Recordkeeping Roundtable’s website has the raw transcript as supplied, but I’ve decided to edit it up a little to make it more readable. Enjoy.

CASSIE FINDLAY: So our first speaker, who has been launched into first position, and I don’t know we’ll just see if I can remember. I have a whole… like a proper, formal bio for Stil but he told me an abbreviated one that I’m going to remember now, which is Stilgherrian is a journalist and — you’ll just have to remind me — information security expert, journalist, blogger, troublemaker, speaker and shall be our first speaker tonight. Thank you.

[APPLAUSE]

STILGHERRIAN: Thanks Cass, thanks everyone. Yes, it’s somehow appropriate we start this, I think, with the disorderly side of accessing information. What I’d like to tell you about tonight, to kick this off, is the fact that we hear about all these information tools available to us as being something that will democratise access to information, and I think it’s more it’s going to “anarchise” that access, if I can put it in those terms. Because the tools are available now not just to the rational actors of government and parties and organisations and so on. These tools are now available to the rational actors of smaller groups or individuals, they’re now also available to the irrational actors — and I don’t mean crazy peopl,e although add them into the list too if you want, I mean actors large and small who do not necessarily have a well-defined or coherent aim for what they’re doing. And I will put Wikileaks and the random people who put the label ‘Anonymous’ on themselves under that label of irrational actors.

And if you think that’s unfair I’m not, again, I must stress, I’m not calling those people crazy. They’re often very sharp and very focused people. But if you stop and think about what is the actual aim here? What is the purpose of their activity? And it’s a little hard to pin down, particularly with the people who label themselves ‘Anonymous’. It seems to be ‘something big business, government, secret, awful, stop them, ha-ha-ha’. Well that’s perhaps unfair, but if you’ve got a better one, by all means publish it.

And the problem for existing holders of information — which by definition therefore means existing holders of power — is that what on earth are these people going to do next? And who is going to do it next? Because, as I say, the tools are now available to everyone, and it’s like the kiddies are loose in the chocolate factory — and again, “kiddies” because they are not part of what the existing powers consider to be, well, I suppose the ‘old boys’ club’.

If we hark back to something like the Cold War, and we were all in very, very grave danger of something going seriously wrong and we would be vapour the next morning. You know, we ran very close to the edge on a number of occasions over a 40 year period, let’s say, to pick a number from the air. The thing that stopped us going all the way, the thing that stopped the button being pressed, was that along the way there were actual rational people who said “No, actually, let’s not blow up the entire world, that might be a bad thing.” And that’s why we hear now about rogue states and nuclear terrorism and so on, because maybe not everyone has that same approach to pressing the button.

The same is the case in the battle for information. Now we’re not going to get vapourised because someone gets a copy of an email, but what happens is that a government party might lose power, an organisation such as a business might thoroughly go out of business — so in a sense it’s vapourisation for them — although, again, I don’t want to push that analogy too far because I find that whole equation of terrorism and nuclear things, it’s wrong. We’re talking about information. No-one physically gets hurt.

And that’s why the whole recent Stratfor thing is an interesting case, because although Stratfor is not a government organisation, it has strong links to government, it operates with information that’s the kind of information that governments have, and the kind of mistakes they made and the impact the breach has had upon them is perhaps similar.

Now the points I guess I want to make — and Cass has asked me to do a quick run through of this — who before all this news had ever heard of Stratfor, anyone? One, two… Okay, that’s… and Dr Dorling. That’s actually a really high proportion. Because I was on the list. Malcolm Turnbull had obviously heard of them — he was a subscriber. I’d subscribed to their newsletters once because my email address is in that big dumped database as well and things.

But essentially their job, if we take them at their word initially, ‘cos we’ve got some emails to read to find out some more — five million emails –– but they were a private intelligence organisation supposedly dealing with open source information to provide strategic advice and risk analysis for the private sector mostly, but some government.

So the kind of client and job that we imagined that they had until the last few weeks was things like an oil company has got to spend a couple of billion dollars in building a new oil refinery; shall we build it in the south of newly liberated Iraq or shall we build it in Pakistan, or where shall we build this because we need to look 30 years ahead.

George Friedman, the founder of Stratfor is big in the world of geopolitical analysis. His book The Next 100 Years is just that, essentially explaining how America will rule the world for the next century and the risks it faces in doing so, especially in Central Asia, and that’s the kind of thing.

