"Imagine you've got a room in which you have placed important documents that you feel are secure, are bolted down with a
lock and key, but unknown to you one of those bolts has a weakness, and someone who attacks that bolt deliberately,
persistently and repeatedly finds that it breaks and they can enter and access those papers. That's what's happened
"It wasn't an instance of someone stumbling into the room accidentally, it wasn't an instance of someone attacking the
bolt and finding it broke immediately."
— Gabriel Makhlouf, sounding quite scary but mostly confusing computer people.
The Secretary of the Treasury, who had thoughtfully resigned to go to Ireland some time ago, is under investigation
. The State Services Commission is looking into the breach of Budget data, and also his response. The response included
offering up a terrible and fairly misleading analogy about "locks" and "entering", and having the teremity to go to the
police merely on the say so of some outfit called the National Cyber Security Centre.
The clearest lesson at this point is that no public servant should ever use the word "hack" (which, whatever it means,
apparently plenty of people have some vague idea but definitely know it doesn't mean whatever we're talking about),
although it would also have helped if he'd been quicker to mention the NCSC's advice that Treasury was "not compromised"
(which, whatever that means, apparently a lot of people think it means "not hacked").
Treasury's subsequent statement
made things clearer. Their search engine had unintentionally indexed the private budget documents. The documents
themselves could not be reached, but they could show up in search results and a crafted advanced search could display
some of the budget numbers in the preview. Which someone seemed to have tried a couple of thousand times.
The Treasury Secretary's initial remarks were, if we go purely on the reaction raised in delicate circumstances,
inflammatory enough to be a mistake. Something the police were perhaps more careful about. Despite their previous over-enthusiastic investigation of hacking-related case
s, despite a natural preference for slowness in non-emergencies, and despite actual legal uncertainty
over whether this could be a crime, they seem to have dropped Treasury's complaint as quickly as they could type "does
not appear to be unlawful" without their hands shaking.
National leader Simon Bridges had seemed even more put out than usual. He thundered darkly that Makhlouf had accused
National of hacking (at least as much of an exaggeration as anything Makhlouf said). National's actions were "entirely
appropriate behavior", he said, and, somehow quadrupling down, declared it was National's duty to access the information. He was quick to announce they had neither broken the law nor used "any definition" of
hacking. They were so sure of this that they hadn't bothered to check.
It struck me that, to judge that properly, we lack a waypoint for our moral compass. After the Treasury Secretary's
tragically doomed effort provide a metaphorical image for the data breach, and the rash of media attempts that followed,
we never got an analogy that really covers all the bases.
It's like the documents were accidentally left sitting out right in front of the Treasury building. But under a very
firmly fixed paperweight labelled 'secret'. But some National Party staffers still managed to see some numbers when the
wind caught the edges. And the wind was National Party staffers blowing on it.
It's as "entirely appropriate" as seeing movement while walking past a street-level house window then having good look
inside to see if there's something cool you can tell your friends about.
It's like finding you sister's birthday present in the place your parents always hide the presents and then saying it
was your "duty" to put posters up around the neighbourhood about how you would have chosen something better.
It's like the Budget estimates were sitting there in the Treasury search engine right where anyone could find a very
very tiny bit of it, and anyone with common levels of ingeniousness, and less usual levels of determination, could see
many more tiny bits they actually wanted to see.
It's like hacking, but a TV news audience can almost understand how it was done.
It's like running a BASH script that sends a high latency stream of GET commands which cause a misconfigured server to
return fragmentary chunks of private information, until you've extracted enough data to use against your target. But by
It is surely not better than looking at the documents someone has left on their desk when you are invited into their office which, oh boy, let
me tell you, will at least get you shouted at.
It's like wandering into someone's back garden, and when you get caught explaining it's fine because the gate had swung
It's like the documents were "on display" in the bottom of a locked filing cabinet (which you could still kind of see
into a bit), stuck in a disused lavatory with a sign on the door saying "Budget Documents".
It's like two thousand 'extremely normal web searches' when all you need is a 'hack'.
It's like an actual data breach where someone published government information and we all agree that's a bad thing and
there will be an investigation into the breach but not an investigation into the someone.
It's like hacking, but the person doing it was wearing a suit.
It's like you've got a room in which you have placed important documents that you feel are secure, are bolted down with
a lock and key, but unknown to you there is a little sort of peephole that was made accidentally while installing the
viewing gallery (there is a public viewing gallery in this room outside the locked room, let's say it's some kind of
weird library). And now a guy in the gallery has been leaning over the rails and holding his phone up at odd angles
trying to see if there was anything in the locked room that might embarrass your boss. And then he demands you resign
when you complain about this with the wrong words.
It's like doing a naughty thing, but possibly in the public interest, and kind of a bit to the public detriment, and
noticeably in your own interest, except the public isn't very interested.
It's not like they weren't releasing it in two days anyway.
It's like uncovering a security flaw and, rather than reporting it, methodically exploiting that vulnerability to access
data you knew was supposed to be confidential, and then using that information for your own purposes.