A few months ago an email arrived from Russel Norman, the Greenpeace NZ boss and former Green Party leader. "Hi there," it read. "Russel wants to share some files with you via Dropbox."

I wasn't expecting anything from him, but I clicked on the "View folder" link to the cloud-storage service all the same. It took me to a Dropbox-headed page inviting me to log in by clicking on my email service provider and entering my "details", for, you know, "security purposes".

The page was smartly laid out, though the URL was a mysterious "vwinnotebooks.com". I double checked that the original email was from Norman's real address.

It was. I replied: "This doesn't seem to go to a Dropbox link - something phishy??" Three minutes later, a response: "Hi Toby, Thank you for checking with me. The message is safe, go ahead and check it. Log in with your email and password for verification to view the files. Thanks, Russel."


An impressive effort. But, though I don't know Norman well, it didn't seem very much like the sort of sentence he'd write. So I pinged him a direct message via Twitter. The actual Russel Norman replied confirming it was a case of phishing (a dodgy attempt to extract confidential details), and their IT people were looking into it.

A Greenpeace spokesperson later told me that one of their accounts was compromised, though "it wasn't Russel's account directly, it was his assistant. We don't know if the message was sent to everyone in their contacts list, but we do know it went to a good number so it is likely that it went to everyone".

For many of us, sharing files via cloud services is a daily occurrence; and we're habitually tapping in a password to one site or another that wants to check credentials.

In this case, the response to my emailed query, whether sent by a human in a far-flung phishing factory or a bot, suggests a reasonably advanced operation. Greenpeace advised that any of their accounts compromised were reset "and all (potentially) affected users were informed".

At the time, the scandal around possible links between Team Trump and the Russians and the hacking of Democratic National Committee servers ahead of the election - those being the ties that were under investigation by FBI director James Comey, whom US President and human souffle Donald Trump fired this week - was raging away.

Could that phishing attack on Greenpeace have been part of some nefarious attack by foreign state actors? It might have been, said information security consultants I spoke to. Equally, it could have been a bog-standard attempt at theft for financial gain.

It is, however, an increasingly commonplace, and often sophisticated, strategy. Tempting though it is to imagine hacking as some shadowy figure (preferably in a hoodie, maybe even fingerless gloves) charging through squillions of lines of programming code, armed with nothing but a can of energy drink and a zero-day exploit, more often that not it's likely to involve comparatively banal phishing attempts, targeted or not, which hinge on the greatest cyber-vulnerability: human error.

Almost certainly that's what happened with the DNC emails published in the leadup to the United States election by WikiLeaks.


According to a New York Times report, an email sent to Hillary Clinton's campaign chairman was identified by an aide as a phishing attempt, but a slip of the finger saw it flagged as "legitimate" instead of "illegitimate".

Over the weekend, nine gigabytes stolen via phishing from the campaign team for French presidential candidate Emmanuel Macron were dumped on to the internet, and quickly disseminated via a network of alt-right Twitter accounts and WikiLeaks.

They were published on the eve of the Sunday's deciding round of voting, just as France's electoral prohibition on media coverage of politics kicked in, which only added to claims of outside interference.

Moscow, it was widely reckoned, was at it again, getting behind the right-wing authoritarian chaos candidate, Marine Le Pen.

This time, however, it seemed that the victims of the attacks were on to it. Having been deluged with phishing missives, the Macron campaign reportedly outfoxed the hackers by furnishing them with bogus information. It might even have helped Macron, who won by a bigger margin than expected.

Foreign meddling in elections and political affairs is nothing new, of course. The CIA can boast a particularly voluminous record. Leaks, including anonymous leaks, are not new, either: journalists have always had to assess authenticity of information and the motives, if known, of the source.

When you combine, however, the sheer volume of material in a "dump", the emergence of non-traditional media by which to distribute it, the breathless race to be first in breaking news, and the increasing sense that information may have been hacked by parties who, in stark contrast to the idealised figure of the courageous whistleblower, are pursuing their own nefarious ends, it makes for a minefield.

Following the French email dump, US sociologist and commentator Zeynep Tufekci urged French media not to "get played the way the US press got played". Brookings fellow Susan Hennessey went further, suggesting to the press: "Do not cover the substance of emails. At all. Refuse on principle to take part."

That's going too far. There are limits: no one can plausibly defend, for example, the News of the World hacking phones in pursuit of celebrity scandal. There are circumstances where information proffered should be rebuffed - as in, say, recent examples in the US of hacked data being fed as part of a blackmail plot.

It is incumbent on those reporting such leaks to be as transparent and clear as possible about the motives of information sources. A shutdown on reporting information that might have been stolen or come from vested interests, however, would in itself be democratically unhealthy.

It is interesting, certainly, to wonder how Dirty Politics would be received were it to be published in the leadup to the 2017 New Zealand election.

Author Nicky Hager made it very clear in the book, which draws on stolen emails and online messages, that he is satisfied with the hacker's motives, and he applied a public interest test in determining which to use in the book. Some of the materials published directly to the internet by the hacker, via the alias "Whaledump", were less discriminating.

There have already been rumours, absent any evidence, that an almighty two-terrabyte hack of New Zealand government data is lurking in the shadows, ready to pounce.

If that were to happen, it would probably be approached with considerable caution after what happened in the US and France.

Don't hold your breath for it, though. Bill English was probably right when asked about the potential for cyber-armed foreign powers to interfere in the campaign.

Unlikely, he reckoned, they'd care enough to bother.