<div><div><br></div><div>As a Brit working for an Ozzie firm in the UK it's interesting looking at this that the link talks about 5eyes and not just Australia. We know the debate is happening in the US and the UK but this is the first time the 5eyes has been explicit mentioned as whole in this context afaik</div><div dir="auto"><br></div><div dir="auto">Martin</div><div dir="auto"><br></div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr">On Tue, 4 Sep 2018 at 10:17, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">There is one point which I'll be making in my submission which needs to be firmly pressed home - that there should not be a diversity of agencies all with the power to authorise and execute Assistance/Capability Notices. This should be managed through a single agency, that serves as the interface for the purposes of the bill, between law enforcement, and service providers. This is the only way toensure a standard capability for intelligence gathering across agencies, smooth administration of justice and execution of Assistance/Capability Notices, and reduces the vulnerability which would arise from over a dozen different agencies and their agents all with access to service provider networks and services. This one agency should work as a clearing house for Assistance/Capability Notices, and for disseminating gleaned data to client agencies.<br><br>I'd encourage others making submissions to raise the same point. Government has clearly not considered this dimension, otherwise the first cab off the rank in the bill's phrasing would be to create a new agency, or identifying a single agency on which to confer these powers.<br><br>Kind regards</div></div><div dir="ltr"><div dir="ltr"><br><br>Paul Wilkins<br><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 4 Sep 2018 at 18:02, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>and the stick...</div><div><br></div><div>"Should governments continue to encounter impediments to lawful access to
information necessary to aid the protection of the citizens of our
countries, we may pursue technological, enforcement, legislative or
other measures to achieve lawful access solutions."</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 4 Sep 2018 at 17:56, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>"We have agreed to a <a href="https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption" target="_blank">Statement of Principles on Access to Evidence and Encryption</a>
that sets out a framework for discussion with industry on resolving the
challenges to lawful access posed by encryption, while respecting human
rights and fundamental freedoms."</div><div><br></div><div>Interesting...<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 4 Sep 2018 at 17:34, Serge Burjak <<a href="mailto:sburjak@systech.com.au" target="_blank">sburjak@systech.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div class="gmail_default"><font face="tahoma, sans-serif"><a href="https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018" target="_blank">https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018</a></font><br></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">I think it's just been released. Apologies if it's a dupe.</font></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 4 Sep 2018 at 14:16, Jim Woodward <<a href="mailto:jim@alwaysnever.net" target="_blank">jim@alwaysnever.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div class="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095WordSection1"><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi All,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">The problem with the ‘device malware’ approach is also that if such an approach is used where the intention is to target a single device and the software / hardware vendor screws up and deploys the ‘weakened’ application to many devices instead of one specific device then there is the potential to weaken the security and compromise the privacy of others. <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I’m sure there’s some political double talk that would cover this scenario and that the onus would be solely on the vendor for making sure this does not happen, the worry is that this exact scenario is possible, especially if proof of concepts accidently get released into the wild.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">The public should be concerned about this for if we end up in a situation where users don’t trust security updates (or updates of any type) then we’re in the same boat as having a purposefully compromised application deployed, we’d have devices with known vulnerabilities with updates turned off which would be arguably more serious as time goes on.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I truly believe the reason this legislation is so vague is that they’re trying to find a solution where no one scenario is without significant risks, they’re trying to hold water in a sieve by tipping more water into it in an effort to fill it. <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Kind Regards,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Jim.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> AusNOG <<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>> <b>On Behalf Of </b>Paul Brooks<br><b>Sent:</b> Tuesday, 4 September 2018 12:05 AM<br><b>To:</b> <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br><b>Subject:</b> Re: [AusNOG] Dutton decryption bill<u></u><u></u></span></p></div></div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On 3/09/2018 11:47 AM, Chris Ford wrote:<u></u><u></u></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper"><p><span style="font-family:"Calibri",sans-serif">Paul,<u></u><u></u></span></p><p><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p><p><span style="font-family:"Calibri",sans-serif">I agree with you in general as to the point that if we are happy with the premise of the current TIA Act that LEAs should be able to intercept communications with a duly authorised warrant, then extending that to encrypted services seems a reasonable extension to keep up with technology.