that, to judge that properly, we lack a waypoint for our moral compass. After the Treasury Secretary's tragically doomed effort provide a metaphorical image for the data breach, and the rash of media attempts that followed, we never got an analogy that really covers all the bases.

Until now.


It's like the documents were accidentally left sitting out right in front of the Treasury building. But under a very firmly fixed paperweight labelled 'secret'. But some National Party staffers still managed to see some numbers when the wind caught the edges. And the wind was National Party staffers blowing on it.

It's as "entirely appropriate" as seeing movement while walking past a street-level house window then having good look inside to see if there's something cool you can tell your friends about.

It's like finding you sister's birthday present in the place your parents always hide the presents and then saying it was your "duty" to put posters up around the neighbourhood about how you would have chosen something better.

It's like the Budget estimates were sitting there in the Treasury search engine right where anyone could find a very very tiny bit of it, and anyone with common levels of ingeniousness, and less usual levels of determination, could see many more tiny bits they actually wanted to see.

It's like hacking, but a TV news audience can almost understand how it was done.

It's like running a BASH script that sends a high latency stream of GET commands which cause a misconfigured server to return fragmentary chunks of private information, until you've extracted enough data to use against your target. But by hand.

It is surely not better than looking at the documents someone has left on their desk when you are invited into their office which, oh boy, let me tell you, will at least get you shouted at.

It's like wandering into someone's back garden, and when you get caught explaining it's fine because the gate had swung open.

It's like what Keith Ng did to Work and Income. But malicious.

It's like the documents were "on display" in the bottom of a locked filing cabinet (which you could still kind of see into a bit), stuck in a disused lavatory with a sign on the door saying "Budget Documents".

It's like two thousand 'extremely normal web searches' when all you need is a 'hack'.

It's like an actual data breach where someone published government information and we all agree that's a bad thing and there will be an investigation into the breach but not an investigation into the someone.

It's like hacking, but the person doing it was wearing a suit.

It's like you've got a room in which you have placed important documents that you feel are secure, are bolted down with a lock and key, but unknown to you there is a little sort of peephole that was made accidentally while installing the viewing gallery (there is a public viewing gallery in this room outside the locked room, let's say it's some kind of weird library). And now a guy in the gallery has been leaning over the rails and holding his phone up at odd angles trying to see if there was anything in the locked room that might embarrass your boss. And then he demands you resign when you complain about this with the wrong words.

It's like doing a naughty thing, but possibly in the public interest, and kind of a bit to the public detriment, and noticeably in your own interest, except the public isn't very interested.

It's not like they weren't releasing it in two days anyway.

It's "hackesque".

It's like uncovering a security flaw and, rather than reporting it, methodically exploiting that vulnerability to access data you knew was supposed to be confidential, and then using that information for your own purposes.

© Scoop Media

Advertisement - scroll to continue reading
Top Scoops Headlines


Join Our Free Newsletter

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.