[AusNOG] Assistance and Access Bill moves to PJCIS

Roy Adams roy at racs.com.au
Wed Dec 12 20:35:52 EST 2018


Strikes me that a firmware update surprise for a savvy iPhone user that
chats with other iPhone users who did not get an update would find this
suspicious. Same for Android users of course. That also ignores how big the
update is and how much data would be used sending 5 minute archives that
run cell data to the plan limit of the user getting an isp data limit near
warning

On Wed, 12 Dec 2018 at 12:58 PM, Matt Perkins <matt at spectrum.com.au> wrote:

> An example might be, Law enforcement use a lawful instrument to tell say
> Apple. Push firmware to a users phone (say based on apple id) that takes a
> screen shot every time any instant messaging app updates the screen. Pack
> up all those images and send them through to government-zyx  every 5
> minutes.  You can hardly call there firmware update system a systemic
> weakness.  But then some changes might need to be made  to allow push to a
> specific device/user and without the user seeing the process. Is that a
> weakness who knows someone more knowledgeable of the law then me.
>
> Remember these are the same people that say the law's of math will bow to
> the laws of Australia. They really dont care how it work's that's someone
> ease's problem time to head to the parliament cafe for a sandwich and check
> latest tweets from Paul Murry.
>
> Matt.
>
>
>
>
>
> On 12/12/18 2:41 pm, Paul Wilkins wrote:
>
> Neither the law nor technology has a great record for interest in
> epistemological questions, but Matt's question raises interesting
> epistemological questions around the application of 317ZG and the meaning
> of "systemic weakness".
>
> The whole point of the Assistance and Access Act is to target end point
> computing devices. So at some point, law enforcement has to exercise a
> control plane function to extract data from that device. The existence of
> this control plane function is additional to the device's functionality,
> and so expands the attack surface of the device. So it can be argued, that
> any attempt by law enforcement to access end point devices via additional
> mechanisms introduced via TCN/TAN notices, constitutes a systemic weakness,
> and gives rise to the protections of 317ZG that forbid the introduction of
> systemic weaknesses. Consequently, no TCN or TAN is enforceable in an
> epistemological sense. (They may be enforceable at law, but I don't pretend
> to be a legal expert).
>
> Kind regards
>
> Paul Wilkins
>
> On Wed, 12 Dec 2018 at 13:21, Paul Wilkins <paulwilkins369 at gmail.com>
> wrote:
>
>> The inclusion of judicial authorisation of notices is an important
>> safeguard, for no less reason than that it would provide the necessary
>> safeguard against a TCN or TAN being used as constituting authorisation
>> under section 313C(3) and s280(1)(b) of the Telecommunications Act for the
>> bulk disclosure of carrier metadata.
>>
>> Kind regards
>>
>> Paul Wilkins
>>
>>
>> On Wed, 12 Dec 2018 at 13:14, Paul Brooks <pbrooks-ausnog at layer10.com.au>
>> wrote:
>>
>>> Paul - those are the additional Opposition amendments, to have been
>>> moved by Penny Wong, that were not introduced and are not part of the
>>> current legislation. If the opposition crosses its fingers, they might be
>>> allowed to try them in February.
>>>
>>> Right now, the relevant part is 317WA  Assessment and report (regarding
>>> a TCN):
>>>
>>>
>>> (1) If a consultation notice is given to a designated communications
>>> provider under subsection 317W(1) in relation to a proposed technical
>>> capability notice, the provider may, within the time limit specified in the
>>> consultation notice, give the Attorney-General a written notice requesting
>>> the carrying out of an assessment of whether the proposed technical
>>> capability notice should be given.
>>> (2) If a designated communications provider gives the Attorney-General a
>>> notice under subsection (1) in relation to a proposed technical capability
>>> notice, the Attorney-General must appoint 2 persons to carry out an
>>> assessment of whether the proposed technical capability notice should be
>>> given.
>>> (3) For the purposes of this section, the persons appointed under
>>> subsection (2) are to be known as the *assessors.*
>>> (4) One of the assessors must be a person who:
>>>             (a) has knowledge that would enable the person to assess
