Police have spoken out strongly against so-called "ethical hacking" in the wake of the demonstration of a Facebook privacy hack at the BSides Australia conference being held in conjunction with the AusCERT 2011 information security conference. The incident has already seen a journalist arrested and his iPad seized.
Detective Superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service (Credit: Munir Kotadia/ZDNet Australia)
"I think cultures have built up where hacking, in the past, has been a part of a competition, and you have black hat conferences around the world. The technical reality is that on those occasions crimes may well have been committed," said Detective Superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service.
"It's probably quite sad, really, that we may have people out there that think it's their right to just go in, and it's a game, and it's not serious. The reality is, the online environment is now an extension of our real community, and if we go into that environment we have responsibilities to behave in a certain manner and not break the laws, just as we would walking down the street of our local neighbourhood."
In the demonstration, Christian Heinrich had shown how he obtained from Facebook photographs of security contractor Chris Gatford and his family, including a child. His technique used a brute-force attack to guess the URLs of privacy-protected images stored on Facebook's content distribution network.
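The weakness the demonstration relied on is that a "private" image is only as private as its URL is hard to guess: if the path can be enumerated, the access control on the page that embeds it is irrelevant. The following Python snippet is an added illustration of the usual countermeasures, written for this article and not Facebook's or ZDNet's code: it issues image URLs whose identifier is drawn from a large random space and carries an HMAC signature with an expiry, so that an unsigned, tampered or expired URL is rejected at the CDN edge. The key, host name and identifiers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real CDN would hold this in a key-management service.
SECRET_KEY = b"constructed-demo-signing-key"
CDN_BASE = "https://cdn.example.invalid/photos"  # placeholder host


def random_image_id(nbytes: int = 16) -> str:
    """Return a 128-bit URL-safe identifier, unlike a sequential photo number
    that can be walked one value at a time."""
    return secrets.token_urlsafe(nbytes)


def expected_guesses_per_hit(id_bits: int, live_images: int) -> float:
    """Average number of guesses needed to land on any one live image when
    identifiers are uniform over 2**id_bits values and live_images exist."""
    return (2 ** id_bits) / live_images


def _signature(image_id: str, expires_at: int, key: bytes) -> str:
    # Bind the identifier and the expiry together so neither can be swapped
    # without invalidating the signature.
    msg = f"{image_id}:{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_image_url(image_id: str, expires_at: int, key: bytes = SECRET_KEY) -> str:
    """Build a time-limited, signed URL for one image."""
    query = urlencode({"exp": expires_at, "sig": _signature(image_id, expires_at, key)})
    return f"{CDN_BASE}/{image_id}?{query}"


def verify_image_url(url: str, now: int, key: bytes = SECRET_KEY) -> bool:
    """Edge-side check: reject unsigned, tampered or expired URLs."""
    parsed = urlparse(url)
    image_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # no usable signature at all
    if now > expires_at:
        return False  # link has lapsed
    expected = _signature(image_id, expires_at, key)
    # Constant-time comparison so the check itself does not leak the digest.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    photo = random_image_id()
    link = sign_image_url(photo, expires_at=1_700_000_000)
    print(link)
    print("valid now:", verify_image_url(link, now=1_699_999_000))
    print("guesses per hit, 128-bit ids, 1e9 images:",
          expected_guesses_per_hit(128, 10**9))
```

The two controls are independent: random identifiers make enumeration impractical on their own, while the signed expiry limits how long a leaked or shared link stays usable, which matters because the URL still travels through browser history, referrer headers and any page that embeds it.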
Fairfax technology journalist Ben Grubb had then published one of those photographs in his story on the Sydney Morning Herald and other Fairfax websites. ZDNet Australia believes that the child's face had been obscured in the published photo. Fairfax later cropped the child out of the photograph and eventually deleted it entirely.
Last night Queensland Police arrested Ben Grubb and seized his iPad. Initially, police said that Grubb had not been arrested but "interviewed briefly". However, this morning they issued a correction via their official Twitter stream @QPSmedia.
"Our bad @bengrubb was arrested for questioning briefly. Our tweet last night was based on information provided at the time. Apologies #Auscert," they tweeted.
Speaking at a press conference held a short time later, Hay said that under relatively new powers Queensland Police may arrest someone for questioning as well as for suspicion of having committed an offence. "People can participate willingly in an interview, and at any time that they want to divert from that preparedness to be interviewed we have a lawful process where we can arrest for questioning," he said.
Grubb's iPad was seized under related powers. "If the item was in a vehicle or in a premise, then we would need a warrant," Hay said.
The iPad is still being held by the police. "The police believe that it will afford evidence of the commission of an offence," Hay said, although he would not be drawn on the question of specific offences. "Matters are continuing under the investigation process," he said, although he confirmed that the investigation was instigated after a complaint was made. "The complaint was in respect of an alleged hacking incident that saw the private material being obtained unlawfully."
Asked whether he considered URL-manipulation techniques to be unlawful under Queensland and federal cybercrime laws, Hay replied, "You're right in what you're saying. We are investigating issues of that nature."
As for Grubb's iPad, "We don't want the information that's in the possession of a journalist unless it pertains, we believe, to the commission of an offence," Hay said. "The purpose is not to take property just for the sake of taking property to find out what's on it. What we seek is the information that we're looking for to an offence provision."
"Someone breaks into a house, and they steal a TV, and they give that TV to you, and you know that TV is stolen, and you apply it to your own use ... that's all I'll say," he said. "Obviously you're clearly focused on information you know. Obviously we have more information, and I can assure you that other actions have been in train from the outset, so, that's all I'll say about it."