The real debate is about who is watching the watchers, as always!

On 4/09/2018 9:37 p.m., Martin Hepworth wrote:

As a Brit working for an Ozzie firm in the UK it's interesting looking at this that the link talks about 5eyes and not just Australia. We know the debate is happening in the US and the UK but this is the first time the 5eyes has been explicitly mentioned as a whole in this context afaik

Martin


On Tue, 4 Sep 2018 at 10:17, Paul Wilkins <paulwilkins...@gmail.com <mailto:paulwilkins...@gmail.com>> wrote:

    There is one point which I'll be making in my submission which
    needs to be firmly pressed home - that there should not be a
    diversity of agencies all with the power to authorise and execute
    Assistance/Capability Notices. This should be managed through a
    single agency, that serves as the interface for the purposes of
    the bill, between law enforcement, and service providers. This is
    the only way to ensure a standard capability for intelligence
    gathering across agencies, smooth administration of justice and
    execution of Assistance/Capability Notices, and reduces the
    vulnerability which would arise from over a dozen different
    agencies and their agents all with access to service provider
    networks and services. This one agency should work as a clearing
    house for Assistance/Capability Notices, and for disseminating
    gleaned data to client agencies.

    I'd encourage others making submissions to raise the same point.
    Government has clearly not considered this dimension, otherwise
    the first cab off the rank in the bill's phrasing would be to
    create a new agency, or identify a single agency on which to
    confer these powers.

    Kind regards


    Paul Wilkins


    On Tue, 4 Sep 2018 at 18:02, Paul Wilkins
    <paulwilkins...@gmail.com <mailto:paulwilkins...@gmail.com>> wrote:

        and the stick...

        "Should governments continue to encounter impediments to
        lawful access to information necessary to aid the protection
        of the citizens of our countries, we may pursue technological,
        enforcement, legislative or other measures to achieve lawful
        access solutions."

        On Tue, 4 Sep 2018 at 17:56, Paul Wilkins
        <paulwilkins...@gmail.com <mailto:paulwilkins...@gmail.com>>
        wrote:

            "We have agreed to a Statement of Principles on Access to
            Evidence and Encryption
            
<https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption>
            that sets out a framework for discussion with industry on
            resolving the challenges to lawful access posed by
            encryption, while respecting human rights and fundamental
            freedoms."

            Interesting...

            On Tue, 4 Sep 2018 at 17:34, Serge Burjak
            <sbur...@systech.com.au <mailto:sbur...@systech.com.au>>
            wrote:

                https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018

                I think it's just been released. Apologies if it's a dupe.

                On Tue, 4 Sep 2018 at 14:16, Jim Woodward
                <j...@alwaysnever.net <mailto:j...@alwaysnever.net>> wrote:

                    Hi All,

                    The problem with the ‘device malware’ approach is
                    also that if such an approach is used where the
                    intention is to target a single device and the
                    software / hardware vendor screws up and deploys
                    the ‘weakened’ application to many devices instead
                    of one specific device then there is the potential
                    to weaken the security and compromise the privacy
                    of others.

                    I’m sure there’s some political double talk that
                    would cover this scenario and that the onus would
                    be solely on the vendor for making sure this does
                    not happen, the worry is that this exact scenario
                    is possible, especially if proof of concepts
                    accidentally get released into the wild.

                    The public should be concerned about this for if
                    we end up in a situation where users don’t trust
                    security updates (or updates of any type) then
                    we’re in the same boat as having a purposefully
                    compromised application deployed, we’d have
                    devices with known vulnerabilities with updates
                    turned off which would be arguably more serious as
                    time goes on.

                    I truly believe the reason this legislation is so
                    vague is that they’re trying to find a solution
                    where no one scenario is without significant
                    risks, they’re trying to hold water in a sieve by
                    tipping more water into it in an effort to fill it.

                    Kind Regards,

                    Jim.

                    *From:*AusNOG <ausnog-boun...@lists.ausnog.net
                    <mailto:ausnog-boun...@lists.ausnog.net>> *On
                    Behalf Of *Paul Brooks
                    *Sent:* Tuesday, 4 September 2018 12:05 AM
                    *To:* ausnog@lists.ausnog.net
                    <mailto:ausnog@lists.ausnog.net>
                    *Subject:* Re: [AusNOG] Dutton decryption bill

                    On 3/09/2018 11:47 AM, Chris Ford wrote:

                        Paul,

                        I agree with you in general as to the point
                        that if we are happy with the premise of the
                        current TIA Act that LEAs should be able to
                        intercept communications with a duly
                        authorised warrant, then extending that to
                        encrypted services seems a reasonable
                        extension to keep up with technology.