>>> whether proposed technical capability notices would contravene section
>>> 317ZG; and
>>>             (b) is cleared for security purposes to:
>>>                             (i) the highest level required by staff
>>> members of ASIO; or
>>>                             (ii) such lower level as the
>>> Attorney-General approves.
>>> (5) One of the assessors must be a person who:
>>>                (a) has served as a judge in one or more prescribed
>>> courts for a period of 5 years; and
>>>                (b) no longer holds a commission as a judge of a
>>> prescribed court.
>>>
>>>
>>> etc.
>>>
>>>
>>>
>>> On 12/12/2018 12:45 pm, Paul Wilkins wrote:
>>>
>>>
>>>
>>> 317V, substitute:
>>> unless:
>>> (a) the Attorney-General is satisfied that:
>>> (i) the requirements imposed by the notice are reasonable and
>>> proportionate; and
>>> (ii) compliance with the notice is practicable and technically feasible;
>>> and
>>> *(b) an eligible Judge has approved the giving of the notice.*
>>>
>>> On Wed, 12 Dec 2018 at 12:39, Paul Wilkins <paulwilkins369 at gmail.com>
>>> wrote:
>>>
>>>>
>>>> https://parlinfo.aph.gov.au/parlInfo/download/legislation/amend/r6195_amend_96ffec08-558c-4ff9-9448-0a18c21cf1c7/upload_pdf/8627%20CW%20Telecommunications%20and%20Other%20Legislation%20Amendment%20(Assistance%20and%20Access)%20Bill%202018%20Wong.pdf;fileType=application/pdf
>>>>
>>>> On Wed, 12 Dec 2018 at 12:25, Paul Brooks <
>>>> pbrooks-ausnog at layer10.com.au> wrote:
>>>>
>>>>> @Matt - 'a screen capture and remote access ability', if installed on
>>>>> all phones would surely be a 'systemic vulnerability' in anybody's view,
>>>>> and would be a global disaster if the method of triggering this ability
>>>>> escaped to the wider world. This would be an example of precisely the
>>>>> dangerous and ill-advised exploit that we are all concerned the agencies
>>>>> might ask for in ignorance.   Heck, this is exactly the sort of malware
>>>>> exploit that after-market malware scanners and virus checkers for phones
>>>>> should be looking for to to detect and warn the user if an app or the OS
>>>>> had been compromised and was attempting to do these things. I can see a
>>>>> rapidly growing market for malware checkers!
>>>>>
>>>>> @Paul - where is the requirement for 'judicial approval'? - it doesn't
>>>>> go anywhere near a court.   The TCN can be issued by the Attorney General.
>>>>> If (and only if) the recipient thinks it might be able to be pushed back
>>>>> on, they can ask for a review by a *retired* judge and a tech expert with a
>>>>> high security clearance.  A *retired* judge is not a 'judicial approval',
>>>>> and the easiest place to source the other expert from is from within ASIO -
>>>>> hardly independent.  The AGD chooses the two reviewers, not the recipient.
>>>>> The legislation as passed also doesn't deal with the situation if the two
>>>>> experts disagree on whether it is allowable or not.   And there is no
>>>>> requirement for a warrant to have been issued - the whole point of a TCN is
>>>>> to preemptively create a capability that can be exploited later, on the off
>>>>> chance there will be a future warrant that requires the exploit to be
>>>>> triggered.
>>>>>
>>>>> Paul.
>>>>>
>>>>> On 12/12/2018 12:02 pm, Paul Wilkins wrote:
>>>>>
>>>>> Matt, (IINAL)
>>>>> But it appears on my reading that both 317ZG and more specifically the
>>>>> new 317ZGA would arguably prohibit this.
>>>>>
>>>>> The (pending?) amendments are worth a read. Stronger terms on 317ZG
>>>>> and importantly - *requirement for judicial approval of TCNs*.
>>>>>
>>>>> 317P (5)(2)(d) the designated communications provider has, if
>>>>> reasonably practicable, been consulted and given a reasonable opportunity
>>>>> to make submissions on whether the requirements to be imposed by the notice
>>>>> are reasonable and proportionate and whether compliance with the notice is
>>>>> practicable and technically feasible.
>>>>>
>>>>>
>>>>> On Wed, 12 Dec 2018 at 11:30, Matt Perkins <matt at spectrum.com.au>
>>>>> wrote:
>>>>>
>>>>>> It strikes me that all that will be needed is the phone manufacturers
>>>>>> to put a screen capture and remote access ability on the phones. Then Law
>>>>>> enforcement need to do is read the screens no need to involve the
>>>>>> individual app makers at all.  They are after a wide and non savvy audience
>>>>>> here. Looking over the shoulder of phone users is what we are talking
