As I finish compiling this post, I’ve still got lots of AusCERT material to produce and Monday looks like being intense. So let’s just list everything and see what happens.

Podcasts

• Patch Monday episode 138, “Anonymous ‘crippled’: where to for hacktivism?”. Following last week’s conversation with Israeli information security researcher Tal Be’ery about hacktivists’ tactics, I spoke with former journalist and commentator Barrett Brown, who has worked with Anonymous for about a year and a half. He discusses Anonymous’ position in the wake of revelations that Sabu, a core member and informal leader of the offshoot hacking group LulzSec, had become an FBI informant.

Articles

These are just the first two articles from my AusCERT coverage. More will follow.

• AusCERT 2012: Russian crims evade transaction profiling, ZDNet Australia, 17 May 2012.
• AusCERT 2012: DNS poisoning the ‘thin end of a wedge’, ZDNet Australia, 17 May 2012.

Videos

• 5 Conference Tips for PR Professionals, an impromptu video message from Gold Coast airport.

Media Appearances

• On Monday I spoke about Facebook charging for highlighted posts and the company’s stock market float on ABC 702 Sydney.
• On Tuesday I spoke with journalism student Tom Davey about various attempts to regulate the internet. Should he choose to post the resulting radio report I’ll post a link here.
• On Friday night I spoke about AusCERT, cybercrime, cyberwar and claims that Apple is behind the pace on ABC Local Radio.
• On Sunday I spoke about the surveillance society at the Sydney Writers’ Festival. A link to the audio will appear here when it becomes available.
• On Sunday night I spoke about using Twitter to generate ideas on ABC Local Radio. A link to the audio will appear here when it becomes available.

Corporate Largesse

• AusCERT 2012 conference organisers and sponsors paid for various meals and drinks, but I didn’t keep track of that. While that means I can’t disclose who paid, it also means I can’t be influenced because I can’t remember who’s meant to be doing the influencing. Complete market failure, that.

The Week Ahead

There’s a couple of days of intense writing and production ahead. At the very least there’s two or three articles about AusCERT 2012 and the Patch Monday podcast. Then there’s a piece to do for CSO Online, and one for Technology Spectator.

I should be returning to Wentworth Falls this evening, but I plan to be back on Wednesday night to go to a paintball session with Eugene Kaspersky and other journalists. That could be weird. And I’ll probably be in Sydney again at the end of the week, but that hasn’t been planned out yet.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up) and via Instagram. The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Airbus A320-232 VH-VGY at Gold Coast airport, the aircraft I traveled in on Saturday. Check out the complete history of VH-VGY at FlightAware.]

This video was shot with a Nikon Coolpix S8100 compact digital camera, using the in-camera stereo microphone for the audio. The only post-production was to top and tail it, and compress it to a YouTube-optimised MP4 using iSkysoft Video Converter. Otherwise it’s exactly as it came out of the camera.

Should I list the tips themselves, here, in text form? Perhaps later. I simply couldn’t be arsed right now.

We spoke about the conference atmosphere itself, cybercrime, cyberwar, the risk of Cybergeddon (yes, I know), and the claim by Eugene Kaspersky that Apple is ten years behind Microsoft when it comes to security.

Not that Mr Kaspersky would ever, like, troll the entire planet.

What we didn’t talk about, really, was the two stories that have been published so far:

• Russian crims evade transaction profiling, which details a trans-national organised crime operation profiled by Mikko Hypponen.
• DNS poisoning the thin end of a wedge’, in which domain name system pioneer Dr Paul Vixie supports my argument that fiddling with the internet’s fundamental navigation systems probably isn’t such a great idea.

The audio is of course ©2012 Australian Broadcasting Corporation, but as usual I’m posting it here as an archive.

