[AusNOG] Dutton decryption bill
Alan Maher
alanmaher at gmail.com
Tue Sep 4 20:25:19 EST 2018
The real debate is about who is watching the watchers, as always!
On 4/09/2018 9:37 p.m., Martin Hepworth wrote:
>
> As a Brit working for an Ozzie firm in the UK it's interesting looking
> at this that the link talks about 5eyes and not just Australia. We
> know the debate is happening in the US and the UK but this is the
> first time the 5eyes has been explicitly mentioned as a whole in this
> context afaik
>
> Martin
>
>
> On Tue, 4 Sep 2018 at 10:17, Paul Wilkins <paulwilkins369 at gmail.com> wrote:
>
> There is one point which I'll be making in my submission which
> needs to be firmly pressed home - that there should not be a
> diversity of agencies all with the power to authorise and execute
> Assistance/Capability Notices. This should be managed through a
> single agency, that serves as the interface for the purposes of
> the bill, between law enforcement, and service providers. This is
> the only way to ensure a standard capability for intelligence
> gathering across agencies, smooth administration of justice and
> execution of Assistance/Capability Notices, and reduces the
> vulnerability which would arise from over a dozen different
> agencies and their agents all with access to service provider
> networks and services. This one agency should work as a clearing
> house for Assistance/Capability Notices, and for disseminating
> gleaned data to client agencies.
>
> I'd encourage others making submissions to raise the same point.
> Government has clearly not considered this dimension, otherwise
> the first cab off the rank in the bill's phrasing would be to
> create a new agency, or to identify a single agency on which to
> confer these powers.
>
> Kind regards
>
>
> Paul Wilkins
>
>
> On Tue, 4 Sep 2018 at 18:02, Paul Wilkins <paulwilkins369 at gmail.com> wrote:
>
> and the stick...
>
> "Should governments continue to encounter impediments to
> lawful access to information necessary to aid the protection
> of the citizens of our countries, we may pursue technological,
> enforcement, legislative or other measures to achieve lawful
> access solutions."
>
> On Tue, 4 Sep 2018 at 17:56, Paul Wilkins <paulwilkins369 at gmail.com> wrote:
>
> "We have agreed to a Statement of Principles on Access to
> Evidence and Encryption
> <https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption>
> that sets out a framework for discussion with industry on
> resolving the challenges to lawful access posed by
> encryption, while respecting human rights and fundamental
> freedoms."
>
> Interesting...
>
> On Tue, 4 Sep 2018 at 17:34, Serge Burjak <sburjak at systech.com.au> wrote:
>
> https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018
>
> I think it's just been released. Apologies if it's a dupe.
>
> On Tue, 4 Sep 2018 at 14:16, Jim Woodward <jim at alwaysnever.net> wrote:
>
> Hi All,
>
> The problem with the ‘device malware’ approach is
> also that if such an approach is used where the
> intention is to target a single device and the
> software / hardware vendor screws up and deploys
> the ‘weakened’ application to many devices instead
> of one specific device then there is the potential
> to weaken the security and compromise the privacy
> of others.
>
> I’m sure there’s some political double talk that
> would cover this scenario and that the onus would
> be solely on the vendor for making sure this does
> not happen; the worry is that this exact scenario
> is possible, especially if proofs of concept
> accidentally get released into the wild.
>
> The public should be concerned about this for if
> we end up in a situation where users don’t trust
> security updates (or updates of any type) then
> we’re in the same boat as having a purposefully
> compromised application deployed, we’d have
> devices with known vulnerabilities with updates
> turned off which would be arguably more serious as
> time goes on.
>
> I truly believe the reason this legislation is so
> vague is that they’re trying to find a solution
> where no one scenario is without significant
> risks, they’re trying to hold water in a sieve by
> tipping more water into it in an effort to fill it.
>
> Kind Regards,
>
> Jim.
