A leading Australian computer law and privacy researcher says Queensland Police’s “daft” decision to confiscate a journalist’s iPad last week could be a blessing in disguise. Visiting Professor at the University of NSW's Cyberspace Law & Policy Centre Roger Clarke said: “On the surface of it, the plods who did the arresting may …
Qld police are not just a joke, they are thugs who think they are the best thing that ever happened to the world.
Useless pieces of s**t!!
"Qld police are not just a joke, they are thugs who think they are the best thing that ever happened to the world."
Just replace "Qld" with "The" at the start there and you're all set.
So who you're gonna call?
Let's say you run into something like this:
A Facebook page feigning a link to a Victorian ticketing system downloads child porn on your computer! Okay, I'm a little suspicious of the particulars of the article (how can it download porn onto "My Computer" when you're on Mac or Linux?), but let's say it is broadly true. You run into the hack. If you are any sort of decent person, you want to stop it.
Now if you are Joe or Jane Public, you might think the best way to stop it is to report it to the plods. "We're just reporting it. Look, it's on my son's computer, the bastards". Because they have some faith (no one has 100% faith in the cops anymore) that the cops are competent, and that "helping the police with their inquiries" is the civil thing to do. And that reporting a crime is not the same as _committing_ it.
The problem with Detective Superintendent Brian Hay (as with so many other people before him) is that his actions weaken the good faith between public and the plod that is one of the biggest weapons in the police arsenal of crime-fighting. If you report child porn, are you going to be charged with it, because the hack loaded files on your PC? Are you going to be given the perp walk, to the outrage of your neighbours, and the shame of your family? Then you're not going to report it, are you?
I live in Queensland. Fortunately, I have the alternative of complaining to the Australian Federal Police if such a paedo scam crossed my way. But even then I would be very careful - get affidavits of friends and family about the crime before reporting on it. Because I still don't trust THEM to be competent.
"If you report child porn, are you going to be charged with it, because the hack loaded files on your PC?"
In Hungary, the answer is unfortunately YES. Great place for criminals, eh?
Qld Police don't do irony
“It was disappointing that the Queensland police would then act in such a heavy handed and intimidating way towards someone reporting on information which had already been shared with a large number of people," Gillies said.
The Qld police have been using "...heavy handed and intimidating..." tactics since before Joh Bjelke-Petersen in the '60s, and the Fitzgerald Enquiry only made them go underground.
As mentioned in the article, hopefully some good might come from this, but Qld's finest aren't generally known for either high IQs or actually knowing what they're talking about.
Anon and black helicopters for rather obvious reasons.
Something to hide?
Methinks the superintendent was afraid people would guess the URL of some of his private pictures.
as long as it's not pictures of his privates.
Will Qld Police pay his costs?
Any reasonable person would believe that the Qld police have placed spyware on his iPad (which is why it took ages for them to return it). Hence, it would be reasonable for the journalist (and his employers) to require that a professional computer security person give it a thorough check and 'cleaning'. The Qld police should pay for these services.
"placed spyware on his iPad"
yeah that's right break a few more laws... not likely, a forensic investigation will copy data from a device only. You're confusing the QLD police with Mossad.
And then they wonder
why so many use the word "plod" to describe policemen (no disrespect to the better policemen out there intended).
Wikipedia - in this instance corresponds to my understanding,
"Plod or P.C.Plod is a British slang term used to refer to a police officer, particularly one slow-witted or dull. A more recent variant is the plod, meaning the police force in general. The term originates from the character Mr. Plod, a police officer in the Noddy stories written by Enid Blyton. A variant is MOD PLOD, referring to the British Ministry of Defence Police clearly resulting from the above civilian slang."
...in the 70's and 80's Queensland Police used to arrest people for walking on the street....
"It was disappointing that the Queensland police would then act in such a heavy handed and intimidating way"
"It was utterly unsurprising that the Queensland police would then act in such a heavy handed and intimidating way"
There, fixed that for you.
Isn't that special
Don't you just love when nineteenth century jurisprudence meets twenty first century technology. Of course the whole concept of arresting for questioning is a bit of a farce. "Hey you, with the nice car, you're under arrest for questioning while we flog the rubber off that ride." Nope, no chance of abusing authority there.
Best bit; "It is unclear whether Facebook was told of the security flaw prior to the presentation."
Said almost as if Facebook would care if they were told. Well, I suppose they would care if they were told this security flaw meant they were losing 9 cents to a rival spam promoter.
Finally, daft; a beautiful little word that applies so well to laws, lawmakers and Zuckerberg.
Realised their error?
Perhaps they realised that they were stretching things somewhat in accusing him of a crime and that confiscating the iPad was, in fact, theft. Or maybe someone pointed out to them that a "tech hack" is actually a writer on technical matters, not a 'hacker'.
The first step to colour the grey...
... is to stop using the term "hacking" for everything from "being overly creative with computers" via "anything more clever than this reporter understands" to outright criminal abuse.
For perhaps right after recognising the problem comes naming it. And here, various parties in or close to computing have consistently misapplied the relevant terms, causing lots of confusion.
