[AusNOG] Assistance and Access Bill moves to PJCIS

Robert Hudson hudrob at gmail.com
Thu Dec 6 17:00:38 EST 2018


On Thu, 6 Dec. 2018, 4:20 pm Paul Wilkins <paulwilkins369 at gmail.com> wrote:

> The original 172 page Bill was so obviously deficient in so many areas, it
> was easier to just say the Bill should be thrown out in its entirety and
> start over. Now, post 50 pages of amendments, there's still plenty of scope
> for serious criticism, and the debate around getting the balance right
> between citizens' rights, and the right of the State to extend judicial writ
> to cyberspace will continue, but this is in every way a very much improved
> Bill over the original.
>

Is it? Have the amendments increased the likelihood that it will actually
help law enforcement? Have the amendments helped to ensure that criminals
continue to use services that are subject to the reach of Australian law
enforcement agencies?

As Mark Newton pointed out in another forum recently, he was told, face to
face, by a sitting MP, in that MP's office, that his concerns that the
agencies that would have access to metadata would increase substantially
were ill-founded, as were his concerns that the reasons to request metadata
would increase dramatically. And now local councils have access to
metadata, and there are close to 1,000 requests for metadata per day.

>
> I don't see on any of the grounds of criticism of the original Bill, the
> amendments have gone as far as they need to, but on all the metrics that
> matter this new Bill represents an honest attempt to accommodate issues of
> privacy, accountability, and the need to maintain security and protect
> service provider property rights against unnecessary or disproportionate
> intrusion by Law Enforcement, and balance those against the legitimate
> interests of the State to enforce the rule of law in cyberspace.
>

I contend that the bill now represents an honest attempt to look like
they're accommodating issues that aren't related to the core fact that the
proposed laws won't actually reduce crime or increase security.

How explicitly removing state (and potential future federal) ICACs as
agencies able to utilise the powers of the bill is, in any way, reasonably
associated with the phrase "honest attempt" is beyond me.

>
> From the definitions of systemic vulnerability and systemic weakness it
> would seem to put it beyond question that back doors can only be deployed
> against target devices, not deployed en masse. That said, there needs to be
> a control plane function that allows access to the target device that
> wasn't there before, which still constitutes a potential
> weakness/vulnerability.
>

I am sure the bill will be successful in stopping the vulnerabilities it
creates leaking. I mean, if (when, recall just how successfully the NSA
managed to keep Stuxnet under lock and key) the AFP manage to leak code
that allows keylogger installs onto iPhones, no criminal group (or just
obnoxious bunch of script kiddies posing as an online hacking group) would
be able to take advantage of this - that's not a systemic vulnerability or
weakness, right?


> "systemic vulnerability means a vulnerability that affects a whole class
> of technology, but does not include a vulnerability that is selectively
> introduced to one or more target technologies that are connected with a
> particular person. For this purpose, it is immaterial whether the person
> can be identified."
>
> There's still obvious gaps around the powers and accountabilities of state
> police.
>
> I have to say it looks dangerously like a sensible working position from
> which to move forward from, while ensuring security services get the powers
> they say they have an immediate need for.
>

When they prove the need beyond saying "We need this because we say we need
it", and show that the intended targets won't simply sidestep it and move
on, THEN we may have a working position from which to move forward.

Until then, this is just massive over-reach.

As Mark Newton previously noted, this has "The Four Horsemen of the
Infocalypse" written all over it. In particular, the script to follow:

"How to get what you want in 4 easy stages:


   1. Have a target "thing" you wish to stop, yet lack any moral, or
   practical reasons for doing so? *[We want to break encryption]*
   2. Pick a fear common to lots of people, something that will evoke a gut
   reaction: terrorists, pedophiles, serial killers. *[Terrorists, natch.]*
   3. Scream loudly to the media that "thing" is being used by
   perpetrators. (Don't worry if this is true, or common to all other things,
   or less common with "thing" than with other long established
   systems—payphones, paper mail, private hotel rooms, lack of bugs in all
   houses etc.) *[OMG, terrorists are using encryption (let's ignore the
   fact that we're still stopping them without being able to break it, and we
   still let the ones we know about stab people). Sure, it's ubiquitous, but
   TERRORISTS!]*
   4. Say that the only way to stop perpetrators is to close down "thing",
   or to regulate it to death, or to have laws forcing en masse tapability of
   all private communications on "thing". Don't worry if communicating on
   "thing" is a constitutionally protected right, if you have done a good job
   in choosing and publicising the horsemen in 2, no one will notice, they
   will be too busy clamouring for you to save them from the supposed
   evils. *[This whole debate - there are still people acting on the
   assumption that this is needed, and that it will achieve the stated goals.
   Bonus points for screaming at anyone who disagrees that they're only doing
   so because they must support terrorism - yep, we've seen that.]*"


Just because they say they need it doesn't mean that they do, or that it
will work.

>
> Kind regards
>
> Paul Wilkins
>
>
> On Thu, 6 Dec 2018 at 13:48, Mark Newton <newton at atdot.dotat.org> wrote:
>
>>
>>
>> On 12/05/2018 11:48 AM, Paul Wilkins wrote:
>> > "If this passes I can see similar legislation being introduced in
>> > other jurisdictions."
>> >
>> > I think this legislation and all its warts is going to be a
>> > particularly Australian feature.
>>
>> Exported globally, though.
>>
>> A 5-eyes power who wants to surveil someone can come to Australia, get
>> ASIO or ASD to land a TCN on the target's platform provider, and pass on
>> the result.
>>
>> Example:
>>
>> CIA wants something from an iPhone user. They can't get it themselves.
>> So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.
>>
>> ASD screams "terrorist!" in a TCN sent to Apple, which demands
>> production of a compromised version of iOS which keylogs and screenshots
>> any encrypted messaging apps which happen to run, and is pushed as a silent
>> upgrade to that user's phone.
>>
>> Results flow from Apple to ASD, and ASD passes them back to the CIA.
>>
>> There is no need for any other 5-eyes nation to pass this law now that
>> Australia has it. It's provided 5-eyes with a global capability.
>>
>>    - mark
>>
>>
>> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>