From philip.loenneker at tasmanet.com.au Mon Sep 5 09:04:22 2022 From: philip.loenneker at tasmanet.com.au (Philip Loenneker) Date: Sun, 4 Sep 2022 23:04:22 +0000 Subject: [AusNOG] AusNOG 2022 was awesome Message-ID: Thank you everyone who contributed to the event, whether that was helping with organisation, providing content, sponsorship, just being there, or arranging for your staff attend. I always enjoy it, and feel lucky to be part of such an awesome community. I especially enjoyed the presentations from our NZ friends - they were very entertaining. And of course seeing Vint Cerf was a real treat! I have a question about the gift bag... what is the IAA USB gadget? I have a general rule of not plugging in untrusted USB devices so I haven't done anything with it yet. It appears to be a USB A male and female connector with some unknown function in the middle. It could be a keylogger, simulated keyboard for pranks, a USB drive or wireless dongle plus hub combo, a very small USB extension cable, or any number of other things. Regards, