<div><div dir="auto">It strikes me that a savvy iPhone user who got a surprise firmware update while chatting with other iPhone users who did not get the update would find this suspicious. Same for Android users, of course. That also ignores how big the update is and how much data would be used sending 5-minute archives that run cell data to the plan limit, with the user getting an ISP "near data limit" warning.</div></div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, 12 Dec 2018 at 12:58 PM, Matt Perkins <<a href="mailto:matt@spectrum.com.au">matt@spectrum.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-2133378363593843772moz-cite-prefix">An example might be: law enforcement
use a lawful instrument to tell, say, Apple to push firmware to a
user's phone (say, based on Apple ID) that takes a screenshot every
time any instant messaging app updates the screen. Pack up all
those images and send them through to government-zyx every 5
minutes. You can hardly call their firmware update system a
systemic weakness. But then some changes might need to be made
to allow a push to a specific device/user, and without the user
seeing the process. Is that a weakness? Who knows; someone more
knowledgeable of the law than me. <br>
</div>
<div class="m_-2133378363593843772moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772moz-cite-prefix">Remember these are the same people that
say the laws of maths will bow to the laws of Australia. They
really don't care how it works; that's someone else's problem. Time
to head to the parliament cafe for a sandwich and check the latest
tweets from Paul Murray. <br>
</div>
<div class="m_-2133378363593843772moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772moz-cite-prefix">Matt.</div>
<div class="m_-2133378363593843772moz-cite-prefix">On 12/12/18 2:41 pm, Paul Wilkins
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Neither the law nor technology has a great record for
interest in epistemological questions, but Matt's question
raises interesting epistemological questions around the
application of 317ZG and the meaning of "systemic weakness".</div>
<div><br>
</div>
<div>The whole point of the Assistance and Access Act is to
target end point computing devices. So at some point, law
enforcement has to exercise a control plane function to
extract data from that device. The existence of this control
plane function is additional to the device's functionality,
and so expands the attack surface of the device. So it can be
argued that any attempt by law enforcement to access end
point devices via additional mechanisms introduced via TCN/TAN
notices, constitutes a systemic weakness, and gives rise to
the protections of 317ZG that forbid the introduction of
systemic weaknesses. Consequently, no TCN or TAN is
enforceable in an epistemological sense. (They may be
enforceable at law, but I don't pretend to be a legal expert).<br>
</div>
<div><br>
</div>
<div>Kind regards</div>
<div><br>
</div>
<div>Paul Wilkins<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 12 Dec 2018 at 13:21, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">The inclusion of judicial authorisation of
notices is an important safeguard, for no less reason than
that it would provide the necessary safeguard against a
TCN or TAN being used as constituting authorisation under
section 313C(3) and s280(1)(b) of the Telecommunications
Act for the bulk disclosure of carrier metadata.<br>
<br>
Kind regards<br>
<br>
Paul Wilkins<br>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 12 Dec 2018 at 13:14, Paul Brooks
<<a href="mailto:pbrooks-ausnog@layer10.com.au" target="_blank">pbrooks-ausnog@layer10.com.au</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix">Paul
- those are the additional Opposition amendments, to
have been moved by Penny Wong, that were not
introduced and are not part of the current
legislation. If the opposition crosses its fingers,
they might be allowed to try them in February.</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix">Right
now, the relevant part is 317WA Assessment and report
(regarding a TCN):</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix">
<blockquote type="cite"><br>
(1) If a consultation notice is given to a
designated communications provider under subsection
317W(1) in relation to a proposed technical
capability notice, the provider may, within the time
limit specified in the consultation notice, give the
Attorney-General a written notice requesting the
carrying out of an assessment of whether the
proposed technical capability notice should be
given.<br>
(2) If a designated communications provider gives
the Attorney-General a notice under subsection (1)
