
Month: June 2019

10 Things I’ve Learnt About Querying Fiction

There’s a genre of opinion piece infesting the darker creative corners of the internet, where an unsuccessful artist lashes out and writes a diatribe about how the system is broken, and everyone is garbage, and how they’re striking out on their own. We all look at those petulant flameouts, and we shake our heads and wonder what drives somebody to that. I know I did. Now, four months into querying without a single partial, I get it. Every unanswered submission on my spreadsheet burns. Every form letter makes me feel worse about myself as a writer and as a person. Querying is a sandpaper whirlwind rubbing down my soul; querying is a little man with a big hammer gently tapping out an arpeggio at the base of my skull while I try to sleep; querying sucks ass. I think the reason I haven’t started shouting about FUCKING AGENTS is because I’ve been on the other side of the mirror and I know what it’s like. From the outside, the beast can seem callous and faceless. From the inside, it’s, well … let’s talk about it. 

Life in Wonderland 

I’ve run submissions inboxes for small magazines, major publishing houses, and everything in between. I’ve seen a lot of queries and drank a lot of instant coffee and let me tell you: the system consists of passionate, intelligent people who are monumentally fucking overloaded. I don’t think people really understand the volume these folks are seeing, and the sort of things that show up unsolicited. Here’s a list of things I’ve seen in slush piles: 

  • A Where’s Waldo with the author’s face photoshopped onto Waldo and almost no other changes. 
  • An extremely graphic children’s book complete with MSPaint illustrations, which aimed to teach kids about the author’s fertility cult. 
  • A novella about Adolf Hitler crying into Hess’ lap because he got booed by a Jewish man at an open mic, which leads to them planning the Holocaust. 

That Hitler story was three times the maximum length, the author wasn’t from a geographic location we accepted submissions from, and it seemed like the last 2k was hastily tacked on to fit our genre—it turns out it was virtual reality all along, so it was apparently SF/F. The unavoidable subtext was that the real Nazis are people who reject authors. Upon rejection, the author responded with an angry screed about how he was a big deal and we’d be sorry (he wasn’t and we weren’t). 

And it just keeps coming. Shimmer Magazine shut down submissions almost a year ago, and they post regular updates on their Twitter about the last time they received a submission. I don’t know when you’re reading this, but I bet you their last sub was less than a month ago. Shimmer locked their doors, and loudly announced they were locking their doors, and regularly remind folks that the door is locked, and they still get new content coming in every day. 

Think about that, then imagine what it’s like when the doors are open. It’s constant. It wouldn’t surprise me if some agents were getting triple-figure submissions some days. It’s a lot of work, and it’s not even their whole job: their actual money comes from selling books to publishers, and reading queries is just how they find books to sell. 

Look, there’s very little money in publishing. Most of us work other gigs, and do publishing on the side when we have time and when the work’s available. Publishing is the coolest job in the world, but the pay is crap and the hours are long—you only do this work because you love it. It’s also precarious: one bad book could sink you. Neither agents nor publishers are part of some unfeeling machine—agents want to accept your MS, but they also want to pay off their student loans and sort out that down payment on their mortgage and also get through a slush pile that just keeps getting bigger and bigger no matter how hard they work. They want to keep being agents, and that means making hard choices about what they accept.

Doing rejections sucks; you get the occasional angry screed, but most people who do respond are wonderful and gentle and heartbroken. It’s suburban dads who cried when they read Knausgaard, and teenage poets who need another ten years, and clever old women who run mystery-writing circles and whose current work is really very good but not what the market wants right now. I wish I could accept all of them, but if I did that I’d be the grim reaper of publishing houses. Just replying to everybody without using form letters would be a fulltime job. It’s a lot of work to keep your head above water, and the only reward is not drowning. 

So What Can I Do?

1) Follow instructions. I cannot overstate how important this is. Hitler guy is an outlier in how extreme he was, but a lot of authors break the rules and it’s an instant disqualifier. If you’re thinking you can be clever by explaining why you’re different then I regret to inform you that you’re not different, and you’re about to join the ten other people in the inbox this morning saying they’re different in the rejection pile. 

I know the temptation is real. I really wanted to query Dongwon Song with my current project. The dude’s got an amazing stable of authors, a great professional reputation, and I’ve heard he’s wonderful to work with. He sells books I love, and he seemed like a good fit. Two words on his MSWL sunk it: no cops. Now, my MS is best summed up as cops suck, be gay, do crimes, but the protagonist is a police officer and I knew that “I know you said no cops buuuuuuut” would send my query down in flames. Every day, there’s somebody in the inbox trying to tell you why they’re different in some way, and 90% of them are lying, and you don’t have the time or energy to figure out whether they’re not. 

2) Pace yourself. I had a moment a few weeks ago where I got fed up at all the silence and sent out 10 queries in 48 hours. They were very low-quality, because I was churning them out as fast as possible. It was a bad move, and I expect 100% rejection from them. If you got a bad pitch from me on June 16/17, then I’m sorry about that. A colleague sat me down and had some words with me, and I’ve subsequently slowed the fuck down and revised my query letter. I can’t take back those ten letters, though—that’s ten agents I’ve burned, whose time I’ve wasted. They probably won’t remember me, but they won’t be taking me on either. The job of an agent is to distinguish signal from noise, and if you don’t act like a professional then you go straight into the noise bucket.  

3) Pitch Parties are a clusterfuck. If you thought submissions inboxes are bad, wait until you attend a pitch party. They were apparently great a few years ago, but the internet has caught up with them and now the volume is ridiculous. The number of entrants has skyrocketed, but the number of agents has remained relatively stable, even often going down. I started tracking metrics during last month’s #pitdark and caught 60 pitches/minute at the top of the hour. That’s not to say don’t do them (it’s 30 mins work tops to set up Tweetdeck with scheduled pitches—if you’re smart, the work/potential result ratio is solid) but manage your expectations. 

4) Be kind. I remember Hitler guy not because his content was uniquely bad (it honestly wasn’t: his prose was fine, it was the bizarre subject matter and broken rules at issue) but because of his flameout. There’s a human on the receiving end of that email, and one who has dedicated their life to sharing cool stories. They want to accept your manuscript. They’re not the villain, and they will remember that you blew up at them. Grizzling about rejections is fine and normal (they suck, from the bottom of my worn and fraying heart right now I absolutely know how much it all sucks), but for the love of christ don’t hit Send. I’m more sympathetic to the dude now, but I’m not even close to accepting more work from him. 

5) This is going to suck. Some authors get lucky on their first pick, but if you bet on being one of them, then you’re destined for a breakdown. Most published authors send out 40-60 pitches before they get accepted. I’m about halfway there, and I’ve developed a much stronger pitch, and I still feel like screaming. I arrogantly thought it would take about six weeks (I’m connected! I do books for a living! I’m just that good!), and we’re now on month 4 with only a tiny bit of headway. WorldCon is—for what is almost certainly the only time—coming to my home next year and I’d dreamed of walking the con floor as a novelist. That dream has come crashing down and it sucks, and querying sucks, and everything really just sucks right now. Querying is harder than writing the actual book—it’s the same sort of effort without any of the joy. You need the perfect book and the perfect pitch, going out to the perfect agent. You need to know how hard this is so you can properly brace for impact, because otherwise it’s gonna break your damned legs. 

What Does a Good Pitch Look Like? 

  • If something is in your first x pages, the pitch should explain why it’s there. My mistake in my early pitches was to lead with something that happens ⅓ of the way through the manuscript, and isn’t included in the first 5–20. The opening chapter, without explanation, comes off like a bad cold-open. As soon as I flipped my pitch to start at the start, I got more traction. 
  • Comp titles are gold. They contain a huge amount of information in a very small space. Don’t overdo it, but 2–3 solid comp titles are an absolute requirement. Talk to your beta readers and see what it reminded them of—Leviathan got suggested by one of my readers, so I read it and I wish I’d done it sooner: it was a great read, and it’s a great comp title. 
  • Don’t run long. Most submissions pages will say how long they expect the query to be, and it’s rarely more than 2 pages. If they don’t say, that means 1–2 pages. 
  • Who are you? Publishing credits, awards, formal qualifications. One paragraph max, demonstrate that you’ve put in your 10,000 hours. If you haven’t got any, there are other things to do here, e.g. I’ve noticed a recurring pattern in that good pitches from non-authors often come from journalists, and I take journo bylines very seriously. 
  • Be professional. One of the things I most regret in my early pitches was being super informal under the belief it would make me seem fun and easy to work with. I should’ve known better: the average submissions inbox is filled with unprofessional people and you don’t want to put yourself in their company. You create a question: is this guy chatty and informal, or do they just not know what they’re doing? When an agent is going through a huge volume of submissions, they don’t have time to make that distinction. 

So Where Does That Leave Us? 

Well, at the time of writing I’m still querying. If you’re reading this in 2029, tell me how well it worked out and/or whether it’s smart to invest in beachside property. I reckon I’ve probably got another 3–4 months minimum. I hate it, and I’m constantly on the verge of self-pubbing but my little goblin heart keeps pushing me back towards trad. We’ll see how it shakes out. 

You? I can’t promise you’ll sell your book, but I want you to sell your fucking book. You did a cool thing and you deserve credit for it, but that’s just not how things work. You need to brace for impact, because this is going to suck.

Good luck. 

We’re both gonna need it. 

Poetry: June 2019

New Zealand Fiction

I issued a complaint to the Ministry of Lost Causes
They responded: tena koe %clientName we’re sorry to hear
you were upset, but our staff keep flying away; 
the earth is too heavy, their shoes are too light. 
Nga mihi,

All these stories by straight old white men;
we need new voices, new perspectives—
like me, a young gay white man.
The future is here: it is %currentGeneration.

I’m not sure I can tell you

It’s a sorta fucky thing
galloping, downwards 
indigent, collapsing 
welt-foot, bareback
fragments of bone 
we lost at night. 
Does that make sense? 

No but okay, there’s heat right? 
There’s this instra-us wiring
that bends when we walk; 
that skeletons the silence.
Flashbulbs and nitrate-stink 
and little pieces of the night
and all that, you know? 

Okay yeah sorta but more like— 
the smell of lightning/the taste of a nosebleed
illuminating our frames as we stumble forward. 
It’s not a thing I have words for. 
It’s just a thing, you know?

Milk and Honey

Callum sat with his guts in his hands, surrounded by gold bricks, scorched turf and Prussian corpses. They’d been absolute bastards to the man—the remnants of Von Tempsky’s old unit, scalp-takers and cannibals all—but nobody deserved to die in fucking Otago. Callum should’ve died in Scotland, like every man of his blood before him, but he’d cut the fuses half an inch too long. Timing wasn’t exactly an issue when you used the shit for mining: you made the fuses as long as possible, and if they took a long time to blow then you went out for a sandwich break with the lads. Half an inch of fuse, maybe ten seconds’ difference, and his belly was laid open on the turf. Half an inch, because it was cold and his hands were shaking and he barely had enough left to buy food, let alone gloves.

His skin was freezing cold, but his guts were burning hot. It was like all the heat in his body were pulling inwards, t’wards the heart, mounting a brave rearguard to keep the rest of his bits alive. It wasn’t working. He couldn’t feel his legs. He picked up a gold brick, and tapped it against his tooth. It went clink, like it should. The last shipment out of Otago before the mines closed, now spread out all across the highlands, mixed in with little bits of blast-grilled German savage; mercenaries, not paid nearly enough to find themselves spread out to the winds. They took scalps because they’d heard native folks did it. Wrong continent for that business entirely, but nobody felt the need to correct them.

Four hundred-thousand pounds worth of gold, destined for London, for the fingers and necks of lordly ladies. More money in one brick than Callum had seen in his lifetime. He spat, and it painted the turf red. The pain hollowed him out like rot inside a tooth. He panted and tried to stay conscious, but night was coming and there weren’t shit he could do about it. His da had come from the other highlands—the real highlands—after the clearances drove the family north, to Inverness. Otago wasn’t home, but it was close enough; the place was emptier than Am Fuckin Monadh Ruadh.

Like the highlands back home, there was nothing left. Not a nugget of gold: not above-ground, not in the rivers, not anywhere you could reach with a practicable quantity of dynamite. Boys like Callum had flooded south with gold in their eyes, and come out with dust in their bellies. Thousands of them, tens of thousands, all for it to dry up in less than ten years. Up north they were so pressed for land they were killing brown men for it, but Otago had empty town after empty town stretched out across the hills like so many winter flowers. There was plenty of space—maybe they just liked killing brown men. Some of the gold would stay in-country: make its way to Wellington, fund more bullets to fight more Māori. There weren’t enough land, apparently. He’d heard that one back home, when they started dragging families out of the highlands, pushing them to Inverness and Aberdeen and Glasgow—they needed more space. Now there was nothing but space and silence. Silence in the Waikato, silence in Am Monadh Ruadh, silence across the Otago highlands—boundless, monstrous silence filled only by the dull clinking of gold.

Callum had nothing left to do but die, but instead he sang. It sent a shudder through him, from his balls to his tailbone and then off up his spine, but he sang. He didn’t know many songs that fit right: it was mostly miners’ and sailors’ stuff about girlies back home and how very well they filled out their clothes. There was one though, that da had sung sometimes. Burns? Probably Burns. It was always fuckin’ Burns. His tenor came out through blood and foaming spit, liquid and sloppy, tinged purple by the ache in his guts.

Farewell to the mountains, high-cover’d with snow,
Farewell to the straths and green vallies below;

The Company would find the gold. They had a system in place for this sort of thing. Half the plan was about keeping the damned cart in one piece so he could ride it away. Rocks fall in front of Germans, Germans come to a stop, threaten Germans with further demolition unless they leave the gold and fuck off back to Dunedin. Best laid plans and all that. Callum didn’t know robbery: he knew mining. For a moment it had seemed like one could become the other but that moment had all gone up in cordite smoke. In the burning glare of hindsight, he knew it had never been a clever plan, but hell—when all you’ve got in dynamite, everybody looks like a goldmine.

It hadn’t blown when it was meant to of course, so he’d run—worthless fireheaded tin-cocked fool—to check on it. Saw the Germans actually moving through the pass un-stopped, run to check on the sticks, rounded the corner just in time to see the whole damn highlands come to pieces. The blast had taken out at least one of his eardrums, and sent a bullet-sized piece of rock into his stomach and out the other side. Shucked his belly like an old woman working wi’ peas, spilt him out over the stone. He was a dead man and he knew it—the message just hadn’t reached his heart yet.

With nothing better to do, in defiance of God and Country and the gold rush and the clearances and the bastard cannibal Germans and the Company, Callum sang while the light faded.

Farewell to the forests and wild-hanging woods,
Farewell to the torrents and loud-pouring floods.
My heart’s in the highlands, my heart is not—

What Hacking Actually Is

I want you to imagine you just bought a second-hand car. Let’s say, a ‘91 Toyota Corolla. It drives fine, but when you check the internals … it’s a mess. Some madman has totally rewired it based on no plan known to god nor mechanic: there’s solder everywhere; there are blowtorch burns so extensive you can smell them on a hot day; there’s a bunch of random LEDs that don’t seem to do anything, but if you take any of them out the car won’t start. You’re convinced that this whole thing is going to explode if you take it above 55km/h.

You spend weeks rewiring it. You can’t get it to look anything like a factory model, but when you’re done you’re at least convinced you can use the cupholder without cutting your hand off. Damn, you’re good—it was a pain in the ass and you had to disassemble a string of Christmas lights for some extra LEDs, but you’re proud of your work.

If the car were a piece of software, the correct way to describe your repairs would be hacking a hack. And if somebody else managed to gain remote control of your car using an issue in the old wiring that you missed (who installs a mini-microwave under the engine? Why does the microwave have wifi?) and proceeds to plow it into a nanna crossing the road at 10am, then they’ve hacked your hacked hack.

Do you see why this is a problem?

Here’s an incomplete list of things I have heard developers call ‘a hack’:

  • Intentional unauthorised access
  • Unintentional unauthorised access
  • Any malicious code inserted into any device
  • Any exploit whatsoever
  • Good, clever, well-made code (written by you)
  • Terrible, no-good, jerry-rigged code (written by somebody else)
  • Any code whatsoever (written by anybody at all)

If it helps, consider lifehacks. We’ve all seen them: stuff like putting a rubber band around a paint can so you can wipe your brush on it. They’re probably the closest the general public gets to the tech definition of ‘hacking’—No.8 Wire solutions that look a bit janky but can do a good (or better) job than using the tool in the intended fashion. And, like software hacks, a lot of them are profoundly worthless and will make your microwave explode. An intentional hack that results in unauthorised access is, well, hacking the code—using the tools available to improvise a way into a secure area. The very first hackers were folks in the 1950s who figured out you could ‘hack’ phone lines by playing the right sounds at them to make free telephone calls. Often it involved using a high-tech “blue box” but sometimes all it took was a 5c tin whistle tuned to the right note.

I briefly mentioned ‘cracking’ in the original budget piece, and that’s a more common (if a little dated) term among developers and InfoSec folks to refer to intentional malicious penetration of a system. Some hacks are cracks, but not all cracks are hacks. Using a specific tool designed to penetrate a secure system is cracking, and probably best fits the public understanding of a ‘hack’. It isn’t a hack, though—it’s using the tool for its intended purpose.

OR Hacking and Cracking are the same and both only refer to unauthorised access, but one is good and one is bad OR it’s actually Hacking and Cracking and Packing, which is about politics and gerrymandering and not about tech, unless you decide it isn’t and start a fight about it in the Burger King parking lot OR it’s a sort of random gapfiller that helps to give shape to vague tech ideas that don’t have a name. The public definition has bled into the professional one and now it’s hard to tell what anybody is talking about. It’s a rubber band of a word: a wibbly, stretchy, useful fix in your day-to-day, but not great as a permanent solution. The word ‘hack’ is, ironically, a bit of a hack.

It gets even more complicated when—like it did with the 2019 NZ budget breach—the word crashes into the public sphere. While developers use the term too broadly, the discourse uses it far too narrowly. We’ve seen this over the last few weeks: people arguing over whether it means Intentional Unauthorised Access Against A Perfectly Secure System or whether we’re allowed to broaden it as far as Intentional Unauthorised Access Facilitated By Poor Information Security Practices and meanwhile developers are in the corner shouting “Shit, this whole network layer is just a bunch of hacks. I hacked their hacks and now I’ve just gotta hope we don’t get hacked.”

Although just for the record, if you’re in that former camp re what hacking is, how good does security have to be before something counts as a hack? Because no encryption is perfect. One of the better forms of encryption—often used by governments and the intelligence community—is called PGP, or “Pretty Good Privacy”. The name is partly a joke, but it’s also a tacit admission to what everybody in this business knows: everything has got a back door somewhere, even PGP. Quinn Norton’s wonderful essay Everything is Broken is absolutely required reading here; there’s back doors everywhere. Even if the code is perfect (which it ain’t—even the best developers in the world have bad days), that back door is a curious intern who picks up a USB in the carpark, or a security guy new enough to not know all the faces, or an IT guy with a porn addiction.

Perfect protection is impossible, and “good enough protection” by the standards of politicians and pundits is a goalpost that moves depending on who’s doing the kicking.

Which is a big part of the reason all this debate around hacking has made the actual InfoSec community so annoyed: people who don’t know what they’re talking about are using words they don’t understand to score political points. It’s also not surprising when they do it: Makhlouf and Robertson weren’t wrong when they called it a hack, nor were National wrong for saying it wasn’t. I’m not one of those “both sides have a point” guys (God forbid), but both sides in this case are right, and they’re right because the discourse sucks. They weren’t lying when they used it that way, because that’s how it’s used: to mean a different thing depending on what you need from it. They’re right because they’re haggling over the definition of an incredibly vague term that not even the people using it professionally can agree on.

It falls to us as people who actually pay attention to these things to elevate the discourse, or we’re again going to have to deal with the spectacle of the most powerful people in the country flicking rubber bands at each other and claiming they’re bullets.

Alexander Stronach is an author and editor from Wellington, New Zealand. You can find him raising hell on Twitter @understatesmen, or on the roadside shouting at passing cars.


Henry Tavit tore out his own brain. That’s an abstraction, but abstraction is everything.

Look, let’s talk about computers. In 2006, a single bit flip in a Toyota Camry glued the accelerator pedal to the floor and took the car into a tree, killing the passenger instantly. The onboard computer between the pedal and the engine had over 10,000,000 lines of code. I bet you didn’t even know there was a computer there, cars are barely mechanical any more—they haven’t been for decades. It took three years to find the bug, and it was one solitary bit flip: 0 → 1, and a car goes into a tree.

Bookout v Toyota Motor Company took eight years. Toyota was found guilty of negligence, ordered to pay three million dollars: eighteen hours of their global profit, and significantly less than the cost of a Camry recall. The ‘05 Camry is still on the market. It’s a popular car; you probably pass at least one every day on the way to work, and every single one has—lurking somewhere in a gnarled grey matter of its codebase—the bug that killed Barbara Schwarz. This really happened. If you don’t believe me, ask your phone.

I don’t want to go into the details of how a Trimplant works so here’s the short version. There are about forty million lines of code in a chip the size of a grain of rice. It perches on the occipital lobe. You turn it on, and you trip balls.

The problem is, it’s always on. It’s not always active, but the difference killed Henry Tavit. When it’s on, it’s still processing data. The human brain is electric: neurons are pushed along their routes by tiny charges of bioelectricity. They factored it into the design, of course: the Trimplant leeches tiny microelectric charges to keep itself running, never more than it needs. Over the nine months, its spiderweb wiring dug into Henry’s occipital meat, and the electricity changed it. Piece by piece, in imperceptible fragments until—nine months after implantation, while he was in his apartment kitchen, knife in hand—a 0 turned into a 1.

The Trimplant was not poorly-designed. It was a marvel. The engineers knew the risks of putting hardware into a human brain, and they spared no expense in development. It hurts to say, because we want villains in these things, but the team who made the Trimplant were highly competent. They accounted for almost everything but they—like the engineers at Toyota, like the engineers who run our power grid, like every engineer for the last hundred years—weren’t gods. They didn’t think it would be a problem. Nobody worries about drowning in a stream but given enough time, streams will carve canyons from bedrock. The almost-imperceptible flow of bioelectricity took nine months, but it changed a 0 into a 1.

Standing in his kitchen at 3am—half-sober, half-awake, making himself a grilled cheese—he started to trip. You ever had a New Certainty? Sometimes, when it leads us into the light, we call it an epiphany. Sometimes though, you wake up with red-eyed demons standing around your bed and your chest so tight it’s about to break open and disgorge your guts and you go oh, okay, I guess this is my reality now. Henry had the second type. He realised—as the drip-drip of water opened up a critical weakness and the ocean rushed in—that his house was alive, and hateful. He was in its belly, being slowly digested. The walls moved in and out, the rough timpani of a monstrous heart.

Henry was a clever man. On some level, he knew what was happening. On another, a dark wave crashed down on him. The cameras in his home caught almost nothing: just a twitch, and a stillness. He stood in his underwear with his knife halfway into a block of cheese, almost comical. His two halves fought in silence. Then, without speaking, he smashed his head against the kitchen window. Once, twice, cracks spiderwebbing out like a cruel echo of the wiring in his brain. Three times, and he opened up a hole. He gulped at the cool autumn air like a fish on the dock, opened up gashes on his chin, his cheeks. Sliced open the soft cartilage of his nose. His expression remained fixed: dead-eyed, staring into the distance.

Whatever part of him stayed cogent kicked in. It knew what was happening. It could stop it, or die. It had a kitchen knife, and very little time. Henry Tavit died performing neurosurgery on himself at 3AM, in his kitchen, with a model of the human brain open on his laptop. He opened a slit on the back of his neck—close, to access the occipital lobe, but inches-as-miles from where it needed to be—and struck his spinal column with the blade. Collapsed to the floor, gasping, no feeling below the neck. He broke his neck when he fell, and blood flowed into his airway and lungs. The dishwasher grumbled, as though the whole house were laughing. Henry Tavit died on his kitchen floor, surrounded by demons.

The Trimplant is still on the market. The next bit-flip might happen to a surgeon, or a pilot, or a president. A recall of installed units is almost impossible, and a recall of units on shelves is costly enough that the accountancy department quietly nodded to themselves and made the company forget. The court case is ongoing. The story appeared on newsfeeds as a suicide. It didn’t last a day before the tide carried it away.

The 2019 NZ Budget Leak: what actually happened

EDIT: This piece has gone much bigger than expected. I’m blown away. I was editing during the day to add clarifications onto the end, but I’ve gone back and worked them into the body of the text.

The Treasury data breach has been a shitshow. I don’t think I’ve ever seen a bigger disconnect between the experts and the pundits, and I don’t say that lightly. I’m not a security guy, for what it’s worth: I’m a writer at a tech firm, but I’m fascinated by security and over the last few days I’ve been talking to people who actually know their stuff. Almost unanimously they’re calling this a breach. Almost unanimously, the pundits are off shouting that it’s “not a hack!”.

Right from the start, I’m setting a rule: we’re not going to talk about “hacking”. It means totally different things to the IT sector (anything from coding at all to randomly kludged spaghetti code that really shouldn’t work) and the public (a man in a trenchcoat saying “I’m in!”), and most InfoSec types shy away from it anyway. I’m not going to bore you with the whole hacking vs cracking debate, but we’re going to call this thing what it is: a data breach.

So what happened?*¹ This is a web server:

Its job is to display web content. Every time you go online, you’re accessing content from web servers. Simple enough? This is a staging server:

It serves as a testing environment. Content intended for the public but not yet released goes on the staging server to make sure it runs smoothly for when the time comes to make it public. Some staging server content never goes live: it either didn’t work as expected or it wasn’t meant to be there, or something changed and it got pulled.

Treasury cloned their web server, put it in the staging server, then added the budget to it for testing. The problem is, they also cloned the index configuration: the settings that tell the search where to store its index data for later lookups. Both web and staging server stored their search information in the same place, and Solr—the program running the search function—wasn’t properly instructed to avoid the staging server. That gave the web server access to the search information about documents on the staging server via the search bar, though not the staging documents themselves.
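To make the shared-index mistake concrete, here is an added example (not code from the original post or from Treasury’s systems): a small in-memory list stands in for Solr, every document carries a constructed env field, and the unfiltered public search is shown beside a search with a mandatory environment filter (the job a Solr fq on such a field would do) plus an audit check for documents that don’t belong in the index at all. Titles and body text are constructed.

```python
"""Toy model of one search index shared by a public site and its staging copy.

Added example, not code from the original post or from Treasury's own
systems. An in-memory list stands in for Solr; the documents, titles and
the ``env`` field are all constructed for illustration.
"""
from dataclasses import dataclass

SNIPPET_LEN = 60  # characters returned per hit, standing in for "the first few lines"


@dataclass(frozen=True)
class Doc:
    title: str
    body: str
    env: str  # "prod" (public site) or "staging" (unreleased content)


# One index holding both environments' documents: the cloned-config mistake.
SHARED_INDEX = [
    Doc("Vote Health 2018",
        "Health spending in 2018 was set at a constructed figure for last year.",
        "prod"),
    Doc("Vote Health 2019",
        "Health spending in 2019 rises to a constructed figure; full text is not public.",
        "staging"),
    Doc("Vote Education 2019",
        "Education allocation for 2019, constructed placeholder text only.",
        "staging"),
]


def _matches(doc, query):
    return query.lower() in doc.title.lower()


def search_unfiltered(index, query):
    """Vulnerable: the public search bar queries the whole shared index, so a
    correctly guessed staging heading comes back with its opening snippet."""
    return [(d.title, d.body[:SNIPPET_LEN]) for d in index if _matches(d, query)]


def search_for_env(index, query, env):
    """Hardened: every query carries a mandatory environment filter (the role a
    Solr fq on an env field would play), so staging hits never reach the public."""
    return [(d.title, d.body[:SNIPPET_LEN])
            for d in index if d.env == env and _matches(d, query)]


def foreign_docs(index, env):
    """Audit check: titles in this index that do not belong to the environment
    the public front-end serves. For a production index this must be empty."""
    return [d.title for d in index if d.env != env]


if __name__ == "__main__":
    print(search_unfiltered(SHARED_INDEX, "vote health 2019"))      # staging snippet leaks
    print(search_for_env(SHARED_INDEX, "vote health 2019", "prod"))  # []
    print(foreign_docs(SHARED_INDEX, "prod"))                        # the two staging titles
```

Separate Solr cores per environment remove the problem outright; the filter and the audit check are the belt-and-braces for when one index is unavoidable.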

To illustrate, run a search on the Spinoff (or any site with a search bar): each result gives you the title and the first few lines of the page.

Using the exploit on the Treasury’s site, somebody pulled snippets of the budget like that from the staging server. Critically, to do this you would need to know the title of the section. You search for a specific heading on the public site, and it comes back with the title and the first 4-5 lines. It was, all things considered, a pretty small hole:

  1. It required the attacker to know the content was on the staging server
  2. It required the attacker to know the specific wording on the staging server
  3. Even then, it only gave them snippets

So how did it happen? A leak. The actual leak. The budget didn’t leak: its search index did. That’s essentially a table of contents. A budget ToC out in the open covers points 1 and 2 above: it tells you the budget is ready to go public (so probably sitting on the staging server) and gives you a list of searchable titles and subtitles.

“Leak” is a strong word, too: this year’s budget used the same headings as the 2018 budget. I’m still a little fuzzy on whether the actual index leaked (as in, got sent to the wrong place/got left out somewhere irresponsible/got made public too early) or whether somebody just heard it was the same as last year’s via the Thorndon grapevine and started punching in queries.

What about #3? Well, that’s why there were 2000 searches. They pulled 2000 snippets and put the budget together like a jigsaw. It’s not “just a search”: it’s using a leaked set of headings to run 2000 searches, taking advantage of an exploit that returned small pieces of content from the staging server, then stitching that content together afterwards. It’s not something Johnny Q Public could do by accident. It’s not an “open door” at all. That’s also why National got some details wrong: they didn’t have a complete picture. They had a very good outline, though: all the titles and subtitles, and the first few lines after each.
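Since the mechanism is what everyone is arguing about, here is a toy model of it in Python. This is an added example, not code from the original post, from the Treasury’s site, or from Drupal or Solr. It assumes a search that matches on title and returns the first dozen words of the body as a snippet (standing in for Solr’s highlighting), and a `site` tag plus a `site_filter` argument standing in for scoping results to one environment with a Solr filter query. It covers both the shared-index misconfiguration described earlier and the heading-by-heading jigsaw above; all titles and text are constructed for the example.

```python
"""Toy model of a search index shared between a production and a staging site.

Added example: not code from the original post, the Treasury's site, Drupal or
Solr. It models one index written to by both environments, a public search that
returns title-plus-snippet results, and the "jigsaw" of querying known headings.
Every document title and body below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SNIPPET_WORDS = 12  # assumed: a result shows the title plus this many words of body

Hit = Tuple[str, str]  # (title, snippet)


@dataclass
class Doc:
    site: str   # which environment indexed it: "prod" or "staging"
    title: str
    body: str


class SharedIndex:
    """One index that both environments write into, as the cloned index config caused."""

    def __init__(self) -> None:
        self.docs: List[Doc] = []

    def add(self, doc: Doc) -> None:
        self.docs.append(doc)

    def search(self, query: str, site_filter: Optional[str] = None) -> List[Hit]:
        """Return (title, snippet) for every doc whose title contains the query.

        site_filter stands in for a Solr filter query (fq=site:prod) that scopes
        results to one environment. None models the misconfiguration: the public
        site's search is never told to skip staging documents.
        """
        hits: List[Hit] = []
        for doc in self.docs:
            if site_filter is not None and doc.site != site_filter:
                continue
            if query.lower() in doc.title.lower():
                snippet = " ".join(doc.body.split()[:SNIPPET_WORDS])
                hits.append((doc.title, snippet))
        return hits


def public_search_misconfigured(index: SharedIndex, query: str) -> List[Hit]:
    """The public site as deployed: searches the whole shared index."""
    return index.search(query)


def public_search_fixed(index: SharedIndex, query: str) -> List[Hit]:
    """The public site with results scoped to its own environment."""
    return index.search(query, site_filter="prod")


def stitch(index: SharedIndex, headings: List[str],
           search: Callable[[SharedIndex, str], List[Hit]]) -> List[Hit]:
    """The jigsaw: one query per known heading, results collected in order.

    headings models last year's table of contents being reused; search is
    whichever of the two public_search_* functions is in play.
    """
    pieces: List[Hit] = []
    for heading in headings:
        pieces.extend(search(index, heading))
    return pieces


def build_demo_index() -> SharedIndex:
    """Constructed sample data: last year's published page plus this year's staged ones."""
    index = SharedIndex()
    index.add(Doc("prod", "Budget 2018: Summary of Initiatives",
                  "Last year's summary. It is already public, so it is harmless in a result."))
    index.add(Doc("staging", "Budget 2019: Summary of Initiatives",
                  "This year's embargoed summary. Paragraph one would appear in a search snippet "
                  "on the public site. Paragraph two is beyond the snippet and never shows."))
    index.add(Doc("staging", "Budget 2019: Vote Health",
                  "Embargoed health figures. Only the opening words leak through a snippet; "
                  "the detailed appropriations after that do not."))
    return index


if __name__ == "__main__":
    index = build_demo_index()
    last_years_headings = ["Summary of Initiatives", "Vote Health"]  # reused wording
    for label, fn in (("misconfigured", public_search_misconfigured),
                      ("fixed", public_search_fixed)):
        print(f"--- public site search, {label} ---")
        for title, snippet in stitch(index, last_years_headings, fn):
            print(f"{title}\n    {snippet}")
```

Run as written, the misconfigured search returns the 2019 staging titles with their opening words (and only their opening words), while the scoped search returns only the already-public 2018 page. Scoping with a filter is the minimum fix; giving staging its own index removes the shared store entirely.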

It’s all a bit rubbish but, to quote InfoSec luminary Adam Boileau, “it’s not rubbish if it works”.

Metaphors about the door being unlocked do us no favours, unless we really want pundits to be better equipped to twist the actual events. Whether or not it’s a “hack” doesn’t really matter: it’s an intentional attempt to gain access to private data. It used an exploit to pull content that wasn’t meant to be public. It’s a breach. More than that, there are established protocols for what happens if somebody finds an exploit in government software. These rules were written by the National Party in 2014, and National failed to follow them. Their failure to follow protocol merits investigation: they kept their use of the exploit unreported for their own political gain. Even if the content was delivered to them anonymously by a no-good samaritan, they bear at least partial responsibility for this because they went public instead of reporting it.

Where did the Treasury fuck up?

  • They should’ve reviewed their Solr configuration when they cloned their site to the staging server: a staging environment needs its own index, or at the very least the public site’s search needs to be scoped so staging content can’t surface in it.
  • They probably shouldn’t have cloned their web server to begin with—making a staging server from scratch with the same dependencies might have been a pain in the ass (I’m honestly not sure: I don’t know what their dependencies look like) but it would’ve been a lot safer.
  • They could’ve been jazzier about this year’s subtitles.

Where did the National Party fuck up?

  • They identified an exploit but—instead of following CERT protocol—they used it for their own personal gain.

I’m not gonna lie, it’s bad. Somebody dropped the ball, and somebody else put a knife into it.

Still, I do not believe Simon Bridges has committed a crime, nor has he committed Breach of Confidence. He has violated his CERT obligations, which at worst means he’ll get a strongly-worded nonbinding letter from MBIE telling him not to do it again. He did a bad thing, but not all bad things result in him being removed from Parliament in a paddy wagon. To quote one of my anonymous sources: “he’s an asshole, not a criminal.”

It’s still ridiculous that pundits are calling for heads to roll. At the end of the day, it wasn’t a big deal. Grant Robertson shrugged and moved on. The Treasury were right: what harm could somebody actually do by using that exploit? Release a half-complete version of the document a day early?

By the by, it’s not dodgy or extreme that anybody called it a ‘hack’. If there’s a problem with the word, it’s not that it doesn’t mean this, it’s that it does mean this because it’s a vague word that means wildly different things to different people. Not all hacking is a man in a trenchcoat typing into a green/black Linux CLI then saying “I’m in!”—It’s not rubbish if it works. Makhlouf and Robertson could’ve maybe been more precise with their language but that’s not a crime either.

And then, of course, the pundits got to it. Either the Treasury were little angels who did no wrong, or they were cringing fools who dropped a box of printed budgets off at the top of Lambton Quay. What we actually have here is a pattern pretty typical of data breaches: a small screwup like an improper Solr config let an attacker get at data they shouldn’t have had. I’m sure somebody is going to shout at me that it wasn’t a small mistake, but unless they can explain how to correctly configure Apache Solr in a Drupal installation so it doesn’t allow partial read access to cloned data on a staging server then they can fuck right off with their piety and condescension. It’s a screwup for sure, but the people talking about “open doors” need to pull their heads in.

What’s really happening is that the pundits smell blood in the water, and they don’t care what actually happened—they just want an excuse to sink their teeth in.

Same old NZPol, I guess.

If you like what you’re reading, stick around and check out some of my fiction, or follow me @understatesmen on Twitter.

*¹ most of this is coming through various DMs and actually talking to people. I am willing to admit I might’ve muddied the details, though I’ve done my best and at the very least—talking to actual experts and having a tech background—I’m doing a better job than the lukewarm tech reckons of blokes who struggle to operate a washing machine.

Credit for assistance to Sana Oshika, and the others who preferred to go unnamed.