Wednesday, 18 May 2011

What happened to Ben Grubb and Christian Heinrich at Auscert 2011?

There is lots of buzz about Ben Grubb getting 'arrested' at Auscert yesterday:

I've been arrested by Queensland Police for a story I wrote today. They've also seized my iPad. #AusCERT

So what actually happened?

On Sunday, before the start of Auscert, Security B-Sides was held at Royal Pines resort. The B-Sides were a series of short presentations that weren't part of Auscert, were independently run and were free to attend. Only about 20 people attended these.

Christian Heinrich @cmlh gave a presentation entitled "For God Your Soul... For Me Your Flesh". In the presentation Christian disclosed some vulnerabilities affecting Myspace, Flickr and Facebook. In the case of the Flickr and Facebook vulnerability, Christian was able to demonstrate the accessing of private images. Christian deliberately chose to compromise photos belong to Chris Gatford's wife... photos of Chris. One of the photos Christian accessed had Chris's child in it and Christian had obscured the child. Chritian and Chris aren't on good terms... Christian explained this, he also said that he'd told Chris that he was going to target his account. A number of people (including myself) tweeted the presentation.
As a 'test subject' @cmlh gained access to photos belonging to @ChrisGatford on Flickr and Facebook #bsidesau #auscert

My recollection is that Ben Grubb, a journalist for didn't attend the presentation by Christian, but arrived after it was finished. After the presentations were finished for the day Ben interviewed Christian for an article that would be published on on Tuesday.

That article now has no image associated with it, but when it was initially published it contained the image that Christian had obtained from Chris Gatford wife's Facebook account, the child was obscured in this photo also.

Christian Heinrich left Auscert around lunch time on Tuesday.

Late in the afternoon of Tuesday, after the conference sessions had finished, Queensland Police approached Ben Grubb. I didn't see it. I don't know what was said. I don't know if Ben was arrested, detained, or questioned or for how long.

After Ben sent out the tweet saying he had been arrested the #auscert hashtag went crazy with lots of questions being asked about Ben. As I was still at the auscert conference venue I wandered down to the media room to find out what had happened. Ben wasn't aware of the concerns or the questions on Twitter as his phone, that he'd previously tweeted from, was flat and his iPad had been taken by Queensland Police. Ben was visibly shaken and clearly under the impression that he had been arrested (if only temporarily) and released; he didn't talk about what he had discussed with Queensland Police. From my judgement of Ben and others demeanour it didn't seem that Queensland Police just had some friendly questions for him.

I imagine there is more to happen in this story when police catch up with Christian Heinrich.

Was what Christian did ethical? In my mind, no.
Was it legal? Probably not.
Did QPS intimidate Ben Grubb? It would seem so to me.
Should Ben Grubb have a case to answer to police? To me, it seems like QPS are shooting the messenger.
Can police just sieze someones iPad like that? They seem to think so.

Monday, 25 October 2010

Auto Start Hulu and VPN from Windows 7 Media Center

The info below will give you the necessary information to add a button to Media Center to start Hulu, but do some other nice stuff along the way (like start a VPN and change the power scheme)

I run Windows 7 Media Center on my primary TV & enjoy using it to watch Hulu, but unfortunately every time I want to start Hulu I've got to reach for the keyboard because I'll typically want to run a VPN connection first, so I created a short batch file to perform the necessary tasks for me. My batch file looks like this:

taskkill /IM "ehshell.exe"
ping -n 20 -w 1000 > nul
powercfg -s 90729505-f061-4a2d-9304-adb0f3b267ab
rasdial "StrongVPN" username password
start /WAIT %LOCALAPPDATA%\HuluDesktop\instances\\HuluDesktop.exe
rasdial "StrongVPN" /disconnect
powercfg -s 381b4222-f694-41f0-9685-ff5bb260df2e
start C:\Windows\ehome\ehshell.exe

Stepping through the file, this is whats happening:

taskkill /IM "ehshell.exe"
This juts kills Windows 7 Media Center - I don't want it to run in the background or else it will steal focus.

ping -n 20 -w 1000 > nul
This pauses for 20 seconds (maybe there is a better way to add a wait command to a batch file, but this works) while Media Center shuts down.