Here’s what I wrote last year when, just like this year, I was on the ZDNet Australia team:

• AusCERT 2011: Firms ignore ID theft risk, in which Bennett Arron explains that police forces don’t yet take this stuff seriously enough. Has this improved? I’m seeing talk but no action.
• AusCERT 2011: Son of Stuxnet within a year: expert, in which Eric Byres explains why the Stuxnet worm — the presumed US-with-Israeli-help anti-SCADA attack on Iran’s nuclear program — would spawn a wave of copycats. This didn’t happen. Why not?
• AusCERT 2011: Black hats and whitegoods, a story which was provided with the year’s best headline by CBS Interactive’s Brian Haverty where I discussed how the Internet of Things and a billion smart appliances would be the vector for a new wave of attacks. This hasn’t happened — yet — but is it still just around the corner?
• AusCERT 2011: Bank theft goes truly mobile, in which Amit Klein, chief technology officer at Trusteer, predicted third-generation anti-banking malware on smartphones by Christmas. Did this happen? Well, not really. Why not?
• AusCERT 2011: Silent victims thwart cybercops: Qld Police, in which Detective Superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service, bemoaned the lack of hard data. I know how he feels. Do we have any yet?

The feeling I get from scanning those headlines is that there’s always a lot of scaremongering but the threats often don’t materialise. Are the threats over-stated? Does pointing out the threats trigger an effort to counter them, thus defeating them? Is it all just a bit too screechy?

And over the last year there’s been so much talk of imminent cyberwar. Is that just this year’s fashionable scary thing on a stick? I intend to ask a few questions. And I’ll plug it again: Thomas Rid says we shouldn’t believe the hype.

I haven’t yet looked in detail at the conference program but will do so over the next few hours. What do you reckon I should be investigating?

[Update 16 May 2012, 0625 AEST: Changed second paragraph to emphasise that I am covering the event for ZDNet Australia this year as well as last.]

The numbers in the story don’t surprise me. Typically a Facebook user’s posts are only seen by around 12% of their followers, depending on whether Facebook’s secret-sauce algorithm decides whether you’re a sufficiently close friend or the topic is of sufficient interest to the viewer.

Why not let people pay money to change that?

I could tell from the tone of his voice that ABC 702 Sydney host Richard Glover did not approve.

The audio is of course ©2012 Australian Broadcasting Corporation, but as usual I’m posting it here as an archive.

The shoulder was repaired on Wednesday and is now slowly getting better, thank you. But despite the pain and the codeine haze, I did get a little work done.

Podcasts

• Patch Monday episode 137, “Removing the anonymity from Anonymous”. A conversation about the tactics of Anonymous, LulzSec and other hacktivists with Israeli information security researcher Tal Be’ery, web security research team leader at Imperva’s Application Defense Center (ADC), where he leads efforts to capture and analyse hacking data.

Articles

• IT: the opportunities, some lost, from a low-tech budget, Crikey, 9 May 2012.

Media Appearances

• On Friday I spoke at the inaugural Saasu Cloud Conference, with a presentation entitled Security and the Cloud: Hype versus Reality.

Corporate Largesse

None.

The Week Ahead

The current plan? A day of writing at Wentworth Falls on Monday. A day of travelling on Tuesday, taking the train to Sydney and then flying to the Gold Coast. Once there I’ll be covering the AusCERT 2012 information security conference for ZDNet Australia, flying back to Sydney on Saturday afternoon.

On Sunday afternoon I’m speaking about the total surveillance society at the Sydney Writers Festival.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Fuckin' art, innit, taken at the Hotel InterContinental, Sydney, on Saturday 12 May 2012.]

I’ll leave the article to explain itself once you click through, but to provide some Googlejuice here are the words hacking, infosec, cybercrime, cyberwar, information security, malware and cows.

“How do you think that tweeting your day plans affects your personal safety?” asked Ravneel Chand a short time ago. Overall, I reckon it actually increases my safety. Here’s why.

Background first. Here’s today’s “daily plan” tweet which, like those on pretty much every other day, is tweeted shortly before I settle down to work.

Thu plan: Bump out Waratah Cottage; 1032 train to Sydney; lunch (where?); errand Newtown/Enmore; write something; evening TBA.

Later in the morning I mentioned that I’d be catching a later train. And then, just as I left the house:

Mobile: Cab, shortly, to Wentworth Falls; 1132 train to Sydney Central; train to Town Hall station; 1335 walk to SEKRIT hotel and check in.

Clearly the fear being expressed is that by knowing my movements some bad person could more easily do me harm. But let’s do a proper risk assessment. You start one of those by enumerating the risks, and then you look at how this additional information might change those risks.