<u></u><u></u></span></p><p><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p><p><span style="font-family:"Calibri",sans-serif">However, the current intercept regime is very difficult if not impossible for a bad actor to exploit. The intercept points are within the Carrier and CSP networks, out of reach of most people. When we move to intercept end-to-end encrypted services you either need to break the encryption (which thankfully does not seem to be the path anybody is proposing), OR, you need to access the clear text at the end point itself. The problem I have with this is that the end point is out in user land, often accessible to anyone on the internet, and now exposed to exploit by bad actors.<u></u><u></u></span></p></div></blockquote><p class="MsoNormal">..And this is it. The new legislation is NOT about encryption, primarily, despite what we thought before the draft was released.<br>They've explicitly acknowledged they can't 'break' encryption, and do not want to weaken encryption. They want the sent and received message text, stored in the device after/before the encrypted transport.<br><br>Its actually a 'device malware' bill - a bill to enable general police forces to achieve things that previously only shadowy four-letter agencies could do - implant malware and modify the function of any end-user device, handset, modem, laptop, tablet, printer, connected TV, Amazon Alexa/Google Home/etc. Actually it goes further - rather than implant the malware themselves once they've achieved physical access, this 'device malware' bill enables them to ask nicely for assistance, and then to require, the device suppliers and manufacturers to build and implant the exploit for them. Why should AS** develop an exploit, when they can ask Apple or Netgear or Samsung nicely to develop and install the exploit for them.<br><br>We've spent decades educating users that the green padlock on a website means something, and that 'IOT devices' such as your average Smart TV might be easily hijacked and be recording and watching the home through its microphone and embedded webcam. This bill makes government-authorised modified firmware with exploits that the network and software industry have spent billions developing virus scanning apps to detect and eradicate.<br><br>Paul.<br><br><br><br><br><u></u><u></u></p><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper"><p><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p><p><span style="font-family:"Calibri",sans-serif">--<u></u><u></u></span></p><div id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095Signature"><div id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divtagdefaultwrapper"><p style="background:white"><span style="font-family:"Calibri",sans-serif">Chris Ford | CTO<u></u><u></u></span></p><p style="background:white"><span style="font-family:"Calibri",sans-serif">Inabox Group Limited<u></u><u></u></span></p><p style="background:white"><span style="font-family:"Calibri",sans-serif"><u></u> <u></u></span></p><p style="background:white"><span style="font-family:"Calibri",sans-serif">Ph: + 61 2 8275 6871<u></u><u></u></span></p><p style="background:white"><span style="font-family:"Calibri",sans-serif">Mb: +61 401 988 844<u></u><u></u></span></p><p style="background:white"><span style="font-family:"Calibri",sans-serif">Em: <a href="mailto:chris.ford@inaboxgroup.com.au" target="_blank">chris.ford@inaboxgroup.com.au</a><u></u><u></u></span></p></div></div></div><div class="MsoNormal" align="center" style="text-align:center"><hr size="2" width="98%" align="center"></div><div id="m_-3982447786034692250m_-2479550193675366264m_-5158624285440553620m_6824654010180354063m_-6107826436236504148m_7687516636362054095divRplyFwdMsg"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> AusNOG <a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank"><ausnog-bounces@lists.ausnog.net></a> on behalf of Paul Wilkins <a href="mailto:paulwilkins369@gmail.com" target="_blank"><paulwilkins369@gmail.com></a><br><b>Sent:</b> Monday, 3 September 2018 11:31:14 AM<br><b>To:</b> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br><b>Subject:</b> Re: [AusNOG] Dutton decryption bill</span> <u></u><u></u></p><div><p class="MsoNormal"> <u></u><u></u></p></div></div><div><div><div><p class="MsoNormal">Bradley,<u></u><u></u></p></div><div><p class="MsoNormal">The Common Law has always allowed judicial scrutiny of our privacy. There's always been the right for judicial search warrants to override what's considered one's private domain. I'm supportive of this bill where it extends judicial oversite to the cyber domain, which is a gap that exists only because legislation/common law has lagged behind technology. While at the same time realising that conversations conducted over the internet, even if encrypted, are more properly regarded as public conversations, than say one you might have in your living room. Whether government is going to regulate the internet, the boat has sailed on this long ago. The hard line privacy advocates are simply going to be left out of a conversation democracy needs to have over not whether the internet should be regulated, but how.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">What's interesting in this bill is that it goes beyond extending judicial writ, allowing law enforcement emergency powers the right to surveil suspects. This will be authorised by law enforcement, without judicial or governmental oversite. I think this probably goes too far. The best outcome for everyone, to protect privacy, and to empower law enforcement to enforce laws and to protect citizens rights, would be to limit the scope of these new powers to judicial writ.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Kind regards<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Paul Wilkins<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div></div></div><p class="MsoNormal"><br><br><br><u></u><u></u></p><pre>_______________________________________________<u></u><u></u></pre><pre>AusNOG mailing list<u></u><u></u></pre><pre><a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><u></u><u></u></pre><pre><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><u></u><u></u></pre></blockquote><p><u></u> <u></u></p></div></div>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div></div>
</div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">-- <br>Martin Hepworth, CISSP<br>Oxford, UK</div>