Now some of the people who used the label “Anonymous” — and I keep phrasing it that way because there is no leader of Anonymous, there is no centre, there is no plan, anyone can say “I subscribe to their world view and I’m now doing things in the name of Anonymous.” So I will now just go to the short-cut way of saying that and say “Anonymous did” and “Anonymous said”, even though that is wrong and I know you’re all adults and will follow me on that. But in March last year Anonymous hacked into a company called H B Gary Federal which did information security for various bits of the United States government. And it turned out that H B Gary Federal was both incompetent and possibly even corrupt in the way it did that and, well, Anonymous took them down and in the last few days it is now being revealed that H B Gary Federal is being chopped up, sold off and that’s the end of their business.

Along the way they got of H B Gary’s emails. Apparently some of those emails mention Stratfor. And apparently some of them mentioned things that Stratfor did that Anonymous thought were wrong, corrupt, evil, nasty, whatever it might be. So they decided to have a look at what Stratfor was doing.

Over a number of weeks leading up to Christmas they did manage to break into Stratfor’s, servers and over a period of a few weeks exfiltrated, as the jargon goes, 200 gigabytes of data. Their entire email archive going back a decade. Everything sent and received. Yes, that does mean that they were moving, say, several gig of data out of their network without them noticing the extra traffic. Lucky them or incompetent them, however you look at it.

I have received word that apparently Stratfor had become, or started to become, aware that the chap doing their network was perhaps not as competent as he had told them and had recently been replaced, and they were in the process of maybe doing something about a new security person, but clearly too late.

So that all came into the news around Christmas time and, again, I want to use that phrase “the kids loose in the chocolate factory”, because hacking an organisation like that is a multi-person task. You need to bring a number of skills to bear, and they can’t all be found in the one person very often. So it’s a bit like the heist movies, you know, someone knows how to break down the door, someone knows how to deprogram the security cameras and all of that kind of stuff, with a little less action and a lot more sitting at computer terminals. They got in.

Now what focused everyone’s attention at Christmas was they found that Stratfor had not only allowed these guys to get in — but I’ll come back to that — they found that they’d kept all of the names, addresses and credit card numbers of all of their subscribers unencrypted in a database that had no password on it. So, what happens next? Well those credit card numbers start being spent, and Anonymous people sort of say “Well we’re doing a Robin Hood thing, we’re making donations to the Red Cross and Medicines sans Frontieres” etc, etc.

Except, well you know, the real reason was to get at that email archive. Well that’s what’s started to be published in the last few days through WikiLeaks, although WikiLeaks have said they don’t know where they got this email from, they just happen to have 200 gigabytes of email from Stratfor, but it’s just magically arrived.

So that’s where we’re up to and we’re up to the point where as this slowly gets released we are seeing things like an email which suggests founder George Friedman was talking to Goldman Sachs about how you could set up a separate corporate structure so that it would look like an independent advice organisation, so therefore technically it’s not insider trading, etc, etc. And I didn’t find that in George Friedman’s book anywhere. I didn’t see the bit that said “Start insider trading company” but, look, lots more will come out over the next few days.

Now this could happen to any organisation, any organisation you’re involved with, tomorrow because there are two things to point out.

One is that no-one ever gets their information security perfect. It’s just impossible, it is too hard. You just have to make one mistake, you just have to have one employee who makes a mistake, and the bad guys can get in. There are guys who do this for a living on the good side called penetration testers. They’re hired by banks, insurance companies, the military, whoever, to test their defences. If you have a beer with these guys, even if you don’t have a beer with these guys, ask them how many times they fail to get in. The answer is always zero. They never fail to get in. And often it’s, well, often it’s by manipulating people rather than anything technical.

The other thing to mention is that all of the tools that are available to do this are freely downloadable from the internet, either free or at a very low price from your friendly local Russian mafia. They come with technical support that is better than the technical support for most commercial software products. Well actually they are commercial software products, they come with good support and I’ve had the very great pleasure of one of the information security companies running me through a training session in one of these. They’re very easy to use. This training session took 90 minutes. At the end of it I knew how to get a bit of software, weaponise it, create a fake email convincing someone to download the weaponised software, install it on their computer and I now have control of that computer. All right, I was working from a cheat sheet. But I was also told that if I did not have this cheat sheet, any competent systems administrator could nut it out within two days. But as I say, if they want to pay the US$200 they’ll get the technical support and someone will talk them through it.

