<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    The real debate is about who is watching the watchers, as always!<br>
    <br>
    <div class="moz-cite-prefix">On 4/09/2018 9:37 p.m., Martin Hepworth
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAGDKorLrtOoWVxjduyYYOBg+S77Hc1mbGpDei+aze4v24ZUyrw@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <div>
        <div><br>
        </div>
        <div>As a Brit working for an Ozzie firm in the UK it's
          interesting looking at this that the link talks about 5eyes
          and not just Australia. We know the debate is happening in the
          US and the UK but this is the first time the 5eyes has been
          explicitly mentioned as a whole in this context afaik</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Martin</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto"><br>
          <div class="gmail_quote" dir="auto">
            <div dir="ltr">On Tue, 4 Sep 2018 at 10:17, Paul Wilkins
              &lt;<a href="mailto:paulwilkins369@gmail.com"
                target="_blank" moz-do-not-send="true">paulwilkins369@gmail.com</a>&gt;
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">
                <div dir="ltr">There is one point which I'll be making
                  in my submission which needs to be firmly pressed home
                  - that there should not be a diversity of agencies all
                  with the power to authorise and execute
                  Assistance/Capability Notices. This should be managed
                  through a single agency, that serves as the interface
                  for the purposes of the bill, between law enforcement,
                  and service providers. This is the only way to ensure a
                  standard capability for intelligence gathering across
                  agencies, smooth administration of justice and
                  execution of Assistance/Capability Notices, and
                  reduces the vulnerability which would arise from over
                  a dozen different agencies and their agents all with
                  access to service provider networks and services. This
                  one agency should work as a clearing house for
                  Assistance/Capability Notices, and for disseminating
                  gleaned data to client agencies.<br>
                  <br>
                  I'd encourage others making submissions to raise the
                  same point. Government has clearly not considered this
                  dimension, otherwise the first cab off the rank in the
                  bill's phrasing would be to create a new agency, or
                  identify a single agency on which to confer these
                  powers.<br>
                  <br>
                  Kind regards</div>
              </div>
              <div dir="ltr">
                <div dir="ltr"><br>
                  <br>
                  Paul Wilkins<br>
                  <br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr">On Tue, 4 Sep 2018 at 18:02, Paul Wilkins
                  &lt;<a href="mailto:paulwilkins369@gmail.com"
                    target="_blank" moz-do-not-send="true">paulwilkins369@gmail.com</a>&gt;
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div>and the stick...</div>
                      <div><br>
                      </div>
                      <div>"Should governments continue to encounter
                        impediments to lawful access to information
                        necessary to aid the protection of the citizens
                        of our countries, we may pursue technological,
                        enforcement, legislative or other measures to
                        achieve lawful access solutions."</div>
                    </div>
                  </div>
                  <br>
                  <div class="gmail_quote">
                    <div dir="ltr">On Tue, 4 Sep 2018 at 17:56, Paul
                      Wilkins &lt;<a
                        href="mailto:paulwilkins369@gmail.com"
                        target="_blank" moz-do-not-send="true">paulwilkins369@gmail.com</a>&gt;
                      wrote:<br>
                    </div>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>"We have agreed to a <a
href="https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption"
                            target="_blank" moz-do-not-send="true">Statement
                            of Principles on Access to Evidence and
                            Encryption</a> that sets out a framework for
                          discussion with industry on resolving the
                          challenges to lawful access posed by
                          encryption, while respecting human rights and
                          fundamental freedoms."</div>
                        <div><br>
                        </div>
                        <div>Interesting...<br>
                        </div>
                      </div>
                      <br>
                      <div class="gmail_quote">
                        <div dir="ltr">On Tue, 4 Sep 2018 at 17:34,
                          Serge Burjak &lt;<a
                            href="mailto:sburjak@systech.com.au"
                            target="_blank" moz-do-not-send="true">sburjak@systech.com.au</a>&gt;
                          wrote:<br>
                        </div>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">
                            <div dir="ltr">
                              <div class="gmail_default"><font
                                  face="tahoma, sans-serif"><a
href="https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018"
                                    target="_blank"
                                    moz-do-not-send="true">https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018</a></font><br>
                              </div>
                              <div class="gmail_default"><font
                                  face="tahoma, sans-serif"><br>
                                </font></div>
                              <div class="gmail_default"><font
                                  face="tahoma, sans-serif">I think it's
                                  just been released. Apologies if it's
                                  a dupe.</font></div>
                            </div>
                          </div>
                          <br>
                          <div class="gmail_quote">
                            <div dir="ltr">On Tue, 4 Sep 2018 at 14:16,
                              Jim Woodward &lt;<a
                                href="mailto:jim@alwaysnever.net"
                                target="_blank" moz-do-not-send="true">jim@alwaysnever.net</a>&gt;
                              wrote:<br>
                            </div>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div bgcolor="white" link="blue"
                                vlink="purple" lang="EN-US">
                                <div
class="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095WordSection1">
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">Hi All,</span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">The problem with the
                                      ‘device malware’ approach is also
                                      that if such an approach is used
                                      where the intention is to target a
                                      single device and the software /
                                      hardware vendor screws up and
                                      deploys the ‘weakened’ application