powercfg -s 90729505-f061-4a2d-9304-adb0f3b267ab
This changes my power saving settings so that my screen doesn't turn off while I'm using Hulu (usually it will turn off after 15 minutes and Hulu doesn't stop it from doing so). To get the guids for your power saving settings for your computer use "powercfg -l" - create a new power saving profile that doesn't turn off the screen or computer first.

rasdial "VPN" username password
This starts the VPN connection.

start /WAIT %LOCALAPPDATA%\HuluDesktop\instances\\HuluDesktop.exe
This starts Hulu - I have to use the .exe in the instance folder rather than the one in the HuluDesktop folder as all the one in the HuluDesktop folder does is run the one in the instance folder (and then the start /wait part of the command doesn't wait properly). I think I will have to update this location in the batch file whenever Hulu updates. The "start /wait" part of the command means the batch file doesn't continue until Hulu closes.

rasdial "VPN" /disconnect
Disconnects the VPN.
powercfg -s 381b4222-f694-41f0-9685-ff5bb260df2e
Returns the power saving settings to my normal power setting.

start C:\Windows\ehome\ehshell.exe
Start Media Center again now that it's all finished!

All I did then was store that file somewhere and create a shortcut to it in the C:\Users\MY USERNAME\AppData\Roaming\Media Center Programs folder. A crude looking shortcut now appears in the Media Center's Extras folder!

Thursday, 19 August 2010

You think you'd get something for $43b

You'd think if you spent $43,000,000,000 on something you'd actually get something from your money, even if the project delivery wasn't really spot on - but ironically, the $43b the Australian Labour Government is proposing to spend on Australia's Internet will leave all Australian's with lower speed broadband with higher monthly costs.

Don't get me wrong - just like everyone else, I want the fastest Internet I can get & I know that the best way for me to get that is to have a piece of dedicated fiber running into my home serving me, in Stephen Conroy's words, data at the speed of light "and you can't get faster than that".

Two things could happen with NBN: (a) it is fabulously successful, is delivered under budget and achieves everything it sets out to achieve and (b) it stuffs around for several years, provides lightning-fast Internet to a few pockets of people (particularly in the second quarter of 2010 and a similar timeframe in 2013), but eventually dies in a burning heap of flames and is bought up by Telstra for far less than the $50b+ that was spent on it.

I really hope (b) happens and not (a).

You see if (a) happens then it means:
  • The Government will have paid Telstra $11,000,000,000 to switch off the copper network that practically all Australian's are currently using to access the Internet (yes, even if you're not with Telstra as your ISP) and make their home phone calls. Yes, this network that is serving 20Mbps+ Internet to many Australians, or around 2-5Mbps to a vast majority of Australians, meeting their needs quite adequately, will be turned off. We will not wring every last bit out of this network, we will not transition off of it through a gradual rollout of new technologies - instead we'll pay Telstra, a public company, $11 billion dollars to just turn it off!
  • You will have NBN fiber connected to your house. The Government will have legislated to require you to allow them to enter and install it. You see, they can't afford to roll it out according to demand - instead, they'll need to install it in each and every house as they make their way down your street, they can't come back and do your house next month or next year, it's too expensive to do that.
  • You'll be paying about $100/month for your Internet access, which you'll get from someone like iiNet or Internode. The price will be so high because they're paying NBN Co not much less than that for the wholesale service. This will be the base service available.
  • You won't be able to get Internet from anyone other than NBN Co because the copper network you used to get your modest Internet from will have been shut down.
  • Pensioners and other welfare recipients will get a subsidy as otherwise they won't be able to afford to have the Internet which is, of course, a basic entitlement just like electricity or a phone line.
  • You'll be stuck with this model for a long, long, long time. With a Government owned Monopoly delivering your Internet, any competitor who actually tries to innovate and deliver new, cost-effective services in medium and high-density city and suburban areas will be actively discouraged by the Government - after all, a return is required on those Infrastructure Bonds that were issued to pay for half of it! NO NEW SERVICES WILL BE ABLE TO COMPETE.
  • NEW SERVICES WILL COMPETE. Inevitably, new services will compete in this uncompetitive market. They will be wireless, they won't make use of fiber, as there's not enough subscribers left to warrant rolling it out, and they won't be on copper as they aren't allowed to use that, even though it's still in the ground. The wireless will be faster than we have now, not as fast as the NBN network, but it will be sufficient. Most importantly, this new, cost effective Internet will be WELL BELOW THE CURVE - much slower than users in other countries get on their commercially-delivered & demand-driven fiber networks & much slower than we could have had under a similar model. USERS IN REGIONAL AREAS WILL HAVE NO OPTIONS - just like in the days of Telecom, they'll get the expensive Government service.
Of course, eventually the NBN mess will be mopped up. The Liberal party will be running the country, they'll blame it on Labour, sell the NBN off to Telstra and we'll start building our real Internet.