As I see it, my “personal safety” risks are someone deliberately wishing to do me harm, accidentally injury by something external to myself, or a medical emergency that isn’t triggered by anything external.

I’ll dispose of the last two first. Whether accident or medical emergency, nothing in my tweets will cause or stoop that happening. But if the world knows where I am then my safety is increased. If I can only fire off a tweet or SMS that says “I’ve been stabbed” of “chest pain” then emergency services have more information to go on. If I fire off no message at all and simply go missing, well again my steps can be retraced and I’m likely to be found more quickly.

The one people fear most is the violent assailant. An assailant will either know me and wish to harm me because of that association, or they’ll be a random.

If the assailant wants to harm me because they know me, then they’ll be motivated and put some effort into it. Given that my work, phone number, email address and plenty of photos are already online, they could easily find me by other means and follow me until I was somewhere alone.

They could even just contact me and arrange a meeting. Heck, I cover information security issues: they could just pretend to be a confidential source and ask to meet me somewhere and “tell no-one”.

Similarly for anyone else, it’s pretty easy to find out where they live or work, and just start a surveillance operation from there.

If this assailant is an amateur, they’ll have likely already drawn attention to themselves through some angry or threatening communication. I’ll already be taking steps to avoid them. If they’re a professional, well I’m screwed no matter what because they’re far better at this game than I am.

At the risk of over-stressing this point, if someone wants to do me harm because I’m me, then that’s unlikely to become more of a risk because they know which train I’m on. “Oh, Stilgherrian’s train arrives not long after mine. I think I’ll stab him then.” No, I don’t think that’s how things work.

If the assailant doesn’t know me, then why would they be wanting to harm me? Well now we’re talking something like mugging me for my wallet or phone, or getting into a fight somewhere. In which case the fact that I’ve told the internet where I am doesn’t change that risk. The risk is about where I am, who else is there — along in a dark alley while drunk is obviously bad here.

Twitter is a remarkably apt name for this social messaging service, because we can use it to maintain a continual ambient awareness of each other’s state of being regardless of location.

Against this negligible or perhaps even zero increase in risk, tweeting my movements provides remarkable utility.

Friends and colleagues can coordinate with me with minimal effort. Far more than once I’ve had someone join me for a meeting or a drink because the chance presented itself. PR minions — if they bother to look! — know when not to call me because I’m on a train. And so on. People have volunteered restaurant recommendations or travel tips.

I should say, though, that the risk profile might not be the same for everyone. These are the choices I’ve made with open eyes.

To understand these issues better, I can thoroughly recommend the work of Bruce Schneier, and in particular his book Beyond Fear: Thinking Sensibly about Security in an Uncertain World. Indeed, every politician should read that book before opening their mouth about anything related to risk and security.

In 2008 I criticised Rudd’s slow digital revolution.

Dig into Budget Paper No. 2 and there’s a frustrating lack of detail and commitment.

Of $4.7b promised for the National Broadband Network [this was the original 12Mbps fibre to the node policy], only 0.16% has been committed: $2.1m this financial year and $5.2m next for “establishment and implementation”. The remaining 99.84% — you know, actually building the thing — is all “nfp”. Not for publication. We’ll get back to you…

The rest? All. Too. Slow. And. Vague.

In 2009 I complained that the machinery of Australian government is as outdated as the steam locomotive and the electric telegraph in The Budget? How quaint! They’re just made-up, you know.

Here we imagine that once a year we can produce a Big List of Numbers that’ll cover everything our “modern” nation-state will need to deal with for the next 365 days.

We proclaim it Good or Bad for this or that self-interested sector of the community on the basis of a quick glance, a gut reaction, and the need to create a narrative that’ll attract an audience or justify a pre-existing political zealotry.

We pretend to believe numbers like “$20 million over four years” when only a tiny part of that might be committed in the coming financial year and the rest, still to be confirmed in the next Budget, is therefore nothing but wishful thinking.

The reality, of course, is that the world moves faster than this. We experience a sudden global financial crisis, and must immediately tighten our belts by … um … giving away $900 cash to everyone.

In 2010 I complained of More NBN vagueness, border control and cyber-safety re-allocation. It’s not a bad read, but I’ll leave you to click through to that one.

And by 2011 I was clearly over the whole thing, writing Ritual shenanigans, but hey, this is government.