So it’s lovely stuff, and when I talk about the kind of tools available to you, this is absolutely complete control of the computers that you infect. You can turn on the camera without turning on the red light to say that it’s recording You can turn on the microphone,. You can take screenshots. You can record what’s happening on the keyboard,. You can do absolutely anything. You can then install software — this is off the topic of information attacks really — but should you wish to get access to their financial information, well, you can install something like the Zeus anti-banking trojan which recognises the top 200 or 300 banks in the world, will notice when your web browser has logged into your net banking for that bank — so it’s still showing you the Secure Sockets Layer padlock icon, you have a secure link — but in the background while that secure link is open it can start doing funds transfer commands, on its own, without them showing up on the screen. If it notices that you’ve set things up to notify you of transactions by say email to a Hotmail or Gmail account, it will quickly log into said account and delete that email before you get a chance to see it, etc, etc.

It’s really very, very clever stuff and hats off to some of the finest software developers that the Russian mafia has managed to find.

Now where does that leave us?

Screwed basically.

I mean I don’t wish to paint it all doom and gloom but right now, today, if I can use the Cold War analogy again, while all that was happening in the background we had many people doing things to make sure that the bad stuff didn’t happen. We had radar operators sitting at their consoles, we had fighter jets on standby, we had missiles ready to be launched and so on.

Well today we have a similar kind of battle going on We don’t hear much about it because most of it’s actually run by the commercial sector, oddly enough. It’s organisations like Microsoft and McAfee and Symantec and Kaspersky out of Russia and AVG out of Prague and all of these people who are running the defensive systems. All of these companies have their people operating in the black market and grey market to keep in touch with what the bad guys might be doing next to buy the software and show it to people like me so we’re all aware of how it works and what’s going on and so they know what they’re defending against.

And Stratfor is there –– that’s an example that’s very public now. We had so many hacks last year of Sony — I forget, did we get up to 100 million in credit card records stolen? I mean it’s got to the point now where this is all churning along. So many people in the cybercrime area have pointed to this year as being very significant because there were all of these attacks last year and yet there’s a sense of no-one’s doing anything with this data yet. It’s almost the calm before the storm.

And then finally, if I can kind of wrap up, in organisations or non-organisations like Anonymous, who’s really running this?

I mean we hear about … there are people doing things and they’re the public face. We hear about people occasionally being arrested. But I have had someone who worked for an acronymic intelligence agency — I’d better not say which one — but said relatively recently, “The fact that anyone can call themselves Anonymous is quite handy.”

That were his words, “quite handy”.

I don’t think it’s all doom and gloom but, as I say, there are people who are doing the defensive stuff and are on top of this. But it does create all of those issues for society. Who now will have the balance of power? Because we are eroding some of the exclusive access to information. We do have the sense where anyone with a grudge can decide that they will reveal information without a lot of thought about the collateral damage caused by that information coming out.

I mean, the people who broke into Stratfor didn’t really care about what happened to the credit card numbers they put online, or anything in the emails. Who knows what the fallout from that bout might be? They don’t really care.

And then there’s the long term. Who creates the narrative of our history? But that’s one I better leave for another time or we’ll be here all night. Obviously you’ll have a chance to ask questions. Thank you.

[APPLAUSE]
[END TRANSCRIPT]

As I finish compiling this post, I’ve still got lots of AusCERT material to produce and Monday looks like being intense. So let’s just list everything and see what happens.

Podcasts

• Patch Monday episode 138, “Anonymous ‘crippled’: where to for hacktivism?”. Following last week’s conversation with Israeli information security researcher Tal Be’ery about hacktivists’ tactics, I spoke with former journalist and commentator Barrett Brown, who has worked with Anonymous for about a year and a half. He discusses Anonymous’ position in the wake of revelations that Sabu, a core member and informal leader of the offshoot hacking group LulzSec, had become an FBI informant.

Articles

These are just the first two articles from my AusCERT coverage. More will follow.

• AusCERT 2012: Russian crims evade transaction profiling, ZDNet Australia, 17 May 2012.
• AusCERT 2012: DNS poisoning the ‘thin end of a wedge’, ZDNet Australia, 17 May 2012.

Videos

• 5 Conference Tips for PR Professionals, an impromptu video message from Gold Coast airport.

Media Appearances

• On Monday I spoke about Facebook charging for highlighted posts and the company’s stock market float on ABC 702 Sydney.
• On Tuesday I spoke with journalism student Tom Davey about various attempts to regulate the internet. Should he choose to post the resulting radio report I’ll post a link here.
• On Friday night I spoke about AusCERT, cybercrime, cyberwar and claims that Apple is behind the pace on ABC Local Radio.
• On Sunday afteroon I spoke about the surveillance society at the Sydney Writers’ Festival. Here’s the audio recording.
• On Sunday night I spoke about using Twitter to generate ideas with James O’Loughlin on ABC Local Radio. Here’s the audio recording.