>
> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> *On Behalf Of* Paul Brooks
> *Sent:* Tuesday, 4 September 2018 12:05 AM
> *To:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] Dutton decryption bill
>
> On 3/09/2018 11:47 AM, Chris Ford wrote:
>
> Paul,
>
> I agree with you in general as to the point
> that if we are happy with the premise of the
> current TIA Act that LEAs should be able to
> intercept communications with a duly
> authorised warrant, then extending that to
> encrypted services seems a reasonable
> extension to keep up with technology.
>
> However, the current intercept regime is very
> difficult if not impossible for a bad actor to
> exploit. The intercept points are within the
> Carrier and CSP networks, out of reach of most
> people. When we move to intercept end-to-end
> encrypted services you either need to break
> the encryption (which thankfully does not seem
> to be the path anybody is proposing), OR, you
> need to access the clear text at the end point
> itself. The problem I have with this is that
> the end point is out in user land,
> often accessible to anyone on the internet,
> and now exposed to exploit by bad actors.
>
> ...And this is it. The new legislation is NOT about
> encryption, primarily, despite what we thought
> before the draft was released.
> They've explicitly acknowledged they can't 'break'
> encryption, and do not want to weaken encryption.
> They want the sent and received message text,
> stored in the device after/before the encrypted
> transport.
>
> It's actually a 'device malware' bill - a bill to
> enable general police forces to achieve things
> that previously only shadowy four-letter agencies
> could do - implant malware and modify the function
> of any end-user device, handset, modem, laptop,
> tablet, printer, connected TV, Amazon Alexa/Google
> Home/etc. Actually it goes further - rather than
> implant the malware themselves once they've
> achieved physical access, this 'device malware'
> bill enables them to ask nicely for assistance,
> and then to require, the device suppliers and
> manufacturers to build and implant the exploit for
> them. Why should AS** develop an exploit, when
> they can ask Apple or Netgear or Samsung nicely to
> develop and install the exploit for them.
>
> We've spent decades educating users that the green
> padlock on a website means something, and that
> 'IOT devices' such as your average Smart TV might
> be easily hijacked and be recording and watching
> the home through its microphone and embedded
> webcam. This bill makes government-authorised
> modified firmware with exploits that the network
> and software industry have spent billions
> developing virus scanning apps to detect and
> eradicate.
>
> Paul.
>
>
>
>
> --
> Chris Ford | CTO
> Inabox Group Limited
> Ph: +61 2 8275 6871
> Mb: +61 401 988 844
> Em: chris.ford at inaboxgroup.com.au
>
> ------------------------------------------------------------------------
>
> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Paul Wilkins <paulwilkins369 at gmail.com>
> *Sent:* Monday, 3 September 2018 11:31:14 AM
> *To:* AusNOG at lists.ausnog.net
> *Subject:* Re: [AusNOG] Dutton decryption bill
>
> Bradley,
>
> The Common Law has always allowed judicial
> scrutiny of our privacy. There's always been
> the right for judicial search warrants to
> override what's considered one's private
> domain. I'm supportive of this bill where it
> extends judicial oversight to the cyber domain,
> which is a gap that exists only because
> legislation/common law has lagged behind
> technology. While at the same time realising
> that conversations conducted over the
> internet, even if encrypted, are more properly
> regarded as public conversations, than say one
> you might have in your living room. Whether
> government is going to regulate the internet,
> the boat has sailed on this long ago. The hard
> line privacy advocates are simply going to be
> left out of a conversation democracy needs to
> have over not whether the internet should be
> regulated, but how.
>
> What's interesting in this bill is that it
> goes beyond extending judicial writ, allowing
> law enforcement emergency powers the right to
> surveil suspects. This will be authorised by
> law enforcement, without judicial or
> governmental oversight. I think this probably
> goes too far. The best outcome for everyone,
> to protect privacy, and to empower law
> enforcement to enforce laws and to protect
> citizens rights, would be to limit the scope
> of these new powers to judicial writ.
>
> Kind regards
>
> Paul Wilkins
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>