                                      to many devices instead of one
                                      specific device then there is the
                                      potential to weaken the security
                                      and compromise the privacy of
                                      others. </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">I’m sure there’s some
                                      political double talk that would
                                      cover this scenario and that the
                                      onus would be solely on the vendor
                                      for making sure this does not
                                      happen, the worry is that this
                                      exact scenario is possible,
                                      especially if proof of concepts
                                      accidentally get released into the
                                      wild.</span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">The public should be
                                      concerned about this for if we end
                                      up in a situation where users
                                      don’t trust security updates (or
                                      updates of any type) then we’re in
                                      the same boat as having a
                                      purposefully compromised
                                      application deployed, we’d have
                                      devices with known vulnerabilities
                                      with updates turned off which
                                      would be arguably more serious as
                                      time goes on.</span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">I truly believe the
                                      reason this legislation is so
                                      vague is that they’re trying to
                                      find a solution where no one
                                      scenario is without significant
                                      risks, they’re trying to hold
                                      water in a sieve by tipping more
                                      water into it in an effort to fill
                                      it. </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">Kind Regards,</span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU">Jim.</span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"
                                      lang="EN-AU"> </span></p>
                                  <div>
                                    <div
                                      style="border:none;border-top:solid
                                      #e1e1e1 1.0pt;padding:3.0pt 0cm
                                      0cm 0cm">
                                      <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
                                          AusNOG &lt;<a
                                            href="mailto:ausnog-bounces@lists.ausnog.net"
                                            target="_blank"
                                            moz-do-not-send="true">ausnog-bounces@lists.ausnog.net</a>&gt;
                                          <b>On Behalf Of </b>Paul
                                          Brooks<br>
                                          <b>Sent:</b> Tuesday, 4
                                          September 2018 12:05 AM<br>
                                          <b>To:</b> <a
                                            href="mailto:ausnog@lists.ausnog.net"
                                            target="_blank"
                                            moz-do-not-send="true">ausnog@lists.ausnog.net</a><br>
                                          <b>Subject:</b> Re: [AusNOG]
                                          Dutton decryption bill</span></p>
                                    </div>
                                  </div>
                                  <p class="MsoNormal"> </p>
                                  <div>
                                    <p class="MsoNormal">On 3/09/2018
                                      11:47 AM, Chris Ford wrote:</p>
                                  </div>
                                  <blockquote
                                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                                    <div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper">
                                      <p><span
                                          style="font-family:"Calibri",sans-serif">Paul,</span></p>
                                      <p><span
                                          style="font-family:"Calibri",sans-serif"> </span></p>
                                      <p><span
                                          style="font-family:"Calibri",sans-serif">I
                                          agree with you in general as
                                          to the point that if we are
                                          happy with the premise of the
                                          current TIA Act that LEAs
                                          should be able to intercept
                                          communications with a duly
                                          authorised warrant, then
                                          extending that to encrypted
                                          services seems a reasonable
                                          extension to keep up with
                                          technology.</span></p>
                                      <p><span
                                          style="font-family:"Calibri",sans-serif"> </span></p>
                                      <p><span
                                          style="font-family:"Calibri",sans-serif">However,
                                          the current intercept regime
                                          is very difficult if not
                                          impossible for a bad actor to
                                          exploit. The intercept points
                                          are within the Carrier and CSP
                                          networks, out of reach of most
                                          people. When we move to
                                          intercept end-to-end encrypted
                                          services you either need to
                                          break the encryption (which
                                          thankfully does not seem to be
                                          the path anybody is
                                          proposing), OR, you need to
                                          access the clear text at the
                                          end point itself. The problem
                                          I have with this is that the
                                          end point is out in user land,
                                          often accessible to anyone on
                                          the internet, and now exposed
                                          to exploit by bad actors.</span></p>
                                    </div>
                                  </blockquote>
                                  <p class="MsoNormal">..And this is it.
