
Posts Tagged ‘bitcoin’

Followers of IT in Australia may recall that in June 2011 Crikey.com.au reported that a staffer at ABC Australia had placed some code on an ABC server to mine bitcoins.

Back then, as Fairfax’s Sydney Morning Herald reported at the time, ‘ABC’s head of corporate communications, Sandy Culkoff, said that the ABC would not comment on IT security matters however “there is a serious misconduct case underway in relation to this matter”’.

During Australian Senate Estimates in February 2012, Senator Abetz asked ABC Australia a number of questions about the incident. The answers revealed that the incident was not a case of someone attempting to use corporate CPU time for their own advantage, but instead an attempt to use visitors’ computers without their knowledge.

To answer Delimiter’s question from last year, this would most likely place the actions of the ABC staffer in the class of ‘petty criminal’ under section 478 of the Australian Cybercrime Act. Today, the answers to the questions from May 2012 have arrived, and they once again raise the question of whether the ABC’s board are guilty under section 477 of the act – the more serious computer crime.

The ABC will be telling parliament they’ve destroyed logs. The actual quote is “The ABC did not retain the server log files for that period”, which leads to wondering how long the ABC maintain their logs and why possible evidence of a ‘serious misconduct case’, or even that of a possible criminal act, has vanished. They will be telling parliament that no record was kept of the offending code: “The ABC did not retain the Bitcoin code.” They will also be telling parliament that a conscious decision was made to keep notification of trying to impair computers away from the public: “There was no ABC news coverage of this matter” (this is at direct odds with my recollection of coverage at the time, but I would agree that it would seem there are no references to this incident on the ABC’s own website as of today). The ABC have previously claimed that they “ha(d) not received any complaints from audience members as a result of this Bitcoin code.” The ABC believes that it’s not for them to tell the public when their staff members attempt to execute unauthorised code on your computer: “The ABC considered that it would be contrary to good security policy to publish any information about breaches of site security as this could reward and encourage hackers.”

This is not someone attacking the ABC’s site; this is an ABC staff member attacking external computers. The ABC have decided to show no one – not the public, not AusCERT, certainly not the Federal Police – any details. If you were visiting their website and your web browser did have performance issues at the time, they certainly haven’t put their hand up to say ‘Oh sorry, it might’ve been us’. Instead, they’ve hidden, obfuscated and deleted data. To say that such behaviour reminds me of the genesis of reports on the News International phone hacking scandal would be an understatement. Maybe we should expect more of this behaviour from ‘our’ ABC in the future. In the context of the current Australian government’s push for data retention, one can’t help but also think that parliament is putting the cart before the horse. It’s about time Australia had mandatory disclosure laws about data breaches. I hope that scenarios such as the ‘ABC Bitcoin Incident’ will be included in the types of data breaches requiring mandatory disclosure.