in relation to a proposed technical capability
notice, the Attorney-General must appoint 2 persons
to carry out an assessment of whether the proposed
technical capability notice should be given.<br>
(3) For the purposes of this section, the persons
appointed under subsection (2) are to be known as
the <i>assessors.</i><br>
(4) One of the assessors must be a person who: <br>
(a) has knowledge that would enable the
person to assess whether proposed technical
capability notices would contravene section 317ZG;
and<br>
(b) is cleared for security purposes to:<br>
(i) the highest level
required by staff members of ASIO; or<br>
(ii) such lower level as
the Attorney-General approves.<br>
(5) One of the assessors must be a person who:<br>
(a) has served as a judge in one or
more prescribed courts for a period of 5 years; and<br>
(b) no longer holds a commission as a
judge of a prescribed court.</blockquote>
<br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix">etc.</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072moz-cite-prefix">On
12/12/2018 12:45 pm, Paul Wilkins wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>317V, substitute:<br>
unless:<br>
<div style="margin-left:40px">(a) the
Attorney-General is satisfied that:<br>
</div>
<div style="margin-left:80px">(i) the
requirements imposed by the notice are
reasonable and proportionate; and<br>
(ii) compliance with the notice is practicable
and technically feasible; and<br>
</div>
<div style="margin-left:40px"><b>(b) an eligible
Judge has approved the giving of the notice.</b><br>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 12 Dec 2018 at 12:39, Paul
Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><a href="https://parlinfo.aph.gov.au/parlInfo/download/legislation/amend/r6195_amend_96ffec08-558c-4ff9-9448-0a18c21cf1c7/upload_pdf/8627%20CW%20Telecommunications%20and%20Other%20Legislation%20Amendment%20(Assistance%20and%20Access)%20Bill%202018%20Wong.pdf;fileType=application/pdf" target="_blank">https://parlinfo.aph.gov.au/parlInfo/download/legislation/amend/r6195_amend_96ffec08-558c-4ff9-9448-0a18c21cf1c7/upload_pdf/8627%20CW%20Telecommunications%20and%20Other%20Legislation%20Amendment%20(Assistance%20and%20Access)%20Bill%202018%20Wong.pdf;fileType=application/pdf</a><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 12 Dec 2018 at 12:25,
Paul Brooks <<a href="mailto:pbrooks-ausnog@layer10.com.au" target="_blank">pbrooks-ausnog@layer10.com.au</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix">@Matt
- 'a screen capture and remote access
ability', if installed on all phones would
surely be a 'systemic vulnerability' in
anybody's view, and would be a global
disaster if the method of triggering this
ability escaped to the wider world. This
would be an example of precisely the
dangerous and ill-advised exploit that we
are all concerned the agencies might ask
for in ignorance. Heck, this is exactly
the sort of malware exploit that
after-market malware scanners and virus
checkers for phones should be looking for
to detect and warn the user if an app
or the OS had been compromised and was
attempting to do these things. I can see a
rapidly growing market for malware
checkers!</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix">@Paul
- where is the requirement for 'judicial
approval'? - it doesn't go anywhere near a
court. The TCN can be issued by the
Attorney General. If (and only if) the
recipient thinks it might be able to be
pushed back on, they can ask for a review
by a *retired* judge and a tech expert
with a high security clearance. A
*retired* judge is not a 'judicial
approval', and the easiest place to source
the other expert from is from within ASIO
- hardly independent. The AGD chooses the
two reviewers, not the recipient. The
legislation as passed also doesn't deal
with the situation if the two experts
disagree on whether it is allowable or
not. And there is no requirement for a
warrant to have been issued - the whole
point of a TCN is to preemptively create a
capability that can be exploited later, on
the off chance there will be a future
warrant that requires the exploit to be
triggered.<br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix">Paul.<br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix"><br>
</div>
<div class="m_-2133378363593843772gmail-m_1481898916327875589gmail-m_6924476029596879072gmail-m_520188063830096251gmail-m_5788927746176696892moz-cite-prefix">On
12/12/2018 12:02 pm, Paul Wilkins wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Matt,
(IANAL)</div>
<div>But it
appears on my
reading that
both 317ZG and
more
specifically
the new 317ZGA
would arguably
prohibit this.</div>
<div><br>
</div>
<div>The
(pending?)
amendments are
worth a read.
