The publication of allegedly stolen, private photographs by Fairfax Online was eclipsed in stupidity only by the QLD Police Service's decision to seize the iPad of journalist Ben Grubb at the AusCERT conference on Tuesday.

Every time the coppers raid media organisations to seize computers and documents in order to track down, say, the source of an embarrassing political leak, it pisses me off something awful.

The lack of respect shown to the media and its sources by governments in this country, both state and federal, is pretty astonishing.

The Australian Federal Police (AFP) actually investigates public service leaks that harm nothing more than the incumbent's polling figures. It's ridiculous. A media that operates freely of this sort of intimidation is vital to maintaining a healthy democracy.

As for the Ben Grubb incident, it's my view that police should simply not have the powers at their disposal that enabled them to seize his iPad in connection with an investigation into the alleged theft of private photos from a Facebook account.

Background on that is here if you need it.

Despite the fact there's an argument brewing about whether QLD Police actually acted within the law in seizing Ben's gadget, the action, in my view, was categorically the wrong thing for the police to do.

Some of you out there on teh Twitters got up me yesterday over my failure to discuss the media freedom aspect of this whole AusCERT-gate thingamajig.

I didn't bother because the police were just acting like police. The whole thing was just so predictable. It's what happens in any jurisdiction that hasn't passed shield laws.

In this instance, it seems likely the intention of the officers in seizing the device was to obtain evidence to use against another individual. In fact, the coppers likely knew the evidence was on the iPad because Ben may have showed it to them himself! It's not explicitly stated in his piece, but you get the impression it's possible he pulled up some correspondence on his tablet.

It's likely that when they realised that a treasure-trove of evidence was likely stored on the iPad (correspondence between Ben and his source pertaining to a security conference presentation that may have crossed a few lines), they asked Ben to surrender it and he refused.

That's when they arrested him in a meeting room at AusCERT for a short time and seized his iPad.

The police claim they were within their rights to seize the iPad because it had allegedly stolen photos on it; tainted goods.

It's a clumsy argument, but it's a great example of coppers doing what coppers do -- taking the shortest path from A to B. Should they be allowed to do that? Absolutely not. Can you understand why they did? Absolutely!

It's also a bit difficult to defend Fairfax chose to publish allegedly stolen private photos. It gets REALLY difficult to defend Fairfax when you find out that the subject of the allegedly stolen photo contacted the editorial team and asked them to remove the private photo and they refused.

I know this because the subject of the photo told me.

It gets IMPOSSIBLE to defend Fairfax when we hear its justification for publishing the photos: It had legal advice that as the photos were published "on the Internet" they were fair game, regardless of whether they were posted to a private photo album on Facebook.

(NOTE: It's possible that the image in question was obtained by Fairfax via a Facebook Content Distribution Network URL that had been brute-forced during the research done during for Sunday's presentation. Technically that would mean the image was "on the Internet" and available without authentication, so probably fair game legally, but ethical questions remain.)

Legal advice aside, I'm amazed they didn't realise what 24-karat knobs they were being. Needlessly publishing private material is just a really shitty thing to do. One of the photos featured the subject and his young child. Sure, they blurred the child's face, but it was a private photo.

To keep the photos up there AFTER the subject and owner of the image copyright has asked you to remove it is tabloid asshattery at its most extreme. Sure, they cropped out the kid after an angry phone call, but they left the allegedly private picture identifying the subject up.

So are the laws that allowed the coppers to seize Ben's iPad daft? Yes. Were the coppers themselves acting like supreme dopes when they briefly detained Ben? Yes.

But really, if you had the ringside view I did when this whole thing played out, you'd find it a bit tough to muster up much sympathy for Fairfax and its now iPadless journalist Ben Grubb.

The nice side affect of the big hoo-ha is it's brought up a debate on press freedom in Australia. If anything, this whole episode will nudge proposed shield laws along quite nicely.

We need those shield laws to pass to prevent this sort of idiocy.

So to end with the same summary that accompanied yesterday's piece: Meh.

Well, hasn't this been an interesting AusCERT...

If you haven't heard by now, Fairfax IT journalist Ben Grubb was briefly detained by QLD police yesterday afternoon in connection to a BSides Australia security presentation delivered on Sunday.

The presentation, by Christian Heinrich, demonstrated a brute-force attack against Facebook's Content Distribution Network. I didn't see the presentation myself, but the long and short of it is the vulnerability demonstrated allows the attacker to obtain Facebook users' private photos.

So how did the police become involved?

Well it's no secret that Christian doesn't particularly enjoy the company of Chris Gatford, a security consultant who runs a small outfit called HackLabs.

I should point out right now that I, myself, don't particularly enjoy Christian's company. In the past he has been a very vocal critic of the Risky Business podcast and me in particular. I don't like him, and I'm fairly certain he doesn't like me.

Where the presentation became an issue for police is when Christian demonstrated the attack against Gatford's wife's Facebook account. He brute-forced some of her photos and displayed a photo of Chris with his young son to the BSides attendees.

I believe he may have blurred out the child's photo, but I haven't confirmed that.

Chris Gatford was livid.

Most of the journalists attending the conference were aware of the presentation but chose not to pursue it as a story. It looked like a case of rivalry between two guys who don't particularly like each other. The Facebook bug is a good one and I planned to mention it in the show, but the angle around the photos, in my view, just wasn't worth bringing to the world's attention.

Sydney Morning Herald online reporter Ben Grubb took a different view.

He published this story, along with the photo of Chris Gatford and his son.