                        However, the current intercept regime is very
                        difficult if not impossible for a bad actor to
                        exploit. The intercept points are within the
                        Carrier and CSP networks, out of reach of most
                        people. When we move to intercept end-to-end
                        encrypted services you either need to break
                        the encryption (which thankfully does not seem
                        to be the path anybody is proposing), OR, you
                        need to access the clear text at the end point
                        itself. The problem I have with this is that
                        the end point is out in user land,
                        often accessible to anyone on the internet,
                        and now exposed to exploit by bad actors.

                    ...And this is it. The new legislation is NOT about
                    encryption, primarily, despite what we thought
                    before the draft was released.
                    They've explicitly acknowledged they can't 'break'
                    encryption, and do not want to weaken encryption.
                    They want the sent and received message text,
                    stored in the device after/before the encrypted
                    transport.

                    It's actually a 'device malware' bill - a bill to
                    enable general police forces to achieve things
                    that previously only shadowy four-letter agencies
                    could do - implant malware and modify the function
                    of any end-user device, handset, modem, laptop,
                    tablet, printer, connected TV, Amazon Alexa/Google
                    Home/etc. Actually it goes further - rather than
                    implant the malware themselves once they've
                    achieved physical access, this 'device malware'
                    bill enables them to ask nicely for assistance,
                    and then to require, the device suppliers and
                    manufacturers to build and implant the exploit for
                    them. Why should AS** develop an exploit, when
                    they can ask Apple or Netgear or Samsung nicely to
                    develop and install the exploit for them.

                    We've spent decades educating users that the green
                    padlock on a website means something, and that
                    'IOT devices' such as your average Smart TV might
                    be easily hijacked and be recording and watching
                    the home through its microphone and embedded
                    webcam. This bill makes government-authorised
                    modified firmware with exploits that the network
                    and software industry have spent billions
                    developing virus scanning apps to detect and
                    eradicate.

                    Paul.




                        --

                        Chris Ford | CTO

                        Inabox Group Limited

                        Ph: + 61 2 8275 6871

                        Mb: +61 401 988 844

                        Em: chris.f...@inaboxgroup.com.au
                        <mailto:chris.f...@inaboxgroup.com.au>

                        
------------------------------------------------------------------------

                        *From:*AusNOG
                        <ausnog-boun...@lists.ausnog.net>
                        <mailto:ausnog-boun...@lists.ausnog.net> on
                        behalf of Paul Wilkins
                        <paulwilkins...@gmail.com>
                        <mailto:paulwilkins...@gmail.com>
                        *Sent:* Monday, 3 September 2018 11:31:14 AM
                        *To:* AusNOG@lists.ausnog.net
                        <mailto:AusNOG@lists.ausnog.net>
                        *Subject:* Re: [AusNOG] Dutton decryption bill

                        Bradley,

                        The Common Law has always allowed judicial
                        scrutiny of our privacy. There's always been
                        the right for judicial search warrants to
                        override what's considered one's private
                        domain. I'm supportive of this bill where it
                        extends judicial oversight to the cyber domain,
                        which is a gap that exists only because
                        legislation/common law has lagged behind
                        technology. While at the same time realising
                        that conversations conducted over the
                        internet, even if encrypted, are more properly
                        regarded as public conversations, than say one
                        you might have in your living room. Whether
                        government is going to regulate the internet,
                        the boat has sailed on this long ago. The hard
                        line privacy advocates are simply going to be
                        left out of a conversation democracy needs to
                        have over not whether the internet should be
                        regulated, but how.

                        What's interesting in this bill is that it
                        goes beyond extending judicial writ, allowing
                        law enforcement emergency powers the right to
                        surveil suspects. This will be authorised by
                        law enforcement, without judicial or
                        governmental oversight. I think this probably
                        goes too far. The best outcome for everyone,
                        to protect privacy, and to empower law
                        enforcement to enforce laws and to protect
                        citizens rights, would be to limit the scope
                        of these new powers to judicial writ.

                        Kind regards

                        Paul Wilkins




                        _______________________________________________

                        AusNOG mailing list

                        AusNOG@lists.ausnog.net
                        <mailto:AusNOG@lists.ausnog.net>

                        http://lists.ausnog.net/mailman/listinfo/ausnog




--
Martin Hepworth, CISSP
Oxford, UK