So I guess we'll get the mess of (b) after all... I just wish we could have had it sooner.

Monday, 14 June 2010

Why paywalls makes free news better

Almost a year ago Rupert Murdoch started talking about how News Limited would start charging for news content online. It's interesting that he started doing this, not in a time of record profits for News Limited, but at a time when they were suffering record losses - this is the first hint that his idea may not be a good strategy, i.e. that it didn't come out of some noble concept of how to make news better, but rather out of a desperation in trying to turn a buck.

But the trouble with Murdoch's idea of paid news is that in simply setting up your business model, you help your competitors.

You see, at the moment, there are lots of free news services - and they're all competing for advertising dollars, which comes from eyeballs on websites. If Murdoch puts his quality content behind a paywall then that means more eyeballs for his competitors, who will then be able to offer better quality news.

Traditional media is struggling to turn a dollar in the online world, yet strangely enough new media companies seem to be quite comfortable with their online ventures - maybe the problem is not with the ability to turn a dollar in online news, but simply the expectations and preconceptions from old media moguls as to how online works.

Wednesday, 9 June 2010

Dropbox Security Problem - Data Leakage

Dropbox has an issue with the way it handles link sharing that could potentially lead to data leakage.

The problem is fourfold:
  • Files outside of the Public folder can be shared
  • Shared files leak data about the file structure
  • Deleting and replacing the shared file with another allows the new file to be leaked
  • Shared files can’t be revoked

This security problem is demonstrated below.

First of all I start by creating a file called ‘PrivateFiles’ in the ‘My Dropbox’ folder. I’m going to use this to store my most private of data.

Inside that folder I’ll store ‘MyPrivateFile.txt’:
As you can see, it has some very personal data in it:

I’ve got to use my iPad for the next step, because the PC or Mac client won’t let me share a file from anything other than the Public folder (in fact I’m not sure if allowing sharing from other than the Public folder on the iPad is an oversight or not – regardless, this is the first security concern – the sharing of files from outside of the Public folder on the iPad when other clients won’t let you).

So when I look at my iPad I see the PrivateFiles folder:

And inside that I can see MyPrivateFile.txt, including the correct contents of that file:

Next, I’ll share the file by emailing a link of it:

The link that is sent is actually a short link – in this case, which redirects to

This demonstrates the next data leakage problem – i.e. that I can see the path ‘PrivateFiles’ – I didn’t choose to share this, I only chose to share the file – this path may not be something you wish to reveal.'

The major problem happens for me after I create new file in the same directory, in this case ‘AnotherFile.txt’…

Then delete the original file…

And now rename the second file to have the same name as the original.

Note that copying a replacement file into the directory will also work, all that matters is there be a file there with the same name as the original. Now when I open the file using the link I was emailed before I get:

I get the replacement file!! Is that what anyone expects to happen? I guess I did share a link to the file, not a copy of the file, but it still doesn’t feel right – it’s not the original file!!

What makes this problem worse is that Dropbox won’t allow me to revoke shared links. That means that I’ve now published a permanent copy of whatever file ends up sitting in that folder with that name. What if it is something like resume.doc where I don’t want people to see me editing the file? Or what if it is Whatever it is – it is now permanently out there, permanently shared for anyone to access – no dropbox account required to access it!

Anyone want to try running through filename combinations for that domain? You don’t need to have had it shared with you as no authentication is required, you just need to hit the right URL!

Friday, 28 May 2010

Australian Internet Filtering - what we should be doing

There's so much spin and mis-information about the Internet Filtering debate in Australia, and unfortunately many of those debating the current issues don't understand what is being proposed and why it won't work.

