Posted on 29/05/2019 by Michael Oliver
When’s a hack not a hack?
If someone takes an established URL – let’s say www.website.com/2018/importantdocument.pdf – and changes the “2018” to “2019,” magically accessing an unreleased document, have they “hacked” it?
What if the document wasn’t assigned the correct read permissions and was found by a simple Google search?
Or what if someone attained the document through some kind of digital subterfuge, ideally while wearing a hooded sweatshirt surrounded by falling numbers? Well, yeah, that’s pretty much the dictionary definition of hacking – and the plot of every hacking film ever produced.
Folks, welcome to the blistering ten minute guitar solo known as New Zealand politics.
Scandal has erupted in the Land of the Long White Cloud following news the opposition National Party gained copies of sensitive Treasury documents about the Government’s upcoming Wellbeing Budget.
New Zealand Government budgets are very secret squirrel. On Budget Days, the Government invites the media and other analysts to register for the “Budget Lock-up,” a 3.5 hour briefing and Q&A with the Finance Minister at Parliament.
The terms and conditions are a bit intense. Attendees agree not to transmit any information until the embargo is lifted, mobile phones must be switched off or turned to flight mode, and all loo visits are escorted.
So, when National Party leader Simon Bridges told media that he had sweet, sweet budget deets, it sent alarm bells ringing.
The stakes were raised when the Treasury secretary, Gabriel Makhlouf, issued a statement saying:
“Following this morning’s media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked.” Treasury reported that “someone” had tried to access the documents more than 2000 times.
The matter has since been referred to the police. The proverbial spreadsheets hit the fan.
As of Tuesday NZT, it seemed that the “hack” was probably someone having a peek and prod around the directories of the Treasury’s website. A blogger took to Twitter to show that most of the material released by the National Party was all over Google. That stuff has since had 403 status slapped on quick-smart.
But fair questions have popped up about what the hack is going on at Treasury. Journalist Toby Manhire asked:
“[Are] the Treasury’s cybersecurity measures up to scratch? If Makhlouf and/or [Finance Minister] Grant Robertson have gone histrionic to cloak basic infosec sloppiness, one or both will be in the firing line.”
There are a myriad of legal implications at play, to say nothing of the prospect someone uploaded a bunch of files without giving them the right permissions. Whoopsie doodle. But the definition of hacking feels steadfast, right?
But does scanning for open ports seem like hacking? How about URL spamming? What about accessing a computer system without authorisation while knowing you’re not authorised to do so? What’s the difference between brute force access and just punching in a bunch of URLs until you get a hit?
It’s all a bit of a hack job, whatever screen you look at it.