<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
The real debate is about who is watching the watchers, as always!<br>
<br>
<div class="moz-cite-prefix">On 4/09/2018 9:37 p.m., Martin Hepworth
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGDKorLrtOoWVxjduyYYOBg+S77Hc1mbGpDei+aze4v24ZUyrw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div>
<div><br>
</div>
<div>As a Brit working for an Ozzie firm in the UK it's
interesting looking at this that the link talks about 5eyes
and not just Australia. We know the debate is happening in the
US and the UK but this is the first time the 5eyes has been
explicitly mentioned as a whole in this context afaik</div>
<div dir="auto"><br>
</div>
<div dir="auto">Martin</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
<div class="gmail_quote" dir="auto">
<div dir="ltr">On Tue, 4 Sep 2018 at 10:17, Paul Wilkins
<<a href="mailto:paulwilkins369@gmail.com"
target="_blank" moz-do-not-send="true">paulwilkins369@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">There is one point which I'll be making
in my submission which needs to be firmly pressed home
- that there should not be a diversity of agencies all
with the power to authorise and execute
Assistance/Capability Notices. This should be managed
through a single agency, that serves as the interface
for the purposes of the bill, between law enforcement,
and service providers. This is the only way to ensure a
standard capability for intelligence gathering across
agencies, smooth administration of justice and
execution of Assistance/Capability Notices, and
reduces the vulnerability which would arise from over
a dozen different agencies and their agents all with
access to service provider networks and services. This
one agency should work as a clearing house for
Assistance/Capability Notices, and for disseminating
gleaned data to client agencies.<br>
<br>
I'd encourage others making submissions to raise the
same point. Government has clearly not considered this
dimension, otherwise the first cab off the rank in the
bill's phrasing would be to create a new agency, or
identifying a single agency on which to confer these
powers.<br>
<br>
Kind regards</div>
</div>
<div dir="ltr">
<div dir="ltr"><br>
<br>
Paul Wilkins<br>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, 4 Sep 2018 at 18:02, Paul Wilkins
<<a href="mailto:paulwilkins369@gmail.com"
target="_blank" moz-do-not-send="true">paulwilkins369@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div>and the stick...</div>
<div><br>
</div>
<div>"Should governments continue to encounter
impediments to lawful access to information
necessary to aid the protection of the citizens
of our countries, we may pursue technological,
enforcement, legislative or other measures to
achieve lawful access solutions."</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, 4 Sep 2018 at 17:56, Paul
Wilkins <<a
href="mailto:paulwilkins369@gmail.com"
target="_blank" moz-do-not-send="true">paulwilkins369@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>"We have agreed to a <a
href="https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption"
target="_blank" moz-do-not-send="true">Statement
of Principles on Access to Evidence and
Encryption</a> that sets out a framework for
discussion with industry on resolving the
challenges to lawful access posed by
encryption, while respecting human rights and
fundamental freedoms."</div>
<div><br>
</div>
<div>Interesting...<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, 4 Sep 2018 at 17:34,
Serge Burjak <<a
href="mailto:sburjak@systech.com.au"
target="_blank" moz-do-not-send="true">sburjak@systech.com.au</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div class="gmail_default"><font
face="tahoma, sans-serif"><a
href="https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018"
target="_blank"
moz-do-not-send="true">https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018</a></font><br>
</div>
<div class="gmail_default"><font
face="tahoma, sans-serif"><br>
</font></div>
<div class="gmail_default"><font
face="tahoma, sans-serif">I think it's
just been released. Apologies if it's
a dupe.</font></div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, 4 Sep 2018 at 14:16,
Jim Woodward <<a
href="mailto:jim@alwaysnever.net"
target="_blank" moz-do-not-send="true">jim@alwaysnever.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="white" link="blue"