                                    The new legislation is NOT about
                                    encryption, primarily, despite what
                                    we thought before the draft was
                                    released.<br>
                                    They've explicitly acknowledged they
                                    can't 'break' encryption, and do not
                                    want to weaken encryption. They want
                                    the sent and received message text,
                                    stored in the device after/before
                                    the encrypted transport.<br>
                                    <br>
                                    It's actually a 'device malware' bill
                                    - a bill to enable general police
                                    forces to achieve things that
                                    previously only shadowy four-letter
                                    agencies could do - implant malware
                                    and modify the function of any
                                    end-user device, handset, modem,
                                    laptop, tablet, printer, connected
                                    TV, Amazon Alexa/Google Home/etc.
                                    Actually it goes further - rather
                                    than implant the malware themselves
                                    once they've achieved physical
                                    access, this 'device malware' bill
                                    enables them to ask nicely for
                                    assistance, and then to require, the
                                    device suppliers and manufacturers
                                    to build and implant the exploit for
                                    them. Why should AS** develop an
                                    exploit, when they can ask Apple or
                                    Netgear or Samsung nicely to develop
                                    and install the exploit for them?<br>
                                    <br>
                                    We've spent decades educating users
                                    that the green padlock on a website
                                    means something, and that 'IOT
                                    devices' such as your average Smart
                                    TV might be easily hijacked and be
                                    recording and watching the home
                                    through its microphone and embedded
                                    webcam. This bill makes
                                    government-authorised modified
                                    firmware with exploits that the
                                    network and software industry have
                                    spent billions developing virus
                                    scanning apps to detect and
                                    eradicate.<br>
                                    <br>
                                    Paul.<br>
                                    <br>
                                    <br>
                                    <br>
                                    <br>
                                  </p>
                                  <blockquote
                                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                                    <div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper">
                                      <p><span
                                          style="font-family:"Calibri",sans-serif"> </span></p>
                                      <p><span
                                          style="font-family:"Calibri",sans-serif">--</span></p>
                                      <div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095Signature">
                                        <div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper">
                                          <p style="background:white"><span
style="font-family:"Calibri",sans-serif">Chris Ford | CTO</span></p>
                                          <p style="background:white"><span
style="font-family:"Calibri",sans-serif">Inabox Group Limited</span></p>
                                          <p style="background:white"><span
style="font-family:"Calibri",sans-serif"> </span></p>
                                          <p style="background:white"><span
style="font-family:"Calibri",sans-serif">Ph: + 61 2 8275 6871</span></p>
                                          <p style="background:white"><span
style="font-family:"Calibri",sans-serif">Mb: +61 401 988 844</span></p>
                                          <p style="background:white"><span
style="font-family:"Calibri",sans-serif">Em: <a
                                                href="mailto:chris.ford@inaboxgroup.com.au"
                                                target="_blank"
                                                moz-do-not-send="true">chris.ford@inaboxgroup.com.au</a></span></p>
                                        </div>
                                      </div>
                                    </div>
                                    <div class="MsoNormal"
                                      style="text-align:center"
                                      align="center">
                                      <hr size="2" align="center"
                                        width="98%"></div>
                                    <div
id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divRplyFwdMsg">
                                      <p class="MsoNormal"><b><span
                                            style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
                                          AusNOG <a
                                            href="mailto:ausnog-bounces@lists.ausnog.net"
                                            target="_blank"
                                            moz-do-not-send="true">&lt;ausnog-bounces@lists.ausnog.net&gt;</a>
                                          on behalf of Paul Wilkins <a
