How can something as basic as typing into the Treasury search box be hacking? Herald data journalist and WINZ kiosk hacker Keith Ng explains.
I am a rubbish hacker. I am such a rubbish hacker, in fact, that a hacker conference awarded me with a joke prize for my "hack" of the Work & Income kiosks in 2012. This "hack" used the Microsoft Word "open file" window, combined with a few clicks and lot of patience. It resulted in me walking out with a USB drive containing the personal information of vulnerable individuals, including children in state care, from MSD's internal network.
As an award-winning rubbish hacker, let me tell you: Hacking which is lacking in sophistication, even crude to the point of embarrassment, is still hacking.
In the popular imagination, "hacking" is virtually indistinguishable from magic. It's an incomprehensible craft which results in unimaginable havoc. That's why when it's so easily comprehensible – like obtaining Budget files through a browser – we cannot believe it's the same thing.
In reality, a lot of hacking is laborious and repetitive, equivalent to walking down a street trying the door on every house. Hackers do this because they are not magical, they can't breach the unbreachable. But they don't have to, they just have to find something that's easy to breach. Somewhere, there's a server which is misconfigured. Somewhere, there's a person who will click on their malware link. Somewhere, there's a file which is supposed to be locked down, but wasn't. They just have to keep trying.
Imagine if you only saw the last part of the process. Imagine you didn't see the first 200,000 times where the security system blocked access, and you just saw the 200,001st attempt. You would simply see the hacker walk in and succeed at accessing the information. You might think there was no security at all.
In Treasury's case, we can imagine ourselves typing some letters and numbers into the browser. How can something that we do all the time possibly be circumventing security? But we need to wind back, and consider all the times where it didn't work. Those first 2000 attempts that failed is where the real hack took place.
While Treasury Secretary Gabriel Makhlouf tried to make "more than 2000 attempts in 48 hours" seem like a serious attack, it's actually a very low number which signalled it was being done by hand, by someone who was quite a rubbish hacker. But its rubbishness doesn't matter. That it was done through a browser doesn't matter. What makes it hacking is that the Budget documents are clearly not supposed to be available. Even if you didn't know the rules around Budget secrecy, most people would take the hint after failing to obtain the information the first 2000 times.
This was an intentional effort to get around the access controls. That makes it a hack.
But "hacking" is not the same as "illegal". After my own hack of the WINZ system, journalists and politicians mused about whether I should be prosecuted. The law against unauthorised access of computer systems says it doesn't count "if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access".
Did that mean I was off the hook? I didn't know, and my lawyer couldn't say for sure either. But if I was charged, at least I had a defence.
I conducted the hack as a journalist to expose the problems with MSD's computer system. It was in the public good because the safety and privacy of very vulnerable people were at stake, and MSD had shown apathy towards information security (it was later revealed that they had a security report alerting them to the exact problem, but they ignored it).
MSD needed a swift kick to sort it out, and documenting the hack was the only way to detail exactly how bad the problem was and what its consequences were. Some people believed it was unethical, and I understand their position. It was an ethically thorny decision, at best.
It really was a "hack". It was information which I had no right to. It needed a damn good reason to justify it, and it came with very serious responsibilities to not abuse that information.
I told the Privacy Commissioner and asked for advice. I promised not to release personal details and to destroy the files afterwards. I gave MSD a heads-up so they could shut down all the kiosks before the vulnerability was made public, and provided as much information as possible about what the vulnerability was.
If Simon Bridges just wanted to highlight how insecure Treasury's information system was, why was it necessary to release the content of the hack? If the security of Treasury's information was really so important to him, why didn't he tell Treasury or the public what the problem was?
These are not unreasonable standards to hold ourselves to. If it's good enough for a rubbish hacker like me, it should be good enough for the leader of our opposition.