The big BSides Facebook hoo-ha

Written by

Patrick Gray

CEO and Publisher

Well, hasn't this been an interesting AusCERT...

If you haven't heard by now, Fairfax IT journalist Ben Grubb was briefly detained by QLD police yesterday afternoon in connection to a BSides Australia security presentation delivered on Sunday.

The presentation, by Christian Heinrich, demonstrated a brute-force attack against Facebook's Content Distribution Network. I didn't see the presentation myself, but the long and short of it is the vulnerability demonstrated allows the attacker to obtain Facebook users' private photos.

So how did the police become involved?

Well, it's no secret that Christian doesn't particularly enjoy the company of Chris Gatford, a security consultant who runs a small outfit called HackLabs.

I should point out right now that I, myself, don't particularly enjoy Christian's company. In the past he has been a very vocal critic of the Risky Business podcast and me in particular. I don't like him, and I'm fairly certain he doesn't like me.

Where the presentation became an issue for police is when Christian demonstrated the attack against Gatford's wife's Facebook account. He brute-forced some of her photos and displayed a photo of Chris with his young son to the BSides attendees.

I believe he may have blurred out the child's photo, but I haven't confirmed that.

Chris Gatford was livid.

Most of the journalists attending the conference were aware of the presentation but chose not to pursue it as a story. It looked like a case of rivalry between two guys who don't particularly like each other. The Facebook bug is a good one and I planned to mention it in the show, but the angle around the photos, in my view, just wasn't worth bringing to the world's attention.

Sydney Morning Herald online reporter Ben Grubb took a different view.

He published this story, along with the photo of Chris Gatford and his son.

The face of Chris's child was definitely blurred for publication, but I believe posting it was a poor decision on Fairfax's behalf. The Herald editors eventually cropped Gatford's child from the picture, then pulled the picture in its entirety later.

So why was Ben detained?

Well, it seems he had been in communication with Heinrich in regard to the attack against Gatford's wife's Facebook account. It is my belief that Ben was detained and his iPad seized so the police could obtain evidence from the iPad in order to consider the preparation of a prosecution brief against Heinrich. This is just my suspicion -- I don't have any solid evidence at all to suggest that a prosecution brief is being prepared or that Heinrich has broken any laws.

If the police decide to pursue the matter, it's possible there could be some issues around unauthorised access to data. A solicitor also might have an opinion on whether cyber-bullying laws apply here -- using a carriage service provider to stalk, intimidate or harass -- that sort of thing. Those offences are taken quite seriously under Australian law. To be clear, at this point no one has suggested that Heinrich has used the Internet to stalk, intimidate or harass anyone.

The reason it was easy for the coppers to seize Ben's iPad is that it may be possible for the police to argue he had committed an offence that's in some way equivalent to being in possession of stolen goods, the photos. I sincerely doubt he will be charged with anything, and it remains to be seen if a prosecution is brought against Christian. It may not be.

And that's pretty much it. Brian Hay of QLD police did a press conference this morning that I didn't bother attending. Of course this whole event is getting way more attention than it should.

It's also important to note that Heinrich's presentation was to BSides Australia, a pre-AusCERT event. It wasn't an AusCERT talk as has been reported.

I haven't approached anyone to ask them for a response to this post. It's just a summary of what I believe to be the case. I'm sick with a cold, jetlagged as hell, and frankly there's other work I'd rather be focussing on.

To sum up: Meh.