href="mailto:paulwilkins369@gmail.com" target="_blank"
                                            moz-do-not-send="true">&lt;paulwilkins369@gmail.com&gt;</a><br>
                                          <b>Sent:</b> Monday, 3
                                          September 2018 11:31:14 AM<br>
                                          <b>To:</b> <a
                                            href="mailto:AusNOG@lists.ausnog.net"
                                            target="_blank"
                                            moz-do-not-send="true">AusNOG@lists.ausnog.net</a><br>
                                          <b>Subject:</b> Re: [AusNOG]
                                          Dutton decryption bill</span>
                                      </p>
                                      <div>
                                        <p class="MsoNormal"> </p>
                                      </div>
                                    </div>
                                    <div>
                                      <div>
                                        <div>
                                          <p class="MsoNormal">Bradley,</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">The
                                            Common Law has always
                                            allowed judicial scrutiny of
                                            our privacy. There's always
                                            been the right for judicial
                                            search warrants to override
                                            what's considered one's
                                            private domain. I'm
                                            supportive of this bill
                                            where it extends judicial
                                            oversight to the cyber
                                            domain, which is a gap that
                                            exists only because
                                            legislation/common law has
                                            lagged behind technology.
                                            While at the same time
                                            realising that conversations
                                            conducted over the internet,
                                            even if encrypted, are more
                                            properly regarded as public
                                            conversations, than say one
                                            you might have in your
                                            living room. Whether
                                            government is going to
                                            regulate the internet, the
                                            boat has sailed on this long
                                            ago. The hard line privacy
                                            advocates are simply going
                                            to be left out of a
                                            conversation democracy needs
                                            to have over not whether the
                                            internet should be
                                            regulated, but how.</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal"> </p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">What's
                                            interesting in this bill is
                                            that it goes beyond
                                            extending judicial writ,
                                            allowing law enforcement
                                            emergency powers the right
                                            to surveil suspects. This
                                            will be authorised by law
                                            enforcement, without
                                            judicial or governmental
                                            oversight. I think this
                                            probably goes too far. The
                                            best outcome for everyone,
                                            to protect privacy, and to
                                            empower law enforcement to
                                            enforce laws and to protect
                                            citizens' rights, would be to
                                            limit the scope of these new
                                            powers to judicial writ.</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal"> </p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">Kind
                                            regards</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal"> </p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">Paul
                                            Wilkins</p>
                                        </div>
                                      </div>
                                    </div>
                                    <p class="MsoNormal"><br>
                                      <br>
                                      <br>
                                    </p>
                                    <pre>_______________________________________________</pre>
                                    <pre>AusNOG mailing list</pre>
                                    <pre><a href="mailto:AusNOG@lists.ausnog.net" target="_blank" moz-do-not-send="true">AusNOG@lists.ausnog.net</a></pre>
                                    <pre><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank" moz-do-not-send="true">http://lists.ausnog.net/mailman/listinfo/ausnog</a></pre>
                                  </blockquote>
                                  <p> </p>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
      -- <br>
      <div dir="ltr" class="gmail_signature"
        data-smartmail="gmail_signature">-- <br>
        Martin Hepworth, CISSP<br>
        Oxford, UK</div>
      <br>
    </blockquote>
    <br>
  </body>
</html>