I’m bored, AusCERT: Kick it up a notch


Consider us vastly amused by the storm in a teacup currently embroiling the AusCERT security conference in Queensland this week, which — while it is the nation’s premier security confab — has lacked a decent scandal for years. Thank God — it’s about time!

This one ticks all the right boxes … feuding security experts, a break-in to the Facebook profile of one of their wives (what, precisely, were the scandalous photos of?), public demonstrations of semi-illicit security techniques and most of all, the botched arrest of an attending technology journalist and confiscation of his incriminating iPad. As the Germans would say, drama, baby, drama! The complete story can be found at The Sydney Morning Herald:

“In a presentation entitled “For God Your Soul… For Me Your Flesh” at the AusCERT security conference on the Gold Coast, security expert Christian Heinrich demonstrated how he had gained access to the privacy-protected Facebook photos of the wife of HackLabs director Chris Gatford.”

And, as it houses the journalist who was arrested, you can find Fairfax’s high-minded defence of its right to practice journalism here. A somewhat feeble defence of Queensland Police’s actions can be found on video here and a statement is also planned on — oh, the irony — Facebook here.

Now the first thing we think about this whole event is how amusing the incessant attention on such a small issue is. Security conferences have a long history of featuring borderline illegal talks, but only in Queensland — and only at the watered down AusCERT conference — would it be possible for the hacking of someone’s wife’s Facebook page to rate a mention. Heard about Black Hat in the US, for instance? Sure you have. Let’s quote from Wikipedia:

“Black Hat is known for the antics of its hacker contingent, and the disclosures brought in its talks. Conference attendees have been known to hijack wireless connections of the hotels, hack hotel TV billing systems, and even hack the Automatic Teller Machine in a hotel lobby. In 2009, Web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and sensitive documents were exposed on the vandalized site of Dan Kaminsky, days before the conference.

In the past, companies have attempted to bar researchers from disclosing vital information about their products. At Black Hat 2005, Cisco Systems tried to stop researcher Michael Lynn from speaking about a vulnerability that he said could let hackers virtually shut down the Internet.”

Yup. You can bet the Feds are watching that one. In this context, to the international security community, Heinrich and Gatford’s little spat (I’ve spoken with both over the years, and they’re great guys, by the way) would appear to be little more than a college prank. And that’s how the broader technology industry and the authorities should see it too.

It truly shows how far away from addressing really serious security threats the Queensland Police’s vaunted fraud squad is if it can be bothered making the effort to harass Heinrich and Gatford over the issue … and their botched attempt to seize the evidence from SMH journalist Ben Grubb could also be described as amateurish at best. Haven’t they got anything better to do than menace a journalist for his iPad?

As for Grubb and Fairfax, well, you would expect any media outlet which has had one of its journalists arrested to make a huge stink about it, although the Sydney Morning Herald’s reaction has been fairly moderate. But the instant attention the issue has received from the rest of the media, shocked that “a journalist” has been arrested, smells of an attempt to rally the wagons around the dying fire of idealistic journalism, before the encroaching horde of book burners and censorship Nazis marches in, in their black trenchcoats.

If Grubb had been arrested uncovering a corruption scandal, such a response would be justified. But I think even the Queensland Police realised straight away after they picked Grubb up that the story wasn’t worth making this much of a fuss over.

Now what I would really like to see from AusCERT next year is a much bigger scandal. Let’s see Gatford demonstrate how encryption software can be broken through with brute force, by hijacking all of the University of Queensland’s computer laboratories with a massive, Russian-backed botnet and using it to crack Heinrich’s personal laptop, thereby exposing his scandalous Hello Kitty-branded stocking fetish to the world in a glorious retaliation, before being dragged off in chains, with the leather jackboot of Queensland Police fraud chief Brian Hay pinioning his neck to the ground, the whole lot to make the front page of every newspaper and mouthy blog in the land. That would be satisfyingly high-profile.

Please note: Before you send the police to the Delimiter HQ, Brian, keep in mind that this article is not incitement — it comes under the heading of satire. I don’t seriously expect or want actual crimes with actual injured parties to be committed at AusCERT.

But if AusCERT truly does aspire to become an international security conference of note and take pride of place amongst Black Hat and the others … we should at least expect to be entertained.

Image credit: Jim Crossley, Creative Commons


  1. There seem to be two issues here: one is the arrest, the second is the obtaining of a digital copy of something that was lifted from a ‘public’ URL, that had no encryption around it and could be found by knowing (or guessing) the URL

    • Arguably the facebook CDN URL did contain an encryption (albeit, a weak one). It did take the ‘hacker’ a few days to brute force the ‘key’.

      • I can go into facebook, view a private photo and copy the url for it and paste it out and you’ll be able to see the image.

        So by me being allowed to view the photo you mean I’m already unlocking the encryption and I’m posting an unencrypted photo?

        • If you view a ‘private’ photo for which you already have authority and choose to publish it outside using the URL with the embedded key, it’s not ‘hacking’.

          No different from taking a screen capture of the photo and posting it in your own website.

          But what happened in the conference was that someone obtained access to a private photo in which he did not have the authority.

  2. PointZeroOne, there is a third issue. The ethically dubious use of an image by a journalist when the Privacy section of the SMH/Fairfax media company suggests that it is a clear case where the image should not be used.