>>>>>> about. I would say expect to see a boost in convictions of medium size drug
>>>>>> distributors  and  small amateur terror type people.
>>>>>>
>>>>>> These are the same people that used sms before they just want that
>>>>>> capability back.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> /* Matt Perkins
>>>>>>        Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
>>>>>>        Office 1300 133 299     matt at spectrum.com.au
>>>>>>        Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
>>>>>>       SIP 1300137379 at sip.spectrum.com.au
>>>>>>        Google Talk MattAPerkins at gmail.com
>>>>>>        PGP/GNUPG Public Key can be found at  http://pgp.mit.edu
>>>>>> */
>>>>>>
>>>>>> > On 12 Dec 2018, at 8:27 am, Paul Brooks <
>>>>>> pbrooks-ausnog at layer10.com.au> wrote:
>>>>>> >
>>>>>> >> On 12/12/2018 3:54 am, Scott Weeks wrote:
>>>>>> >>
>>>>>> >> -----------------
>>>>>> >> The Bill was passed on Thursday
>>>>>> >> -----------------
>>>>>> >>
>>>>>> >>
>>>>>> >> Damn, I'm gonna need a bigger bag of popcorn!
>>>>>> >> Waaaay bigger.  I can't wait to see how this
>>>>>> >> plays out.
>>>>>> >
>>>>>> > We'll probably never know how this plays out, unless one of the
>>>>>> major global brands
>>>>>> > pulls out of the Australian market.
>>>>>> >
>>>>>> > Tech companies doing development in Aust will put in independent
>>>>>> code reviews by an
>>>>>> > offshore team to protect against onshore employees, or will quietly
>>>>>> close Australian
>>>>>> > development shops over years.  Some tech companies will move
>>>>>> overseas - gradually,
>>>>>> > over months and years.    Net result - lower demand for Australian
>>>>>> IT staff, lower
>>>>>> > export figures in the DFAT stats over years.
>>>>>> >
>>>>>> > Many 'component manufacturers or suppliers' will blithely carry on,
>>>>>> unaware this might
>>>>>> > apply to them at all until they receive a notice
>>>>>> >
>>>>>> > A massive data breach in 3 years time may not be traced back to a
>>>>>> system change caused
>>>>>> > as a result of a notice, or if an investigation does uncover the
>>>>>> root cause, is likely
>>>>>> > to be quietly hushed up.
>>>>>> >
>>>>>> > It'll take a massive ASIC-website-blocking-like event own-goal to
>>>>>> generate demand for
>>>>>> > popcorn. That or a majority of politicians starting to listen to
>>>>>> experts rather than
>>>>>> > agencies and repealing it, and there's precious few Andrew Wilkies
>>>>>> around at the
>>>>>> > moment so that's even less likely.
>>>>>> >
>>>>>> > P.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >>
>>>>>> >> scott
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> _______________________________________________
>>>>>> >>> AusNOG mailing list
>>>>>> >>> AusNOG at lists.ausnog.net
>>>>>> >>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >> _______________________________________________
>>>>>> >> AusNOG mailing list
>>>>>> >> AusNOG at lists.ausnog.net
>>>>>> >> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>> >>
>>>>>> >>
>>>>>> >> _______________________________________________
>>>>>> >> AusNOG mailing list
>>>>>> >> AusNOG at lists.ausnog.net
>>>>>> >> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>> >
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > AusNOG mailing list
>>>>>> > AusNOG at lists.ausnog.net
>>>>>> > http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>>
>>>>>> _______________________________________________
>>>>>> AusNOG mailing list
>>>>>> AusNOG at lists.ausnog.net
>>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> AusNOG mailing listAusNOG at lists.ausnog.nethttp://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> AusNOG mailing list
>>>>> AusNOG at lists.ausnog.net
>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>
>>>>
>>>
> _______________________________________________
> AusNOG mailing listAusNOG at lists.ausnog.nethttp://lists.ausnog.net/mailman/listinfo/ausnog
>
>
> --
> /* Matt Perkins
>         Direct 1300 137 379        Spectrum Networks Ptd. Ltd.
>         Office 1300 133 299        matt at spectrum.com.au
>                                    Level 6, 350 George Street Sydney 2000
>         Spectrum Networks is a member of the Communications Alliance & TIO
> */
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-- 
Sent from my iPhone. Apologies for typos and brevity
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20181212/9093d958/attachment.html>


More information about the AusNOG mailing list