Corporate Largesse

• AusCERT 2012 conference organisers and sponsors paid for various meals and drinks, but I didn’t keep track of that. While that means I can’t disclose who paid, it also means I can’t be influenced because I can’t remember who’s meant to be doing the influencing. Complete market failure, that.

The Week Ahead

There’s a couple of days of intense writing and production ahead. At the very least there’s two or three articles about AusCERT 2012 and the Patch Monday podcast. Then there’s a piece to do for CSO Online, and one for Technology Spectator.

I should be returning to Wentworth Falls this evening, but I plan to be back on Wednesday night to go to a paintball session with Eugene Kaspersky and other journalists. That could be weird. And I’ll probably be in Sydney again at the end of the week, but that hasn’t been planned out yet.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up) and via Instagram. The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Airbus A320-232 VH-VGY at Gold Coast airport, the aircraft I traveled in on Saturday. Check out the complete history of VH-VGY at FlightAware.]

[Update 26 May 2012: Links added to last weekend's audio recordings, added earlier today as separate blog posts.]

We spoke about the conference atmosphere itself, cybercrime, cyberwar, the risk of Cybergeddon (yes, I know), and the claim by Eugene Kaspersky that Apple is ten years behind Microsoft when it comes to security.

Not that Mr Kaspersky would ever, like, troll the entire planet.

What we didn’t talk about, really, was the two stories that have been published so far:

• Russian crims evade transaction profiling, which details a trans-national organised crime operation profiled by Mikko Hypponen.
• DNS poisoning the thin end of a wedge’, in which domain name system pioneer Dr Paul Vixie supports my argument that fiddling with the internet’s fundamental navigation systems probably isn’t such a great idea.

The audio is of course ©2012 Australian Broadcasting Corporation, but as usual I’m posting it here as an archive.

Here’s what I wrote last year when, just like this year, I was on the ZDNet Australia team:

• AusCERT 2011: Firms ignore ID theft risk, in which Bennett Arron explains that police forces don’t yet take this stuff seriously enough. Has this improved? I’m seeing talk but no action.
• AusCERT 2011: Son of Stuxnet within a year: expert, in which Eric Byres explains why the Stuxnet worm — the presumed US-with-Israeli-help anti-SCADA attack on Iran’s nuclear program — would spawn a wave of copycats. This didn’t happen. Why not?
• AusCERT 2011: Black hats and whitegoods, a story which was provided with the year’s best headline by CBS Interactive’s Brian Haverty where I discussed how the Internet of Things and a billion smart appliances would be the vector for a new wave of attacks. This hasn’t happened — yet — but is it still just around the corner?
• AusCERT 2011: Bank theft goes truly mobile, in which Amit Klein, chief technology officer at Trusteer, predicted third-generation anti-banking malware on smartphones by Christmas. Did this happen? Well, not really. Why not?
• AusCERT 2011: Silent victims thwart cybercops: Qld Police, in which Detective Superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service, bemoaned the lack of hard data. I know how he feels. Do we have any yet?

The feeling I get from scanning those headlines is that there’s always a lot of scaremongering but the threats often don’t materialise. Are the threats over-stated? Does pointing out the threats trigger an effort to counter them, thus defeating them? Is it all just a bit too screechy?

And over the last year there’s been so much talk of imminent cyberwar. Is that just this year’s fashionable scary thing on a stick? I intend to ask a few questions. And I’ll plug it again: Thomas Rid says we shouldn’t believe the hype.

I haven’t yet looked in detail at the conference program but will do so over the next few hours. What do you reckon I should be investigating?

[Update 16 May 2012, 0625 AEST: Changed second paragraph to emphasise that I am covering the event for ZDNet Australia this year as well as last.]

The shoulder was repaired on Wednesday and is now slowly getting better, thank you. But despite the pain and the codeine haze, I did get a little work done.

Podcasts

• Patch Monday episode 137, “Removing the anonymity from Anonymous”. A conversation about the tactics of Anonymous, LulzSec and other hacktivists with Israeli information security researcher Tal Be’ery, web security research team leader at Imperva’s Application Defense Center (ADC), where he leads efforts to capture and analyse hacking data.

Articles

• IT: the opportunities, some lost, from a low-tech budget, Crikey, 9 May 2012.

Media Appearances

• On Friday I spoke at the inaugural Saasu Cloud Conference, with a presentation entitled Security and the Cloud: Hype versus Reality.

Corporate Largesse

None.

The Week Ahead

The current plan? A day of writing at Wentworth Falls on Monday. A day of travelling on Tuesday, taking the train to Sydney and then flying to the Gold Coast. Once there I’ll be covering the AusCERT 2012 information security conference for ZDNet Australia, flying back to Sydney on Saturday afternoon.

On Sunday afternoon I’m speaking about the total surveillance society at the Sydney Writers Festival.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Fuckin' art, innit, taken at the Hotel InterContinental, Sydney, on Saturday 12 May 2012.]

I’ll leave the article to explain itself once you click through, but to provide some Googlejuice here are the words hacking, infosec, cybercrime, cyberwar, information security, malware and cows.

This presentation was a quick run-through of what I think have been the most important themes from the past 12 to 18 months.

About two-thirds of what I write touches upon information security, cybercrime, cyberwar, or privacy and transparency issues.

If you’d like the full firehose of information, please stay in touch via my list of written articles, the compilation of my media work in my Weekly Wrap posts and — if you don’t mind seeing my less-presentable public face as well as my serious work — my high-volume Twitter feed.

If you have any questions or comments, do please add them below. I’ll generally respond within 48 hours.

Things are very scary…

2011 was billed as the year of the hacker, and the year of the hacktivist. And yes, it was bad.

Hackers working under the Anonymous brand compromised Sony’s PlayStation network, costing the company $170 million.

Anonymous also hacked Stratfor, a US private intelligence analysis firm, stealing their 10-year archive of confidential emails and apparently handing them to WikiLeaks.

Anonymous splinter group LulzSec hacked into Rupert Murdoch’s News International, including UK newspaper The Sun — although it seems that most of LulzSec has since been arrested when their leader was turned and became an FBI informant.

Random hackers even defaced a Tasmanian government website. How very dare they.

Mid-year, McAfee told us about Operation Shady RAT, a five-year program by an unnamed nation state that had infiltrated dozens of organisations around the world. Most of them didn’t even know they were hacked.

We heard how the Stuxnet worm attacked Iran’s nuclear program — although the attack itself took place the previous year — leading to claims that 2012 would be the year of cyberwar. Atomic explosions illustrated the cover of books like Cyberdeterrence and Cyberwar by Martin C Libicki.

… but we don’t really know

Despite all the hype, we have no reliable figures on the extent of the problem.

Online crime is under-reported and under-researched. Plenty of people have called for mandatory reporting of cybercrime, including the chief technology officer of AVG
and Detective Superintendent Brian Hay of the Queensland Police. Me too.

Major security companies avoid telling us the facts and continually promote dubious statistics.

McAfee’s claims about Shady RAT were mostly hand-waving, quite probably exaggeration.

Sophos reckons this focus on high-profile attacks distracts us from the real threats.

The report on Cyber Storm III, the latest in a series of five-nation cybersecurity exercises, told us nothing.

“The exercise provided insight into key decision making processes within government, business and industry. These insights could not have been achieved without processes being tested in an exercise,” the report reveals. Gaps were identified. Improvements made. Relationships built.

Introducing the hacker

Jasmine Singh Cheema, aka Pherk, aka Zero Cool, is a typical hacker and the most likely threat you’ll face.

Cheema did $1.5 million of damage to his employer’s competitors in 2005 in exchange for a few sneakers and a watch. His story is told in Tracking Cybercrooks: the tools feds use and Hacker’s Delight.

The story of the December 2011 extortion attempt against Sulieman Ravell’s financial advisory business is told in the Manly Daily, and I spoke with him at length in a subsequent Patch Monday podcast.

Israeli researcher Tal Be’ery has monitored Anonymous and LulzSec. He reckons Anonymous hacktivists prefer penetration, but choose targets of opportunity. I spoke with him for the Patch Monday podcast too, Removing the anonymity from Anonymous.

Most cybercriminals are stupid, but there’s a lot of them and the tools are cheap and easy to obtain. Your paper boy might hack your home network because you didn’t tip him.

The Cloud changes none of this…

… except for the complexity and your ability to understand what’s going on.

Most of the recent surveys have shown that when it comes to cloud computing, security is the number one concern. And every time I’ve looked at this in detail, the message from the information security experts has been get a lawyer.

That goes double in government circles.

Legal complexities make it difficult to use public cloud computing, according to Raimund Genes, Trend Micro’s chief technology officer. Unless you’re a criminal, that is.

“Public cloud for me is not really a security challenge. It is a change in the way we operate with data. It doesn’t decrease security. It increases complexity, and that’s a problem,” he told the company’s Canberra Cloud Security Conference.

“The cloud, from a legal point of view, will keep our internal lawyers and everybody else busy for the next fifty, one hundred years,” he said.

Hybrid clouds will probably be the answer, balancing the low price of public clouds for less critical with the increased ability to monitor private clouds for more critical data.

Mobile devices are changing everything — especially on the Android operating system, which could end up being a simmering security shemozzle.

You don’t know who your Friends of Friends are

The internet connects every computer directly with every other computer. That’s not new.

What is new is that we’re publishing more information than ourselves than ever before. And while we might think we’re sharing that information with our friends, or friends of friends — those terms are highly misleading.

We might think of friends-of-friends as someone we’d let a friend bring to dinner. But research by Sophos shows that half of the time people will automatically friend someone on Facebook, even if they know nothing about them. Friends of those friends could be literally anyone.

We don’t even know who our enemies are either. After all, anyone can call themselves Anonymous.

DSD has some great advice

According to the Defence Signals Directorate, the agency responsible for the protection of Australian government and military networks, four simple strategies can prevent 85% of targeted intrusions.

DSD has published the full list of the top 35 mitigation strategies.

This work won DSD the US Cybersecurity Innovation Award for 2001.

Evgeny (“Eugene”) Aseev, head of the Kaspersky’s China antivirus lab, has his own list of 18 infosec fails that let crims win.

This time we’re all in the front line

John Lawler, chief executive officer of the Australian Crime Commission (ACC) reckons we all need to harden up.

“There will always be exceptions — high-profile cases and particularly unique cases — where prosecution will be attempted,” he said, “where for deterrent purposes you’ll put a head on a stake somewhere, and I’m an advocate of that — not literally — where that becomes important for community confidence.” …

“I think it is absolutely essential for governments, for businesses, for the individual, to have the proper controls in place to prevent, or to harden the environment against, the cyber attack.”

Organisations must have audit controls, for example, particularly for digital information, and robust governance. They must understand security risks in their full complexity, both technical and human factors.

“That message hasn’t, I think, permeated — certainly in business — to the extent and level it needs to,” Lawler said.

And we need to make sure our data is encrypted, especially on portable media.

The problem is, it’s human nature to put security last.

Businesses need to start taking this more seriously. I’ve called for their to be less pep talk, more stick, and I reckon negligent data breaches should become a criminal offence. I’m not alone.

Coda

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Australia License.

The non-commercial and share-alike conditions are required to adhere to the licensing of the imagery used. Please contact me if you require an alternative version. As a minimum, attribution should read: “Source: Stilgherrian.” Online versions must link the word Stilgherrian to the website at stilgherrian.com.

[Image credits: Cows by Emmett Tullos III, used under a Creative Commons Attribution license (CC BY); photo of Jasmine Singh Cheemsa supplied by FBI via PCWorld Communications Inc; Clouds by Jerry Pierce (Flickr/Uncle Jerry) CC BY-NC-SA; Social graph image by Jim Bumgardner (Flickr/krazydad) CC BY-NC-SA; "Loose Tweets Sink Fleets" by Brian Lane Winfield Moore CC BY-NC-SA; "This time we are all in the front line" by Phil Bradley CC BY-NC-SA.]

I won’t go into the cancelled flight in detail just now. Either you saw it unfold via my Twitter feed or you didn’t. Not everything has to be recorded everywhere forever.

I got back to Wentworth Falls late on Tuesday and went to bed — and didn’t emerge until Friday, thanks to a nasty cold I seem to have picked up along the way.

Podcasts

• Patch Monday episode 136, “Blackhole crimeware as a service here to stay”. A discussion of the evolution of the Blackhole malware toolkit and other trends highlighted in the latest AVG Community Powered Threat Report (PDF) with Michael McKinnon, security advisor for AVG Australia and New Zealand, and Rob Collins, senior sales engineer for Asia-Pacific with WatchGuard.

Articles

• Street View Wi-Fi: is it Google’s News of the World moment?, Crikey, 30 April 2012.
• Facebook is profitable, but $86 billion is still speculation, Crikey, 4 May 2012.
• Anonymous hacktivists prefer penetration, but choose targets of opportunity, CSO Online, 4 May 2012.

Media Appearances

• On Wednesday I spoke about the risks of unsecured Wi-Fi on Adelaide radio 1395 FIVEaa.

Corporate Largesse

None.

The Week Ahead

The current plan is that I’ll be in Wentworth Falls until Thursday morning, writing a whole bunch of stuff and, with luck, getting rid of this cold. I’ll head to Sydney some time on Thursday, and then present a keynote on security at Friday’s Saasu Cloud Conference.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Waratah Cottage via Instagram. Waratah Cottage is one of the Bunjaree Cottages, where I've spent maybe three-fifths of my time over the past year. It's not the building I usually stay in, but it's likely that I'll be here until Thursday.]

Here’s the audio, and I reckon you can hear very clearly that I had a very bad cold.

The audio is ©2012 dmgRadio Australia, but here it is ‘cos it hasn’t been posted on the radio station’s website. Besides, this is a reasonable plug.

That’s Perth in the photo, with the Swan River just visible between the apartment buildings of East Perth. The photo was taken with my bashed-up HTC Desire phone and processed through Instagram.

Heck, if Zuckerberg reckons it’s worth a billion dollars I might as well have a look, right?

I’ll comment on Instagram itself later, and figure out a better way to integrate the photos into this website. Meanwhile, here’s a gallery of my Instagram photos, updated automatically.

And now on with the show…

Podcasts

• Patch Monday episode 135, “iiNet wards off AFACT, but what next?” A summary of the High Court’s decision in Roadshow Films and others versus iiNet Limited, the initial reactions, and a wide-ranging discussion with Dr Rebecca Giblin, a copyright academic and geek from Monash University’s law school, who literally wrote the book on this subject: Code Wars: 10 Years of P2P Software Litigation. Keywords for the other things we mention are SOPA/PIPA, peer-to-peer production,

Articles

• Blockbuster trial for a movie and TV industry in decline, ABC Drum Opinion, 23 April 2012.
• Security concerns over Australia’s e-health records, CSO Online, 23 April 2012.

Media Appearances

• On Wednesday I was interviewed about the cash for tweets demi-scandal by Adelaide newspaper The Advertiser and their website AdelaideNow. The cash for what? Well, ABC TV’s Media Watch covered it on Monday night. Basically the South Australian Department of Tourism paid “celebrities” $750 to tweet about Kangaroo Island — but the tweets weren’t disclosed as advertising.
• On Thursday I was interviewed by SBS News for the story Wi-Fi networks ‘too hackable’. Quotes from this article appeared in Your WiFi Used In Their Crimes at smarthouse.com.au, where I was billed as a “tech blogger”.
• On Friday I presented at the DigitalMe event in Perth. I’ll link to the video as soon as that’s posted. Meanwhile here’s Sara Culverhouse’s summary.
• Also on Friday I was interviewed on ABC 720 Perth about that DigitalMe presentation. Thanks to Perth’s endemic taxi shortage I ended up walking briskly to the ABC studios — but not briskly enough. I did the interview via phone from the street. That meant I couldn’t record it.
• And still on Friday I spoke about the Optus TV Now appeal on ABC Local Radio sort-of-nationally with Dom Knight, as well as some of the stuff I covered at DigitalMe.

Corporate Largesse

• I wasn’t paid to present at DigitalMe, they did cover travel from Sydney to Perth and one night’s accommodation at Aarons Hotel including breakfast. Wine by Brad provided booze for the welcome drinks, as well as a bottle to take home. Food was supplied by Sorrento Restaurant, Northbridge.

The Week Ahead

A busy week of writing lies ahead, including a story for CSO Online and my presentation for the Saasu Cloud Conference the following week. I’ll also continue work on the feature story I’m writing for ZDNet Australia

I believe I’ll be back in Wentworth Falls for most of the week, but this could change at short notice. The Dopplr widget on the left-hand side of every page of my website is usually updated within an hour of plans changing, so always check there first — but bear in mind it has odd ideas of what day it is.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags.

There’s no photo this week because I lost my camera — though it has since been found in the Blue Mountains taxi where I dropped it. I’ll be collecting it on Sunday, probably.

There was also quite a bit of disruption thanks to the need to perform some emergency geekery. I may or may not write about that another time.

Podcasts

• Patch Monday episode 133, “OS X botnet: disaster or speed bump?”. A chat about the Flashback botnet with Chris Gatford, director of penetration testing firm Hacklabs, and applications architect Benno Rice.

Articles

• Facebook buys Instagram’s buzz in lead-up to share float, Crikey, 10 April 2012.