vlink="purple" lang="EN-US">
<div
class="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">Hi All,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">The problem with the
‘device malware’ approach is also
that if such an approach is used
where the intention is to target a
single device and the software /
hardware vendor screws up and
deploys the ‘weakened’ application
to many devices instead of one
specific device then there is the
potential to weaken the security
and compromise the privacy of
others. </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">I’m sure there’s some
political double talk that would
cover this scenario and that the
onus would be solely on the vendor
for making sure this does not
happen, the worry is that this
exact scenario is possible,
especially if proof of concepts
accidentally get released into the
wild.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">The public should be
concerned about this for if we end
up in a situation where users
don’t trust security updates (or
updates of any type) then we’re in
the same boat as having a
purposefully compromised
application deployed, we’d have
devices with known vulnerabilities
with updates turned off which
would be arguably more serious as
time goes on.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">I truly believe the
reason this legislation is so
vague is that they’re trying to
find a solution where no one
scenario is without significant
risks, they’re trying to hold
water in a sieve by tipping more
water into it in an effort to fill
it. </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">Kind Regards,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU">Jim.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
lang="EN-AU"> </span></p>
<div>
<div
style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0cm
0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
AusNOG <<a
href="mailto:ausnog-bounces@lists.ausnog.net"
target="_blank"
moz-do-not-send="true">ausnog-bounces@lists.ausnog.net</a>>
<b>On Behalf Of </b>Paul
Brooks<br>
<b>Sent:</b> Tuesday, 4
September 2018 12:05 AM<br>
<b>To:</b> <a
href="mailto:ausnog@lists.ausnog.net"
target="_blank"
moz-do-not-send="true">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG]
Dutton decryption bill</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On 3/09/2018
11:47 AM, Chris Ford wrote:</p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper">
<p><span
style="font-family:"Calibri",sans-serif">Paul,</span></p>
<p><span
style="font-family:"Calibri",sans-serif"> </span></p>
<p><span
style="font-family:"Calibri",sans-serif">I
agree with you in general as
to the point that if we are
happy with the premise of the
current TIA Act that LEAs
should be able to intercept
communications with a duly
authorised warrant, then
extending that to encrypted
services seems a reasonable
extension to keep up with
technology.</span></p>
<p><span
style="font-family:"Calibri",sans-serif"> </span></p>
<p><span
style="font-family:"Calibri",sans-serif">However,
the current intercept regime
is very difficult if not
impossible for a bad actor to
exploit. The intercept points
are within the Carrier and CSP
networks, out of reach of most
people. When we move to
intercept end-to-end encrypted
services you either need to
break the encryption (which
thankfully does not seem to be
the path anybody is
proposing), OR, you need to
access the clear text at the
end point itself. The problem
I have with this is that the
end point is out in user land,
often accessible to anyone on
the internet, and now exposed
to exploit by bad actors.</span></p>
</div>
</blockquote>
<p class="MsoNormal">..And this is it.
The new legislation is NOT about
encryption, primarily, despite what
we thought before the draft was
released.<br>
They've explicitly acknowledged they
can't 'break' encryption, and do not
want to weaken encryption. They want
the sent and received message text,
stored in the device after/before
the encrypted transport.<br>
<br>
It's actually a 'device malware' bill
- a bill to enable general police
forces to achieve things that
previously only shadowy four-letter
agencies could do - implant malware
and modify the function of any
end-user device, handset, modem,
laptop, tablet, printer, connected
TV, Amazon Alexa/Google Home/etc.
