The court file for Nicky Hager's case against the police raid on his house, supposedly to ferret out the Dirty Politics book source "Rawshark", has been released and it contains some real doozies from a tech perspective.

To recap, this is indeed interesting stuff, laden with hackers, information dumps online, and more. It's very 2015, very techie and, by the looks of it, the authorities are pretty clueless on how to handle it.

At the centre of the complaint, which the police acted on by raiding Hager's home to search for evidence, are one or more of Cameron "Whale Oil" Slater's computers and servers which were supposedly hacked.



The hacking of Slater's computers and servers constituted a criminal act, and formed the basis of the police raid on Hager's house.

But the hacking itself wasn't done by Hager. He said he received the leaked information on a memory stick.

A computer forensics expert who reviewed the police investigation into the hack confirmed as much:

The examination of Mr Hager's electronic storage devices was to locate evidence of a crime. It was not suspected that these items had been used to commit the crime itself.

The same expert said there was no point in trying to investigate the virtual private server hosted at Linode that ran whaleoil.co.nz, or name registries and other hosting services which may have provided clues as to who, or where, Rawshark is.

That server is the scene of a crime, and as an IT security expert testifying for Hager made clear, it should've been the focus of the investigation. Rawshark accessed whaleoil.co.nz and most probably used information from that site to get into Google Gmail and Facebook accounts held by Slater and there may have been traces of that activity.

Likewise, Slater's personal computer was cloned - a full copy of the data on it was taken - but did anyone search it for evidence that showed the Mac laptop had been compromised somehow?

Rawshark used the Tails (The Amnesic Incognito Live System) - a Linux-based operating system that starts up a computer, hides the user while on the internet and leaves no trace of activity on the device - to communicate with media.

Edward Snowden uses Tails precisely because it leaves no trace. Yet the police expert thought that Rawshark and Hager might have made some mistakes like typing text into a window that wasn't protected by Tails, and suggested that as Windows uses temporary files, there could be some incriminating information left on the devices the police investigated.


Only problem is, Tails does not start up Windows, nor does it use temporary files. It was highly unlikely that police would find any evidence of Tails' use on Hager's computers, or data left on them that could've led them to Rawshark.

Police asked social network site Twitter to produce information as to who was behind the Whaledump account (now suspended); Twitter told the police to go through the official channels and make a Mutual Legal Assistance Treaty (MLAT) request, which the police didn't do.


Likewise, Google wanted a US court order to release information and, again, the police seemed to not have gone through with that. Vodafone and Trade Me wanted production orders from the police to release information, but these were not produced.

There are some comic elements around the raid too. As part of cloning of one of Hager's laptops, the police took a photo of it to record the information on the screen.

This was apparently because the police needed internet access and didn't have a 3G/4G mobile data connection with them. You'd think that a mobile data connection would be standard issue so that the police don't have to obtain internet access via the systems they're investigating.

I always thought it odd that a "denial-of-service attack" (my emphasis) was behind the hack. As the name implies, such an attack stops servers from serving, or responding, making them rather hard if not impossible to access. Somehow, gigabytes of data were copied while the whaleoil website was inaccessible. It's hard to see how that even begins to make sense.

Other possibilities, such as seeing if the site was hacked through a flaw in the notoriously insecure Wordpress publishing platform, appear not to have been considered either, nor the possibility it was an inside job.

Did an insider leak the information to Hager?

Did that person supply Rawshark with login details?

Those are surely questions that needed to be answered before the police raid on Hager.

Most curiously, the Prime Minister claimed to know who Rawshark is. If so, why didn't he tell the police the name - and why didn't the police ask him for it? That could've avoided the raid on Hager, which in any case turned up no evidence at all as to Rawshark's identity, or the hack itself.

There seems to be something totally askew in how the investigation into how the material behind Dirty Politics came into Hager's hands was conducted, with no plausible explanation as to why it was done in the manner it was.

I think we deserve an explanation as to why Hager was raided when any evidence was likely to be contained not on his computer systems, but on others.

Related to the above, Keith Ng's excellent summary on how Cameron Slater was taken for a ride by one of the sideshow actors in the Whaledump and Dirty Politics saga, Ben Rachinger, is absolutely worth reading over at Public Address. It's almost material for a movie, in fact.

PS. Slater's suggestion that I was involved in the Whaledump saga, as suggested in one of the chat transcripts that Rachinger copied and gave to Ng, is wrong. I simply did not wish to have anything whatsoever to do with that particular mess but it seems I was drawn into it anyway.