Category: Nonfiction

Umbrella Academy: what if Suicide Squad, but good?

Umbrella Academy is really fucking good. A loose adaptation of My Chemical Romance frontman Gerard Way’s comic series of the same name, it follows the Hargreeves siblings: a group of seven kids who are adopted by a cold and eccentric scientist after being born simultaneously, all over the world, to women who weren’t pregnant. He tries to train them as a superhero team, but it ends in calamity. The gang breaks up and goes their separate ways. Years pass, then they get a message—their adopted father is dead. One by one, they return home to mourn, rage, or steal his silverware.

It’s hard to avoid comparisons to infamous bomb Suicide Squad: it’s a comic book movie about a team of antiheroes who must overcome their collective neuroses in order to fight a greater existential threat, with a bombastic classic pop soundtrack and so much stylisation it gives the viewer a contact high. It’s hard to pin down why Umbrella Academy works and Suicide Squad doesn’t. Yeah, there’s Squad’s troubled development history and last-minute recut, but a lot of UA’s best moments are similar to the worst moments from the Squad recut, like an extended sequence of the Hargreeves dancing alone to Tiffany’s 1987 banger I Think We’re Alone Now, a choice so on-the-nose that it rockets through obvious all the way to brilliant. It’s hard to say it’s in keeping with the aesthetic of the comics (who would be? The Dresden Dolls? Nick Cave? The Mountain Goats? That weird shanty-punk band your mate with a beard insists will change your world?) but it’s in keeping with the vibe, which is an altogether trickier thing to puzzle out.

And that might be the secret: though Gerard Way wasn’t involved in the show, his source material is fertile ground for wonderful, wonderful melodrama. My Chemical Romance was never a subtle project—it was romantic in the classical sense: emotional in velocity and emotional in volume: reckless, weird and powerful. Suicide Squad was trying to balance David Ayer’s sombre, realistic antihero tale with Trailer Park’s bombastic phantasmagoria and got, well, a mess. Umbrella Academy knows exactly what it is and goes for broke. It’s packed with raw, unashamed emotion, much like those classic MCR tracks we were too cool to admit we loved back in high school. Which is why a very, very obvious pop song choice enhances the scene instead of distracting from it. 

The cast are revelling in the madness, with Kate Walsh’s Noir-Fatale-Meets-Middle-Management turn as The Handler being a standout. It’s also good to see Robert Sheehan getting some juicier roles: Mortal Engines—which looked set to be his big break—was a dud, and he’s been mostly wasted since Misfits. He can’t do a US accent to save himself, but failing to make the Oscar-Wilde-esque Klaus Hargreeves Irish was a mistake anyway. Cameron Britton and Sheila McCarthy have an unexpectedly sweet and gentle subplot—it’s lovely to see an older couple kinda just doing their thing. The melodrama crashes into it at 100km/h in the later episodes, but by then everything is hurtling downwind, glorious and fun and on fire. 

If you’re looking for restraint, this is not the show for you. This is a show where a character gets so mad that all the lamp-posts in the street bend towards them, because their emotions have the power to reshape the world. This is a show where a character threatens to electrocute another in a heart-shaped spa pool. This is a show where the main cast—each isolated by their own damage, desperate for human connection, trying to reach out to each other and failing because they haven’t yet learnt to stop lashing out in their pain—dance alone to I Think We’re Alone Now, then the camera pans out to show a cross-section of the house to show they’re all dancing together. It spits on subtle, and comes out with something so ridiculous that it makes its way back around to beautiful. 

Also, Robert Sheehan kisses another man and it’s fucking hot.

Umbrella Academy is currently available on Netflix NZ. 

How to Lose a Million Bucks in Bitcoin: an Aro Valley Love Story

I don’t know whether I’m a millionaire. It’s a disgraceful state of affairs. 

This might take some going back through time. 18-21 were rough years for me. I was a bogan nerd, newly moved to Wellington, who wanted to be a writer and was struggling to admit to himself that he also liked boys. I drank. I initially drank rum because I thought it made me seem like a cool pirate, then I moved onto $10 red wine when I realised that I couldn’t keep up a respectable sustained BAC on anything that cost $40 a bottle. I was a Kiwi at uni, which meant I could lie to myself that my drinking was a personality and not a disease. I don’t know whether it’s the booze or the depressed brainfog but parts of those years just aren’t there. Somewhere in those three years, I fell into 100 bitcoin. Maybe. 


To understand Bitcoin, you first need to understand blockchain. Bitcoin is a currency that is built on a blockchain. They’re often used interchangeably but they’re not the same thing, any more than a ‘98 Toyota Corolla is an engine. The Bitcoin Blockchain is the largest and best-known, so it’s often referred to just as “The Blockchain”, which is where a lot of the confusion comes from. A blockchain is a distributed ledger. Which is exactly what it sounds like. You’ve seen a ledger before: 

Or not—I don’t think I’ve seen a physical ledger in years, but you get the idea. Whenever a transaction happens, it gets written down. Because it’s written down, you can refer back to it whenever there’s a dispute about who did what and who owns what. This is critical because—if there was no ledger—you could get one bitcoin, copy it 100 times, and become a millionaire. The bitcoin ledger records a unique code for your transaction, as well as the specific amount of money that changed hands. Each time a new user is involved in a transaction, the chain gets one block longer.

The ledger is distributed in that it’s available to anybody who wants to access it. You can see a copy of the Bitcoin Blockchain in action right now, if you want. Each block in the blockchain must match every other block: if the transaction data in a particular block is different from the other thousands and thousands of blocks, then it’s immediately obvious that it’s fraudulent. 

The actual details of the transaction (such as details that would let somebody try to clone or steal the bitcoin) are hidden, but that it took place is available to anybody with access. This is why—according to a persistent rumour—MI5 were talking about having spies communicate on an internal blockchain: you’d have a record that two parties met without having to compromise the details of their meeting. Don’t get me wrong, it’s an awful idea, an aggressively unwise idea, it’s just not quite as bad as it looks from the outset. You have a record of a meeting, but no names, no details. It would make it much more difficult for counterintelligence to interfere. It would also produce a massive amount of metadata all in one centralised place that becomes a huge target for anybody looking to compromise your operation. A single exploit, and you’re screwed. Which, being fair, is the case for a lot of encryption. 
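To make the ledger idea above concrete, here is a toy ledger written for this post (it is not Bitcoin’s code, and it leaves out mining and signatures). Each entry stores the amount and a hash “commitment” to the hidden details, every block links to the hash of the one before it, and a handful of replicated copies are compared: a copy that has been edited clumsily fails its own link check, and a copy that has been rewritten consistently still stands out because its chain head disagrees with everybody else’s. All names, amounts and nonces are constructed for the example.

```python
"""Toy append-only ledger with replicated copies (constructed example, not Bitcoin)."""
import copy
import hashlib
import json
from collections import Counter
from dataclasses import dataclass

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def commitment(details: dict, nonce: str) -> str:
    """Hash of the private transaction details plus a random nonce.

    Only this digest is written to the ledger, so anyone reading it can see
    that a transaction happened (and its amount) without learning the details.
    """
    return sha256_hex(json.dumps(details, sort_keys=True).encode() + nonce.encode())


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str   # links this block to the one before it
    amount: float    # public: how much changed hands
    commitment: str  # public "unique code" standing in for the hidden details

    def digest(self) -> str:
        payload = {"i": self.index, "p": self.prev_hash, "a": self.amount, "c": self.commitment}
        return sha256_hex(json.dumps(payload, sort_keys=True).encode())


class Ledger:
    def __init__(self) -> None:
        self.blocks = [Block(0, GENESIS_PREV, 0.0, sha256_hex(b"genesis"))]

    def append(self, amount: float, commit: str) -> Block:
        block = Block(len(self.blocks), self.blocks[-1].digest(), amount, commit)
        self.blocks.append(block)
        return block

    def head(self) -> str:
        return self.blocks[-1].digest()

    def verify(self) -> bool:
        """True if every block's prev_hash matches the digest of the block before it."""
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            if cur.index != prev.index + 1 or cur.prev_hash != prev.digest():
                return False
        return self.blocks[0].prev_hash == GENESIS_PREV


def find_bad_copies(copies: list) -> list:
    """Indices of replicas that are internally broken or disagree with the majority head."""
    heads = [c.head() for c in copies]
    majority_head, _ = Counter(heads).most_common(1)[0]
    return [i for i, c in enumerate(copies) if not c.verify() or c.head() != majority_head]


def build_replicas(n: int = 5) -> list:
    """Constructed sample: one ledger with two payments, copied to n participants."""
    ledger = Ledger()
    ledger.append(100.0, commitment({"from": "poet", "to": "client"}, nonce="n1"))
    ledger.append(0.5, commitment({"from": "client", "to": "wine-shop"}, nonce="n2"))
    return [copy.deepcopy(ledger) for _ in range(n)]


def tamper_in_place(ledger: Ledger, index: int, new_amount: float) -> None:
    """Edit one block's amount without touching the links: the chain no longer verifies."""
    old = ledger.blocks[index]
    ledger.blocks[index] = Block(old.index, old.prev_hash, new_amount, old.commitment)


def rewrite_history(ledger: Ledger, index: int, new_amount: float) -> None:
    """Edit a block and re-link every later block: this copy verifies on its own,
    but its head no longer matches the other replicas, so the comparison catches it."""
    tamper_in_place(ledger, index, new_amount)
    for i in range(index + 1, len(ledger.blocks)):
        old = ledger.blocks[i]
        ledger.blocks[i] = Block(old.index, ledger.blocks[i - 1].digest(), old.amount, old.commitment)


def demo() -> tuple:
    copies = build_replicas(5)
    tamper_in_place(copies[1], 1, 10_000.0)   # clumsy edit on one copy
    rewrite_history(copies[3], 1, 10_000.0)   # consistent rewrite on another copy
    return (copies[1].verify(), copies[3].verify(), find_bad_copies(copies))


if __name__ == "__main__":
    print(demo())  # (False, True, [1, 3])
```

The caveat the toy makes visible: a single copy that verifies proves nothing on its own, which is exactly why the ledger has to be replicated and compared, and why the real system adds mining to make a consistent rewrite expensive.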


In 2010, I took a writing gig on a bbcode geek forum. Somebody wanted me to write a poem for his girlfriend. It was their anniversary. At the end of it, he told me he didn’t have any cash, but he had bitcoin. I was furious. I sucked it down. He told me they’d be worth more in a year. I didn’t have the storage space for them, so I went out and bought a drive. It was the cheapest one I could find and it cost me $200, because external storage costs in 2010 were a motherfucker. I was even more furious. I was $200 in the hole because this asshole was paying me with monopoly money, on the promise it would turn to gold. I put the bitcoin (and, critically, the private key) on the drive, stowed it quietly away somewhere, and lost it. 

That drive, if the heat and damp or the elements haven’t got to it, is currently worth $1,764,885 NZD, less $200 for the cost of the drive. I have searched everywhere for it. I’ve probably spent a solid two months in lost weekends trying to follow my own dead, erratic trail. Maybe I sold the bitcoin in a blackout, or maybe the drive got eaten by the couch cushions, shuffled away into the realm of lost socks. From the bottom of my heart, I hope that dude had a great anniversary, because he paid a million bucks for it. 

Maybe. 

Like I said, I was drinking a lot. I’m not willing to confirm anything that happened between 2008 and 2011 with any degree of certainty. But I remember the colour of the drive (red, a sort of deep plum-red, like old blood or bad wine), the place I got it (the Dick Smith off Lambton Quay, the one I had a fight with my girlfriend in), and the motherfucking weird flat two-pronged proprietary input that kept coming out for no reason and wasn’t compatible with any other device known to god or man. 


Who regulates bitcoin? Well, nobody. That’s sort of the point, and that’s why your libertarian friend will never shut up about it. No bank or government controls bitcoin. The Blockchain does, in that transparency regulates it. You can’t cheat the blockchain; if you got money, it’s because somebody agreed to give it to you. It is pure capitalism: capitalism totally without restriction or outside influence. That’s also why it has constant massive peaks and troughs of value—the only people regulating it are the people buying it. It’s the sort of thing that would’ve made Rothbard wake up at 3am with damp sheets. That’s why people are getting rich, and that’s why people are losing everything. It seems like chaos from the outside, but to those riding the lightning, that’s just how it goes. That’s part of the reason the price is so elevated: what’s called noise trader risk.

Noise traders are people buying stocks not based on their actual value (the signal) but all the random bullshit around it (the noise). Usually, if something is overvalued and a bubble is about to burst, stock traders go crazy shorting it—they’re betting that it’s going to fail, so they make money when it goes down. Shorting is seen by a lot of economists as a critical process for finding the ‘real price’ of something, that is to say, the price that lines up with its actual value. Noise traders complicate that, because bubbles that should burst often don’t, or at least don’t when you’re expecting them to. If you short too early you can lose a lot of money, and if the community around a particular stock or item aren’t acting on the same assumptions you are then, well … it becomes scary to short. If your only contact with this idea is The Big Short, then it might’ve suddenly clicked why Christian Bale’s character freaked the fuck out when the housing market didn’t crash as predicted: because the ratings agencies were lying about its actual value, it didn’t go down when it should’ve, and the real trader (Michael Burry) lost his company billions. Bitcoin has some of the noisiest traders in the world, and that meant that nobody was willing to try and bring the price down. In the absence of that, it ballooned wildly.


I think the most likely case is that I sold the bitcoin to buy more wine. I don’t remember doing that, but memory is a rickety machine at the best of times. There’s no transaction code anywhere I can find but that’s no surprise—I probably deleted it like the first one. The whole wallet was worth less than $20, and who keeps a receipt for $20? It was a decent year, the one where things finally started to look up. I was living in a tumbledown borer-infested flat which was $200 a week and falling to pieces, but close to work, so it was a gem.

Taika Waititi would be out and about sometimes. I was 20 and wanted to be a writer. He was famous; he’d just come back from the US after filming a TV show. Brett and Jermaine were cool and all, but Taika was a writer. I never spoke to him, but I’d pass him in the street and act like a total starstruck weirdo. He had nice eyes. I remember very little from 2010 but I remember that Taika had nice eyes and they made me ask questions, and the questions made me drink. I would’ve paid 100 bitcoins for a coffee with Taika in a heartbeat. Even today, it’s a coin flip. 


Why would you want a blockchain? Well, because you want a simple, deep ledger that records whenever a transaction takes place. I’m sure you can think of legitimate uses for that. Hell, I’m sure the accountants among you are crossing your legs under the desk, trying to pretend you’re not seeing a whole universe of possibilities unfold like a blossom in spring. Undeniably, blockchain can be a force for good. 

It’s also, unfortunately, a buzzword beloved of cranks and grifters, and every slick second son who dreams in dollar signs. It’s a fiscal wild west: the folks back east hear about gold and adventure, and all the detail gets flattened out. I’m not going to lie and tell you I’m a devoted capitalist—once you’ve read The Conquest of Bread, there’s no going back. I do however understand why there’s so many Bitcoin devotees out there: it is pure, chaotic, joyful freedom. It’s freedom that could take you to the stars or put you face-first in a ditch and you only get to find out which after you get there.

What’s really bizarre about my story is how common it is. While researching it, it took less than an hour to find a friend who said “oh yeah, me too. Huh. Wild.” Not the drinking or the sadness or Taika’s wonderful eyes, but the fortune in bitcoin that they shrugged their shoulders at, and lost. Sold for beer money because they didn’t know what to do with it. 2010 was like that: the world wasn’t on fire yet; Nazis only existed in video games; we were kids playing with grenades. That drive would pay my student loan 30 times over. It’s almost Auckland house money. I went back to the tumbledown flat a few years ago, and the place was gone. It got demolished at some point, and it was a vacant lot. I spent an afternoon looking for red, and found nothing. They’ve built a new house there now. Maybe one day the drive will come back to me, red like old wine and bad blood. Until then, I get to wonder about what could’ve been. 

In another life, I’m a millionaire. In the next life down, I’m friends with Taika. 

It’s a coin flip. 


Some locations and details in this article, as well as some part of the timeline, have been fudged to prevent identification; I don’t want to be the guy who gets a treasure hunter killed rooting around a construction site.

Andre ‘Jay’ Bourlin, one year on

CW: this piece discusses depression, and the suicide of a friend.

It’s coming up a year since my friend Andre died. Hindsight can be cruel: I knew he suffered from depression and chronic pain, and in the weeks leading up to his death he became increasingly combative and withdrawn. I knew he was having a hard time, I just didn’t realise how bad it really was; it felt like a stepping back, but not an end—he’d been working on a new manuscript and we’d been going over his opening chapters together. It didn’t seem like something you’d do if you wanted to die. 

I know from personal experience that it’s more complicated than that—people rarely plan these things. The black dog is a persistence hunter: it chases you for years, until your legs give out. 

The news hit slow. Somebody messaged me around lunchtime and I didn’t really process it. Piece by piece, over the course of the day, it broke me down. I went to a party that night, and a sudden tightness in my chest forced me outside; I ended up crying on a colleague’s balcony. I went home and wrote a letter to him that I never intend to publish, not even here—it’s an angry, selfish thing. I’m still here motherfucker, why aren’t you? You were writing a book. 

I’ve still got that manuscript sitting in Google Drive. Shared with you, trapped in amber. I tried to look at it the day afterwards, and couldn’t bring myself to do it. I’ve been told by the rest of the writing group that the last short story he wrote is genius—that it brings insight into his pain, and reading it helped them to understand and heal. I can’t bring myself to read it either. I’ve tried a few times, but can never bring myself to click the link. I don’t know what to do with either of them; they’re not going anywhere. 

There’s a lot of thinkpieces about mental health online, but whenever I try to write one, I come to the same painful answer: sometimes, things hurt and people leave. It’s been a year, and I thought with that distance there might be some peace. Instead, I ended up trying to hold back tears at my desk, going off on my lunchbreak to find somewhere safe to cry. Writing normally brings me catharsis, but this brought me nothing. I want to bring you catharsis, but I can’t. Some things just end. 

A quick update on querying

Just popping in to say: I got my first full MS request yesterday. Even if it turns out to be a dead end, it’s the confidence boost I needed right now. Keep chipping away at that mountain, fam.

10 Things I’ve Learnt About Querying Fiction

There’s a genre of opinion piece infesting the darker creative corners of the internet, where an unsuccessful artist lashes out and writes a diatribe about how the system is broken, and everyone is garbage, and how they’re striking out on their own. We all look at those petulant flameouts, and we shake our heads and wonder what drives somebody to that. I know I did. Now, four months into querying without a single partial, I get it. Every unanswered submission on my spreadsheet burns. Every form letter makes me feel worse about myself as a writer and as a person. Querying is a sandpaper whirlwind rubbing down my soul; querying is a little man with a big hammer gently tapping out an arpeggio at the base of my skull while I try to sleep; querying sucks ass. I think the reason I haven’t started shouting about FUCKING AGENTS is because I’ve been on the other side of the mirror and I know what it’s like. From the outside, the beast can seem callous and faceless. From the inside, it’s, well … let’s talk about it. 

Life in Wonderland 

I’ve run submissions inboxes for small magazines, major publishing houses, and everything in between. I’ve seen a lot of queries and drunk a lot of instant coffee and let me tell you: the system consists of passionate, intelligent people who are monumentally fucking overloaded. I don’t think people really understand the volume these folks are seeing, and the sort of things that show up unsolicited. Here’s a list of things I’ve seen in slush piles:

  • A Where’s Waldo with the author’s face photoshopped onto Waldo and almost no other changes. 
  • An extremely graphic children’s book complete with MSPaint illustrations, which aimed to teach kids about the author’s fertility cult. 
  • A novella about Adolf Hitler crying into Hess’ lap because he got booed by a Jewish man at an open mic, which leads to them planning the Holocaust. 

That Hitler story was three times the maximum length, the author wasn’t from a geographic location we accepted submissions from, and it seemed like the last 2k was hastily tacked on to fit our genre—it turns out it was virtual reality all along, so it was apparently SF/F. The unavoidable subtext was that the real Nazis are people who reject authors. Upon rejection, the author responded with an angry screed about how he was a big deal and we’d be sorry (he wasn’t and we weren’t). 

And it just keeps coming. Shimmer Magazine shut down submissions almost a year ago, and they post regular updates on their Twitter about the last time they received a submission. I don’t know when you’re reading this, but I bet you their last sub was less than a month ago. Shimmer locked their doors, and loudly announced they were locking their doors, and regularly remind folks that the door is locked, and they still get new content coming in every day. 

Think about that, then imagine what it’s like when the doors are open. It’s constant. It wouldn’t surprise me if some agents were getting triple-figure submissions some days. It’s a lot of work, and it’s not even their whole job: their actual money comes from selling books to publishers, and reading queries is just how they find books to sell. 

Look, there’s very little money in publishing. Most of us work other gigs, and do publishing on the side when we have time and when the work’s available. Publishing is the coolest job in the world, but the pay is crap and the hours are long—you only do this work because you love it. It’s also precarious: one bad book could sink you. Neither agents nor publishers are part of some unfeeling machine—agents want to accept your MS, but they also want to pay off their student loans and sort out that downpayment on their mortgage and also get through a slush pile that just keeps getting bigger and bigger no matter how hard they work. They want to keep being agents, and that means making hard choices about what they accept.

Doing rejections sucks; you get the occasional angry screed, but most people who do respond are wonderful and gentle and heartbroken. It’s suburban dads who cried when they read Knausgaard, and teenage poets who need another ten years, and clever old women who run mystery-writing circles and whose current work is really very good but not what the market wants right now. I wish I could accept all of them, but if I did that I’d be the grim reaper of publishing houses. Just replying to everybody without using form letters would be a fulltime job. It’s a lot of work to keep your head above water, and the only reward is not drowning. 

So What Can I Do?

1) Follow instructions. I cannot overstate how important this is. Hitler guy is an outlier in how extreme he was, but a lot of authors break the rules and it’s an instant disqualifier. If you’re thinking you can be clever by explaining why you’re different then I regret to inform you that you’re not different, and you’re about to join the ten other people in the inbox this morning saying they’re different in the rejection pile. 

I know the temptation is real. I really wanted to query Dongwon Song with my current project. The dude’s got an amazing stable of authors, a great professional reputation, and I’ve heard he’s wonderful to work with. He sells books I love, and he seemed like a good fit. Two words on his MSWL sank it: no cops. Now, my MS is best summed up as cops suck, be gay, do crimes, but the protagonist is a police officer and I knew that “I know you said no cops buuuuuuut” would send my query down in flames. Every day, there’s somebody in the inbox trying to tell you why they’re different in some way, and 90% of them are lying, and you don’t have the time or energy to figure out whether they’re not.

2) Pace yourself. I had a moment a few weeks ago where I got fed up at all the silence and sent out 10 queries in 48 hours. They were very low-quality, because I was churning them out as fast as possible. It was a bad move, and I expect 100% rejection from them. If you got a bad pitch from me on June 16/17, then I’m sorry about that. A colleague sat me down and had some words with me, and I’ve subsequently slowed the fuck down and revised my query letter. I can’t take back those ten letters, though—that’s ten agents I’ve burned, whose time I’ve wasted. They probably won’t remember me, but they won’t be taking me on either. The job of an agent is to distinguish signal from noise, and if you don’t act like a professional then you go straight into the noise bucket.  

3) Pitch Parties are a clusterfuck. If you thought submissions inboxes are bad, wait until you attend a pitch party. They were apparently great a few years ago, but the internet has caught up with them and now the volume is ridiculous. The number of entrants has skyrocketed, but the number of agents has remained relatively stable, even often going down. I started tracking metrics during last month’s #pitdark and caught 60 pitches/minute at the top of the hour. That’s not to say don’t do them (it’s 30 mins work tops to set up Tweetdeck with scheduled pitches—if you’re smart, the work/potential result ratio is solid) but manage your expectations. 

4) Be kind. I remember Hitler guy not because his content was uniquely bad (it honestly wasn’t: his prose was fine, it was the bizarre subject matter and broken rules at issue) but because of his flameout. There’s a human on the receiving end of that email, and one who has dedicated their life to sharing cool stories. They want to accept your manuscript. They’re not the villain, and they will remember that you blew up at them. Grizzling about rejections is fine and normal (they suck, from the bottom of my worn and fraying heart right now I absolutely know how much it all sucks), but for the love of christ don’t hit Send. I’m more sympathetic to the dude now, but I’m not even close to accepting more work from him.

5) This is going to suck. Some authors get lucky on their first pick, but if you bet on being one of them, then you’re destined for a breakdown. Most published authors send out 40-60 pitches before they get accepted. I’m about halfway there, and I’ve developed a much stronger pitch, and I still feel like screaming. I arrogantly thought it would take about six weeks (I’m connected! I do books for a living! I’m just that good!), and we’re now on month 4 with only a tiny bit of headway. WorldCon is—for what is almost certainly the only time—coming to my home next year and I’d dreamed of walking the con floor as a novelist. That dream has come crashing down and it sucks, and querying sucks, and everything really just sucks right now. Querying is harder than writing the actual book—it’s the same sort of effort without any of the joy. You need the perfect book and the perfect pitch, going out to the perfect agent. You need to know how hard this is so you can properly brace for impact, because otherwise it’s gonna break your damned legs.

What Does a Good Pitch Look Like? 

  • If something is in your first x pages, the pitch should explain why it’s there. My mistake in my early pitches was to lead with something that happens ⅓ of the way through the manuscript, and isn’t included in the first 5–20. The opening chapter, without explanation, comes off like a bad cold-open. As soon as I flipped my pitch to start at the start, I got more traction. 
  • Comp titles are gold. They contain a huge amount of information in a very small space. Don’t overdo it, but 2–3 solid comp titles are an absolute requirement. Talk to your beta readers and see what it reminded them of—Leviathan got suggested by one of my readers, so I read it and I wish I’d done it sooner: it was a great read, and it’s a great comp title. 
  • Don’t run long. Most submissions pages will say how long they expect the query to be, and it’s rarely more than 2 pages. If they don’t say, that means 1–2 pages. 
  • Who are you? Publishing credits, awards, formal qualifications. One paragraph max, demonstrate that you’ve put in your 10,000 hours. If you haven’t got any, there’s other things to do here, e.g. I’ve noticed a recurring pattern in that good pitches from non-authors often come from journalists, and I take journo bylines very seriously. 
  • Be professional. One of the things I most regret in my early pitches was being super informal under the belief it would make me seem fun and easy to work with. I should’ve known better: the average submissions inbox is filled with unprofessional people and you don’t want to put yourself in their company. You create a question: is this guy chatty and informal, or do they just not know what they’re doing? When an agent is going through a huge volume of submissions, they don’t have time to make that distinction. 

So Where Does That Leave Us? 

Well, at the time of writing I’m still querying. If you’re reading this in 2029, tell me how well it worked out and/or whether it’s smart to invest in beachside property. I reckon I’ve probably got another 3–4 months minimum. I hate it, and I’m constantly on the verge of self-pubbing but my little goblin heart keeps pushing me back towards trad. We’ll see how it shakes out. 

You? I can’t promise you’ll sell your book, but I want you to sell your fucking book. You did a cool thing and you deserve credit for it, but that’s just not how things work. You need to brace for impact, because this is going to suck.

Good luck. 

We’re both gonna need it. 

What Hacking Actually Is

I want you to imagine you just bought a second-hand car. Let’s say, a ‘91 Toyota Corolla. It drives fine, but when you check the internals … it’s a mess. Some madman has totally rewired it based on no plan known to god nor mechanic: there’s solder everywhere; there’s blowtorch burns so extensive you can smell them on a hot day; there’s a bunch of random LEDs that don’t seem to do anything, but if you take any of them out the car won’t start. You’re convinced that this whole thing is going to explode if you take it above 55km/h.

You spend weeks rewiring it. You can’t get it to look anything like a factory model, but when you’re done you’re at least convinced you can use the cupholder without cutting your hand off. Damn, you’re good—it was a pain in the ass and you had to disassemble a string of Christmas lights for some extra LEDs, but you’re proud of your work.

If the car were a piece of software, the correct way to describe your repairs would be hacking a hack. And if somebody else managed to gain remote control of your car using an issue in the old wiring that you missed (who installs a mini-microwave under the engine? Why does the microwave have wifi?) and proceeds to plow it into a nanna crossing the road at 10am, then they’ve hacked your hacked hack.

Do you see why this is a problem?

Here’s an incomplete list of things I have heard developers call ‘a hack’:

  • Intentional unauthorised access
  • Unintentional unauthorised access
  • Any malicious code inserted into any device
  • Any exploit whatsoever
  • Good, clever, well-made code (written by you)
  • Terrible, no-good, jerry-rigged code (written by somebody else)
  • Any code whatsoever (written by anybody at all)

If it helps, consider lifehacks. We’ve all seen them: stuff like putting a rubber band around a paint can so you can wipe your brush on it. They’re probably the closest the general public gets to the tech definition of ‘hacking’—No.8 Wire solutions that look a bit janky but can do as good a job as (or a better one than) using the tool in the intended fashion. And, like software hacks, a lot of them are profoundly worthless and will make your microwave explode. An intentional hack that results in unauthorised access is, well, hacking the code—using the tools available to improvise a way into a secure area. The very first hackers were folks in the 1950s who figured out you could ‘hack’ phone lines by playing the right sounds at them to make free telephone calls. Often it involved using a high-tech “blue box” but sometimes all it took was a 5c tin whistle tuned to the right note.

I briefly mentioned ‘cracking’ in the original budget piece, and that’s a more common (if a little dated) term among developers and InfoSec folks to refer to intentional malicious penetration of a system. Some hacks are cracks, but not all cracks are hacks. Using a specific tool designed to penetrate a secure system is cracking, and probably best fits the public understanding of a ‘hack’. It isn’t a hack, though—it’s using the tool for its intended purpose.

OR Hacking and Cracking are the same and both only refer to unauthorised access, but one is good and one is bad OR it’s actually Hacking and Cracking and Packing, which is about politics and gerrymandering and not about tech, unless you decide it isn’t and start a fight about it in the Burger King parking lot OR it’s a sort of random gapfiller that helps to give shape to vague tech ideas that don’t have a name. The public definition has bled into the professional one and now it’s hard to tell what anybody is talking about. It’s a rubber band of a word: a wibbly, stretchy, useful fix in your day-to-day, but not great as a permanent solution. The word ‘hack’ is, ironically, a bit of a hack.

It gets even more complicated when—like it did with the 2019 NZ budget breach—the word crashes into the public sphere. While developers use the term too broadly, the discourse uses it far too narrowly. We’ve seen this over the last few weeks: people arguing over whether it means Intentional Unauthorised Access Against A Perfectly Secure System or whether we’re allowed to broaden it as far as Intentional Unauthorised Access Facilitated By Poor Information Security Practices, and meanwhile developers are in the corner shouting “Shit, this whole network layer is just a bunch of hacks. I hacked their hacks and now I’ve just gotta hope we don’t get hacked.”

Although just for the record, if you’re in that former camp re what hacking is, how good does security have to be before something counts as a hack? Because no encryption is perfect. One of the better forms of encryption—often used by governments and the intelligence community—is called PGP, or “Pretty Good Privacy”. The name is partly a joke, but it’s also a tacit admission of what everybody in this business knows: everything has got a back door somewhere, even PGP. Quinn Norton’s wonderful essay Everything is Broken is absolutely required reading here; there are back doors everywhere. Even if the code is perfect (which it ain’t—even the best developers in the world have bad days), that back door is a curious intern who picks up a USB in the carpark, or a security guy new enough to not know all the faces, or an IT guy with a porn addiction.

Perfect protection is impossible, and “good enough protection” by the standards of politicians and pundits is a goalpost that moves depending on who’s doing the kicking.

Which is a big part of the reason all this debate around hacking has made the actual InfoSec community so annoyed: people who don’t know what they’re talking about are using words they don’t understand to score political points. It’s also not surprising when they do it: Makhlouf and Robertson weren’t wrong when they called it a hack, nor were National wrong for saying it wasn’t. I’m not one of those “both sides have a point” guys (God forbid), but both sides in this case are right, and they’re right because the discourse sucks. They weren’t lying when they used it that way, because that’s how it’s used: to mean a different thing depending on what you need from it. They’re right because they’re haggling over the definition of an incredibly vague term that not even the people using it professionally can agree on.

It falls to us as people who actually pay attention to these things to elevate the discourse, or we’re again going to have to deal with the spectacle of the most powerful people in the country flicking rubber bands at each other and claiming they’re bullets.

Alexander Stronach is an author and editor from Wellington, New Zealand. You can find him raising hell on Twitter @understatesmen, or on the roadside shouting at passing cars.

The 2019 NZ Budget Leak: what actually happened

EDIT: This piece has gone much bigger than expected. I’m blown away. I was editing during the day to add clarifications onto the end, but I’ve gone back and worked them into the body of the text.

The Treasury data breach has been a shitshow. I don’t think I’ve ever seen a bigger disconnect between the experts and the pundits, and I don’t say that lightly. I’m not a security guy, for what it’s worth: I’m a writer at a tech firm, but I’m fascinated by security and over the last few days I’ve been talking to people who actually know their stuff. Almost unanimously they’re calling this a breach. Almost unanimously, the pundits are off shouting that it’s “not a hack!”.

Right from the start, I’m setting a rule: we’re not going to talk about “hacking”. It means totally different things to the IT sector (anything from coding at all to randomly kludged spaghetti code that really shouldn’t work) and the public (a man in a trenchcoat saying “I’m in!”), and most InfoSec types shy away from it anyway. I’m not going to bore you with the whole hacking vs cracking debate, but we’re going to call this thing what it is: a data breach.

So what happened?*¹ This is a web server:

Its job is to display web content. Every time you go online, you’re accessing content from web servers. Simple enough? This is a staging server:

It serves as a testing environment. Content intended for the public but not yet released goes on the staging server to make sure it runs smoothly for when the time comes to make it public. Some staging server content never goes live: it either didn’t work as expected or it wasn’t meant to be there, or something changed and it got pulled.

Treasury cloned their web server to make the staging server, then added the budget to it for testing. The problem is, they also cloned the index configuration: the settings that tell the search where to store its index data for later lookups. Both the web and staging servers wrote their search data to the same place, and SOLR—the program running the search function—was never told to leave the staging content out. That gave the public web server’s search bar access to the indexed information about documents on the staging server, though not to the staging documents themselves.

To illustrate, here’s the Spinoff today:

See how you get the title and the first few lines? Using the exploit on the Treasury’s site, somebody pulled snippets of the budget like that from the staging server. Critically, to do this, you would need to know the title of the section. You search for a specific heading in the web server, and it comes up with the title and the first 4-5 lines. It was, all things considered, a pretty small hole:

  1. It required the attacker to know the content was on the staging server
  2. It required the attacker to know the specific wording on the staging server
  3. Even then, it only gave them snippets

So what happened? Well, a leak. The actual leak. The budget didn’t leak: the budget’s search index leaked. That’s essentially a table of contents. The budget ToC being out in the open covered points 1 and 2 above: the fact the budget was ready to go public (thus, probably on the staging server) and a list of searchable titles and subtitles.

“Leak” is a strong word, too: it used the same headings as the 2018 budget. I’m still a little fuzzy on whether the actual index leaked (as in, got sent to the wrong place/got left out somewhere irresponsible/got made public too early) or whether somebody just heard it was the same as last year’s via the Thorndon grapevine and started punching in queries.

What about #3? Well, that’s why there were 2000 searches. They pulled 2000 snippets and put the budget together like a jigsaw. It’s not “just a search”: it’s using a leaked search index to perform 2000 searches, to take advantage of an exploit that pulled small pieces of content from a staging server, then stitching that content together in post. It’s not something Johnny Q Public could do by accident. It’s not an “open door” at all. That’s also why National got some details wrong: they didn’t have a complete picture. They had a very good outline, though. All the titles and subtitles, and the first few lines after each.
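One thing a defender can run over the site’s search log, added here as an example (not the Treasury’s tooling and not a Drupal or Solr feature): the pattern just described, one client walking through a list of headings to collect snippets, shows up as an unusually high number of distinct queries from a single source inside a short window. The log line format, the client addresses, the threshold and the sample traffic are all constructed for the example; the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real Solr or Drupal log line):
# <ISO timestamp> client=<address> q="<query>" hits=<n>
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) '
    r'client=(?P<client>\S+) q="(?P<q>[^"]*)" hits=(?P<hits>\d+)$'
)


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "q": m["q"],
        "hits": int(m["hits"]),
    }


def find_enumeration(lines, window=timedelta(minutes=10), max_distinct=50):
    """Flag clients that issue more than `max_distinct` different queries
    inside any `window`. Returns {client: peak distinct-query count}.
    Lines must already be in time order (assumption)."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, query)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dq = recent[rec["client"]]
        dq.append((rec["ts"], rec["q"]))
        # Drop entries that have fallen out of the sliding window.
        while dq and rec["ts"] - dq[0][0] > window:
            dq.popleft()
        distinct = len({q for _, q in dq})
        if distinct > max_distinct:
            flagged[rec["client"]] = max(flagged.get(rec["client"], 0), distinct)
    return flagged


def constructed_log():
    """Sample traffic, constructed: one client steps through 120 different
    headings at one query every three seconds, while an ordinary visitor
    repeats the same search a few times."""
    base = datetime(2019, 5, 28, 10, 0, 0)
    lines = []
    for i in range(120):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f'{ts:%Y-%m-%dT%H:%M:%SZ} client=198.51.100.7 q="Section {i:03d}" hits=1')
    for i in range(6):
        ts = base + timedelta(seconds=40 * i)
        lines.append(f'{ts:%Y-%m-%dT%H:%M:%SZ} client=203.0.113.9 q="budget summary" hits=3')
    lines.sort()  # ISO-8601 timestamps at the start of each line sort correctly as strings
    return lines


if __name__ == "__main__":
    for client, peak in find_enumeration(constructed_log()).items():
        print(f"{client}: {peak} distinct queries within a 10-minute window")
```

The threshold is the tunable part: an ordinary visitor rarely types more than a handful of different queries in ten minutes, so a per-client count of distinct queries separates browsing from enumeration far better than raw request volume, which a busy public site exceeds all the time.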

It’s all a bit rubbish but—to quote InfoSec luminary Adam Boileau—“it’s not rubbish if it works”.

Metaphors about the door being unlocked do us no favours, unless we really want pundits to be better-equipped to twist the actual events. Whether or not it’s a “hack” doesn’t really matter: it’s an intentional attempt to gain access to private data. It utilised an exploit to pull content that wasn’t meant to be public. It’s a breach. More than that, there are established protocols for what happens if somebody finds an exploit in government software. These rules were written by the National Party in 2014, and National failed to follow them. Their failure to follow protocol merits investigation: they let the particular use of an exploit go undetected for their own political gain. Even if the content was delivered to them anonymously by a no-good samaritan, they bear at least partial responsibility for this because they went public instead of reporting it.

Where did the Treasury fuck up?

  • They should’ve considered their SOLR configuration when they cloned their data to the staging server.
  • They probably shouldn’t have cloned their web server to begin with—making a staging server from scratch with the same dependencies might have been a pain in the ass (I’m honestly not sure: I don’t know what their dependencies look like) but it would’ve been a lot safer.
  • They could’ve been jazzier about this year’s subtitles.
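The shared-index mistake in the first bullet, and what it means to have considered the SOLR configuration, modelled as an added example in Python (this is not the Treasury’s setup, nor Drupal’s or Solr’s code; the `Doc` and `Index` names, the `env` tag and the sample titles are all constructed). The toy `Index` stands in for one search core. It shows the clone-everything configuration leaking unreleased snippets through the public search, the two ways of keeping environments apart (a separate core per environment, or an environment tag filtered at query time), and the catch with the second: a clone that keeps production’s tag satisfies the filter, which is the same trap as copying the index configuration wholesale.

```python
from dataclasses import dataclass, field
from typing import Optional

SNIPPET_CHARS = 80  # stands in for "the title and the first few lines" a search result shows


@dataclass
class Doc:
    title: str
    body: str
    env: str  # environment tag written at index time: "web" (public) or "staging" (unreleased)


@dataclass
class Index:
    """Stand-in for one search core: whatever any environment writes here
    is searchable by anyone who can query it."""
    docs: list = field(default_factory=list)

    def add(self, doc: Doc) -> None:
        self.docs.append(doc)

    def search(self, query: str, env_filter: Optional[str] = None) -> list:
        """Return (title, snippet) pairs for matching docs. A plain substring
        test stands in for a real full-text query."""
        q = query.lower()
        hits = []
        for d in self.docs:
            if env_filter is not None and d.env != env_filter:
                continue
            if q in d.title.lower() or q in d.body.lower():
                hits.append((d.title, d.body[:SNIPPET_CHARS]))
        return hits


# Constructed sample content, not real budget text.
PUBLIC_DOCS = [
    Doc("Budget 2018 - Vote Health", "Published 2018 allocation for health services ...", "web"),
]
UNRELEASED_DOCS = [
    Doc("Budget 2019 - Vote Health", "Embargoed 2019 allocation for health services ...", "staging"),
]


def build_shared_index() -> Index:
    """The misconfiguration: the staging clone keeps production's index
    settings, so both environments write into the same core."""
    idx = Index()
    for d in PUBLIC_DOCS + UNRELEASED_DOCS:
        idx.add(d)
    return idx


def build_separate_indexes() -> tuple:
    """Fix 1: one core per environment, so the public search form cannot
    reach staging content at all."""
    web, staging = Index(), Index()
    for d in PUBLIC_DOCS:
        web.add(d)
    for d in UNRELEASED_DOCS:
        staging.add(d)
    return web, staging


def public_search_misconfigured(query: str) -> list:
    """What the public site returns when the core is shared and unfiltered."""
    return build_shared_index().search(query)


def public_search_separate_cores(query: str) -> list:
    """What the public site returns with its own core."""
    web, _ = build_separate_indexes()
    return web.search(query)


def public_search_env_filtered(query: str) -> list:
    """Fix 2 (defence in depth): even on a shared core, the public site only
    asks for documents carrying its own environment tag."""
    return build_shared_index().search(query, env_filter="web")


def clone_without_retagging() -> list:
    """The trap the filter does not cover: staging content that was cloned
    from production keeps the "web" tag, so the filter lets it through."""
    idx = Index()
    for d in PUBLIC_DOCS:
        idx.add(d)
    for d in UNRELEASED_DOCS:
        idx.add(Doc(d.title, d.body, "web"))  # tag copied from production, never changed
    return idx.search("Vote Health", env_filter="web")


if __name__ == "__main__":
    print("shared core:   ", public_search_misconfigured("Budget 2019"))
    print("separate cores:", public_search_separate_cores("Budget 2019"))
    print("env filter:    ", public_search_env_filtered("Budget 2019"))
    print("cloned tag:    ", clone_without_retagging())
```

The first fix is the one to reach for: a staging environment that points at its own core cannot leak through the public search no matter what gets cloned onto it. The tag filter is worth keeping as a second layer, but only if provisioning a staging copy rewrites the tag as part of the clone, which is the step a straight copy of the index configuration skips.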

Where did the National Party fuck up?

  • They identified an exploit but—instead of following CERT protocol—they used it for their own personal gain.

I’m not gonna lie, it’s bad. Somebody dropped the ball, and somebody else put a knife into it.

Still, I do not believe Simon Bridges has committed a crime, nor has he committed Breach of Confidence. He has violated his CERT obligations, which at worst means he’ll get a strongly-worded nonbinding letter from MBIE telling him not to do it again. He did a bad thing, but not all bad things result in him being removed from Parliament in a paddy wagon. To quote one of my anonymous sources: “he’s an asshole, not a criminal.”

It’s still ridiculous that pundits are calling for heads to roll. At the end of the day, it wasn’t a big deal. Grant Robertson shrugged and moved on. The Treasury were right: what harm could somebody actually do by using that exploit? Release a half-complete version of the document a day early?

By the by, it’s not dodgy or extreme that anybody called it a ‘hack’. If there’s a problem with the word, it’s not that it doesn’t mean this, it’s that it does mean this because it’s a vague word that means wildly different things to different people. Not all hacking is a man in a trenchcoat typing into a green/black Linux CLI then saying “I’m in!”—it’s not rubbish if it works. Makhlouf and Robertson could’ve maybe been more precise with their language but that’s not a crime either.

And then, of course, the pundits got to it. Either the Treasury were little angels who did no wrong, or they were cringing fools who dropped a box of printed budgets off at the top of Lambton Quay. What we actually have here is a pattern pretty typical of data breaches: a small screwup like improper SOLR config gave an attacker access to data they shouldn’t have had. I’m sure somebody is going to shout at me that it wasn’t a small mistake, but unless they can explain how to correctly configure Apache SOLR in a Drupal installation so it doesn’t allow partial read access to cloned data in a staging server then they can fuck right off with their piety and condescension. It’s a screwup for sure, but the people talking about “open doors” need to pull their heads in.

What’s really happening is that the pundits smell blood in the water, and they don’t care what actually happened—they just want an excuse to sink their teeth in.

Same old NZPol, I guess.

If you like what you’re reading, stick around and check out some of my fiction, or follow me @understatesmen on Twitter.

*¹ most of this is coming through various DMs and actually talking to people. I am willing to admit I might’ve muddied the details, though I’ve done my best and at the very least—talking to actual experts and having a tech background—I’m doing a better job than the lukewarm tech reckons of blokes who struggle to operate a washing machine.

Credit for assistance to Sana Oshika, and the others who preferred to go unnamed.