It just happened to 20-year-old reporter Ben Grubb, who found himself briefly detained after writing a story for the Sydney Morning Herald about a security flaw in Facebook.
Grubb was reporting the findings of security researcher Christian Heinrich, who demonstrated his attack at the AusCERT security conference. Using what amounted to a brute-force attack on the external content-delivery servers Facebook used to serve photos, which would hand over any image whose URL a requester could guess, Heinrich obtained photos marked “private” belonging to the wife of rival security wonk Chris Gatford.
Presumably, Gatford didn’t like that his wife was the unwitting subject of Heinrich’s demo. Somebody called the cops. And the cops decided, for reasons unknown, to detain and question Grubb, and to confiscate his iPad as “evidence.”
The illogic of this is beyond stunning. Per Queensland Police Detective Superintendent Brian Hay:
“Someone breaks into your house and they steal a TV and they give that TV to you and you know that TV is stolen,” he said.
“The reality is the online environment is now an extension of our real community and if we go into that environment we have responsibilities to behave in a certain way.”
Except that this isn’t like receiving stolen goods. It’s more like somebody demonstrating that a Best Buy store is not properly secured against burglars by breaking in, taking a picture of a TV they could have stolen, putting that photo into a slide show, then giving it to a reporter as proof.
And then you arrest the reporter? Seriously? In what universe does that make sense?
Grubb, being 20 and a techie, tweeted as he was being detained, which drew a lot of support from his 5,000 or so followers. He has also written an account of his arrest and posted an edited transcript of his exceedingly polite if baffling interrogation by the police, which both he and the officers recorded.
What’s weirder: Heinrich, who at the very least broke ethical boundaries if not legal ones by making private photos public without permission, says in a tweet that he was never detained, arrested, or questioned by the police.
I am not a lawyer — and I’m certainly not an Australian lawyer. But WTF?
Lost in all of this is the thing that’s probably most important to most people: “Private” Facebook photos really aren’t. The privacy setting controls who can see a photo on Facebook’s own pages, but the image files were served from separate media servers, and anyone who could guess a photo’s URL on those servers could fetch it without ever being asked whether they were allowed to. A determined enough hacker (or a security wonk with an ax to grind) can get at them. That’s the lesson Heinrich was arguably trying to teach.
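To make that lesson concrete, here is an added illustration of the vulnerability class and its usual fix. It is not Facebook’s or Heinrich’s code, and it does not claim to reproduce the exact URL scheme Facebook used; the host name, signing key and photo bytes are constructed for the demo. The weak server addresses photos by owner ID and a sequential index and performs no access check, so an attacker can simply walk the index space. The hardened server gives each object an unguessable name and only serves it for a URL carrying a valid HMAC over the path and an expiry time, so the privacy decision is enforced where the bytes are actually served, not just on the web page that links to them.

```python
"""Guessable media URLs vs. HMAC-signed, expiring URLs (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CDN_HOST = "https://cdn.example"        # hypothetical host, not a real service
SIGNING_KEY = b"demo-key-do-not-use"    # constructed; a real key stays server-side


class WeakCdn:
    """Photos live at /photos/<owner>/<index>.jpg and are served to anyone
    who asks. The application may flag a photo "private", but this server
    never consults that flag, so the URL is the only secret, and it is not one."""

    def __init__(self):
        self.objects = {}

    def upload(self, owner: int, data: bytes) -> str:
        prefix = f"/photos/{owner}/"
        index = sum(1 for p in self.objects if p.startswith(prefix))
        path = f"{prefix}{index}.jpg"
        self.objects[path] = data
        return CDN_HOST + path

    def fetch(self, url: str, now: int = 0):
        return self.objects.get(urlparse(url).path)


def enumerate_weak(cdn: WeakCdn, owner: int, max_index: int) -> list:
    """Brute force against the weak scheme: try every index for one owner."""
    hits = []
    for i in range(max_index):
        url = f"{CDN_HOST}/photos/{owner}/{i}.jpg"
        if cdn.fetch(url) is not None:
            hits.append(url)
    return hits


def sign_path(path: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Issue a URL that is valid only for this path and only until expires_at."""
    mac = hmac.new(key, f"{path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return f"{CDN_HOST}{path}?{urlencode({'exp': expires_at, 'sig': mac})}"


def verify_signed(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Reject missing/garbled parameters, expired links, and bad signatures."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires_at = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False
    if now > expires_at:
        return False
    expected = hmac.new(key, f"{parsed.path}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)   # constant-time comparison


class SignedCdn:
    """Objects get random names and are served only for a valid signed URL.
    The application is expected to check the viewer's permission before it
    calls upload()/sign_path() on the viewer's behalf."""

    def __init__(self):
        self.objects = {}

    def upload(self, owner: int, data: bytes, now: int, ttl: int = 300) -> str:
        path = f"/photos/{secrets.token_urlsafe(16)}.jpg"  # not enumerable
        self.objects[path] = data
        return sign_path(path, now + ttl)

    def fetch(self, url: str, now: int):
        if not verify_signed(url, now):
            return None
        return self.objects.get(urlparse(url).path)


if __name__ == "__main__":
    weak = WeakCdn()
    weak.upload(7, b"private-photo-bytes")
    print("weak scheme, guessed:", enumerate_weak(weak, 7, 10))

    strong = SignedCdn()
    link = strong.upload(7, b"private-photo-bytes", now=1000)
    print("signed link served:", strong.fetch(link, 1100) is not None)
    print("after expiry:", strong.fetch(link, 2000))
    print("tampered signature:", strong.fetch(link.replace("sig=", "sig=0"), 1100))
```

Two caveats a practitioner would add: a signed URL is still a bearer token for as long as it is valid, so the TTL should be short and the link should never be logged or leaked through referrers; and the signing step does nothing for privacy unless the application actually checks the requester's permission before minting the link.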
Instead we learned other lessons: Be very wary of the Australian police. If you go to Australia for a tech conference, leave your iPad at the hotel. And if you’re going to share other people’s Facebook photos, you might as well steal a few TVs while you’re at it. It’s all the same to the cops.
Source: pcworld.com