Those of you in Australia can download the full episode from the ABC, those internationally can find a higher-quality video, and those who are too lazy can just see it below.

The Federal and NSW Governments spent over $250m on securing the Sydney CBD for the ongoing 2007 APEC Summit.

Two of the Chaser’s War on Everything guys, not only did they get waved through two checkpoints and posing as the Canadian motorcade, thy got as far as near Dubya’s hotel before being stopped, arrested and charged under the APEC Act.

The APEC Act restricts people from being in the “secure area” without justification during the summit (a case of guilty until you prove yourself innocent?). Even the ABC’s own report states that they didn’t intend to get as far as they did.

True, Chas being dressed up as Bin Laden during the stunt probably didn’t help, but is bloody funny.

This incident is highly embarrasing for the police, federal and state governments who have essentially fallen for the old trick of Social Engineering to bypass Security measures. For example, the media are reporting that it was due to a “breakdown in communication”, but surely they could have checked to see if the Canadians were in town in the first place (the Canadian PM hasn’t even arrived in Australia yet).

Of course, its not the only Security gaffe so far. Two “unauthorised” men were arrested for being in the hotel lobby when Dubya arrived. Two members of the Labor party were issued police passes for the security zone.

With the global media (so far: CNN, el Reg via Reuters, Australian news.com.au, etc) already covering the story, I believe its likely that they will be made an example of when they front court in Early October.

Hopefully, these minor gaffes will jolt the authorities into a proper state of alert, against real risks or threats. Personally, i can’t wait until next weeks’ episode of The Chaser as they’ll be taking the piss big time.

Could this herald the return of the “bootsector” virus with a nasty undetectable payload, giving it root privileges? An article about it (very interesting read, highly recommended) is at http://www.nvlabs.in/?q=node/16 including detailed technical information (pdf format) and presentation slides/video demonstration also on the site. One to keep in mind …

The demo, of course, compromises Windows Vista. Or if you’re feeling like a bit of fun this weekend, you can download the source code for the vbootkit for Windows 2000, XP and 2003 from the same site. Shame they didn’t put the antispam on their blog page, where there are the usual spamdverts for certain medicals and loans.

I’m not sure if the use of external authorisation solutions (the “Access Manager” products”) is the most appropriate in all cases. Sure, for use in Web Access Management/Control, they play a good part for coarse-grained authorisation (and the adapters exist already) but implementing these to control access to enterprise-level COTS products can be a pain.

I think that an easier way of implementation is through the use of Provisioning solutions (the “Identity Manager” products) to assign users to access rights via Roles, Rules and the request-based model; but the whole area of Role Definition is a large undertaking and requires a lot of business- and systems- analysis.

What’s the answer? Whats the magic bullet? How can we get the 80/20 rule in place? A few people are thinking around this already, I have some thoughts but not put them into words just yet …