There's an art and beauty to the thoughtforms we pour in programs that when done well enough there's a special word for it. And we shouldn't muddle it with criminal behaviour or not quite criminal things done for gain or really anything other than pushing the limits of making computers run with our thoughts, say as programs.
There's a word for hacking gone black hat, and it's cracking. Even the half-literate bunch of wannabe hackers that style themselves with various hat colours would do well to stop doing that, because it confuses the media and law enforcement. To the detriment of everyone else except criminals.
There's a reason you're not a hacker until, like Writers of Literature or heck Kentucky Colonels, the real hackers welcome you into their select club. Most of those popping up in the media with the moniker, and in fact most of the bunch in the IT security industry, are not members of that club.
This is pretty bad because plenty of jurisdictions have laws against "hacking", which when taken at face value outright outlaws "too creative" innovation and invention in computing. It leads to bad precedents and worse IT security. It also does the reputation of computing as a whole no good at all.
Thus, those laws should go and be replaced by laws that draw a line at "criminal action" not "hacking", so that even judges will come to understand just what it is that they're trying to stamp out and what parts they really need to leave alone. Right now, it's too haphazard for anything but more confusion and conflict down the road. As a community, IT does have interest in this not going awry more than it already has, so it's time to reach out to lawmakers and tell them what is and what isn't acceptable within computing.
And thus we can't afford to confuse the issue by using one word that means anything from the most admirable inventing to the worst possible criminal damage. At a bare minimum we need to draw a line and give it a name. Lo and behold, we already have such a term: When it's punishable it's cracking, not hacking.
Dear el reg hacks, pray too take note.
"There's a word for hacking gone black hat, and it's cracking."
No, the word for 'hacking gone black hat' is 'hacking'. 'Cracking' is to remove copy protection or feature limitation from software.
"There's a reason you're not a hacker until, like Writers of Literature or heck Kentucky Colonels, the real hackers welcome you into their select club."
Yes, until you get your union card and/or have done your postgraduate hacking studies, you're not in the club. Get a clue, hacking is a knowledge based game. If you know enough, you know enough.
"There's an art and beauty to the thoughtforms we pour in programs that when done well enough there's a special word for it."
Presumably, this is 'hacking' you refer to? The original, and still commonly used meaning of 'a hack' is 'a quick job that produces what is needed, but not well'. I think most hackers would recognize that sentiment.
Kudos for missing the point by a mile. Instead of running out of red ink trying to correct I'll suffice with this: Please do your homework.
Think you may need to read up, though the OP isn't 100% on the mark either.
Hacking is _not_ the same as "a quick hack"
Cracking does not necessarily relate to circumventing copy protection etc.
In the good ole days (sigh)
Hacking - Gaining access to protected info/files/etc for the purpose of making it public (because you believe it should be so)
Cracking - Doing the same, but for personal gain (and not necessarily publishing the data)
I think the club he refers to is probably the true elite, those that don't need to Google for vulns, they know enough to actively search out undocumented vulns.
His original point is correct though, hacking means something very different based on context, but people always assume the worst based on the word!
As a completely pointless tangent (related to your 'hacking' definition). Do you know the true etymology of 'bodge'? Everyone refers to a quick hack as a bodge, but in days-gone-by the Bodgers were true craftsmen proud of their work!
Weird how definitions of words can change so dramatically.
Bob didn't hit 100% either
Personally I think that the "(you believe it should be so)" part is a bit too easily abused, ranging from the straight-up selfish gain "(I believe it should be so for it makes me monies!)" to the ideological (that others easily think is off the mark).
An example of the latter is RMS' rant at the end of info su, which I happen to think is rather bonkers, but then I'm an admin and he clearly isn't. He could've had his academic friends put monies together and buy their own system, allowing them to set their own rules.
Breaking the rules --to me anyway-- in hackerdom is about them being needlessly in the way, not because of ideological outlook. That easily descends into holy war anyway, much the same risk we're running here.
I request commentards read the jargon file, entries hack, hacker, and hacker ethic at minimum, before commentarding further. And yeah, I just did (again).
HOWEVER, my original point was that whatever the exact definition of "hack", "hacking", and such, we should take care to remove the mainstream assumption that it's always outright criminal at worst or highly suspect at best. It invites unprovoked stop-and-searches and other such nonsense. In a way that's all the more reason to try and get rid of goons like the TSA, and they should go, but that still leaves an enormous vulnerability to the wrath of the law.
And sometimes you just can't afford to ignore the legalistic and other non-technical consequences of what you do. (Hi Dan!)
The reason you do need peer acknowledgement beyond merely "having done your homework" is that more than half the people believe they're over average, and similar things. We've all known the over-eager 16 year old who claims to've been writing basic since he was 12 and therefore "know's what hes doing". Yeah, well, no.
Such kids are to be treasured and taught more, not derided, and even less made media heroes or villains or even both. The first thing to teach them is to not meddle in other people's systems without permission.
But attitude and a sliver of knowledge alone aren't enough to be "a hacker". And a tech rag hack isn't enough peer review ("so you're one of them 'hackers' now, aren't you?" *takes notes for a nice sensational piece excitedly*), much less respectable rags' hacks. Half a clue or no clue is both short of a full clue.
