[AusNOG] Assistance and Access Bill moves to PJCIS

Paul Brooks pbrooks-ausnog at layer10.com.au
Wed Dec 12 12:24:49 EST 2018 

@Matt - 'a screen capture and remote access ability', if installed on all phones would
surely be a 'systemic vulnerability' in anybody's view, and would be a global disaster
if the method of triggering this ability escaped to the wider world. This would be an
example of precisely the dangerous and ill-advised exploit that we are all concerned
the agencies might ask for in ignorance.   Heck, this is exactly the sort of malware
exploit that after-market malware scanners and virus checkers for phones should be
looking for to to detect and warn the user if an app or the OS had been compromised
and was attempting to do these things. I can see a rapidly growing market for malware
checkers!

@Paul - where is the requirement for 'judicial approval'? - it doesn't go anywhere
near a court.   The TCN can be issued by the Attorney General. If (and only if) the
recipient thinks it might be able to be pushed back on, they can ask for a review by a
*retired* judge and a tech expert with a high security clearance.  A *retired* judge
is not a 'judicial approval', and the easiest place to source the other expert from is
from within ASIO - hardly independent.  The AGD chooses the two reviewers, not the
recipient. The legislation as passed also doesn't deal with the situation if the two
experts disagree on whether it is allowable or not.   And there is no requirement for
a warrant to have been issued - the whole point of a TCN is to preemptively create a
capability that can be exploited later, on the off chance there will be a future
warrant that requires the exploit to be triggered.

Paul.

On 12/12/2018 12:02 pm, Paul Wilkins wrote:
> Matt, (IINAL)
> But it appears on my reading that both 317ZG and more specifically the new 317ZGA
> would arguably prohibit this.
>
> The (pending?) amendments are worth a read. Stronger terms on 317ZG and importantly
> - *requirement for judicial approval of TCNs*.
>
> 317P (5)(2)(d) the designated communications provider has, if reasonably
> practicable, been consulted and given a reasonable opportunity to make submissions
> on whether the requirements to be imposed by the notice are reasonable and
> proportionate and whether compliance with the notice is practicable and technically
> feasible.
>
>
> On Wed, 12 Dec 2018 at 11:30, Matt Perkins <matt at spectrum.com.au
> <mailto:matt at spectrum.com.au>> wrote:
>
>     It strikes me that all that will be needed is the phone manufacturers to put a
>     screen capture and remote access ability on the phones. Then Law enforcement
>     need to do is read the screens no need to involve the individual app makers at
>     all.  They are after a wide and non savvy audience here. Looking over the
>     shoulder of phone users is what we are talking about. I would say expect to see
>     a boost in convictions of medium size drug distributors  and  small amateur
>     terror type people.
>
>     These are the same people that used sms before they just want that capability back.
>
>     Matt
>
>
>
>     -- 
>     /* Matt Perkins
>            Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
>            Office 1300 133 299     matt at spectrum.com.au <mailto:matt at spectrum.com.au>
>            Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
>           SIP 1300137379 at sip.spectrum.com.au <mailto:1300137379 at sip.spectrum.com.au>
>            Google Talk MattAPerkins at gmail.com <mailto:MattAPerkins at gmail.com>
>            PGP/GNUPG Public Key can be found at  http://pgp.mit.edu
>     */
>
>     > On 12 Dec 2018, at 8:27 am, Paul Brooks <pbrooks-ausnog at layer10.com.au
>     <mailto:pbrooks-ausnog at layer10.com.au>> wrote:
>     >
>     >> On 12/12/2018 3:54 am, Scott Weeks wrote:
>     >>
>     >> -----------------
>     >> The Bill was passed on Thursday
>     >> -----------------
>     >>
>     >>
>     >> Damn, I'm gonna need a bigger bag of popcorn!
>     >> Waaaay bigger.  I can't wait to see how this
>     >> plays out.
>     >
>     > We'll probably never know how this plays out, unless one of the major global
>     brands
>     > pulls out of the Australian market.
>     >
>     > Tech companies doing development in Aust will put in independent code reviews
>     by an
>     > offshore team to protect against onshore employees, or will quietly close
>     Australian
>     > development shops over years.  Some tech companies will move overseas - gradually,
>     > over months and years.    Net result - lower demand for Australian IT staff, lower
>     > export figures in the DFAT stats over years.
>     >
>     > Many 'component manufacturers or suppliers' will blithely carry on, unaware
>     this might
>     > apply to them at all until they receive a notice
>     >
>     > A massive data breach in 3 years time may not be traced back to a system
>     change caused
>     > as a result of a notice, or if an investigation does uncover the root cause,
>     is likely
>     > to be quietly hushed up.
>     >
>     > It'll take a massive ASIC-website-blocking-like event own-goal to generate
>     demand for
>     > popcorn. That or a majority of politicians starting to listen to experts
>     rather than
>     > agencies and repealing it, and there's precious few Andrew Wilkies around at the
>     > moment so that's even less likely.
>     >
>     > P.
>     >
>     >
>     >
>     >
>     >
>     >>
>     >> scott
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>
>     >>> 
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> AusNOG mailing list
>     >>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     >>> http://lists.ausnog.net/mailman/listinfo/ausnog
>     >>
>     >>
>     >>
>     >> _______________________________________________
>     >> AusNOG mailing list
>     >> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     >> http://lists.ausnog.net/mailman/listinfo/ausnog
>     >>
>     >>
>     >> _______________________________________________
>     >> AusNOG mailing list
>     >> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     >> http://lists.ausnog.net/mailman/listinfo/ausnog
>     >
>     >
>     > _______________________________________________
>     > AusNOG mailing list
>     > AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     > http://lists.ausnog.net/mailman/listinfo/ausnog
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20181212/cd263e22/attachment.html>

More information about the AusNOG mailing list