Riddle me this. What is the actual point of the federal budget process and all the lock-up shenanigans that go with it when the biggest bucket of money related to the technology sector by far, that National Broadband Network thing, isn’t even on the books?

What is the point when the way that NBN money is being spent – and is it $26 billion or $36 billion or $43 billion or that $50 billion scare-number that Malcolm Turnbull pulled out of some random orifice and keeps repeating unchallenged? – it is all SEKRIT thanks to those magic words “commercial confidentiality”…

What is the point of this annual ritual – built on the assumption that we can publish a set of numbers in May that will, in this complex and rapidly changing world, still be meaningful six months down the track – when the government has to respond to changing circumstances? Such as urgently building a fibre-to-the-premises network? Or responding to a global financial crisis? Or starting a land war in Asia? Or handing to every taxpayer $900 because, um, oh, shut up stop asking questions and buy a new TV.

I went on about “$20 million in suck-up-to-Tasmania funding” and “Labor’s half-arsed internet ‘filtering’ policy” and “loud-mouthed entrepreneur Ruslan Kogan” and noted:

Just be aware that all of this could be changed in an instant, budget process or not, if a minister gets on a plane with the Ranga-in-Chief with a few numbers scribbled on the back of an envelope.

So, what the fuck will I end up writing once the budget papers drop onto government websites tonight? Especially given that my shoulder is “out” and I won’t be able to get it fixed until tomorrow afternoon — my birthday! — and I’m scoffing codeine? Suggestions please!

I won’t go into the cancelled flight in detail just now. Either you saw it unfold via my Twitter feed or you didn’t. Not everything has to be recorded everywhere forever.

I got back to Wentworth Falls late on Tuesday and went to bed — and didn’t emerge until Friday, thanks to a nasty cold I seem to have picked up along the way.

Podcasts

• Patch Monday episode 136, “Blackhole crimeware as a service here to stay”. A discussion of the evolution of the Blackhole malware toolkit and other trends highlighted in the latest AVG Community Powered Threat Report (PDF) with Michael McKinnon, security advisor for AVG Australia and New Zealand, and Rob Collins, senior sales engineer for Asia-Pacific with WatchGuard.

Articles

• Street View Wi-Fi: is it Google’s News of the World moment?, Crikey, 30 April 2012.
• Facebook is profitable, but $86 billion is still speculation, Crikey, 4 May 2012.
• Anonymous hacktivists prefer penetration, but choose targets of opportunity, CSO Online, 4 May 2012.

Media Appearances

• On Wednesday I spoke about the risks of unsecured Wi-Fi on Adelaide radio 1395 FIVEaa.

Corporate Largesse

None.

The Week Ahead

The current plan is that I’ll be in Wentworth Falls until Thursday morning, writing a whole bunch of stuff and, with luck, getting rid of this cold. I’ll head to Sydney some time on Thursday, and then present a keynote on security at Friday’s Saasu Cloud Conference.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Waratah Cottage via Instagram. Waratah Cottage is one of the Bunjaree Cottages, where I've spent maybe three-fifths of my time over the past year. It's not the building I usually stay in, but it's likely that I'll be here until Thursday.]

Here’s the audio, and I reckon you can hear very clearly that I had a very bad cold.

The audio is ©2012 dmgRadio Australia, but here it is ‘cos it hasn’t been posted on the radio station’s website. Besides, this is a reasonable plug.

That’s Perth in the photo, with the Swan River just visible between the apartment buildings of East Perth. The photo was taken with my bashed-up HTC Desire phone and processed through Instagram.

Heck, if Zuckerberg reckons it’s worth a billion dollars I might as well have a look, right?

I’ll comment on Instagram itself later, and figure out a better way to integrate the photos into this website. Meanwhile, here’s a gallery of my Instagram photos, updated automatically.

And now on with the show…

Podcasts

• Patch Monday episode 135, “iiNet wards off AFACT, but what next?” A summary of the High Court’s decision in Roadshow Films and others versus iiNet Limited, the initial reactions, and a wide-ranging discussion with Dr Rebecca Giblin, a copyright academic and geek from Monash University’s law school, who literally wrote the book on this subject: Code Wars: 10 Years of P2P Software Litigation. Keywords for the other things we mention are SOPA/PIPA, peer-to-peer production,

Articles

• Blockbuster trial for a movie and TV industry in decline, ABC Drum Opinion, 23 April 2012.
• Security concerns over Australia’s e-health records, CSO Online, 23 April 2012.

