10 comments

[ 6.3 ms ] story [ 39.8 ms ] thread
Either Facebook has big pull in Oz or the Queensland police are quite proactive. Either way, they rank 22nd on freedom of the press, not exactly a Scandinavian country.
I'd really like to know what they mean here by 'external servers' ... I really thought that FB has acres of it's own servers, no ?
Presumably CDN servers whose job is just to serve up the content, not to deal with who is logged in or who has access to view which content?
(comment deleted)
When I see security vulnerabilities I rarely get involved because the party with the vulnerability will become suspicious of you. It's not worth the hassle.
It's this kind of reaction that makes our technological toys less secure. It's this kind of reaction that the Ominous Large Corporation wants us to have.

The standard belief is as follows: being proactive about privacy and security costs money, and if we don't have to spend money we won't. Most people, the ones we're crowdsourcing or selling to advertisers, don't understand and won't care who actually screwed up - we'll blame the hackers and that will limit negative perceptions.

This is certainly the correct approach to take individually.

Advantage to you of trying to disclose the flaw: zero in most cases.

Disadvantage to you of trying to disclose the security flaw: possibly years in jail, hundreds of thousands of dollars spent.

It's unfortunate that this is true, but it's true nonetheless. The country needs a Computer Good Samaritan law, where those who follow a prescribed process for flaw disclosure are granted complete immunity from prosecution, civil suits and general harassment.

Why do people assume that this is some kind of giant Facebook conspiracy? From the article:

"According to Grubb, security expert Christian Heinrich demonstrated in front of the delegates how he had managed to acquire privacy-protected photos of the wife of fellow conference speaker Chris Gatford, who is Director at HackLabs."

Isn't it more likely that the police are investigating charges against Heinrich in relation to the presentation?

Perhaps it's a misunderstanding of Australian police investigations, but I wouldn't expect them to arrest a witness. If Grubb was really arrested, that suggests (to this American who doesn't know anything about Aussie police) that someone accused him of a crime. Facebook has a motive; they want journalists to think twice before reporting on Facebook privacy flaws. Nobody else seems to have a motive. Not that there's any point in jumping to conclusions at this point -- surely there will be more information available soon.
The police say he wasn't arrested.

He claimed in a tweet that he was, but I kinda doubt it -- for starters he wasn't arrested for anything, and secondly if you are under arrest are you allowed to keep your phone and tweet all about it?

So, was he being over-dramatic, or did he genuinely believe he's under arrest? (Oh, and a handy hint: if the police ever ask you to go with them then make sure you ask 'em whether you're under arrest or not.)