And the point here is to try and improve overall clue levels.
Most of the b&w hats gang are stuck there and, when you get down to it, live off security scares and associated media coverage. They do not have the incentive to be part of any real solution, it's their daily bread to stand on the legal side of the eternal tug-of-war and make a good buck in the process.
I'm saying it's time to clean the stables. To make at least the parts the rest of the world cares about understandable, "hacking" is to be on the law-abiding side of the law, even if no hacker will shirk from breaking the law if they feel it justified for unselfish reasons. Breaking the law is not the goal of hacking.
All the rest is more or less malicious and "cracking". If this means I've implicitly labeled most of the IT security industry "malicious", including the parts that aren't quite illegal, well, then they'll just have to work harder. Like I said, there's lots of work to be done there and no incentive to do so--quite the contrary. If not monetary, then social pressure will have to substitute. No more funny hats guys, get to work!
It's ironic that so many alleged techies misuse the word hacker so much. They are literally decimating the English language.
Adapting old methods
At the time, Queensland Police justified the confiscation by stating they believed it contained evidence of an alleged offence. However, Heinrich – who committed the alleged offence – has yet to be questioned.
Plods sit the iPad in a chair and shine a light at its screen: "Well, are you going to talk? I've got all day!". Technically, you could have an iPad or laptop voice activated and install speech synthesis on it. Which would be a bad move as it could then snitch on you.
I now have a wonderful image of iPad plus ELIZA meeting Qld Police plus stupidity; I think Andrew Orlowski had the resulting confusion to a tee when he described "...holding up a highly-reflective idiot in front of an idiot mirror - the result has been infinite recursion of stupidity, as far as the eye can see.". It just HAS to be done...
decided to "target another researcher, Chris Gatford, with whom he has a long-running feud."
And in that title lies the argument.
Expose security problems all day long, that's a good thing. Any work which can be done to secure systems and data is great.
However, as soon as you demonstrate security issues by targeting an individual who has not given you their permission to do so, you are on dodgy ground.
By all means demo the flaw by setting up a Facebook account in your name, or an alias, but do not hack someone else's details.
That's akin to saying you have found a flaw in your local bank's security, and you are going to demonstrate the problem by robbing an associate's secure deposit box.
So to recap. Exposing security flaws = good. Targeting a competitor with said flaw = bad.
Ah! Here's the bit I missed from the original article:
ongoing public feud between hackee and hacker. That puts things in a bit of a different light.
Unless the hackee has agreed to allow his account to be used for the demonstration, he has been hacked, and the journalist is in possession of evidence of the crime. After that things get murky very quickly and I'd want a full team of lawyers to advise me before confiscating or returning the equipment. And one of the key questions there is unanswered in the article: is the hackee pressing the complaint?
I also think there's a good bit of confusion introduced by the changes in terminology for taking someone in for questioning.
But none of that explains why they arrested a journalist instead of the alleged hacker.
From original article on the story
The sequence of events seems to have been:
Hacker demos security flaw by hacking fellow hacker's Facebook and gaining access to photo of said hacker's wife.
OUCH! This is done in front of an audience. Much hilarity ensues, aren't we clever, ha ha.
Complaint is made to the police. "Hey, this guy has hacked my account and popped a photo of my wife up on the big screen. Please beat him forthwith"
Police investigate, and find that a nice journo has documented the whole deal.
Now, this bit is speculation but:
Copper: "Hey there nice journo, we are investigating this complaint, and we hear you might have evidence documenting what went on"
Journo :"Yeah, what about it."
Copper: "Can we see what you have"
Journo: "No. BTW, this is starting to look like a good story for me"
Copper: "Come on. Play ball. Let us see the info so we can get this cleared up"
Journo: "No. You ain't got nuffin on me copper"
Copper: "You're coming in for questioning, sunshine. You're nicked"
Journo: "get IN! This is a much better story for me than this pesky conference"
Meanwhile, photo of hacker's wife is still doing the rounds. And Hacker number 1 has jumped on a plane.
I think many commenters have missed the point of the original complaint.
Wrong phone book
I think the Qld police realised that the phonebook contained in the iPad was useless for laying across the chest of the suspect and beating the crap out of him with a mag light till he confessed. They gave up and left moaning how paper 20th century phone books were so much better for using when interrogating citizens.
Room for some nuance
Yeah - we used to have that - the nuance was called intent and it used to appear in all good laws.
Problem is zero-tolerance makes for better sound-bites while completely failing to address the actual problems.
And as we all know - no-one gets elected these days by prioritising substance over style.
A title is required
What's the problem?
If you're a plod, then the first thing you need to do is secure **potential** evidence. Any **potential** evidence on a computer is easy to wipe out or change, so the only way to secure it is to impound said device.
The plods need to secure the evidence early, before any suspects, or even what the hell is going on, are established. As such, the cops might not have questions etc. As a clearer picture emerges of what has happened they might then decide that such **potential** evidence is low quality or not evidence at all.
This is a media beat-up non-story fanned by a numptie trying to get 15 minutes of stardom.