Media Appearances

• On Wednesday I was interviewed about the cash for tweets demi-scandal by Adelaide newspaper The Advertiser and their website AdelaideNow. The cash for what? Well, ABC TV’s Media Watch covered it on Monday night. Basically the South Australian Department of Tourism paid “celebrities” $750 to tweet about Kangaroo Island — but the tweets weren’t disclosed as advertising.
• On Thursday I was interviewed by SBS News for the story Wi-Fi networks ‘too hackable’. Quotes from this article appeared in Your WiFi Used In Their Crimes at smarthouse.com.au, where I was billed as a “tech blogger”.
• On Friday I presented at the DigitalMe event in Perth. I’ll link to the video as soon as that’s posted. Meanwhile here’s Sara Culverhouse’s summary.
• Also on Friday I was interviewed on ABC 720 Perth about that DigitalMe presentation. Thanks to Perth’s endemic taxi shortage I ended up walking briskly to the ABC studios — but not briskly enough. I did the interview via phone from the street. That meant I couldn’t record it.
• And still on Friday I spoke about the Optus TV Now appeal on ABC Local Radio sort-of-nationally with Dom Knight, as well as some of the stuff I covered at DigitalMe.

Corporate Largesse

• I wasn’t paid to present at DigitalMe, they did cover travel from Sydney to Perth and one night’s accommodation at Aarons Hotel including breakfast. Wine by Brad provided booze for the welcome drinks, as well as a bottle to take home. Food was supplied by Sorrento Restaurant, Northbridge.

The Week Ahead

A busy week of writing lies ahead, including a story for CSO Online and my presentation for the Saasu Cloud Conference the following week. I’ll also continue work on the feature story I’m writing for ZDNet Australia

I believe I’ll be back in Wentworth Falls for most of the week, but this could change at short notice. The Dopplr widget on the left-hand side of every page of my website is usually updated within an hour of plans changing, so always check there first — but bear in mind it has odd ideas of what day it is.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags.

This case has interesting implications. Originally, Justice Steve Rares said, effectively, that someone using a recorder-in-the cloud was still making a personal copy for domestic purposes. The fact that they’re using a recording device that’s provided as a service rather than sitting on the shelf under their television is irrelevant. The Full Court is saying, effectively, that the cloud provider is complicity in the action, which means it’s no longer personal, and in some cases may even be the sole actor.

This interpretation could have massive implications for providers of other cloud services. Could they be found to be copying data that they’re not entitled to? I’m no lawyer, so don’t ask me. But I can at least see that the law is having to deal with situations that are very different from the circumstances imagined when it was written.

Paragraph 100 of the Full Court’s decisions does say:

We should emphasise that our concerns here have been limited to the particular service provider-subscriber relationship of Optus and its subscribers to the TV Now Service and to the nature and operation of the particular technology used to provide the service in question. We accept that different relationships and differing technologies may well yield different conclusions to the “who makes the copy” question.

Will this decision be appealed? You bet.

Last night I spoke about the decision and its implications with Dom Knight on ABC Local Radio nationally — well, except for the analog transmitters that were broadcasting the cricket. I also spoke about the material I presented yesterday at DigitalMe in Perth.

[Update: I just noticed that there's a couple of little audio gaps. I was recording off the stream, y'see. I'll fix them later.]

Personally, I stand by what I said in the opinion piece I wrote for the Sydney Morning Herald in February: Sport has to think outside the box.

If you’re in Perth today, the DigitalFamily event starts at 1000 local time at Northbridge Piazza. It’s free.

The audio is of course ©2012 Australian Broadcasting Corporation, but as usual I’m posting it here as an archive.

They shall grow not old,
As we that are left grow old,
Age shall not weary them,
Nor the years condemn.
At the going down of the sun,
And in the morning
We will remember them.
Lest we Forget

[Photo credit: The rosemary sprig was taken from Matthew Hall's Twitter page from 2008. If I owe someone for that usage, I'll make good.]