Qld cops denounce 'ethical hacking'

Summary: Police have spoken out strongly against so-called "ethical hacking" in the wake of the demonstration of a Facebook privacy hack at the BSides Australia conference being held in conjunction with the AusCERT 2011 information security conference. The incident has already seen a journalist arrested and his iPad seized.


Police have spoken out strongly against so-called "ethical hacking" in the wake of the demonstration of a Facebook privacy hack at the BSides Australia conference being held in conjunction with the AusCERT 2011 information security conference. The incident has already seen a journalist arrested and his iPad seized.

Detective Superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service (Credit: Munir Kotadia/ZDNet Australia)

"I think cultures have built up where hacking, in the past, has been a part of a competition, and you have black hat conferences around the world. The technical reality is that on those occasions crimes may well have been committed," said Detective Superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service.

"It's probably quite sad, really, that we may have people out there that think it's their right to just go in, and it's a game, and it's not serious. The reality is, the online environment is now an extension of our real community, and if we go into that environment we have responsibilities to behave in a certain manner and not break the laws, just as we would walking down the street of our local neighbourhood."

In the demonstration, Christian Heinrich had shown how he obtained from Facebook photographs of security contractor Chris Gatford and his family, including a child. His technique used a brute-force attack to guess the URLs of privacy-protected images stored on Facebook's content distribution network.
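The weakness the article describes is that a private image was protected only by where it lived on the CDN, so its URL could be enumerated. The following is an added, self-contained Python example (not Facebook's code and not part of the original article) that contrasts a guessable sequential URL with the two standard mitigations: unguessable object keys, and HMAC-signed URLs bound to a viewer and an expiry that the CDN edge can verify. The host `cdn.example.invalid`, the signing key and the query-parameter names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed example key: a real deployment loads this from a secret store
# and rotates it. The CDN edge and the origin must share it.
SIGNING_KEY = b"constructed-example-key-change-me"
BASE = "https://cdn.example.invalid"  # hypothetical CDN host


def predictable_url(photo_id: int) -> str:
    """Weak design: a sequential id is the only thing standing between a
    'private' image and anyone who can count upwards."""
    return f"{BASE}/photos/{photo_id}.jpg"


def random_object_key() -> str:
    """Mitigation 1: name stored objects with 128 bits of randomness, so the
    URL space cannot be walked even if no further check is applied."""
    return secrets.token_urlsafe(16)


def _mac(path: str, viewer: str, expires: int) -> str:
    # viewer and path are assumed to be identifiers without '|' in them,
    # so the separator cannot be confused with field content.
    msg = f"{path}|{viewer}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signed_url(object_key: str, viewer: str, ttl: int = 300,
               now: Optional[int] = None) -> str:
    """Mitigation 2: bind the URL to the viewer it was issued to and to an
    expiry, and authenticate both with an HMAC. The edge can then verify a
    request without consulting the privacy ACL on every hit."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    path = f"/photos/{object_key}.jpg"
    sig = _mac(path, viewer, expires)
    return f"{BASE}{path}?viewer={viewer}&expires={expires}&sig={sig}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Edge-side check: reject missing or malformed parameters, expired
    links, and any signature that does not match. A guessed or tampered URL
    fails here regardless of whether the object exists."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        viewer = query["viewer"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if expires < now:
        return False
    expected = _mac(parsed.path, viewer, expires)
    # Constant-time comparison so signature bytes cannot be guessed by timing.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    key = random_object_key()
    url = signed_url(key, viewer="alice", ttl=300, now=1000)
    print("issued:", url)
    print("valid at t=1100:", verify_url(url, now=1100))
    print("valid at t=1400:", verify_url(url, now=1400))
    print("tampered viewer:", verify_url(url.replace("viewer=alice", "viewer=bob"), now=1100))
```

The random object key on its own stops enumeration; the signature additionally lets the link expire and stops a valid link being reused by someone it was not issued to, which is the property a "friends only" photo actually needs.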

Fairfax technology journalist Ben Grubb had then published one of those photographs in his story on the Sydney Morning Herald and other Fairfax websites. ZDNet Australia believes that the child's face had been obscured in the published photo. Fairfax later cropped the child out of the photograph and eventually deleted it entirely.

Last night Queensland Police arrested Ben Grubb and seized his iPad. Initially, police said that Grubb had not been arrested but "interviewed briefly". However, this morning they issued a correction via their official Twitter stream @QPSmedia.

"Our bad @bengrubb was arrested for questioning briefly. Our tweet last night was based on information provided at the time. Apologies #Auscert," they tweeted.

Speaking at a press conference held a short time later, Hay said that under relatively new powers Queensland Police may arrest someone for questioning as well as for suspicion of having committed an offence. "People can participate willingly in an interview, and at any time that they want to divert from that preparedness to be interviewed we have a lawful process where we can arrest for questioning," he said.

Grubb's iPad was seized under related powers. "If the item was in a vehicle or in a premise, then we would need a warrant," Hay said.

The iPad is still being held by the police. "The police believe that it will afford evidence of the commission of an offence," Hay said, although he would not be drawn on the question of specific offences. "Matters are continuing under the investigation process," he said, although he confirmed that the investigation was instigated after a complaint was made. "The complaint was in respect of an alleged hacking incident that saw the private material being obtained unlawfully."

Asked whether he considered URL-manipulation techniques to be unlawful under Queensland and federal cybercrime laws, Hay replied, "You're right in what you're saying. We are investigating issues of that nature."

As for Grubb's iPad, "We don't want the information that's in the possession of a journalist unless it pertains, we believe, to the commission of an offence," Hay said. "The purpose is not to take property just for the sake of taking property to find out what's on it. What we seek is the information that we're looking for to an offence provision."

"Someone breaks into a house, and they steal a TV, and they give that TV to you, and you know that TV is stolen, and you apply it to your own use ... that's all I'll say," he said. "Obviously you're clearly focused on information you know. Obviously we have more information, and I can assure you that other actions have been in train from the outset, so, that's all I'll say about it."

Topics: Security, AUSCERT, Social Enterprise


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

  • Well done to the boys in blue. They have no idea of the digital world, and the only defence we have is the white hats. Let's just annoy them and see what happens. Ask Sony if you need to know more; they can fully understand why ethical hacking is necessary.
  • Clueless twits in positions of power like this are what is wrong with Australia, just fire their incompetent asses.
    Hubert Cumberdale
  • What happened to innocent until proven guilty?
  • Nothing has "happened" to innocent until proven guilty. Arrested is not guilty. And certainly "arrested for questioning" is not guilty. Arrested is just arrested.

    The next steps would have to be "arrested on suspicion of [specific, stated offence]" and then "charged with [specific, stated offence]" and then a trial in a court of law in front of a magistrate or judge, potentially with a jury, before you are found guilty beyond reasonable doubt. You are assumed to be innocent every step along the way until that final step.

    None of this was changed by the introduction of arrest for questioning. Indeed, you could argue that it's better for the police to have a softer form of arrest to allow them to compel someone to answer questions without the time-consuming paperwork of a "full" arrest, allowing them to get the questioning out of the way and get on with other things.
  • As per normal the police abuse the powers they have. These thugs can't be trusted; it's time to rein them in.

    As for this idiot looking after cybercrime in Queensland, heaven help us all. No need for white hats? Copying a photo like stealing a TV? Where do they find these people, turning tricks for their next hit in the back alleys of Brisbane?
  • It's a smokescreen... they actually think the iPad might have a film of Homer Simpson swinging Maggie around and around (Russian circus family style), or something really criminal of that increasingly common variety. Can't be careful enough these days with that sort of filth (no mid-sixties slang reference to the old bill intended by 'filth' either)...
  • Mmm, how does one apply the analogy that Detective Superintendent Brian Hay uses: "Someone breaks into a house, and they steal a TV, and they give that TV to you, and you know that TV is stolen, and you apply it to your own use ... that's all I'll say." So by rights the TV hasn't been stolen, as it's still sitting on the TV stand, but a digital copy of it has been taken. So by their reckoning it's still stolen! So how do they know about this copy of a TV that's stolen? Have they viewed it online or bought a copy of the paper in which the article is in? If so they too have taken possession of the same stolen goods. Now they are applying that copy for their own use too. Have they been charged too? Sorry Detective Superintendent, but if I was a lawyer I would have a field day with this. Oh, and who is pressing charges? Is it the security contractor? If so, by rights he doesn't own the image any more under the terms of Facebook. You may want to check the T&C of Facebook!
  • An analogy: You and friends have a conference - Topic? "Home Security". One of you gains access (not break in ok?) into a home using sophisticated methods to obtain the house keys (ie. the owner left it under the flower pot). So you open the home because the home was apparently secure but really there are holes in the security system. You take a TV and tell the owner you tested their home security and finally you give recommendations to improve security. The owner learns from that and so does the entire security industry. Then you get locked up by the incompetent cops. What has the world learnt from locking up geniuses? Nothing.
  • Pity the journalist, obviously being misled. But they should remove the term ethical hacking from this article. Whatever the bloke did WAS NOT ethical hacking. By phrasing it this way, and publicly condemning EH, it shows ignorance. More education is needed.
    • Rebuttal to EC-Council
      Since you have gone "underground" after http://www.securityweek.com/ec-council-investigating-insider-embezzlement I have given up expecting a public apology to http://cmlh.id.au/post/26744669153/rebuttal-ec-council
  • I've listened to the audio from the press conference several times now — it's over on my personal website — and I still think "denouncement of ethical hacking" is a reasonable description of Det Supt Hay's comments. It's unfortunate that he talks generally about "black hat conferences" when the specific local incident relates to Security BSides Australia, since BSides ain't black hat. But in an unstructured media conference the conversation tends to go all over the place in response to journalists' questions and contexts get muddled.

    Whether Heinrich's actions were ethical hacking or not is a question I won't address, because this is a live investigation and I'm old-school enough to remember that you tread carefully when writing about such things.
    • Ethical Hacker:
      A term used to denote a person with exceptional skills in computer security that uses them to hack into systems with legitimate reasons and with permission.
      .... Urban Dictionary dot com

      Day in and day out, researchers find flaws in all things digital. And more often than not, they properly and ethically disclose their findings to the rightful owner for resolution.

      Let’s keep the Ethical Hackers around a while... Apparently law enforcement needs fertile phishing grounds [like BSides] to make quota.
  • A better analogy:
    You know a person has posted a picture of themselves on a billboard in a large city; the only problem is you don't know which street it's on. You drive up and down all the streets in the city until you find it.

  • @richard41 I don't think that's a good analogy at all, because it completely ignores the intent of the poster. If the poster intended the image not to be visible publicly, and someone expends effort to see if the image can nevertheless be seen through some mistake or a fault in the design of the system to prevent public viewing, then they are actively trying to subvert the intention of the poster for the image to be private.

    Talking about posting a picture on a billboard is a nice attempt to make it sound like the poster wanted the image to be public.

    Here's a different analogy. You planted a tree outside your bathroom window to obscure it from passers-by, so you feel comfortable taking a shower without closing the frosted glass. However someone walking past wonders if they could get a view in by crouching in an awkward position. They try, and succeed. They can see you naked in the shower. Now a person having that initial thought, "Could I see in?", is just curious. Following through on that thought and, perhaps, staying to watch a while, makes them a Peeping Tom.

    To go back to the original issue, the attitude I see a bit too often for my liking is, "Your privacy protection / security has holes in it, that's your fault, so it gives me the right to ignore your intention." If nothing else, that strikes me as very poor manners. And when it's "I stole your car because you left it unlocked," well, that's no defence at all.
  • You don't even need a brute force attack in some cases.

    Facebook privacy has a couple more holes - imagine you take a photo of yourself and have that set to "friends only". Only your friends can see it right? Imagine you post this photo on a friend's wall......again, it's only your friends that can see it right?

    Well if your friend's wall is open, then literally anyone visiting their wall can see your photo - because their "open" wall overrides your "friends only" setting on the pic. If they click through to get to your full album, then the privacy setting will kick in and no photos will be seen.

    Any old stalker can check out your pics of you in a pair of Stubbies on a bean bag, if you post the image on a wall, irrespective of privacy settings.
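The failure mode this comment describes is a classic access-control bug: the container's visibility (an open wall) is consulted instead of the item's own visibility (a friends-only photo), so the item inherits the wider audience. The block below is an added Python model written for this page; it is not Facebook's logic and the social graph, audience levels and names in it are constructed. It places the flawed "container wins" check beside the correct rule, in which a viewer must satisfy both the item's and the container's audience, so the most restrictive setting always applies.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed audience levels for the model.
PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass(frozen=True)
class Item:
    """A wall or a photo: who owns it and which audience it was set to."""
    owner: str
    audience: str


def audience_members(owner: str, audience: str,
                     friends: Dict[str, Set[str]], everyone: Set[str]) -> Set[str]:
    """Expand an audience setting into the concrete set of users it admits."""
    if audience == PUBLIC:
        return set(everyone)
    if audience == FRIENDS:
        return set(friends.get(owner, set())) | {owner}
    return {owner}  # ONLY_ME


def visible_container_wins(viewer: str, photo: Item, wall: Item,
                           friends: Dict[str, Set[str]], everyone: Set[str]) -> bool:
    """Flawed rule: only the wall's audience is checked, so a friends-only
    photo posted on a public wall is shown to everyone. (Kept deliberately
    wrong to illustrate the bug.)"""
    return viewer in audience_members(wall.owner, wall.audience, friends, everyone)


def visible_most_restrictive(viewer: str, photo: Item, wall: Item,
                             friends: Dict[str, Set[str]], everyone: Set[str]) -> bool:
    """Correct rule: the viewer must be admitted by the photo's own audience
    AND by the wall's audience; the intersection is the effective audience."""
    return (viewer in audience_members(photo.owner, photo.audience, friends, everyone)
            and viewer in audience_members(wall.owner, wall.audience, friends, everyone))


# Constructed social graph: alice's only friend is bob; carol is bob's friend
# but not alice's; 'stranger' knows nobody.
EVERYONE = {"alice", "bob", "carol", "stranger"}
FRIENDS_OF = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "stranger": set(),
}
ALICE_PHOTO = Item(owner="alice", audience=FRIENDS)  # friends-only photo
BOB_WALL = Item(owner="bob", audience=PUBLIC)        # open wall it is posted on


def leak_report() -> Dict[str, tuple]:
    """For each user, (flawed result, correct result) for viewing alice's
    friends-only photo on bob's public wall. Any (True, False) row is a leak."""
    return {
        viewer: (
            visible_container_wins(viewer, ALICE_PHOTO, BOB_WALL, FRIENDS_OF, EVERYONE),
            visible_most_restrictive(viewer, ALICE_PHOTO, BOB_WALL, FRIENDS_OF, EVERYONE),
        )
        for viewer in sorted(EVERYONE)
    }


if __name__ == "__main__":
    for viewer, (flawed, correct) in leak_report().items():
        flag = "  <-- leak" if flawed and not correct else ""
        print(f"{viewer:9} container-wins={flawed!s:5} most-restrictive={correct!s:5}{flag}")
```

The general design point, beyond this one case, is that whenever content can appear in more than one place, its effective audience must be computed as the intersection of every setting on the path to it, never taken from whichever container happens to serve the request.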
  • Typical Labor government.

    Scratch a Lefty, find a fascist.

    Every. Single. Time.

    Think it's going to be any different with them in charge of both your blessed NBN and the secret mandatory Internet blacklist?

  • Dearest Craig...

    I see your many similar comments this morning, spread throughout ZD...!

    You are obviously either a n00b here, or one of the (under yet another new alias) totally out-debated and humiliated anti-Labor (and thus anti-NBN) posters, out for retribution at all costs, looking for a fight to save the ego...LOL!

    But you have come to the wrong place. Because pro-NBNers are from all walks of politics.
    Of course there are Labor voters who are as biased Labor as you are the Coalition, but even those from the Coalition, swinging voters such as myself, greens, independents etc support the NBN. As well as "big business" who have traditionally always sided with the Coalition. So to pull the standard lefty ploy, is quite laughable... but go your hardest, on your crusade...

    However, in case you are a n00b, just a little friendly advice.

    In online debating there is unwritten etiquette that deals with taboo topics. Topics such as accusing others of Nazism, Fascism and using expletives personally towards others...

    Whilst you may not be aware, do not care or are as I said above, just in any way you can, trying for payback... as soon as someone mentions these taboo topics, they are automatically declared a/the loser and considered the lowest of lowly trolls!

    Looking at your multiple posts doing exactly that, guess what? Congratulations!!!!

    But I'm sure I will be hearing a lot more of the same in reply, soon...sigh!
  • The points being raised here are not about Labor, Liberals, NBN or any political views.

    To the story at hand, the whole purpose of ethical hacking is of pre-emptive defence (finding out how and what can be accessed by an attack), and that is what was being demonstrated. Of course, permission and documentation are required and mandatory to differentiate between penetration testers and hackers, but what Hay is saying is that this is equal to "stealing to see if it can be stolen".

    Without the penetration testing process, the only way to see what bugs or holes are in a system is by damage control (determining what HAS ALREADY BEEN ACCESSED by malicious hackers, and working back through how it might have been done). This is no way security should be tested at all.
  • As an addition, what the journalist did (public disclosure of a personal image obtained through the ethical hacking process) was definitely a bad if not stupid move. The hack had been done under carefully controlled conditions, and had been performed with the knowledge and agreed to by the "victim". It was used as a demonstration. Mr Grubb had then, by whatever process, obtained the photo and used it for his own coverage of the conference.
  • Clearly some law enforcement organizations have little or no knowledge at all of the difference between 'black hat' & 'white hat'. I've read the whole article & it is very sad to know that the enforcers only know of 'black hat'. It's just the same concept, 'Good cop - Bad cop' & 'White hat - Black hat'. Duhhh! Just because you are not open to system vulnerability checking of any method, doesn't mean others will follow. Take a look at other countries' governments, banks of the world, Fortune 500 organizations who resort to the 'White Hats' to identify the loop & strengthen their system. This article is so over-rated just because it's a press conference by the police. I think they don't even have a team of Computer Forensics!