Hacking has lost its allure as the digital world evolved. Photo/Getty Images
Hacking has lost its allure as the digital world evolved. Photo/Getty Images
Amazingly enough, it's 2019 and we're still arguing about the definition of hacking in the wake of the Treasury web server misconfiguration which National took advantage of to hurt the Government while shooting the moral high horse it rode in on stone dead.
To techies, being a hacker used tobe someone who took creative and sometimes ugly shortcuts to quickly solve coding and computer problems.
That was in the 80s and 90s and I was reminded of it after one of the original hacking groups, The Cult of the Dead Cow or cDc as the cool dads call it, sent a media release about the filmed preparations in 1999 for the release of the Back Orifice 2K (a crude pun on Microsoft's BackOffice) remote access software at the DEF CON 7 conference.
Ah yes; those were the days. Hacking often tested the boundaries of the allowable and ethical, which is why it attracted (mostly) young men. Sticking it to The Clueless Man from behind a hard-to-find computer screen and over a network was fun and exciting, and initially much safer than rucking it with riot cops in the streets.
Lots of good came out of hacking, like political awareness; cDc lays claim to be the first hacktivists for example.
Now though, hacking is synonymous with digital crime gangs and nation-state actors stealing intellectual property, crippling critical infrastructure and deploying ransomware to obtain forex to get around Western financial sanctions.
That's how the public defines hacking, a negative phenomenon. It's been like that for years and years now. Getting hacked can be devastating.
The negative association is why stories appeared about Democratic presidential candidate Beto O'Rourke, a former cDc member. As youthful indiscretions go, it's probably less controversial to admit having done Class A drugs than a hacker past.
This despite Beto's activities having been nothing more than hanging out in discussion forums, bit of phone phreaking and T-files publishing. As a related aside, Beto is the second cDc hacker to aim for the highest office in the United States. The first was the late Tequila Willy who was probably never as electable as Beto.
In that vague and uncertain context, politicians and civil servants dropping the H-bomb on others have to make sure it's armed and ready to blow or they'll risk being hoist on their own petard.
Hacking malfeasance is covered by computer crimes amendments to the Crimes Act introduced in 1999. In the new laws, it was defined as intentionally accessing a computer system without authorisation.
Geek lawyer Rick Shera and InternetNZ helped provide a crash course in how computers and networks operate for our politicians around the new millennium so as to craft the new laws.
In these uncharted legal waters lurked unexpected mines like the Muldoon-era Government Communications Security Bureau, which had been working so much in the shadows that hardly anyone knew about the sigint spy agency.
GCSB was very secret indeed. At the time, GCSB was operating without any statutory authority, and was therefore possibly in breach of the proposed computer crimes law along with the NZ Security Intelligence Service and the police, Shera told me.
A standing order paper hacked out exemptions for our spies and police in the new law and GCSB got its own act in 2003 which was updated and renamed in 2017. Now everyone knows about GCSB and they even comment in media.
The computer crimes laws the spy agencies are exempt from are less than straightforward however.
Plenty of cases have been dealt with under S249 which carries severe maximum penalties of five to seven years for accessing computer systems for dishonest purposes.
That's not hacking though, but access misuse. High profile lawyer Felix Geiringer, who analysed reported S249 decisions in mid-2015, found that almost none involved anything that could be commonly construed as hacking.
Shera noted that Kim Dotcom and the Megaupload trio were found to have broken S249 as "access" is defined as "use". This even though they used Megaupload's computers, a notion that should give everyone pause for thought.
The Dotcom court battle has also led to the High Court extending the notion that digital files are property to every section of the Crimes Act and it's difficult to disagree with Shera when he says "the whole thing is a mess".
Internet entrepreneur Kim Dotcom in court. Photo/Getty Images
"Go through the Crimes Act and substitute "digital Budget material" for "property". You'll find plenty of weird crimes that now potentially apply I'm sure," Shera added.
Where's the hacking or unauthorised access statute though? That seems to be section 252, which carries a mere two years behind bars maximum penalty.
However, InternetNZ submitted a clause for S252 that ended up as "to avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access."
Shera agrees that it seems to say that once you're allowed in, you can grab whatever you want. As would be the case with a public web server like the Treasury's one. That's for the courts to decide though. With vague and overly broad laws that carry disproportionate penalties, the best advice is to stay away from anything to do with hacking.
