Written By: mickysavage
Date published: 7:30 am, May 30th, 2019 - 168 comments
Categories: Economy, grant robertson, journalism, labour, making shit up, Media, national, Simon Bridges, the praiseworthy and the pitiful
Tags: Budget 2019
So yesterday we had peak media angst day and the media spent all day talking about how Simon Bridges said Grant Robertson said one thing and Grant Robertson said he said no such thing.
Why couldn’t they just analyse the evidence and make a call on it, instead of going through the “he said, he said” charade? After all, what was said was pretty clear.
Tuesday night Gabriel Makhlouf said this:
Following this morning’s media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked.
The Treasury has referred the matter to the Police on the advice of the National Cyber Security Centre.
The Treasury takes the security of all the information it holds extremely seriously. It has taken immediate steps today to increase the security of all Budget-related information and will be undertaking a full review of information security processes. There is no evidence that any personal information held by the Treasury has been subject to this hacking.
In response Grant said this:
This is extremely serious and is now a matter for the Police.
We have contacted the National Party tonight to request that they do not release any further material, given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a Police investigation.
What New Zealanders care about are the issues that will be dealt with in the Wellbeing Budget on Thursday, and that is what we continue to be focussed on.
So yeah Grant accused National of being in possession of hacked material. This seems clear.
But yesterday morning Simon went all troppo on it and accused Labour of accusing National of being the hacker.
From Radio New Zealand:
Simon Bridges says the National Party has not been involved in any computer hacking and the government is “lashing out in a witch hunt”.
…
He said Finance Minister Grant Robertson was lying and smearing the National Party.
“Grant Robertson has made scurrilous, false allegations.”
Asked if he would resign if National was found to have hacked Treasury systems, Mr Bridges said: “That is not going to happen. You have my categorical assurance about that.”
Mr Bridges said it was “not his intention” to release any more information from the Budget today.
Well feck me. Can someone point to where Robertson said that National had been involved in computer hacking? Or sheep shagging for that matter. Either claim has an equivalent amount of legitimacy.
This matters. The media do us all a real disservice by engaging in this “he said, he said” stuff. The world’s environment is being crushed because the views of a tiny number of climate change deniers are being presented as just as valid as those of a significant scientific consensus.
This morning Simon has promised to reveal how his party came into possession of the information. It looks like he may not have to. The police have confirmed that a criminal hacking has not occurred.
From Radio New Zealand:
Treasury has confirmed that a feature in its website search tool was exploited by an unknown person or persons, but police have concluded this did not break the law.
The investigation found one of the IP addresses involved in the searches belonged to the Parliamentary Service.
In a statement released this morning, Treasury said a police investigation had concluded and they were not planning any further action.
But Treasury said the evidence showed “deliberate, systematic and persistent searching of a website that was clearly not intended to be public”.
“Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information. Three IP addresses were identified that performed (in the Treasury’s estimation) approximately 2000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.
“The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus.”
The screenshots presented by Idiot Savant are the secret: they confirm that parts of documents lodged in preparation for a go-live application were visible by using the search function on the Treasury website.
Makhlouf’s description of what happened needs to be reviewed. He gave the clear impression that what had happened was continuous attempted log-ins by someone without legitimate credentials. He did not mention that the Treasury website’s search function was being used. This was a major omission and gave an incorrect impression of what had happened.
Of course National’s behaviour is all grandstanding. I would prefer to be hearing about what improvements to education, health and the environment the Government was planning to make. Watching a couple of male politicians engage in a pissing competition seems to be a total waste of time.
But Simon is in the clear on this one.
Out in voter land do people care? Most of us would prefer to hear about how the Government is addressing some pretty major problems, like child poverty, the health underspend, mental health or teachers’ salaries.
But I am sure that Simon will prefer that we concentrate on what was or was not said about him.
Makhlouf should now resign or be fired.
Wonder if the Irish will withdraw his appointment?
'Makhlouf should now resign or be fired.'
Heh…I remember the old days when people took responsibility. Long gone those days in most cases. He won't take any responsibility and you wonder if before going live with his comment he was instructed to do so?
Regardless he's off to another trough soon in Ireland so I doubt anything will happen to him.
On a different note is it just me or do we seem to have an extraordinary number of what appear to be non NZ citizens heading up our ministries and QANGOs?
Appointed in 2010 I believe.
Cultural cringe by our previous govt.
Don’t be stupid, someone with obvious malicious intent performs a dedicated 2000 searches to glean summary search results from a website and the head of the agency should lose their job?!
I’ve worked on web design and work with a web team to update content in my current role. It’s obvious this “hack” relied on the intricacies of how the website indexing and switching from mock-up to live site functioned, something most people other than those directly doing the web updates wouldn’t be aware of.
Not to mention we’re losing sight of the bigger picture here – so National gets to “announce” details of the budget, some of which were correct, some not, and do so a few days before it was released anyway, just so they could try and put their own spin on it. Seriously, what’s the point? Even my partner, who doesn’t follow NZ politics too closely said it just seemed stupid and diminished National’s standing in her eyes. National don’t seem to realize their petty hits actually alienate potential voters.
Haven't watched the video from national have you?
Sooooo intricate replacing "2018/2019" with "2019/2020"
Damn those delicately artistic file indexing protocols that change their pattern so regularly no one can keep up.
It could only be someone with advanced hacking skills who had a full keypad on their laptop keyboard
TP it has been a real joy sitting back and watching a range of contributors here making absolute arses of themselves. I've particularly enjoyed those who claim some IT knowledge pretending this was some vast international conspiracy. Well the joke they all look now.
The dirty politics spread from Grant Robertson with accusations flying around of hacking.
National couldn’t organise a meme properly, now they’re super l33t hackers who cracked through a government department’s security. Pretty sure the GCSB would have something to say about that over and above lprent’s musings
I guess the natsies lacked the public spirit to let treasury know about this weakness tuppers.
According to this article switching years in the url isn’t what happened: https://www.rnz.co.nz/news/national/390846/budget-breach-didn-t-break-the-law-treasury
They relied on searches turning up preview information in the search results, not switching years in the urls.
soooooooo intricate.
It required them to do 2000 searches over 48 hrs to glean and paste together enough detail. Pity there’s no reporters with half a brain who thought this through and asked Bridges how many person-hours of labour went into their amazing “scoop” of revealing somewhat accurate information which was going to be revealed in full 48 hrs later anyway.
" I’ve worked on web design and work with a web team to update content in my current role. It’s obvious this “hack” relied on the intricacies of how the website indexing and switching from mock-up to live site functioned, something most people other than those directly doing the web updates wouldn’t be aware of."
you've been proven wrong and now you're complaining that someone put the effort in?
I haven't been proven wrong – a mock-up website, used as a backup and as a sandbox for making web edits, can often use the same indexing system as the live site. I've worked on websites with this same set-up.
According to the public info, this is how the Treasury website was set up. So that searches on the live site would bring up small snippets of preview info in the search results (because this is the index info shared by the mock-up and live site). National* therefore had to conduct enormous numbers of searches and collate all the small snippets into one in order to have enough info to "scoop" the release. It must have taken hours.
* because let's face it, despite Bridges initially claiming they had nothing to do with the "hack" and got their info from a leak, later it became obvious from Bridges' own admissions that wasn't the case at all
I think he's going anyway so will probably be resigning and just leaving a bit earlier.
Rubbish
Stuff's story adds that the SSC is now involved: https://www.stuff.co.nz/national/politics/113109311/no-further-police-action-on-budget-leaks
Did you happen to see this other story on "leaks" in the Herald?
https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12235784
Treasury officials were dishing out copies of the Budget to journalists before the lock-up even started. Will they be describing all the journalists as criminals receiving stolen property?
I used to deal with Treasury years ago. That was back in the days when they had a very good Secretary in Dr Graham Scott. They always seemed to be very professional. Clearly the standards have slipped badly.
Was Makhlouf leaned on by Robertson?
Going by this Newshub article everyone in Treasury knew the 'Hack' was bullshit so why did Makhlouf run the hack story?
My guess is governmental pressure, to try and shut down Bridges.
https://www.newshub.co.nz/home/politics/2019/05/exclusive-human-error-that-led-to-treasury-budget-information-access-well-known-source.html
As I noted on the other thread, verifying who owned the IP addresses may have been easier for Police to do promptly without revealing the capabilities of DPMC's own IT security team – who are the ones who recommended Treasury bring in the police.
Tova adds:
Yep. Someone did not do their job properly, and others did not catch the mistake.
So a treasury IT team accidentally published a web-page containing budget summaries? Someone outside treasury discovered this & spread it around? Treasury misdiagnosed their publication as a hack? Seems somewhat Alice in Wonderland.
Perceptions of wrong-doing by curious members of the public &/or the Nats now seem to have no connection to reality…
The indexing was wrongly linked with the public-facing search function. Then that function was used 2000 times in 48 hours from 3 different IP addresses, two of which are with home internet providers.
Hmm. I'd like to see what LPrent makes of this. 2000 attempts is clear evidence of organised hacking to me, when only from three origins. Still, unless technical evidence proves that Treasury did not publish the info, I will keep suggesting that it looks like they did so!
Hacking means deliberately trying to break through a software defense to get protected info, eh? If public servants did indeed fail to put the info behind software protection, those who got it did not hack…
Using a site's own search function is not really regarded as hacking, but it does not excuse the way the Nats handled this situation.
Yeah, even the folk discussing it on the AM show thought it made Bridges seem inadequate (the sports guy kept quiet at the time).
From a wrong-doing perspective, looks like one or more public servants are guilty of acting in breach of whatever rules & ethics apply to pre-budget secrecy. Focus on the Nats for exploiting their incompetence &/or immorality looks like a distraction strategy.
Having spent a lifetime watching the left collude with the right in their ongoing attempt to cover-up such behaviour, I'll watch with interest to see if the wrong-doers are held accountable. I suspect the coalition will apply the traditional cover-up, due to Labour's preference for operating a double standard: punish such behaviour when the public does it, but protect public servants who do it. Call it the Cave Creek syndrome…
"one or more public servants are guilty of acting in breach of whatever rules & ethics apply to pre-budget secrecy."
No, they are merely guilty of bad IT design and implementation. Nothing unethical there. Just incompetent.
Odds on you being correct. However, some public servants vote National. I'm wondering if one or more was on the IT team, and made that page searchable by the public deliberately, not accidentally. Claiming it was an accident, of course.
And tipped off a few like-minded friends to go looking. Shit like this happens, always has. Insiders, gaming the system. In espionage, double-agents, and insiders with tribal loyalties, are part of the furniture.
I imagine the police would have been able to investigate any such possibility – though perhaps not quite so fast. NZ’s spy agencies would already have dossiers on anybody working in that team and their affiliations.
If it was one search and they found the data accidentally then even-stevens. They should have notified Treasury immediately. Once they realised that they got confidential information via this method and then went on to do it 2000 times then that doesn't sound legal.
Sounds very like the accessing of Labour Party records by National people. If I had to put money on it I would say this has been a Treasury practice for 10 years or so and someone in opposition staff previously worked at Treasury.
Judging by his perspicacious analysis of Simon Bridges’s breaches of the Crimes Act yesterday, his advice would be worth what you paid for it.
Yes, that sounds about right. I saw that there was a post yesterday claiming that Bridges had received stolen information etc. I stopped reading at about line 3.
Many years' experience taught me that if you want reliable information on the Law you find a competent, disinterested Lawyer and ask them. Relying on the opinion of a layman with a strong interest in the matter is crazy.
Well, I'm glad to see that I was right and that I haven't wasted half an hour of my life reading something that appears to have all been wrong. If that is a misrepresentation of what the author actually said I will now apologise to Lprent. The impression I got from the first few lines was that he thought Bridges had committed a crime though.
Well, I guess that the start of the Budget speech is likely to be a bit delayed this afternoon. National will probably bring a point of order accusing Robertson et al of misleading the House and Trevor will have to go into full attack mode in refusing to allow Grant to be referred to the Privileges Committee
It was. And thank you.
There are two parts to receiving. First is if a crime was committed to obtain the property. Then if the property was received. The second was clear in this case. The first was likely to be true – and I still think that it was.
Basically stealing accidentally unprotected property from a computer (if that is what happened) is no different than someone saying that “I didn’t steal from that shop because it was unlocked at the time”.
Perhaps you should try to explain to me why you might think that it is different?
My apology was if you were not claiming a crime was committed. I didn’t want to misrepresent that fact if in fact you had said that there hadn’t been any crime by Bridges. It appears that you were however saying that.
The other thing I learned in my youth was that, insomuch as I am not a Lawyer, my own opinions on the subject are no better than anyone else who didn't qualify in the field. The only part of the law I learnt fairly well was the legislation relating to New Zealand tax law for oil production companies. Even there I always checked my assumptions with a Lawyer who was an expert in the field.
So no, I'm not going to give my own opinions on the topic. I will defer however to the views of Professor Geddis as expressed on Morning Report today and to the fact that the Police have dropped their inquiry so quickly. Both seem to be of the view that no crime has been committed. But what would they know?
Nope. You're going for a binary choice for something that is currently a grey area in local legal terms.
I didn’t say that there WAS a crime. What I was saying was that several crimes may have been committed, one consequent on another. If grabbing accidentally unsecured files from a computer system for a dishonest purpose is a crime or if the files had been removed by someone unauthorised – then receiving copies of those files is also a crime.
The problem is that s249 and s252 haven't been fully tested in the courts. For the question of files or private areas that were accidentally left unsecured – currently it is the wild west out there. What is 'benefit'? What is a 'dishonest purpose'?
I'd like to get a court case in to test that because it would be of great benefit for the entire computer industry here (and overseas). The reason that I'm so aware of this particular area of the law is because it is always coming up in my profession. I spend my life producing content (ie code) for computers.
I'll have a look at what Prof Geddis said.
But the police? Don't make me laugh. Their main criteria for charging has little to do with legal issues. It mostly has to do with having enough evidence to be very confident that they can secure a conviction in court.
When it comes to any area of the statute that is grey and untested the risk levels go up pretty and they usually won't take such cases to court. Which is why we have had these clauses about computer crimes in the Crimes Act for so long in a legally ambiguous state.
Not to mention that generally the police would have to be regarded as being computer illiterates at just about every level – including the computer forensics place just up the road from my place in Grey Lynn.
Of course if that did result in Simon Bridges getting charged with receiving them I'm not going to shed any tears. After all he is a lawyer and should be aware of the risk in that this is a grey area.
Well we now know what happened.
The documents were not actually available. The search engine indexed part of the documents and displayed that data in a search result. This answers why so many searches were done, to get that part of the document.
So, was anything received?
I agree with Lprent. When the National Party received the budget material by whatever means they had the choice to hand it back or break the budget embargo and use it to attempt to embarrass the government. So they continued to unlawfully disseminate it. Bridges is now cynically on the attack to divert from that reality. Dirty tricks of the worst kind and a planned strategy from beginning to end by constructing a mud bath to sully the budget announcements that Labour was to make. Trumpian strategy in its purest form and of the same class that Joyce and English used to lose the election for National with their budget hole lies. The people aren't just that stupid.
'Judging by his perspicacious analysis of Simon Bridges’s breaches of the Crimes Act yesterday, his advice would be worth what you paid for it.'
I'd pay exactly zilch for any legal advice from Lyn not that I believe he's taken an interest in making money in this area.
Did the person who found the material also attempt to hack the site in search of further material? That would be easy to ascertain. Is "attempted hacking" a thing?
Hammering the search engine is a different skillset than hacking.
I suppose so, Sacha, but a person may have both skills. In any case, the issue lies with Bridges, in my opinion. His action in exploiting the 'found' material is sub-standard, in my view.
Any hacker will be able to use a search form, yes. Not so much the other way around.
Hammering the search engine is a different skillset than hacking.
Hammering the search engine was just the means they used to exploit the security hole they'd found. Finding the security hole and figuring out how to exploit it was the "hacking" part. The skill sets and tools involved are less important than the intent and the outcome. In this case, the intent was to find and exploit a hole in Treasury's IT security, and the outcome was that one was found and exploited. To me, that's hacking. And to the organisation that has the data stolen, it doesn't matter how the thieves stole it.
The other side of the coin: the info was on a treasury web-page. A web-page is public media, unless protected by software designed to make it private, right? Seems to me treasury published that page – even if it was unintentional. So, you can't say the info was stolen, can you? No crime involved.
Based on the news reports:
Treasury did not publish the pages, the mistake was that their search engine indexed them. The search engine displays a small amount of text from the document either side of the search term it found, and that was the security hole that was exploited.
A person would have to go to some effort to discover that the documents have been indexed by the search engine, would then find that access to the documents was blocked because they were confidential, and would then have to figure out that they could exploit the search engine's text display to 'reconstruct' the confidential document by bombarding the search engine with relevant search terms and collating the brief bits of text from the search results.
People are saying "Oh, that's not hacking," but those people are operating an overly-complicated definition of hacking. A security mistake was exploited to get unauthorised access to private data, and for my money that's hacking. Who cares how difficult it was for the hacker?
Or the hole they knew about already from a natsy stay behind operative in treasury.
TBF, skulking in a back yard going window to window seeking an unfastened one to enter is rather like using a rock to break one to enter.
edit: I see Adrian has made the point. But hey, intent.
Is it fair enough to ask if this security weakness has been around for a long time, as in say, pre 2016?
I heard someone grill Bridges on this a bit, and it sounded very much to me, like he was in there, boots and all, digging this stuff up.
Good question. I guess their review of this will consider that.
I have very little idea of how IT works but if one was to go around and try every single door, window and loose board on a house until a way in was found and entered and took something from that house you were not supposed to have then I presume that must be illegal.
Or even trying every possible combination on a lock until one worked surely that is also breaking and entering.
Does IT work on different laws?
* Last line is in reference to using last year's budget words or phrases to find a way in.
This is more like the front door was set up to open for anybody who asked, for a few seconds at a time, so you could see a glimpse inside. Someone opened it 2000 times.
I don't think that's a good analogy because there's a difference between trying to get into someone's house where there's no implied invitation whereas a website is basically open to all
It's more like this: you go into the public library and there are signs telling you you're allowed to use the computers. Turns out one of the computers has been left logged in by a library staff member, so you decide this is a good opportunity to rummage through the library's data. Yes, you as a member of the public were invited to use the computers, and yes, you are a data thief exploiting a security hole created by human error to obtain unauthorised access to information. I'm surprised it's not illegal, because it should be.
Actually it's like going to a website and using the search function to…search
Crazy I know 😉
It's like going to a web site, using the search function to search, finding that the documents you're interested in are unavailable because they're confidential, and deciding that actually the organisation's error in making the documents searchable means you can exploit that error and use the search engine's context display to extract the confidential documents' text. It's called data theft, for the excellent reason that it's theft. If there's a loophole in our legislation that allows that theft, let's fix the loophole.
Yes browsing trademe is now a crime apparently or is it just when a National MP does it.
12 hours ago:
SIMON BRIDGES CRIMINAL RECEIVER
Today:
We weren't REALLY jizzing our pants at the prospect of Bridges' imminent conviction! Honest!
Just LOL. You guys spin and manage the truth even harder than Jacinda.
Turns out exploiting a system's security flaws to obtain confidential information isn't illegal in this country after all. Who knew? Clearly, National's dirty politics crew did, but they're an unusually duplicitous bunch of people.
Duplicitous?
The budget and everything in it belongs to us already.
Once the embargo is lifted, yes it does, til then, it doesn't. That's the nub of it. Even journalists abide by the embargo.
It's a self-imposed embargo on the government and Treasury. It is not a legal embargo.
If a third party obtains the information legally, they are not in breach of any embargo.
There is an Insider Trading like effect here. Releasing the info early has profound effects on the stock market, unlike a pre-arranged release.
The budget and everything in it belongs to us already.
No doubt the wazzock who took the rifles from the PN cop shop told himself the same thing. "Owned by the public" != "owned by me personally."
Check out this video of the security flaw being exploited
https://twitter.com/henrycooke/status/1133851000836542464
Nope it turns out it wasn't the Russians after all, just normal incompetence, no scary boogeymen, and just the 'opposition' using some mishandled information exactly like any political party would …at least this discovery didn't take some people two years to work out.
Well Poots and co are flat out bombing butchering Syrian civilians so they are rather busy.
I thought, well according to your past comments on the subject anyway, that Putin was quite capable of bombing civilians and undermining our western democracies all at the same time…he must be slipping.
Actually Adrian Thornton it is likely the "weak link" in Treasury's system has been around for years, but when Labour/Greens and NZ First were in Opposition they made no attempt to exploit it. I doubt they even tried because you know… they have a few ethical principles.
Why hasn't anyone offered their resignation over the stuff up?
Makhlouf must be in the firing line but maybe not until tomorrow.
I doubt it. Almost certainly what was done was standard practice for years and some National operative who understood this has exploited their inside knowledge to obtain information they knew perfectly well they had no right to.
David Farrar boasted that he did something similar when he worked directly for the National Party.
He denies it but I'm sure some of his old tricks make their way into the National Party manual on how to snoop.
Yes indeed, using the web site's search function is snooping. All web sites should get rid of their search function because searching is snooping.
Translation: entered “budget 2019/2020” into a search field on the Treasury website
Knowing that it would work is the critical point. It's not something the average punter would anticipate.
"Almost certainly what was done was standard practice for years and some National operative who understood this has exploited their inside knowledge to obtain information they knew perfectly well they had no right to"
Almost certainly? On what basis have you come to that conclusion? You do remember this is the second budget under this government, but somehow your "standard practice" was not exploited last year.
Wasn't Makhlouf the guy there for the last 8 years or so?
Have we ever had a leak like this before when National were doing budgets?
So what has changed?
As I said repeatedly yesterday, it doesn't matter how Bridges obtained the documents, it's what he did with them that matters.
He knew perfectly well it was confidential information, and that no-one releases Budget documents before the embargo is lifted.
This is politics. The Opposition had an opportunity to mess with the release of the Budget and took it. Some might regard that as bad form and others might regard it as fair game. What is clear is it isn't going to move the polls much at all.
I'm bookmarking that comment Gosman. It will come in handy.
Spoken like a true moral vacuum.
Absolutely. If anyone should resign or be dismissed it should be the staffer who did the exploit.
Could you, from this forum?
The government should have a good look into existing legislation to establish why this wasn't illegal and make sure that it is in future. What Makhlouf describes is someone probing the Treasury's site for a security flaw, finding one and spending time and effort exploiting that flaw to obtain confidential data. That, apparently, is "not hacking" under our current legislation.
Any organisation that has confidential data in its systems should be concerned about a loophole that says, no, the hackers didn't do anything illegal because your staff made a mistake and didn't secure the data properly. It's on a par with saying that the thieves who stole stuff from your car didn't do anything illegal because you forgot to lock it.
Exposing content through your site's own public search function is different from someone having to use technical knowledge and skills to access it. There are other aspects of law that already cover what someone does with confidential material they have secured access to.
Such a shit analogy the unlocked car one.
This is published information. Just because it isn't being advertised on a banner on the main screen, doesn't make it theft to find it by using the site's own search engine. I mean, what else is it there for?
If the IRD could take a leaf out of the treasury playbook it might be easier to get more information off their website.
The analogy is not a shit one. The data was clearly not intended to be accessible (access to the documents themselves was blocked), but was because someone forgot to stop the search engine from indexing it. The thieves were then able to reconstruct parts of the documents from the snippets available via the search engine.
That is exactly the same as the bag you left in your car being clearly not intended to be accessible but is because you forgot to lock the car, and thieves are then able to access your property by opening the door. Someone who wants to take your bag/the Treasury's data has to ignore that clear intent that the items should not be accessible.
Keep all valuables locked up while around National Party supporters.
A different analogy, that might be differently useful, is if a bank mistakenly deposits a $million in your account. You did nothing illegal – completely someone else's mistake. But if you then go on a spending spree and refuse to pay the money back, you're going to be in big trouble.
However you look at it, National was responsible for the data leak. The bad management and penny pinching of the last National Government meant the security on that system was about as secure as if a copy of the budget was sitting on a desk in a locked office with multiple books open to different pages viewable from an outside window.
And yet Labour has had two years to sort out any short fall in funding on data security.
No, this is purely on the IT people serving Treasury. Not a matter of funding.
'penny pinching' ..is that what Labour call being 'fiscally responsible'
Well in this instance I feel there's no blame on National, they did what any opposition should do and I don't see any blame on Labour as they did what any government should do as well
Gabriel Makhlouf on the other hand has a few questions to answer about this, like what evidence did he base his assertion on and was there any political pressure to say what he said
Bullshit. Bridges has outed himself as an utter hypocrite here. He launches an investigation into his own leaked expenses with high indignation and then smugly turns about and leaks the Budget himself and claims that's perfectly OK.
It's precisely NOT what 'any opposition should do'.
So what do you suggest Bridges do, bring nothing up ever again?
National did nothing wrong, Labour did nothing wrong but Treasury and its head certainly did some things wrong
Treasury and its head certainly did some things wrong
Maybe, but I’d also suspect Treasury has been managing the Budget web release in a similar fashion for some years. It’s been an adequate arrangement up to this point where some National Party operative determined to exploit the vulnerability.
What you’re doing is the classic ‘blame the victim’ game here.
So what do you suggest Bridges do, bring nothing up ever again?
Preferably … but there is value to the left in him staying on a bit longer.
Agreed RL. The most likely scenario is that some National-friendly IT contractor (most of them are) spotted the simple vulnerability and told National. A National operative then scripted lots of searches to hammer the search engine 2000+ times to look for any new content appearing. They got some not very interesting skeleton documents.
So far, – just mildly grubby and juvenile and technically not illegal, but borderline.
Then they released the documents – and this is the really mind-blowingly stupid and vulgar thing that you'd expect from Bridges/Bennett because:
– there is no public interest component in seeing documents that are going to be released anyway, and they contain no element of wrongdoing that could invoke the whistle-blower defence
– the release undermines the convention of budget confidentiality that is objectively important and is something that National itself will expect to see respected when it is back in government (sometime)
The word I'd use to describe how the Nats look from this is "vandals". Pathetic, vulgar, bitter little vandals.
Golfclap to Jacinda for smelling this from a mile away and throwing Treasury under the bus nice and fast.
Yes she did very well in distancing herself from this, maybe a bit more techy savvy than the usual politician perhaps
He could have netted himself a lot of credit by announcing he'd identified a security problem and informed treasury of it puckers. He'd've looked a lot less like a big baby that way.
As opposed to making Treasury (and by extension Labour) foolish…yeah I can see why you'd prefer that
He should have followed Keith Ng's example with the WINZ web kiosks: establish the hole exists, inform the organisations concerned, then make a big song and dance about it.
As opposed to going "I shouldn't know this, now everyone does", "I shouldn't know that, now everyone does", or in the case of WI data "Jane's DPB income is $632 per week", "Jim got an emergency needs grant to fix his car", etc.
Depends on who hired the it guys puckers.
Well obviously they were National stooges planted there to embarrass the government…
Something about not ascribing to malice that which can be explained by stupidity comes to mind
Puckish Rose – of course you are seeing National as a pure angel here but they are stupid as they were setup by treasury to find the budget to make them appear "loose mouthed"
You are seeking the treasury Secretary's explanation???
Ha ha ha; – He had already tendered his resignation before this all hit the fan;
Oh oh; – of course you didn't know this?
He has taken another overseas post and soon departs from NZ for a job in Ireland for their treasury.
Ask Derek Handley if job offers can be withdrawn before you start your new role
https://www.stuff.co.nz/business/107080064/derek-handley-receives-compensation-after-being-dumped-as-chief-technology-officer
Some IT person fucks up. Well this can happen. Not good enough, but someone who is really interested in serving N Z interests, would notify about the flaw, not leak the documents. Simon and the Nats are more interested in winning, than the interests of NZ.
It’s just possible said IT person was employed under national, but either way that is not the issue.
Treasury secretary seems to have lied. But in alerting the police he effectively shut down National's leaking of the budget. That needed to happen.
Now the IT breach being investigated by state services etc"……..
now back to the budget.
Bridges explains exactly how the National Party did it (https://www.stuff.co.nz/national/politics/113076613/live-leaks-ahead-of-government-releasing-its-wellbeing-budget)
From Henry Cooke: "Bridges says the information was accessed by using Treasury's search engine and inputting "2019/2020" along with a budget bid. No further clicks were needed."
"Any member of the New Zealand public could have done this," Bridges says. This matches what was revealed as the mistake by Treasury earlier this morning. The National Party have recorded a short video of the search happening."
So the publication by treasury of the budget info seems to have made the 2000 hacking attempts look like a waste of time. However the Nat leader has upped the ante:
“National leader Simon Bridges says Treasury has known exactly what happened since Tuesday but has “sat on a lie. They covered it up to hide their own incompetence,” Bridges said. He says he knows they knew what had happened because they fixed the issue with precision and that he has talked with sources within Treasury.”
The search engine displayed excerpts of the Budget. If you search for the title of the document, it might display the title and the first three sentences of text. Now knowing what the third sentence is, you search for the third sentence and the search engine displays the third, fourth, and fifth sentences. Now knowing what the fifth sentence is, you search for the fifth sentence and the search engine displays the fifth, sixth, and seventh sentences.
I guess it took close to 2000 searches to reconstruct the entire Budget.
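The gap described in the comments above (document pages blocked, but the site search still returning excerpts of them) can be reproduced and tested for on a site you run. This is an added example, not part of the thread and not Treasury's actual system; the class names, document ids, sample text and embargo times are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    body: str
    publish_at: datetime  # embargo lifts at this time (UTC)


def is_public(doc, now):
    return now >= doc.publish_at


class SiteSearch:
    """Toy site: one document store, a page handler and a search handler."""

    def __init__(self, enforce_embargo):
        # enforce_embargo=False models the mistake: only the page handler
        # checks the embargo, the search handler does not.
        self.enforce_embargo = enforce_embargo
        self._docs = {}

    def index(self, doc):
        self._docs[doc.doc_id] = doc

    def fetch(self, doc_id, now):
        """Document page. Always access-checked; None stands for a 403."""
        doc = self._docs.get(doc_id)
        return doc.body if doc and is_public(doc, now) else None

    def search(self, query, now, snippet_len=60):
        """Return (doc_id, title, snippet) for each matching document."""
        q = query.lower()
        hits = []
        for doc in self._docs.values():
            # Hardened path: same visibility rule as the page handler.
            if self.enforce_embargo and not is_public(doc, now):
                continue
            pos = doc.body.lower().find(q)
            if pos == -1 and q not in doc.title.lower():
                continue
            start = max(pos, 0)
            hits.append((doc.doc_id, doc.title,
                         doc.body[start:start + snippet_len]))
        return hits


def audit_index(site, probe_terms, now):
    """Ids of documents that search exposes but the page handler refuses."""
    leaked = set()
    for term in probe_terms:
        for doc_id, _title, _snippet in site.search(term, now):
            if site.fetch(doc_id, now) is None:
                leaked.add(doc_id)
    return sorted(leaked)


# Constructed sample data.
SAMPLE_DOCS = [
    Document("est-2018", "Estimates 2018/19 (constructed)",
             "Constructed sample text: published estimates for the prior year.",
             datetime(2018, 5, 17, 2, 0, tzinfo=timezone.utc)),
    Document("est-2019", "Estimates 2019/20 (constructed)",
             "Constructed sample text: embargoed estimates awaiting release.",
             datetime(2019, 5, 30, 2, 0, tzinfo=timezone.utc)),
]
PROBE_TERMS = ["estimates", "constructed"]
NOW = datetime(2019, 5, 28, 0, 0, tzinfo=timezone.utc)    # before release
AFTER = datetime(2019, 5, 30, 3, 0, tzinfo=timezone.utc)  # after release


def build_site(enforce_embargo):
    site = SiteSearch(enforce_embargo)
    for doc in SAMPLE_DOCS:
        site.index(doc)
    return site


if __name__ == "__main__":
    print("weak index exposes:", audit_index(build_site(False), PROBE_TERMS, NOW))
    print("hardened index exposes:", audit_index(build_site(True), PROBE_TERMS, NOW))
```

Run as a pre-release check, `audit_index` flags any document whose page is refused while the search handler still returns text from it.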
Oh, I see. Thanks for that technical insight, very helpful. If correct, it eliminates the hacking scenario – replaces that with diligent exploration.
Let's say each page of search results contains fifty images. (logos, buttons, icons). Each of those is a resource that must be served up by the website. Every time a page loads that’s 50 requests for data.
oops I mean “hacking attempts”
"Any member of the New Zealand public could have done this," Bridges says.
Well not just NZ. Worldwide in fact.
So tell me, Why has no-one else worldwide out of billions of people not done it.
The odds of one in billions seems unbelievable to me.
Do you think anyone in the world actually gives a damn? After all, Ministers in the current Government have been routinely breaching confidentiality for months while they tell us what is going to be in the Budget.
Even very junior Ministers like Willie Jackson have been leaking like colanders. For example on Morning Report today he told us that "The co-chair of Labour's Māori caucus says there will be targeted funding for Māori and Whānau Ora can expect a boost in the 2019 Budget."
Is that not a totally unethical leak? Personally I don't think so but anyone who rabbits on about Simon Bridges should be condemning Willie.
Treasury has never thought very cleverly have they?
Remember when treasury said in John Key and Steven Joyce’ time that our whole rail system should be shut down’??????
https://www.rnz.co.nz/news/political/278359/close-down-rail,-advised-the-treasury
6:08 pm on 9 July 2015
Brent Edwards, Political Editor – brent.edwards@radionz.co.nz
The Labour Party has accused the Treasury of being “nuts” for suggesting the country’s rail network should be closed because it costs too much.
In Budget documents released today the Treasury estimated the net social cost of supporting KiwiRail at between $55 million and $170 million a year.
In the paper the Treasury recommended the Government just fund KiwiRail for one more year while undertaking a comprehensive study to look at closing the rail company.
It said the study should be done publicly so that people were informed of the costs of running the rail network compared with any benefits it provided.
The Government rejected the idea.
Labour’s transport spokesperson Phil Twyford criticised the Treasury for even raising the suggestion.
“This proposal by Treasury for the Government to consider actually shutting down the rail network is just nuts and it shows that Treasury doesn’t really understand transport economics and they certainly don’t get rail.
“You know rail should be for decades and decades to come, it should be alongside the road system, the backbone of New Zealand’s transport system … To shut down, even to contemplate shutting down this valuable part of our nation’s infrastructure is barmy,” Mr Twyford said.
While government ministers rejected the idea initially they only intended providing money for KiwiRail for this financial year.
“the media spent all day talking about how Simon Bridges said Grant Robertson said one thing and Grant Robertson said he said no such thing”
This is exactly why I’ve increasingly turned away from mainstream NZ media. There’s absolutely zero thought process involved or analysis on the part of the “journalists”. You can guarantee that as soon as Jacinda/Labour/The Greens say one thing, the very next part of the report will be “but Bridges/National say that’s wrong”. Here’s an idea, why don’t journalists line up what people say against facts and figures to show who’s most likely to be correct and who isn’t. Honestly, they add zero value whatsoever – so the opposition party says the government’s wrong, well, I’m shocked, shocked I tell you!
I think Bridges this morning was asked how his release of info was in the Public Interest.
He predictably launched into the usual tirade about incompetence of Government and Treasury. But that doesn't answer the question does it?
If the Budget diverts money away from Health and Education to use as bribes to NZ First, knowing about it is in the public interest.
A Capital Gains Tax would have helped.
At last, something on which we agree.
If that was even true, it would become known today after 2pm. A garbled version from your mate Simon would do no good at all – unless all he wanted was people to notice him at any cost.
Treasury are already advertising for a new web editor on LinkedIn:
https://www.linkedin.com/jobs/view/1291709381/
you couldn't make this shit up, people would say it was just a piss take!
Thought you were taking the Michael before I clicked on the link….as you say you couldn't make this shit up.
Any one got a pin sharpener, they are getting awfully blunt with all the dancing
The question that no one has asked that really should be answered by National:
Did they or anyone else use their knowledge of what happens on budget day when they were in power to perform this circumvention of the website security?
If they did it's highly unethical at the very least.
Treasury : Looking after
NZ citizens the NZ economy's theoretical heaven since the early 1980's. Motto – Efficiency and Effectiveness; with low Externalities. Mission – To be economical (with the truth) and be rich in imaginative scenarios and fitting up society, and in rewards to those immersed in finance (including themselves).
Bridges’ demand this morning that the Finance Minister resign ain’t going to happen. It was basically overreach that will allow the government to frame this as the Leader of The Opposition crashing around trying to save his own position. NZers might ask themselves has anything National has done here material to them? Meanwhile the government can get the budget back on track by stressing that it is all about the country’s interests and well being
Danyl writes that Treasury is "conducting a review into what happened, which will doubtless absolve themselves of any responsibility, instead blaming systems and processes and organisational deficiencies, another time honoured tradition shared by politicians and public servants and IT staff alike." https://thespinoff.co.nz/politics/30-05-2019/the-treasury-hack-and-the-time-honoured-tradition-of-desperate-arse-covering/
As I suggested earlier this morning in my comment about Labour's double standard. It puzzles me that the left are always trying to cover up public service wrong-doing. Do they not grasp that people prefer to see a functional moral compass operating in government??
For all the goodwill this Labour led Govt had upon its arrival, it's certainly demonstrating a startling incompetence.
JP how has Labour been incompetent in this situation?
Well, asking one more question than they did – 'how did this happen' – would have prevented a Minister going to the press and looking like a dumbass when it turns out by 'hacking' they meant 'using the search function'.
They may have asked the question and been fibbed to jaysy peesy.
This whole saga is definitely Simon's way of getting revenge for his spending being released 2 days early.
That's exactly how his petty mind works.
Typical schoolboy stuff to a tee.
The relevant part of the Crimes Act 1961 is this:
249 Accessing computer system for dishonest purpose
(1) Every one is liable to imprisonment for a term not exceeding 7 years who,
directly or indirectly, accesses any computer system and thereby, dishonestly or
by deception, and without claim of right,—
(a) obtains any property, privilege, service, pecuniary advantage, benefit, or
valuable consideration; or
(b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who,
directly or indirectly, accesses any computer system with intent, dishonestly or
by deception, and without claim of right,—
(a) to obtain any property, privilege, service, pecuniary advantage, benefit,
or valuable consideration; or
(b) to cause loss to any other person.
(3) In this section, deception has the same meaning as in section 240(2).
Hacking by claiming to be someone else (eg using someone else's log-in) is the "by deception" part; but that is an alternative to "dishonestly", which means without a belief in permission or consent (section 217) – and exploiting a vulnerability seems to amount to dishonesty because it does not involve consent or permission. If a benefit has been obtained – which raises the question of whether that word is limited to financial benefit or is more broadly construed – then there may have been an offence.
and without claim of right
In my opinion this is the critical line National have stepped over. Just because the documents were partially accessible via a public search tool, does not imply they had 'a claim of right' to them.
It does rather cast the Police decision in a dubious light.
Thinking about Bridges' shenanigans from Labour's point of view, am guessing that someone senior had a quiet word (at arms length) to the police to drop it.
It's in Labour's best interests to sustain Bridges' leadership for as long as possible.
'I wonder if Winston is thinking of taking a civil case against them?'
Gawd I wish that smelly old stain on NZ politics would cast off his mortal coil so we no longer had to suffer his dementia and the dubious behaviour of his caucus.
He loves you too highlystunted.
Yes, I do agree with all that. Such priorities are indeed more important, to serve the public. However the double standard on ethics is an endemic problem requiring solution.
Why didn't national tell the government the problem instead of trying to score points from a mistake?
Sheesh what happened to being honest?
What happened to doing the right thing?
Oh that's right, 40 years of hard right economics has made almost every politician a selfish wanker; into petty point scoring, smug flippancy, and cheap aggrandisement.
As if Labour would have if they had been in opposition.
From "Labour did it too!" to "Labour would have done it too!"
Personified.
Definition of duplicity
1 : contradictory doubleness of thought, speech, or action
https://twitter.com/normnz/status/1133661628229013504
THAT is interesting. So Eyebrows was in the know.
😂
Wellington and the Beehive particularly will have to clean up its act or it will be rivalling Auckland for the Duplicity of NZ Award.
There may have to be a new award – Dual-Duplicities for Malicious Attrition of Democracy Dreams (MADD). Doubly mad!
Justice hacker sparks police probe. This could be the opportune time to call in Council cleaning experts and do a sewer probe, there is possibly a ton of important shredded paper in a fatberg under Wellington.
I think Bridges has made a donkey of himself. That idiot that shares a couples' secret with the entire room…"Guess what everyone, Paul and Mary are having a baby!"
Not Joseph and Mary?
This is starting to look like the Keystone Cops have been hired down in Wellington to run Treasury..
Another Budget blunder: Treasury give journalists early copies by mistake
https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12235784
This is the discrepancy between Police discretion and what the Law actually says.
That the Police did nothing aligns with their historical reluctance to bring charges against (or even investigating) politicians.
I guess they imagine the court of public opinion will do the job.
https://i.stuff.co.nz/business/industries/113111605/nationals-budget-leaks-go-against-security-agencys-advice-and-treasury-breach-was-unlawful-lawyers-say
It was said this morning that the contents of the Budget does not have legal protection. Only the custom to the secrecy, but with each Government "leaking" bits to the public to spark interest.
It seems to me that most previous Budgets were pretty uninteresting. Thus an English Budget was Ho-Hum. But this one will generate heightened interest as the Opposition have to spike Government being approved by Public against next year's Election.
That's interesting. Could be an instance of lawyers opining in defiance of common sense – unless the law specifies that providing a web page to the public is not publication!
However Stuff failed to specify which law was being broken. The police presumably got legal advice that prosecution would fail. Assertions of illegality really do need to be proven, to show they aren't just hot air.
It's illegal.
Crimes Act 1961 no 43 Section 252
Accessing computer system without authorisation
(1)
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
I would love to see someone argue that the leader of the National party was not aware that he was not authorised to access documents before an embargo.
https://www.paknsaveonline.co.nz/product/5216883_ea_000pns?name=2-ply-facial-tissues
I found this product by using the search engine at the Pak n Save website…they might be helpful for you to wipe away your tears. Of course you may argue I did not have authorisation to use the Pak n Save search engine.
How childish.
well said
Cool heads have pointed out that the public have access to Treasury information as a matter of course. They just didn't keep their important stuff secure. It confirms my opinion that this demand that we do everything through computers and the web is stupidly mistaken.
In the Treasury case, there was a show of a page giving an idea of what would follow, a taste of say a heading and three sentences. If you then took the last sentence and fed that into the search box, it would give you that and the next two sentences, or similar. So if one kept at it with 2,000 searches, much of the document would build up. Few would have expected that the Budget document would be accessible from that. But finding out how it worked would act as a challenge for an anti-authoritarian young male, as so many are now.
….public have access to Treasury information as a matter of course. They just didn't keep their important stuff secure.
Eggsactly. For the past nearly decade, in anticipation of the Budget, I have spent a wee while on the Treasury website reacquainting myself with previous years' efforts…especially for Vote Health.
More than once I have merely deleted the year from the URL thingy and replaced it with the next year I want to revisit. I did one year accidentally put in the current year….
Someone stuffed up. Shit happens. Stupid people tried to capitalise on the snafu and wound up looking like fwits.
It is, I'll wager, pure luck this hasn't happened at this level sooner.
Betcha it won't be happening again.
They just didn't keep their important stuff secure.
Like it or not, many organisations hold confidential information about you, and the security of that information is in the hands of fallible humans. You may feel blase about it being entirely legal for people to exploit the mistakes of those fallible humans to gain unauthorised access to that confidential information, but your society and its legislators should not be.
Exactly, I think this is the pin the RW are dancing on.
PM
I said
They just didn't keep their important stuff secure. It confirms my opinion that this demand that we do everything through computers and the web is stupidly mistaken.
I think I made my point. But you are so fond of being preachy and right that you like to jump in with your points.
Simon not quite out of the shadows yet?
"National's Budget leaks go against security agency's advice and Treasury breach was unlawful, lawyers say."
"Ingram said if someone found something online that they believed they shouldn't be able to access, they could report it to the site owner or get advice from Cert in confidence."
"Media lawyer Steven Price said National had acted unlawfully by obtaining and distributing unauthorised information."
https://www.stuff.co.nz/business/industries/113111605/nationals-budget-leaks-go-against-security-agencys-advice-and-treasury-breach-was-unlawful-lawyers-say
Of course I mean it's not like a lawyer would want to try to drum up some business over this
Well, now the actual budget is out, who cares about Bridges' leak (apart from Bridges himself of course).
Which comes back to what was the whole point of that fiasco anyway – revealing a few tidbits of information that were going to be made public (in fact, very public) a mere 48 hrs later, then jumping up and down that everyone else had to resign because Bridges got his hands on information he probably shouldn’t have been able to get, but did anyway after putting what must have been a fairly sizable chunk of person-hours into obtaining it…. when they could have been doing something useful for society instead. Meanwhile, back in the real world, real people have actual real work to get on with.