Big W infecting photo printing customers?

Fuji photo printing kiosks at Big W apparently infecting customers with malware...
Photo kiosks in Big W stores are allegedly infecting customers with USB-borne viruses.

The Windows-based Fuji photo kiosks located in the company's stores apparently don't run antivirus software, so lovely little bits of malicious software like Trojan.Poison-36 are winding up on customers' USB keys, according to Risky Business listener and blogger Morgan Storey.

On its own, an isolated incident of a photo kiosk infecting a USB device might not be newsworthy. But what makes this item stick out is Big W's reply to Morgan after he notified the company of the issue:

That's right folks, Big W, a subsidiary of Woolworths, didn't think it necessary to install antivirus on its photo printing kiosks. Sure, they're evaluating AV now, but blind Freddy could have seen this problem coming last year when the kiosks were installed.

What the hell were they thinking?

It's not just the lack of AV that's the problem. As Morgan points out, it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all?
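One way to act on that read-only suggestion on a Windows kiosk, as an added example that is not Big W's or Fuji's own configuration: Windows (XP SP2 and later) honours a StorageDevicePolicies\WriteProtect registry value that makes the OS refuse writes to USB mass-storage devices. The function names are ours, and the script assumes it is run from an elevated PowerShell on the kiosk image.

```powershell
# Added example: make USB mass-storage devices read-only on a Windows kiosk
# via the StorageDevicePolicies\WriteProtect registry value (XP SP2 and later).
# Run as Administrator. Not Big W's or Fuji's configuration; function names are assumed.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-RemovableWriteProtect {
    param([bool]$Enabled = $true)
    if (-not (Test-Path $PolicyKey)) {
        # The key is absent on a default install; create it first.
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Value $value -Type DWord
}

function Test-RemovableWriteProtect {
    # Returns $true only when the policy key exists and WriteProtect is switched on.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.WriteProtect -eq 1)
}

Set-RemovableWriteProtect -Enabled $true
if (Test-RemovableWriteProtect) {
    Write-Output 'USB mass storage is now write-protected; reinsert any drive already plugged in.'
} else {
    Write-Warning 'WriteProtect policy was not applied; check that this shell is elevated.'
}
```

The policy stops the kiosk from writing to a customer's key; it does nothing about malware already on the kiosk, so antivirus and patching are still needed alongside it.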

Risky.Biz has so far been unable to confirm Morgan's post with Big W. According to the company's HQ the PR guy doesn't like being phoned and only takes media requests via e-mail. Seems an odd way to conduct PR, but hey, each to their own.

Risky.Biz e-mailed a series of questions to Big W at lunchtime today but as yet they remain unanswered.

It would be interesting to find out which company -- Fuji, Big W or even some other third party -- is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning.

BLOG POST: Wired takes pot shot at Wikileaks

Infantile rivalry, pissing contest emerge...

I've followed with great interest Wired.com's coverage of the arrest of Private Bradley Manning, the young American soldier who allegedly leaked reams of classified US military material to Wikileaks.

I've also watched in disbelief as Wikileaks has lashed out at Wired.com journalist Kevin Poulsen, suggesting he somehow acted unethically in his reporting of the arrest.

In my mind all he did was scoop other outlets with the news of Manning's troubles. That's not unethical, that's just good journalism.

The Wikileaks Twitter account disagreed, suggesting there's a "special place in hell" for journalists like Poulsen and Adrian Lamo, the one-time greyhat hacker who turned Manning in.

Wikileaks founder Julian Assange is most likely the author of those infantile tweets.

Poulsen's reporting was excellent. My guess is Assange just didn't like the story. But instead of turning the other cheek, Wired.com has apparently fired back.

This piece by the Website's journalist Ryan Singel -- it would look bad if penned by Poulsen, after all -- breaks the news of Wikileaks' apparently broken submission process.

While unquestionably newsworthy, the article reads like a classic attack piece, dripping with sarcasm. It's mocking.

In my view it is intended, clearly, to go beyond describing the broken submission process and portray Wikileaks as an unprofessional organisation undeserving of the "mostly-laudatory media portraying Wikileaks as a fearless, unstoppable outlet for documents that embarrass corporations and overbearing governments".

My guess is if Wikileaks is indeed sitting on 260,000 leaked diplomatic cables that describe, in painstaking detail, every example of skulduggery the US government has inflicted upon the Middle East in the last decade, a broken SSL cert is probably the last thing on its mind.

They might be more worried about, you know, the CIA death squads on their ass.

If Wired wants to hold the high ground in this little pissing contest it needs to be much more careful. The article makes no mention of the spat between Wired.com and Wikileaks and that's a big pile-o-fail, right there. That sort of thing needs to be disclosed to readers.

While we might expect this sort of behaviour from a pseudo-activist organisation like Wikileaks, we deserve better from a professional media organisation.

As for Wikileaks, keep 'dem docs coming.

We'll ignore your ridiculously biased contextualising of leaks if you keep giving us unedited source material.

You're not a professional news organisation that needs to be held to the same standard as Wired. Be as infantile as you want on Twitter.

(Wikileaks has denied the Wired story, saying its submission process is being upgraded to "deal with growth".)

Click here to listen to Risky.Biz's interview with former grey-hat hacker Adrian Lamo about his decision to turn in Manning.


Risky Business #155 -- Can AusCERT survive?

The gloves come off as CERT Australia and AusCERT duke it out...

On this week's show we take a look at Australia's CERT wars. The Australian government has more or less declared AusCERT dead. It says its new group, CERT Australia, which is run out of the Attorney General's Department, will act as the sole point of contact for organisations in Australia when seeking CERT services or coordination.

Risky Business #154 -- Adrian Lamo: Why I turned informer

Lamo explains why he turned in alleged "Collateral Murder" video leaker Bradley Manning...

In this week's feature interview we chat with Adrian Lamo. Best known as the "homeless hacker," Lamo is in the news again over his decision to inform on US Army Specialist Bradley Manning, the alleged leaker of the so-called "Collateral Murder" video published by Wikileaks in April.

UNCUT: AFP says Facebook putting "lives at risk"

Is Facebook running out of friends? Hur hur.

The following is a longer, uncut version of a story that appeared on the front pages of The Age and Sydney Morning Herald yesterday.

Facebook's woeful relationship with law enforcement bodies is hampering police investigations and putting lives at risk, the Australian Federal Police says.

AFP assistant commissioner and head of high tech crime operations Neil Gaughan will fly to Washington DC today for a high level meeting convened by the US Department of Justice in which senior law enforcement officials from around the world will discuss their concerns with the social networking website.

Both state and federal police have told The Age the company has been unwilling to provide police with the intelligence they need for investigations. They want Facebook to appoint a dedicated law enforcement liaison in Australia who can match user accounts suspected of criminal activity to physical Internet addresses, for example.

''This [current] situation could lead to loss of life, there's no doubt about that at all,'' Mr. Gaughan told The Age. ''It's just a matter of time.''

However Facebook doused expectations of such a hire in a statement issued to The Age. ''Facebook does not put [law enforcement] people in every country where Facebook has users; it's just not the way companies scale,'' the statement said.

A senior investigator with a state police service said Facebook was prepared to assist officers when someone's life was in danger, but otherwise ''they give you the bird,'' he said.

''They only comply to subpoenas issued by a US court,'' said the investigator, who did not wish to be identified.

Police services have also demanded Facebook's law enforcement guidelines document be brought into line with Australian law and legal terminology. Mr. Gaughan said that in one case Facebook had ignored an Australian warrant because it was issued by a judicial officer rather than a court as its current guidelines require.

''Information was not provided and it slowed down our ability to... obtain a search warrant for a premises,'' Mr. Gaughan said. ''In this instance we still got the result but much slower than should have been the case.''

Facebook has recently faced criticism over the vandalism of tribute pages set up to honour the victims of crime. Pages dedicated to slain teenagers Elliot Fletcher, Michele Morrissey and murdered child Trinity Bates among others were defaced.

On Monday night Senator Stephen Conroy lambasted the site over its ''complete disregard'' for its members' privacy during a senate estimates hearing, and the company is facing intense media scrutiny following the death two weeks ago of Sydney teenager Nona Belomesoff, who met her alleged killer, a man posing as a wildlife carer, via Facebook.

The trial of Melbourne man Ron Felicite, who killed his wife over her involvement with a man she met via the social networking site, has also made headlines and the company is weathering a grassroots backlash over controversial changes to its privacy policy.

''It's not only Australia where we're having these issues with Facebook,'' Mr. Gaughan says. ''I know it's a significant problem in the UK... what I'm hearing from my US and Canadian counterparts is this is also an issue for them.''

Senior law enforcement representatives from the UK, USA and Canada will also attend the meeting in Washington on Thursday, which will be chaired by the US Department of Justice National Coordinator for Child Protection and Interdiction Ms. Francey Hakes.

Facebook's rival social networking site MySpace did have a dedicated law enforcement liaison in Australia, Mr. David Batch. He was made redundant last year following the site's decline in market share.

Mr. Batch, a former AFP agent, said he had worked closely with police. ''The only service I could provide was an intelligence service... but that was enough to keep law enforcement on side and happy,'' he says.

''Nine times out of 10, intelligence would be enough to get [investigations] over the line.''

Police can use such intelligence to locate suspected offenders and then to apply for search warrants to gain access to the suspect's computer, for example. But such intelligence cannot be used as evidence in a trial -- only evidence collected via the Mutual Assistance in Criminal Matters Act of 1987 can be used in court.

Under the complicated mutual assistance regime police requests for correctly formatted, admissible evidence are funnelled between the Attorneys General in each country.

Mr. Batch says a request via the mutual assistance act typically takes 6-18 months to be returned.

In a written statement Facebook said it works closely with the Attorney General's Department and the AFP to make ''our law enforcement requests as efficient and helpful as possible''. The company said it dedicated ''significant resource to Australian law enforcement relationship building and information processing''.

RB2: AusCERT interview: Google drops the ball

Google doesn't filter easily detectable malicious links...

In this podcast you'll hear an interview I did with ZScaler's Michael Sutton. In it he expresses frustration that criminals are able to so easily manipulate Google's search results for trending topics.

AusCERT interview: Ben Mosse on vulnerability mitigations

DEP and ASLR have done more than patching, Mosse argues...

In this interview you'll hear me having a quick chat to Stratsec's Ben Mosse about vulnerability mitigation in Windows. Cutting a long story short, he reckons measures like DEP and ASLR work quite well, and it's only a matter of time before more, similar protections are introduced.

IBM distributes malware-infested freebies at AusCERT

IBM "pulls a Telstra," red faces everywhere...

Risky.Biz has confirmed IBM staff distributed malware-infected USB drives at the AusCERT security conference this week.

In a highly embarrassing admission, the company has sent a broadcast e-mail to all AusCERT attendees warning them of the security lapse.

"At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth," the message reads. "Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."

IBM is not the first company to distribute malware at AusCERT -- Australian telco Telstra did exactly the same thing in 2008.

Risky.Biz confirmed the authenticity of the e-mail message with IBM.
