Hacking the Treasury, or not

New Zealand’s media enjoyed a day where computer, or maybe cyber, hacking made the headlines.

Here’s the RNZ take:

There is a lot to unpack in the story. You can find that elsewhere. One thing that needs clarification is what is meant by the word ‘hacking’.

Hacking is a term that’s meaning changes depending on who uses it.

Hacking once meant one thing…

It means one thing to old school computer programmers — kids note that’s what people who wrote computer software were called before the job description was upgraded to developer.

For those people a hacker can be someone who cuts a piece of code.

It can mean someone who writes good code or it can mean someone who writes bodged code. I never quite caught the nuance there but definitely heard it used both ways in different contexts.

You may argue, but for most people this meaning of hacker is now archaic.

… it then meant another thing

It means another thing to people who work in and around computer security. Most of the time they take care not to use the word hacker. I assume that’s at least in part because there can be slightly glamorous connotations.

Or it could be they are language pedants who don’t want to get in a fight.

Many modern computer security folk prefer terms like bad actor, which makes me think of Tom Cruise.

Or maybe they talk about attackers. At one industry event, some high flying US security experts kept referring to hostiles.

Whatever. The key here is that in some security and enterprise system circles the word hacker can, but doesn’t always, refer to a person who manages to breach a system’s perimeter security and get inside.

Once again there are nuances.

Media see hacker another way

For the more excitable parts of the media, a hacker is someone who wears a balaclava while using a computer. They might also wear military fatigues.

You don’t often get to see the computer, but if you do, it’s often an old fashioned-looking computer, never a tablet or a phone, which seems odd to me, but there you go.

Another feature of this kind of hacker is they often work with green, text-based screens. What they do may be advanced and scary, but their computer hardware seems to come from the cold war era. More Trabant than Tesla.

Much of the media and the general public think of hackers as people who do bad things with computers. It’s not just newspapers, radio and TV journalists. When you see computer crime in movies or TV shows, the bad guys are hackers.

Far be it for me to cast aspersions on my colleagues, but there is something a tad click-baity about hacker.

As an aside, I’ve written before about how the word cyber now seems to be related to hacker. In a nutshell, when something computery is good, the prefix is computer. When it’s bad the prefix is cyber.

Which explains why the great unwashed now understands the term hacker in this context.

Guilty your honour

I’ve found myself using the term, most likely incorrectly in your eyes, on TV and radio precisely because it is a shortcut to explaining things to the audience.

You might only have 120 seconds to explain something complicated. If you spend that qualifying terms defining the attack like a crusty old classics academic deconstructing Ancient Greek texts you’ve lost the audience.

It’s all Greek to them anyway.

Treasury hack

So, was this week’s Treasury Hack actually a hacking attack or was it something else? It appears that someone found some data that was stored on a web page or series of pages that had not yet been made public.

You can, I sometimes do, stumble over things like this by accident.

Now that’s not necessary hacking as we know it in 2019. It might well have been described as hacking in 1999.

You can sometimes get to these pages using spiders. This is something Google does every day. No-one thinks of that as hacking.

Dozens, even hundreds of pages on this site are spidered every day. This can include deleted pages, draft posts and posts that will never formally see the light of day,

Hostiles everywhere

If I look at the weblogs there are also thousands of probs every day where people — let’s call them hostiles, after all, it starts with an H — are looking for ways to compromise my security.

Some are easy to spot as they are calling URLs that don’t exist on my site, but might exist on some sites and can contain known vulnerabilities.

I just checked. This site, had 1486, let’s say, dubious, calls in the last 24 hours.

If I’m getting that. And trust me, there is no information on here worth stealing, then a government system like Treasury will be getting an order of magnitude more probes. At least.

Another aside: There might not be anything worth stealing, but it could be worth gaining access to launch a bot attack or other mischief.

Is that hacking? Not in the sense computer professionals and geeks use the term. But it is in the sense that the media use the term and the sense the general public has come to understand the word.

You don’t have to like seeing the word used this way, but you don’t have any control over it. Those people speak a different language to you. They know what it means to them.