<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec. 2018, 4:20 pm Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">The original 172 page Bill was so obviously deficient in so many areas, it was easier to just say the Bill should be thrown out in its entirety and start over. Now, post 50 pages of amendments, there's still plenty of scope for serious criticism, and the debate around getting the balance right between citizens' rights, and the right of the State to extend judicial writ to cyberspace will continue, but this is in every way a very much improved Bill over the original.<br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Is it? Have the amendments increased the likelihood that it will actually help law enforcement? Have the amendments helped to ensure that criminals continue to use services that are subject to the reach of Australian law enforcement agencies?</div><div dir="auto"><br></div><div dir="auto">As Mark Newton pointed out in another forum recently, he was told, face to face, by a sitting MP, in that MP's office, that his concerns that the agencies that would have access to metadata would increase substantially were ill-founded, as were his concerns that the reasons to request metadata would increase dramatically. 
And now local councils have access to metadata, and there are close to 1,000 requests for metadata per day.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><br>I don't see on any of the grounds of criticism of the original Bill, the amendments have gone as far as they need to, but on all the metrics that matter this new Bill represents an honest attempt to accommodate issues of privacy, accountability, and the need to maintain security and protect service provider property rights against unnecessary or disproportionate intrusion by Law Enforcement, and balance those against the legitimate interests of the State to enforce the rule of law in cyberspace. <br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I contend that the bill now represents an honest attempt to look like they're accommodating issues that aren't related to the core fact that the proposed laws won't actually reduce crime or increase security.</div><div dir="auto"><br></div><div dir="auto">How explicitly removing state (and potential future federal) ICACs as agencies able to utilise the powers of the bill is, in any way, reasonably associated with the phrase "honest attempt" is beyond me.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><br>From the definitions of systemic vulnerability and systemic weakness it would seem to put it beyond question that back doors can only be deployed against target devices, not deployed en masse. 
That said, there needs to be a control plane function that allows access to the target device that wasn't there before, which still constitutes a potential weakness/vulnerability.<br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I am sure the bill will be successful in stopping the vulnerabilities it creates leaking. I mean, if (when, recall just how successfully the NSA managed to keep Stuxnet under lock and key) the AFP manage to leak code that allows keylogger installs onto iPhones, no criminal group (or just obnoxious bunch of script kiddies posing as an online hacking group) would be able to take advantage of this - that's not a systemic vulnerability or weakness, right?</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><br><div style="margin-left:40px">"systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. 
For this purpose, it is immaterial whether the person can be identified."<br></div><br>There's still obvious gaps around the powers and accountabilities of state police.<br><br>I have to say it looks dangerously like a sensible working position from which to move forward, while ensuring security services get the powers they say they have an immediate need for.<br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">When they prove the need beyond saying "We need this because we say we need it", and show that the intended targets won't simply sidestep it and move on, THEN we may have a working position from which to move forward.</div><div dir="auto"><br></div><div dir="auto">Until then, this is just massive over-reach.</div><div dir="auto"><br></div><div dir="auto">As Mark Newton previously noted, this has "The Four Horsemen of the Infocalypse" written all over it. In particular, the script to follow:</div><div dir="auto"><br></div><div dir="auto">"<span style="background-color:rgb(255,255,255);color:rgb(34,34,34);font-family:"linux libertine",georgia,times,serif;font-size:17.6px">How to get what you want in 4 easy stages:</span></div><div dir="auto"><span style="background-color:rgb(255,255,255);color:rgb(34,34,34);font-family:"linux libertine",georgia,times,serif;font-size:17.6px"><br></span></div><div dir="auto"><ol style="margin:0px;padding:0px;border:0px;line-height:inherit;font-family:"linux libertine",georgia,times,serif;font-size:17.6px;vertical-align:baseline;background:none rgb(255,255,255);list-style-position:inside"><li style="margin:0px 0px 10px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:none"><font color="#222222" style="font-weight:inherit">Have a target "thing" you wish to stop, yet lack any moral, or practical reasons for doing so? 
</font><font color="#f44336" style=""><b>[We want to break encryption]</b></font></li><li style="margin:0px 0px 10px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:none"><span style="color:rgb(34,34,34);font-weight:inherit">Pick a fear common to lots of people, something that will evoke a gut reaction: terrorists, pedophiles, serial killers. </span><b style=""><font color="#f44336">[Terrorists, natch.]</font></b></li><li style="margin:0px 0px 10px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:none"><span style="color:rgb(34,34,34);font-weight:inherit">Scream loudly to the media that "thing" is being used by perpetrators. (Don't worry if this is true, or common to all other things, or less common with "thing" than with other long established systems—payphones, paper mail, private hotel rooms, lack of bugs in all houses etc.) </span><b style=""><font color="#f44336">[OMG, terrorists are using encryption (let's ignore the fact that we're still stopping them without being able to break it, and we still let the ones we know about stab people). Sure, it's ubiquitous, but TERRORISTS!]</font></b></li><li style="margin-top:0px;margin-right:0px;margin-bottom:inherit;margin-left:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:none"><span style="color:rgb(34,34,34);font-weight:inherit">Say that the only way to stop perpetrators is to close down "thing", or to regulate it to death, or to have laws forcing en masse tapability of all private communications on "thing". 
Don't worry if communicating on "thing" is a constitutionally protected right, if you have done a good job in choosing and publicising the horsemen in 2, no one will notice, they will be too busy clamouring for you to save them from the supposed evils. </span><b style=""><font color="#f44336">[This whole debate - there are still people acting on the assumption that this is needed, and that it will achieve the stated goals. Bonus points for screaming at anyone who disagrees that they're only doing so because they must support terrorism - yep, we've seen that.]</font></b><span style="color:rgb(34,34,34);font-weight:inherit">"</span></li></ol></div><div dir="auto"><br></div><div dir="auto">Just because they say they need it doesn't mean that they do, or that it will work.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><br>Kind regards<br><br>Paul Wilkins<br><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 13:48, Mark Newton <<a href="mailto:newton@atdot.dotat.org" target="_blank" rel="noreferrer">newton@atdot.dotat.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 12/05/2018 11:48 AM, Paul Wilkins wrote:<br>
> "If this passes I can see similar legislation being introduced in <br>
> other jurisdictions."<br>
><br>
> I think this legislation and all its warts is going to be a <br>
> particularly Australian feature.<br>
<br>
Exported globally, though.<br>
<br>
A 5-eyes power who wants to surveil someone can come to Australia, get <br>
ASIO or ASD to land a TCN on the target's platform provider, and pass on <br>
the result.<br>
<br>
Example:<br>
<br>
CIA wants something from an iPhone user. They can't get it themselves. <br>
So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.<br>
<br>
ASD screams "terrorist!" in a TCN sent to Apple, which demands <br>
production of a compromised version of iOS which keylogs and screenshots <br>
any encrypted messaging apps which happen to run, and pushed as a silent <br>
upgrade to that user's phone.<br>
<br>
Results flow from Apple to ASD, and ASD passes them back to the CIA.<br>
<br>
There is no need for any other 5-eyes nation to pass this law now that <br>
Australia has it. It's provided 5-eyes with a global capability.<br>
<br>
- mark<br>
<br>
<br>
</blockquote></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank" rel="noreferrer">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div></div></div>