Media Appearances

• On Friday I talked about Instagram and Facebook on ABC Radio National’s Media Report.

Corporate Largesse

None.

The Week Ahead

I’m in Sydney all this week too, before returning to Wentworth Falls on Sunday afternoon. My main task is to complete a feature story for ZDNet Australia and an opinion piece for CSO Online. I’m also attending two launch events for new “smart TVs”, one for Samsung and one for LG. And apart from that I’ll be attempting to avoid the seasonal affective disorder that usually strikes at this time of the year.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags.

Not so much media output this week, ‘cos I was dealing with a web development matter for a long-standing client, I researched one story that turned out to be a fizzer, and yesterday I got caught up in a cleaning the hackers out of a website. Plus I recorded tomorrow’s Patch Monday podcast early. Plus it hit the end of the month and I reckon my editors’ freelancer budgets had run out.

Podcasts

• Patch Monday episode 131, “Your word is your log-in, literally”. Dr Clive Summerfield, chief executive of Australian company Auraya, talks about the state of the art in voice biometric authentication. Fascinating stuff from a great explainer.

Articles

• Apple in court: ACCC iPad fight tests dodgy 4G claims, Crikey, 28 March 2012.

Media Appearances

• On Thursday night I spoke about the National Broadband Network rollout on ABC 702 Sydney and ABC Local Radio around NSW.

Corporate Largesse

None.

The Week Ahead

I won’t be able to lock in the week ahead until I talk to some people on Monday morning. However there’s a technical briefing on the NBN rollout in Sydney on Monday that might be useful to attend, and I’m thinking of sitting in with a team participating in the Cyber Defence University Challenge and turning that into a podcast. But, as I say, I’ll work that out tomorrow.

Friday, of course, is Good Friday, and I’ll be moving down to Sydney for a couple weeks while Bunjaree Cottages enjoys the busy time of school holidays.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags.

[Photo: Chirgwin with Chainsaw: Bunjaree Cottages proprietor Richard Chirgwin observes all safety precautions — although technically this photograph, actually a frame grab from a video, belongs to last week as it was taken on 25 March.]

The cloud is the enabler, it’s the medium that automation grows in. We want to focus on the value of online accounting automation, why it’s often undervalued and how you can get some for your own business or practice.

Saasu makes the online accounting system that I’ve been using since July 2007, and I know the chief executive officer and founder Marc Lehmann and chief happiness officer Tony Hollingsworth.

Good leadership and a good attitude continues to deliver a good product. Well, I think so anyway. At least it works for me.

My keynote will be something about security and the cloud, obviously enough, but I’ll lock down the details before the end of this week.

Mind you, I wrote the ZDNet Australia feature Cloud security? Better get a lawyer, Son! in October 2010, and since then I’ve written Cloud could be ‘privacy enhancing’: Pilgrim and Hybrid clouds the eventual reality for risk management and Today’s cloud winners: the cybercriminals and Want government cloud? Rethink security! so I’ve got plenty of material to start with.

Saasu has kept the price down to a reasonable $99 for a full-day event. You can register online.

[Update 11 May 2012: I've just posted notes and background material for my presentation, Security and the Cloud: Hype versus Reality.]

Podcasts

• Patch Monday episode 130, “Yellow alert! Windows RDP flaw explained”. Casey Ellis from Tall Poppy Group and HackLabs proprietor Chris Gatford explain all the things.
• The 9pm Edict episode 20, which covers Tony Abbott’s tribute to Margaret Whitlam, comedian Bill Bailey’s thoughts on classical music, Harmony Day and more.

Articles

• Remote Desktop Protocol security hole: 5 unanswered questions, CSO Online, 19 March 2012.
• The Facebook experiment, ZDNet Australia, 23 March 2012.

Media Appearances

• On Tuesday I spoke about the death of passwords on ABC 105.7 Darwin.

Corporate Largesse

• On Thursday I attended the iappANZ workshop on Identity and Privacy as the guest of the Lockstep Group.
• Also on Thursday, I met with Oliver Friedrichs from Sourcefire, and they bought me a beer.

The Week Ahead

Nothing of specific note has been locked in yet.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags.

[Photo: Bunjaree Track with Fog, photographed at Bunjaree Cottages on the morning I finally saw the lyrebird.]

I managed to include a mention of the voice biometric work by Australian company Auraya that’s based on technology used by Centrelink, and the concept of two-factor authentication.

The audio is of course ©2012 Australian Broadcasting Corporation, but since they don’t usually post it online here it is.