Unfortunately one-size never fits all and even more so when it comes to Internet Filtering. The Internet presents us with many content and law-enforcement challenges, that require different solutions to solve - this is a fact that seems to escape the current Australian Government, with Stephen Conroy and Kevin Rudd wanting to plow ahead with a single, mandatory, ISP-based Internet filter.

What I've identified below are the problems that (some people think) we need to solve, why the currently proposed Conroy solution won't work, and what will work.


Why Conroy’s Solution Won’t Work

What Will Work

Children accidentally finding inappropriate content (porn)

Only the worst-of-the-worst pornography sites will be blocked by the filter

PC-based filtering. Government should pay the ISP $x per month, per client that has it installed – let the ISPs profit from it & it will get rolled out

Children deliberately finding inappropriate content (porn)

See above – under Conroy’s solution, children will still be able to browse porn sites

Voluntary ISP-based filtering that all ISPs must offer to their users. Funded by the Government, parents will be able to opt-in at no cost. Note: A determined, Internet-savy child, will still be able to bypass this, so an education campaign (for parents) is vital as well.

Child pornographers accessing child pornography

Child pornographers don’t visit normal websites to access and share material; they get it from peer-to-peer networks, private networks, or hacked websites. This material will not be able to be found or blocked by the Conroy filter.

Law enforcement. Undercover agents. Raids in the middle of the night. People smashing down doors.

People accessing refused-classification (RC) material

First of all – it isn’t illegal to create or to view RC material, you’ll only get in trouble from distributing it. But this material will only get classified as RC once its submitted to the classification board. The classification board doesn’t have enough reviewers to review the entire, dynamically changing Internet.

But the stuff they review and classify as RC will be blocked.

But bypassing the block will be as easy as buying a $50/year VPN connection to the United States, or visiting an anonymising site before you look at the RC material.

Nothing will work will well. The Conroy filter will be able to block RC material, but then all the provider of that material needs to do is change the content to to and the entire 3-month review cycle with the classification board will start again.

Of course, in the real world, RC material continues to get distributed anyway from friend-friend (i.e. peer-to-peer)

So my 3-step plan for cleaning-up the Internet in Australia is:

1. Net Alert: Continue to provide filtering software for people’s PCs. The Government pays the ISP enough to allow the ISP to make a profit & the ISP will then be incentivized to make people know about it.

2. Government funded ISP filters: ISPs will be required to implement them, but users can opt-in or opt-out to particular content.

3. Law enforcement: We’ll always need the police to bash down bad guy's doors

Friday, 21 May 2010

Auscert 2010 IBM USB Key Malware email message headers

Microsoft Mail Internet Headers Version 2.0
Received: from xxxxx ([xxxxx]) by xxxxx with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 21 May 2010 16:31:28 +1000
Received: from xxxxx ([xxxxx]) by xxxxx with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 21 May 2010 16:31:15 +1000
Received: from xxxxx (xxxxx [xxxxx])
by xxxxx (Postfix) with ESMTP id 9858F2120B2
for ; Fri, 21 May 2010 16:31:32 +1000 (EST)
Received: from ([])
by xxxxx with ESMTP; 21 May 2010 16:31:11 +1000
Received: from ( by
( with Microsoft SMTP Server (TLS) id 14.0.694.0; Fri, 21 May
2010 16:31:04 +1000
Received: from ([fe80::755b:17ce:21aa:a1e7]) by ([fe80::755b:17ce:21aa:a1e7%14]) with mapi; Fri, 21 May
2010 16:31:56 +1000
From: AusCERT
Subject: AusCERT Important Information - Malware on IBM USB
Thread-Topic: AusCERT Important Information - Malware on IBM USB
Thread-Index: Acr4rxjUKocJyYVwR1+gPZTcHpAWOg==
Importance: high
X-Priority: 1
Date: Fri, 21 May 2010 06:30:25 +0000
Accept-Language: en-AU, en-US
Content-Language: en-US
Content-Type: multipart/alternative;
MIME-Version: 1.0
X-OriginalArrivalTime: 21 May 2010 06:31:15.0495 (UTC) FILETIME=[36BF4370:01CAF8AF]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


Recent Geocaching Logs

Stuff I"ve read lately