Actually it goes further - rather
than implant the malware themselves
once they've achieved physical
access, this 'device malware' bill
enables them to ask nicely for
assistance, and then to require, the
device suppliers and manufacturers
to build and implant the exploit for
them. Why should AS** develop an
exploit, when they can ask Apple or
Netgear or Samsung nicely to develop
and install the exploit for them.<br>
<br>
We've spent decades educating users
that the green padlock on a website
means something, and that 'IOT
devices' such as your average Smart
TV might be easily hijacked and be
recording and watching the home
through its microphone and embedded
webcam. This bill makes
government-authorised modified
firmware with exploits that the
network and software industry have
spent billions developing virus
scanning apps to detect and
eradicate.<br>
<br>
Paul.<br>
<br>
<br>
<br>
<br>
</p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper">
<p><span
style="font-family:"Calibri",sans-serif"> </span></p>
<p><span
style="font-family:"Calibri",sans-serif">--</span></p>
<div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095Signature">
<div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper">
<p style="background:white"><span
style="font-family:"Calibri",sans-serif">Chris Ford | CTO</span></p>
<p style="background:white"><span
style="font-family:"Calibri",sans-serif">Inabox Group Limited</span></p>
<p style="background:white"><span
style="font-family:"Calibri",sans-serif"> </span></p>
<p style="background:white"><span
style="font-family:"Calibri",sans-serif">Ph: + 61 2 8275 6871</span></p>
<p style="background:white"><span
style="font-family:"Calibri",sans-serif">Mb: +61 401 988 844</span></p>
<p style="background:white"><span
style="font-family:"Calibri",sans-serif">Em: <a
href="mailto:chris.ford@inaboxgroup.com.au"
target="_blank"
moz-do-not-send="true">chris.ford@inaboxgroup.com.au</a></span></p>
</div>
</div>
</div>
<div class="MsoNormal"
style="text-align:center"
align="center">
<hr size="2" align="center"
width="98%"></div>
<div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divRplyFwdMsg">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
AusNOG <a
href="mailto:ausnog-bounces@lists.ausnog.net"
target="_blank"
moz-do-not-send="true"><ausnog-bounces@lists.ausnog.net></a>
on behalf of Paul Wilkins <a
href="mailto:paulwilkins369@gmail.com" target="_blank"
moz-do-not-send="true"><paulwilkins369@gmail.com></a><br>
<b>Sent:</b> Monday, 3
September 2018 11:31:14 AM<br>
<b>To:</b> <a
href="mailto:AusNOG@lists.ausnog.net"
target="_blank"
moz-do-not-send="true">AusNOG@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG]
Dutton decryption bill</span>
</p>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Bradley,</p>
</div>
<div>
<p class="MsoNormal">The
Common Law has always
allowed judicial scrutiny of
our privacy. There's always
been the right for judicial
search warrants to override
what's considered one's
private domain. I'm
supportive of this bill
where it extends judicial
oversight to the cyber
domain, which is a gap that
exists only because
legislation/common law has
lagged behind technology.
While at the same time
realising that conversations
conducted over the internet,
even if encrypted, are more
properly regarded as public
conversations, than say one
you might have in your
living room. Whether
government is going to
regulate the internet, the
boat has sailed on this long
ago. The hard line privacy
advocates are simply going
to be left out of a
conversation democracy needs
to have over not whether the
internet should be
regulated, but how.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">What's
interesting in this bill is
that it goes beyond
extending judicial writ,
allowing law enforcement
emergency powers the right
to surveil suspects. This
will be authorised by law
enforcement, without
judicial or governmental
oversight. I think this
probably goes too far. The
best outcome for everyone,
to protect privacy, and to
empower law enforcement to
enforce laws and to protect
citizens' rights, would be to
limit the scope of these new
powers to judicial writ.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Kind
regards</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Paul
Wilkins</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<br>
</p>
<pre>_______________________________________________</pre>
<pre>AusNOG mailing list</pre>
<pre><a href="mailto:AusNOG@lists.ausnog.net" target="_blank" moz-do-not-send="true">AusNOG@lists.ausnog.net</a></pre>
<pre><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank" moz-do-not-send="true">http://lists.ausnog.net/mailman/listinfo/ausnog</a></pre>
</blockquote>
<p> </p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">-- <br>
Martin Hepworth, CISSP<br>
Oxford, UK</div>
<br>
</blockquote>
<br>
</body>
</html>