The face of Chris's child was definitely blurred for publication, but I believe posting it was a poor decision on Fairfax's behalf. The Herald editors eventually cropped Gatford's child from the picture, then pulled the picture in its entirety later.

So why was Ben detained?

Well it seems he had been in communication with Heinrich in regard to the attack against Gatford's wife's Facebook account. It is my belief that Ben was detained and his iPad seized so the police could obtain evidence from the iPad in order to consider the preparation of a prosecution brief against Heinrich. This is just my suspicion -- I don't have any solid evidence at all to suggest that a prosecution brief is being prepared or that Heinrich has broken any laws.

If the police decide to pursue the matter, it's possible there could be some issues around unauthorised access to data. A solicitor also might have an opinion on whether cyber-bullying laws apply here -- using a carriage service provider to stalk, intimidate or harass -- that sort of thing. Those offences are taken quite seriously under Australian law. To be clear, at this point no one has suggested that Heinrich has used the Internet to stalk, intimidate or harass anyone.

The reason it was easy for the coppers to seize Ben's iPad is it may be possible for the police to argue he had committed an offence that's in some way equivalent to being in possession of stolen goods, the photos. I sincerely doubt he will be charged with anything, and it remains to see if a prosecution is brought against Christian. It may not be.

And that's pretty much it. Brian Hay of QLD police did a press conference this morning that I didn't bother attending. Of course this whole event is getting way more attention than it should.

It's also important to note that Heinrich's presentation was to BSides Australia, a pre-AusCERT event. It wasn't an AusCERT talk as has been reported.

I haven't approached anyone to ask them for a response to this post. It's just a summary of what I believe to be the case. I'm sick with a cold, jetlagged as hell, and frankly there's other work I'd rather be focussing on.

To sum up: Meh.

You're about to hear a full presentation recorded at the AusCERT conference. Scott McIntyre is a recent immigrant to Australia... he used to work for XS4all in the Netherlands, but these days he works as the Senior Technology Architecture Specialist in Security Operations for Telstra in Melbourne. His presentation is all about his views though, not those of Telstra. Disclaimer. Etc.

You're about to hear a full presentation recorded at the AusCERT conference: a great presentation by Mark Newton, an engineer with Internode, all about IPv6 security.

Our coverage of the conference is brought to you by the fine folks at Microsoft -- without their support, there would be no AusCERT podcasts, so big thanks to MS!

This podcast is an AusCERT talk by Ian Appleby. He's the Information Security Manager at Endeavour Energy and he's responsible for the security of its Corporate and SCADA Systems.

In this interview we hear from Tim Hudson, an independent cryptography dude, who, as you'll hear, may or may not have worked on Queensland's Smart Card drivers license project. Absurdly, on legal advice, he can't actually tell us if he worked on that project.

You're about to hear a presentation by Jason Larsen, a security researcher at the Idaho National Laboratory. The INL is run by the US Department of Energy and is home to the National SCADA Testbed (NSTB) and the Industrial Control System CERT(ICS-CERT).

You're about to hear an excerpt from the opening keynote from the AusCERT conference by comedian Bennett Arron.

In this interview we're chatting with Wade Alcorn. By day he's NGS Security's general manager for Asia Pacific, but by night he's out there maintaining BeEF -- the browser exploitation framework.

This week's show was cut together from Johannesburg, South Africa!

This week's show is a bit shorter than usual. We'll check in with Adam Boileau to discuss the week's news headlines and catch up with Tenable Network Security CEO Ron Gula in this week's sponsor interview.

On this week's show we're taking a look at Verizon Business Security Solutions' annual Data Breach Investigation Report. We'll be joined by both Bryan Sartin for a global perspective on the report, and by his Australian counterpart Mark Goudie, who'll give us a local perspective.

This is something I haven't seen picked up much by the tech press writ large: Invisible Things Lab, headed by Joanna Rutkowska, has released a new Linux distro called Qubes.

UPDATE: Qubes has been around in alpha form for a bit, but this is the first beta release...

It uses hypervisor partitioning to give you that warm, fuzzy feeling that comes with operating in a virtualised environment. Heise Online has a nice little writeup here and you can find the beta here.

This is a really interesting release. If this OS turns out to be workable I suspect major software developers will take a bit of notice. I've been prattling on about the need for desktop operating systems to make use of virtualisation for greater security for yonks. Now we get to see what that looks like.

If you've had a play with it, let me know what you think.

This week's show is a doozie!

Risky Business has been judged Australia's Best Technology Audio Program for a second year in a row.

The Lizzies, Australia's awards for technology journalism, are run by media services company MediaConnect, with each gong judged by a panel of three technology journalists.

Risky.Biz edged out entries from Sydney-based radio station 2GB, CNet/ZDNet and others.

Big thanks to the listeners, sponsors, guests and everyone who's helped out since the podcast launched back in early 2007.

Episode 190 of the Risky Business podcast is brought to you by our good buddies at Astaro.

This week's show is brought to you by NetWitness.

On this week's show we're mostly focussing on news! It's been a massive week in news -- we've had AT&T users' Facebook data being re-routed through China, we've had more speculation on the RSA hack, Comodo has been busted dishing out trusted SSL certificates for gmail.com to a box in Iran, there's a stack of SCADA 0day being dropped, there's people going to prison, giant rats eating entire data centres.... ok, well I made the last bit up, but the rest of it, if you can believe it, is true!

It's episode 187, the homicide edition, and RSA conveniently falls victim to a drive by. Thanks guys!