Stronger terms
on 317ZG and
importantly -
<b>requirement
for judicial
approval of
TCNs</b>.<br>
</div>
<div><br>
</div>
<div>
<div style="margin-left:40px">317P
(5)(2)(d) the
designated
communications
provider has,
if reasonably
practicable,
been consulted
and given a
reasonable
opportunity to
make
submissions on
whether the
requirements
to be imposed
by the notice
are reasonable
and
proportionate
and whether
compliance
with the
notice is
practicable
and
technically
feasible.<br>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 12 Dec 2018 at
11:30, Matt Perkins <<a href="mailto:matt@spectrum.com.au" target="_blank">matt@spectrum.com.au</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">It
strikes me that all that will be
needed is for the phone manufacturers to
put a screen capture and remote access
ability on the phones. Then all law
enforcement need to do is read the
screens; no need to involve the
individual app makers at all. They
are after a wide and non-savvy
audience here. Looking over the
shoulder of phone users is what we are
talking about. I would say expect to
see a boost in convictions of medium
size drug distributors and small
amateur terror type people. <br>
<br>
These are the same people that used
SMS before; they just want that
capability back. <br>
<br>
Matt<br>
<br>
-- <br>
/* Matt Perkins<br>
Direct 1300 137 379
Spectrum Networks Ptd. Ltd.<br>
Office 1300 133 299 <a href="mailto:matt@spectrum.com.au" target="_blank">matt@spectrum.com.au</a><br>
Fax 1300 133 255 Level
6, 350 George Street Sydney 2000<br>
SIP <a href="mailto:1300137379@sip.spectrum.com.au" target="_blank">1300137379@sip.spectrum.com.au</a><br>
Google Talk <a href="mailto:MattAPerkins@gmail.com" target="_blank">MattAPerkins@gmail.com</a><br>
PGP/GNUPG Public Key can be
found at <a href="http://pgp.mit.edu" rel="noreferrer" target="_blank">http://pgp.mit.edu</a><br>
*/<br>
<br>
> On 12 Dec 2018, at 8:27 am, Paul
Brooks <<a href="mailto:pbrooks-ausnog@layer10.com.au" target="_blank">pbrooks-ausnog@layer10.com.au</a>>
wrote:<br>
> <br>
>> On 12/12/2018 3:54 am, Scott
Weeks wrote:<br>
>> <br>
>> -----------------<br>
>> The Bill was passed on
Thursday<br>
>> -----------------<br>
>> <br>
>> <br>
>> Damn, I'm gonna need a bigger
bag of popcorn!<br>
>> Waaaay bigger. I can't wait
to see how this <br>
>> plays out.<br>
> <br>
> We'll probably never know how
this plays out, unless one of the
major global brands<br>
> pulls out of the Australian
market.<br>
> <br>
> Tech companies doing development
in Aust will put in independent code
reviews by an<br>
> offshore team to protect against
onshore employees, or will quietly
close Australian<br>
> development shops over years.
Some tech companies will move overseas
- gradually,<br>
> over months and years. Net
result - lower demand for Australian
IT staff, lower<br>
> export figures in the DFAT stats
over years.<br>
> <br>
> Many 'component manufacturers or
suppliers' will blithely carry on,
unaware this might<br>
> apply to them at all until they
receive a notice<br>
> <br>
> A massive data breach in 3 years
time may not be traced back to a
system change caused<br>
> as a result of a notice, or if an
investigation does uncover the root
cause, is likely<br>
> to be quietly hushed up.<br>
> <br>
> It'll take a massive
ASIC-website-blocking-like event
own-goal to generate demand for<br>
> popcorn. That or a majority of
politicians starting to listen to
experts rather than<br>
> agencies and repealing it, and
there's precious few Andrew Wilkies
around at the<br>
> moment so that's even less
likely.<br>
> <br>
> P.<br>
>> scott<br>
>>>
_______________________________________________<br>
>>> AusNOG mailing list<br>
>>> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
>>> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
<pre class="m_-2133378363593843772moz-signature" cols="72">--
/* Matt Perkins
Direct 1300 137 379 Spectrum Networks Ptd. Ltd.
Office 1300 133 299 <a class="m_-2133378363593843772moz-txt-link-abbreviated" href="mailto:matt@spectrum.com.au" target="_blank">matt@spectrum.com.au</a>
Level 6, 350 George Street Sydney 2000
Spectrum Networks is a member of the Communications Alliance & TIO
*/
</pre>
</div>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Sent from my iPhone. Apologies for typos and brevity</div>