Posts Tagged ‘Posterous’

Television Drives Fibre?

February 11th, 2013

Paul Brislen, of TUANZ, recently visited Malaysia to get some insight into their fibre deployment and uptake. He’s returned convinced that IP-based Television is the key to making fibre work – the driver to bring in customers…

While I don’t deny that’s the case in Malaysia (and has been a big help elsewhere) I just don’t think it will work in NZ.

It’s a chicken and egg situation really. Currently there are so few fibre customers, and so few providers, that it’s simply not an appealing market. Until there is a seriously significant base of potential customers (those with fibre connections already, or able to get them) no one is going to be willing to make the massive investment in establishing an IPTV operation here.

There are other problems too – the way retail internet in NZ is managed isn’t well suited. In the US and Asia the ISPs providing the fibre and IPTV services also own the infrastructure. Here, however, ISPs provide their services through wholesale connections provided by Chorus, meaning that any given customer has their choice of dozens of providers. It’s even more unlikely, facing that sort of potential fragmentation, that ISPs could afford to establish appealing IPTV operations.

And then there’s content. Where will the content for tens, or hundreds, of IPTV stations come from? There are comparatively few likely choices (look at Sky TV’s listings for a good overview). In Asia and the US there are already many channels operating and supplying multiple pay TV providers. That’s not really the case locally. A provider here would only easily have access to the Australasian channels (mostly already carried by Sky) and the infrastructure required to carry those channels is massive.

Any ISP wanting to establish an IPTV operation here would be looking at tens of millions of dollars expenditure in initial broadcast infrastructure, as well as massive ongoing licensing costs to provide the content to end users.

I simply don’t think New Zealand has the population to support more than a couple of subscription TV providers, especially through the rather niche medium of IPTV.

There is perhaps room for one or two providers to be established and on-sell services through ISPs but that’s not going to be a viable business until there is a large potential audience of fibre users. It’s the chicken. Or the egg? Certainly one of them.

Mega Piracy

January 23rd, 2013

I’m going to assume you know that Kim Dotcom recently launched Mega, his new cloud storage system. I’m also going to assume you’re aware of his previous venture Megaupload, a popular file locker site that is currently at the centre of a major legal battle.

The allegation is that Megaupload was complicit in large scale media piracy that was taking place on their site. The fact that people used Megaupload for hosting and distributing pirated media and software is not in dispute, but how much Megaupload did to encourage that usage is at the heart of the legal battle.

So it’s unsurprising that some people believe that Dotcom’s new venture, Mega, is simply an attempt to recreate what existed before – arguably a haven for piracy.

Mega’s primary point of difference is its client-side encryption. In principle this means that any and all data you upload to Mega is encrypted with keys known only to you, the uploader. No matter how much they want to (or others might demand) Mega is unable to see the contents of the files you upload to the service.

On the face of it, and listening to Kim Dotcom, this is a move designed to reclaim privacy online. It’s a valid concern when we increasingly have personal data stored in servers all over the world subject to many different countries’ laws.

However a more cynical view is that this encryption serves Mega’s interests in that they can’t possibly be held liable for any data they host given that they are entirely unable to inspect it at all. It is this interpretation that people point to as evidence that Mega has been established to again be a haven for piracy, with an extra layer of protection for the company.

I just don’t think that makes sense, at all, and the reason is simple: Money.

Mega currently offers users up to 50GB of storage for free. Their business model is based on premium accounts – like Dropbox. They don’t host advertising on their site or on downloads like Megaupload did and sites like RapidShare still do. The file locker sites also sold premium memberships that allowed users to download faster or with fewer limits – this is another thing missing from Mega.

50GB is a lot of media – probably 25-40 feature films, or 200 episodes of TV. It’s free to the user and requires no more than an email address to set up. Mega has to pay for the storage space and traffic required to store these files.

A pirate isn’t going to pay a premium rate to Mega to host their files when they could simply set up a new account to get an extra 50GB. And Mega stands to make no money from high-volume downloads with advertising as Megaupload did.

Also the account structure, even on premium accounts, doesn’t suit large-scale distribution of the sort Megaupload is accused of – traffic limits are 2x storage limits, so a free account is limited to 100GB of traffic per month. Those limits would quickly be exceeded if Mega accounts were used for broad distribution.

It doesn’t make sense for Mega to attract pirates as they would effectively be subsidising these downloads. In fact, if anything, it’s in their interests to avoid that usage as it would cost more to service those users than others who are using only a little of their storage and not transferring a lot of data.

 

Religion In School

December 7th, 2012

The issue of religion being taught in schools has come up a few times in the last year or so and has come up again recently with the story of Jeff McClintock’s 7-year-old daughter being left in the back of the classroom while RI was taking place in the same room.

One of the primary schools I attended had a Bibles In Schools programme, and even then – more than 20 years ago – it was difficult not to take part in the ‘optional’ programme. While I was opted out from the class I was made to attend on more than one occasion, and the rest of the time I was one of only a couple of students not attending. I was often questioned and confronted by others about why I didn’t attend, asked if I knew I’d go to hell and teased about my non-involvement.

It’s for this reason that I became really concerned when we discovered that the school our oldest son would attend next year participates in Christian Religious Education. We’ve talked to the school and hopefully won’t have any major trouble, but it’s still forcing us to choose between making our child an outsider from the very beginning at his new school, and sending him to Christian religious education that we disagree with.

For this reason I decided to write an email to the Minister of Education about the deliberate loophole that allows schools to “close” and offer religious education.

Subject: Religious Education in Schools
Date: Tue, 13 Nov 2012 22:18:03 +1300
From: Dylan Reeve
To: h.parata@ministers.govt.nz

Hi,

I am writing in regards to religious education in schools. We are moving house soon and as a result our seven-year-old will be attending a new school. At our new address we are only in zone for one school. While researching the school we discovered it runs a Christian Religious Education class for 30 minutes once a week.

We are very uncomfortable with this. While it’s possible for us to opt our child out of this class, doing so creates an “us and them” situation.

It is absolutely absurd and offensive to me as a parent and taxpayer that the school can claim to be closed for half an hour every week (while still requiring our child to be at school) and offer a program that is little more than indoctrination.

I’m writing to express my frustration that this silly loophole is allowed to continue. Over the course of a year the students of this school will miss out on 20 hours of actual classes – that is a whole week.

Unfortunately we have no choice in this matter – we have to send our child to this school, and we will opt him out. We are hopeful this will not result in his being seen as different or an outsider, but anecdotal evidence from others doesn’t offer much hope.

Please close this loophole. If Christian groups want to run groups within schools then it should be done in a definitively opt-in fashion and entirely outside school hours.

Dylan Reeve

Unsurprisingly, I did not receive a response from the Minister herself, but instead my query was handed off…

From: Tiana Lilo <Tiana.Lilo@parliament.govt.nz>
To: "dylan@dylanreeve.com" <dylan@dylanreeve.com>
Subject: FW: Religious Education in Schools
Date: Wed, 14 Nov 2012 06:11:25 +0000

Dear Mr Reeve

On behalf of Hon Hekia Parata, I acknowledge receipt of your email.

The issues you raise fall within the responsibility of the Ministry of Education. Therefore, your letter has been referred to the Ministry for reply on the Minister’s behalf. The Ministry will respond to you as soon as possible.

Thank you for writing.

Tiana Lilo | Ministerial Assistant | Office of Hon Hekia Parata – Minister of Education and Minister of Pacific Island Affairs

Almost a month later I received a response from the Ministry. It was a letter that had been typed, signed, scanned and attached as a PDF. It also arrived rotated 90 degrees to the right – I’ve had to correct that – it’s attached below.

[Image: scanned letter from the Ministry of Education]

This response completely fails to address my primary point, which is, fundamentally, that this loophole in law should be closed. Of course that’s unsurprising as the Ministry can’t change law. But the minister, who I wrote to first, can.

My son starts at his new school next year, so we’ll wait and see.

Dealing with #WTFMSD

October 15th, 2012

About 24 hours ago (as I write this) journalist Keith Ng dropped a bombshell about lax security from one of our government’s biggest departments.

The Ministry of Social Development, it turns out, had some pretty big IT security issues in-house and operates publicly accessible computer kiosks. These two things meant that anyone could literally wander in off the street and start browsing potentially sensitive data with a few mouse clicks.

The details have been widely covered in the media, and Ben Gracewood offered up a great post about the difficulty of doing things right in enterprise IT.

The Source

This evening the story took another interesting turn – after being alerted by inquiries from a journalist that the name of his source had been released (presumably by the MSD) Keith Ng decided to preemptively publish the source’s name and details of his dealings with the MSD.

There are two big bullet points that will gain attention in the media – the first is that the source, Ira Bailey, was one of the Urewera 17. The second is that he’d approached the MSD asking if they had a vulnerability reward program.

The first issue is a distraction – a coincidence.

The second issue is more complicated. To someone who has no familiarity with IT security it could easily appear that Bailey was attempting to extort the MSD. As Ng describes it I don’t think that’s the case. Bailey appeared to make a genuine query about such a program. Upon learning there was no such program he did what I think is the next best thing – talked to a good journalist who would strive to properly understand and report the issue (while also giving MSD reasonable notice to mitigate risk).

Vulnerability rewards are not uncommon (they are offered by Google, Facebook, Firefox, PayPal and many, many others). The idea is that they reward people for reporting security issues to them. Generally all they ask is a reasonable time period to correct the issue before public disclosure.

It’s an acknowledgment that these security issues will have a value to someone.

Preemptive Exposure

It appears that the MSD has already floated the blackmail idea (scare quotes around reward in a Herald article quoting Paula Bennett for example) – the next step was naming the “hacker” in question. It seems they’d leaked the name to at least one journalist.

Keith Ng’s decision (with Ira Bailey) to disclose all the details preemptively seems like the right one to me. It assures that journalists writing about the story aren’t only presented with the details as the MSD wish to frame them. Ng and Bailey could have responded after his name was publicly disclosed but by then the MSD’s framing of the approach would have been presented unchallenged.

Avoiding a Repeat

So what should be done about this issue and how can similar things be prevented?

The answer is to be found within this event. A vulnerability reward program. The government should establish some sort of IT advisory or oversight group that can properly communicate and cooperate with various government IT departments and contractors, and that group should establish and publicise a vulnerability reward program.

The information in question is far too important to simply hope that a “good citizen” will report any issue they find and that it will be properly addressed without any oversight or accountability.

Ideally this process would be transparent. All vulnerabilities would be publicly reported once they’d been addressed and credit given (if desired) to those that reported them.

Wheedling Their Way Out

October 3rd, 2012

When I first heard about Wheedle I was immediately skeptical for two reasons… Firstly they thought it was a good idea to sink millions into competing with TradeMe. Secondly they felt it necessary to boast about their 40 servers. Both appeared to suggest a fundamental lack of awareness about the market and the technology involved.

Then it all started to unfold – the site was very flaky pre-launch. When it wasn’t offline or timing out it was returning a different user’s session on every page load. But that wasn’t really live yet.

On Monday, when the site went live, the session issue seemed solved. It was possible to register an account and sign in. In theory you could also add a listing or browse and bid on those that were there. At least for a little while. Within hours the site, all forty servers apparently, was breaking under the load and totally unable to respond to all but the most simplistic requests.

But that wasn’t all – there started to be some pretty serious questions. It was quickly noted that a ‘Forgot My Password’ request resulted in an email being sent to the user with the username and password in it. This was a huge warning sign. Wheedle said they’d address the issue “ASAP”.

The site was up and down on Monday evening and Tuesday morning. And then things got really crazy. It became apparent that a lot of input validation was being done entirely on the client-side and people registered usernames they should not have been able to – the best I saw was 8===>~~~

Then came the Oh My God moment – Twitter user @ruatara discovered that it was possible for any logged in user to edit the prices (Starting, Reserve and Buy Now) of any auction. See a car you like? Add a Buy Now of $1 and then buy it.

Clearly this was completely impossible for Wheedle to ignore; it was impossible for anyone to run a reliable auction on the site. They did the only thing they could do and took the site offline. Then they did what, at the time, seemed like exactly the right thing – they announced the site would be down indefinitely while they seriously addressed the problems.

But then this evening I received a Personal Message from Wheedle CEO Carl Rees…

Dear Wheedle Member,

I made a decision yesterday morning to take Wheedle offline.

On Monday night our tech team made some tweaks and changes to the website to improve its performance and speed. These changes were deployed to the website without first passing through our normal test protocols. We quickly discovered that the changes were causing problems with the auction listing prices. There was also some concern raised around password security and retrieval. Please rest assured that your password has been, at all times, strongly encrypted and stored in our database. We are also exploring alternative ways to further increase password security.

In light of these events, we are undertaking a complete review of the website including engaging an independent firm to carry out a full check of the security of the website.

We experienced a very positive interest in Wheedle and we had an astounding member uptake. We will be back soon, better, stronger and safer.

I apologise for any inconvenience this has caused and thank you for your support.

Unfortunately this email is, at best, disingenuous; at worst, an outright lie.

It is simply implausible that the fundamental failures in the security model that allowed any authenticated user to edit the details of any auction were introduced as a result of the site tuning made on Monday night. And to describe this issue as “problems with the auction listing prices” completely fails to acknowledge the nature of the issue.
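An added illustration of what that failure looks like in code (my own example, not Wheedle’s code, which I have never seen): a minimal in-memory auction store with the price-edit handler written two ways, one that checks only that somebody is logged in and one that also checks ownership, validates prices on the server and freezes them once a bid exists. The data model and the pricing rules are assumptions.

```python
"""Authorization on auction price edits: a vulnerable handler beside a fixed one.

Constructed example (not Wheedle's code). Both handlers receive the session's
user and the auction to change. The vulnerable one only checks that a user is
logged in, so any account can rewrite any listing. The fixed one checks that
the caller owns the listing, validates prices server-side (client-side checks
can be bypassed by editing the request) and refuses changes once bids exist.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AuthorizationError(Exception):
    pass


class ValidationError(Exception):
    pass


@dataclass
class Auction:
    auction_id: int
    owner: str               # username of the seller (assumed data model)
    start_price: float
    reserve_price: float
    buy_now_price: Optional[float] = None
    bids: List[float] = field(default_factory=list)


def edit_prices_vulnerable(store: Dict[int, Auction], session_user: Optional[str],
                           auction_id: int, **prices: float) -> Auction:
    """Vulnerable: 'is someone logged in' is the only check that runs."""
    if session_user is None:
        raise AuthorizationError("login required")
    auction = store[auction_id]          # no ownership check, no validation
    for name, value in prices.items():
        setattr(auction, name, value)
    return auction


def _validate_prices(start: float, reserve: float, buy_now: Optional[float]) -> None:
    """Server-side sanity rules for a listing's prices (assumed business rules)."""
    if start < 0 or reserve < 0 or (buy_now is not None and buy_now < 0):
        raise ValidationError("prices must be non-negative")
    if reserve < start:
        raise ValidationError("reserve cannot be below the start price")
    if buy_now is not None and buy_now < reserve:
        raise ValidationError("buy now cannot be below the reserve")


def edit_prices(store: Dict[int, Auction], session_user: Optional[str],
                auction_id: int, start_price: Optional[float] = None,
                reserve_price: Optional[float] = None,
                buy_now_price: Optional[float] = None) -> Auction:
    """Fixed: authenticated AND owner AND valid AND not yet bid on. None = unchanged."""
    if session_user is None:
        raise AuthorizationError("login required")
    auction = store.get(auction_id)
    # Same error for "not yours" and "does not exist", so the response does not
    # reveal which auction IDs exist to a caller who is not their owner.
    if auction is None or auction.owner != session_user:
        raise AuthorizationError("auction not found or not owned by caller")
    if auction.bids:
        raise ValidationError("prices are frozen once a bid has been placed")
    new_start = auction.start_price if start_price is None else start_price
    new_reserve = auction.reserve_price if reserve_price is None else reserve_price
    new_buy_now = auction.buy_now_price if buy_now_price is None else buy_now_price
    _validate_prices(new_start, new_reserve, new_buy_now)
    auction.start_price = new_start
    auction.reserve_price = new_reserve
    auction.buy_now_price = new_buy_now
    return auction


if __name__ == "__main__":
    # Constructed sample: alice lists a car; mallory is just another logged-in user.
    listings = {1: Auction(1, "alice", 5000.0, 8000.0, 12000.0)}
    print(edit_prices_vulnerable(listings, "mallory", 1, buy_now_price=1.0))
    try:
        edit_prices(listings, "mallory", 1, buy_now_price=1.0)
    except AuthorizationError as exc:
        print("fixed handler refused:", exc)
```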

As for the passwords, this is either a complete lie or the practices employed on the site were incredibly irresponsible. A website should never be able to retrieve your password in any meaningful way. The fact that it was possible to email users their password is a clear indication that either they weren’t encrypted in the database at all, or they were encrypted in a reversible way (and the software was decrypting them in order to send passwords to people). Either option is totally unacceptable and flies in the face of established practices in web development.
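To make that concrete, here is an added example (my own, not Wheedle’s code) contrasting a site that keeps the password and emails it back with one that stores only a salted, slow hash and so has to run a token-based reset instead of a “send me my password” feature. The record layout, the PBKDF2 parameters and the token lifetime are assumptions.

```python
"""Password storage and recovery: the reversible pattern beside the hashed one.

Constructed example (not Wheedle's code). A site that can e-mail you your
password must hold it in recoverable form, whether plaintext or "encrypted"
with a key the site itself holds. A site that keeps only a salted, slow hash
can verify a login but can never send the password back, so "forgot password"
has to become a reset flow built on a short-lived, single-use token.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000        # assumed work factor; tune for your hardware
RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime


# --- vulnerable pattern: the password itself is kept and sent back ----------------
def register_vulnerable(users: Dict[str, dict], username: str, password: str) -> None:
    # Whatever is stored here, plain or reversibly "encrypted", is recoverable by
    # the mailer and therefore by anyone who obtains the table and the key.
    users[username] = {"password": password}


def forgot_password_vulnerable(users: Dict[str, dict], username: str) -> str:
    """Returns the e-mail body the site would send: the secret itself."""
    rec = users[username]
    return f"Your username is {username} and your password is {rec['password']}"


# --- hardened pattern: salted slow hash + one-time reset token --------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(users: Dict[str, dict], username: str, password: str) -> None:
    salt = secrets.token_bytes(16)   # per-user salt: identical passwords hash differently
    users[username] = {"salt": salt, "hash": _hash_password(password, salt), "reset": None}


def verify_login(users: Dict[str, dict], username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        return False
    candidate = _hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])   # constant-time comparison


def forgot_password(users: Dict[str, dict], username: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use reset token. Only its hash is stored, so the user table
    alone cannot be used to redeem it. The token, not the password, goes in the e-mail."""
    rec = users.get(username)
    if rec is None:
        return None   # the site should still show the same generic message
    token = secrets.token_urlsafe(32)
    rec["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": (now or time.time()) + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def reset_password(users: Dict[str, dict], username: str, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    rec = users.get(username)
    if rec is None or rec["reset"] is None:
        return False
    pending = rec["reset"]
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if (now or time.time()) > pending["expires"]:
        return False
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    rec["reset"] = None                      # one use only
    rec["salt"] = secrets.token_bytes(16)    # fresh salt with the new password
    rec["hash"] = _hash_password(new_password, rec["salt"])
    return True


def recoverable_password(users: Dict[str, dict], username: str) -> Optional[str]:
    """What a 'send me my password' feature could find in each kind of record."""
    return users[username].get("password")   # None for a hashed record: nothing to send


if __name__ == "__main__":
    old, new = {}, {}
    register_vulnerable(old, "alice", "hunter2")
    register(new, "alice", "hunter2")
    print("reversible site can send:", recoverable_password(old, "alice"))
    print("hashed site can send:", recoverable_password(new, "alice"))
    print("reset token instead:", forgot_password(new, "alice"))
```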

Bear in mind this was a site that is asking you to trust it to handle financial transactions on your behalf, and soon would be asking you for your credit card details.

The fact that Wheedle still seems unable to properly address the nature of their failures suggests either that they still don’t fully understand where they’ve gone wrong, or that they are deliberately trying to wheedle their way out of the situation they’ve found themselves in.

Unfortunately at all stages it has appeared that Wheedle has tried to downplay the nature of the problems, attributing them to things like higher-than-expected traffic and lack of pre-launch testing. And now the email above. But the evidence suggests the issues were a failure in design from the outset.

While I have no inside information on the development, it would appear from the outside that the developers of the site (an India-based programming team of about a dozen, apparently) were handed a brief that read, approximately, “take a look at TradeMe.co.nz… Now, make a site that does that” and were left to their own devices. Indeed they made a site that, in a basic look and functionality sense, duplicated TradeMe, but they lacked the knowledge or guidance to properly develop the underlying architecture to support such a site.

Wheedle will be tainted for me until they can be honest about how they’ve failed and what’s being done to correct the issue. The site’s backers need to admit they’ve embarked on the project without the right expertise and then get some of that expertise on board.

 

Remote USSD Attack – Clarifications

September 26th, 2012

I decided I should offer some clarifications about some of this USSD stuff as my blog posts and test page have become widely cited…

I didn’t discover this issue and I’m not a mobile security expert. The first place I saw details was in the YouTube clip featuring Ravi Borgaonkar (@raviborgaonkar). I recognised what was happening and set about testing it myself.

My test page uses the USSD code *#06# which is supposed to display the phone’s IMEI number. A phone is only really vulnerable if the 14- or 16-digit IMEI code is displayed with no specific user intervention.

Update: In some cases having the IMEI display doesn’t necessarily indicate a vulnerability to other (potentially more damaging) service codes. This is because it’s possible that some dialers may handle different codes differently (the IMEI code could be a special case, etc). While this is technically true it is hard to verify on a given device. In general I think that allowing the automatic handling of any special code that wasn’t keyed in directly is a bad design and should be treated with as much caution as possible.

While many Android phones are vulnerable in general to the injection of these USSD codes, only the Samsung phones are known (at this stage) to have a working “factory reset” USSD code. However, while this may mean other phones aren’t at risk of being wiped it doesn’t mean there aren’t still risks. There are a wide variety of USSD codes that can potentially do other damaging or annoying things, even interacting with a user’s carrier account.

Update: I’ve used the term USSD to describe the overall vulnerability. This is not strictly true. A USSD code is designed to communicate with the network. The other codes could more accurately be called device codes, service codes or engineering codes perhaps, as they are handled locally by the phone and have nothing to do with the network. However they do (usually) follow the same pattern, starting with * and ending with # – so I’m okay with calling them USSD codes, even if it’s not entirely accurate.

A factory reset may not be as damaging as some have suggested (to be honest, I haven’t been keen to see exactly what gets wiped) but it is, at the very least, incredibly inconvenient. It’s likely that app settings and other less obvious data will be lost even if things like images and files are retained.

Some browsers (most notably Opera) appear to offer some security by not handling the iframe injection code immediately. This is not much help as there are potentially other ways to inject the URI within the browser as well as other attack vectors (such as the QR code, SMS WAP Push and NFC methods detailed by Ravi).

While manufacturers may have issued (or be issuing) new firmware to address this issue, the frequently cited issues with Android fragmentation and carrier customisation both appear to hamper this. The best workaround for the majority of users, I believe, is to install an alternative dialer or one of the applications that have been designed to catch potentially harmful tel: URIs.

 

Remote USSD Attack – It’s not just Samsung

September 25th, 2012

Please read: Remote USSD Attack – Clarifications

The remote USSD vulnerability I detailed in my last post (and now covered widely in the tech media) is not just a Samsung problem. The same general vulnerability (executing a USSD code without user intervention from a website, or other delivery vector) affects many phones. I’ve personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5).

I’ve also heard reports of the proof of concept working on a Sony Xperia Active. 

The potential impact of the issue is limited only by whatever USSD codes can be executed on a given phone. It’s not clear if all manufacturers have Factory Reset USSDs on but at least some do.

I have only been testing with the IMEI code and have no intention to test with anything more damaging, but it is possible that in some cases different USSD codes could be handled differently. So while the IMEI code may work, it’s possible that other more damaging codes would not. This is, however, very speculative and there’s no safe way to know without testing.

Regardless it is very poor design to allow a passed value to execute as if it were keyed in interactively.

Update: It would appear that the root of the problem is probably the standard Android dialer – the vulnerability was identified and patched three months ago. For this reason it’s likely to affect any phone using the standard dialer (as it existed three months ago) or a dialer based on it.

It would be fairly trivial to weaponise the vulnerability to detect phone model with browser User Agent and tailor the response to suit.

As I mentioned in my earlier post – the simplest way to mitigate the risk from this issue is to install another dialer. Either set one that does not exhibit the risky behaviour as the default, or simply have more than one installed to force a “Complete action using…” choice.

Remote USSD Attack – Prevention

September 25th, 2012

Please read: Remote USSD Attack – Clarifications

An interesting (and potentially devastating) remote attack against at least some Samsung Android phones (including the Galaxy S3) was disclosed recently.

Update 1: Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue.

Update 1a: While some 4.0.4 versions appear to be secure, others are vulnerable.

Update 1b: The issue has been patched in some firmware builds. It appears that all 4.1-based builds are safe, and possibly some 4.0.4 builds are also.

Update 2: Samsung is not alone in being vulnerable to this issue.

Update 3: Some apps have been created specifically to catch these URL calls: TelStop (by @colimrm) and Auto-reset Blocker

In brief it works like this:

  • Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number) and phone specific ones (including, on some phones, a factory reset code). 
  • There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on a tel: URL will initiate the phone’s dialer to call that number.
  • In some phones the dialer will automatically process the incoming number. If it’s a USSD code then it will be handled exactly as if it had been keyed in manually – requiring no user intervention to execute.
  • A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts I guess). It may then be loaded and acted upon with no user intervention at all.

A video demonstrating the process has been widely circulated – it also details some other vectors to deliver the tel: URL – including WAP Push SMS, QR Code and NFC. All of these processes have the same end result.

[Video: http://www.youtube.com/watch?v=Q2-0B04HPhs?wmode=transparent]

I created a small page to test the attack myself (using the non-destructive *#06# IMEI code rather than the very damaging factory reset one) and replicated the outcomes displayed in the video and documented elsewhere.

[Image: test page causing the stock dialer to display the IMEI via *#06#]

The fundamental problem here is the dialer. It is acting on the phone number it’s sent exactly as it would had it been keyed in directly. If the tel: URL can be directed to an application that does not have that behaviour then the threat can be neutralised.
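As an added example (my own, not the code of TelStop, Auto-reset Blocker, Dialer One or any stock dialer), here is the sort of check an application sitting in front of the dialer needs to make: decode the tel: URI, hand only plain numbers straight through, and hold anything containing * or # for explicit user confirmation. The decoding follows the tel: URI syntax in RFC 3966 (percent-encoding, visual separators, `;` parameters); the sample URIs are constructed.

```python
"""Classify a tel: URI before it reaches a dialer.

Constructed example of the filtering an interceptor app would need. The point
is the policy from the post: a number that arrived from a web page, QR code,
SMS or NFC tag must never be executed as if it had been keyed in. Plain
numbers may be dialled; anything that looks like a service/USSD code is held
back for an explicit confirmation. Unknown input fails closed.
"""
import re
from typing import NamedTuple
from urllib.parse import unquote

# RFC 3966 lets tel: URIs carry visual separators; the dialer ignores them.
VISUAL_SEPARATORS = re.compile(r"[-.()\s]")
# A plain number: optional leading + and digits only.
PLAIN_NUMBER = re.compile(r"^\+?[0-9]+$")


class TelDecision(NamedTuple):
    number: str   # normalised content of the URI (empty if it was not a tel: URI)
    allow: bool   # True only when safe to hand to the dialer without confirmation
    reason: str


def classify_tel_uri(uri: str) -> TelDecision:
    uri = uri.strip()
    if not uri[:4].lower() == "tel:":
        return TelDecision("", False, "not a tel: URI")
    raw = uri[4:]
    # Parameters such as ;phone-context=... follow the number; they never form
    # part of what is dialled, so strip them before looking at the number.
    raw = raw.split(";", 1)[0]
    number = unquote(raw)                       # %2A%2306%23 -> *#06#
    number = VISUAL_SEPARATORS.sub("", number)  # tel:+64-9-123-4567 -> +6491234567
    if number == "":
        return TelDecision(number, False, "empty number")
    if "*" in number or "#" in number:
        # *#06# and every other service, engineering or network code share this
        # shape; none of them should run without the user confirming.
        return TelDecision(number, False, "service/USSD code: require explicit user confirmation")
    if PLAIN_NUMBER.match(number):
        return TelDecision(number, True, "plain phone number")
    # Anything else (letters, stray %, double-encoding) is refused rather than guessed at.
    return TelDecision(number, False, "unexpected characters: refuse")


if __name__ == "__main__":
    # Constructed samples: an encoded IMEI code as an iframe src would carry it,
    # a normal NZ-style number with separators, and a non-tel URI.
    for sample in ("tel:%2A%2306%23", "tel:+64-9-123-4567", "http://example.com/"):
        print(sample, "->", classify_tel_uri(sample))
```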

Thankfully Android allows alternate dialers to be installed. I picked a popular one from Google Play – Dialer One – and installed it. Even without making it the default phone dialer I have prevented the threat. A tel: URL will now prompt me for the application to use.

[Image: the “Complete action using” prompt shown for a tel: URL once a second dialer is installed]

If I select the standard dialer the same issue reoccurs, but if I select Dialer One (which does not take action on the incoming USSD code) or cancel the request entirely I am protected.

[Image: Dialer One receiving the tel: URL without executing the USSD code]

It’s likely that many other dialers behave in the same way, but you should test them carefully. The important thing is to avoid letting the stock dialer handle tel: URLs without direct user interaction.

A Digital Killswitch

August 9th, 2012

In current court proceedings examining the Kim Dotcom raid by the NZ police early this year it is being suggested that part of the decision to use the police special tactics group (previously known as the anti-terrorist squad) was based on the FBI’s apparent suspicion that Dotcom had some sort of digital killswitch or some other device that would allow him to destroy data on computer systems and warn others.

Even if that were true – and to be fair such a system is something that could very easily be implemented – it is hard to understand how that would support the use of possibly the least subtle method of arrest possible. 

If you are to imagine that, with the press of a button, a phone call or some other simple action, it was possible for Kim Dotcom to destroy evidence then it’s very difficult to imagine that two helicopters and armed police officers screaming “police” and bashing in doors wasn’t going to give him enough time to activate that switch.

The alternative – that a detective makes an appointment to come and “discuss some issues” or even turns up unannounced for a chat – would seem to provide much more opportunity to prevent the alleged MegaPirate from destroying evidence. With no warning that the meeting was likely to result in arrest or search it would be hardly likely that Dotcom would have been on edge with his finger on the “button”.

The other major factor that led to the STG’s involvement in the raid (or perhaps that was used to help justify it) was a claim that Dotcom was “armed, had a history of violence, was showing current signs of violence and had issued threats to kill” on a police threat assessment form – a claim which is clearly untrue. The source of that information, unsurprisingly, was the FBI.

While police, probably truthfully, claim that the FBI agents weren’t directly involved with the planning or execution of the assault on the Dotcom mansion it seems plainly obvious that they chose to provide ‘information’ that would lead to that sort of action. I’m sure the police have many sane officers who would have been more than capable of arresting Dotcom without incident had they simply been given a full picture of the situation.

Unfortunately the end result of all this is that the police are made to look like gung-ho fools, which I think they generally are not. If I were a senior commander involved with this operation I would be furious at having been put in this position – I hope the NZ police learn a lot from these events.

Minimum Alcohol Pricing

July 2nd, 2012

Labour has announced that it intends to seek to amend the Alcohol Law Reform Bill to allow for minimum pricing to be enforced. This was something that featured in Labour’s policy before the election (although it wasn’t a bullet point they ever brought up). There’s no indication of how Labour would implement the idea or what the cost implications would be.

The problem that this will supposedly address is related to binge drinking and alcohol related disorder in NZ. The idea being that people (young people) are “pre-loading” on cheap booze before going into town. The simplistic solution then? Make booze more expensive. 

The scapegoats in this argument are usually either “alcopops” (premixed drinks) or discount wine (usually from supermarkets). By imposing minimum pricing, the argument goes, you increase the cost and thus decrease the appeal and availability of that type of drinking.

This, like Labour’s GST-free fruit and vege policy, is short-sighted and unoriginal. They are taking aim at very simple parts of very complex issues and attempting to attack them in a broad and blunt way.

So far we have only two clues really about what Labour might be imagining for this law. The first is a quote today from Labour’s Charles Chauvel, “If instead of being able to buy a bottle of cheap wine for $6 from the supermarket, a minimum pricing regime puts that up to 12, 13 or 14 dollars then it’s much harder people to lay their hands on cheap booze.”

The second is a ballpark figure tossed around by Lianne Dalziel in discussion of alcohol law reform late last year where she mentioned “$2 per standard drink” – this would possibly line up with Chauvel’s estimate as a bottle of wine is usually between 6 and 8 standard drinks.

But the whole idea seems fatally flawed really. We’re talking about people who are presumably getting drunk then heading into town and buying a few drinks while out. Is the price rise going to stop them? They’ll still buy the cheapest booze and it’s not going to cost a lot more. Assuming that 6-8 drinks is enough to get you happily drunk then we’re looking at only $12-16 which isn’t much compared to the $5-10 per drink you’d expect to pay in a bar. Sure, it’s more than the maybe $6-10 to get drunk now, but it’s hardly the sort of price hike that’ll change behaviour.

Instead the people who suffer are the rest of us who buy wine, beer and spirits to enjoy responsibly. Chances are we’re not buying the cheapest products on the shelf now, but if the bottom shelf goes up in price then it seems certain that the rest of the market will trend upward too. After all, if a budget bottle of wine is $7 now, but will be $14 in the future, then the mid-range $15 bottle is hardly going to stay at that price.

And what of spirits? The only obvious way to legislate pricing is on the “standard drink” measure; any other method will either be worked around or will simply shift demand toward whatever is the cheaper option. So the minimum (legal) price on a standard 1L bottle of spirits will be around $60. That’s about $20 more than you’d expect to pay currently for a common brand like McKenna or Jim Beam. The “middle shelf” products tend to be about $20 more, so maybe they’d go from around $40 to $60? So what do we expect to happen to quality spirits – a 1L bottle of Glenfiddich Reserve is currently around $100 – about 2.5x the entry level price, so should we expect that to come in at $150?

Obviously raising the price of an aged single malt Scotch isn’t going to make any difference to binge drinkers, but it seems likely to be an unavoidable consequence and one that punishes those who are currently choosing to drink responsibly.

Also if $60 is the absolute least you can charge for a 1L bottle of 40% spirits, then will that be the standard retail price? Typical retail marketing psychology makes strong use of discounts and sales to drive business – so perhaps we would expect standard retail pricing to be above that lower limit to allow for price reductions.

Minimum drink pricing isn’t going to make a difference – at the low end (where problem drinking apparently occurs) it makes only a small dent in wallets. But at the upper end, where many entirely responsible adults choose to spend their money, it will make a big difference.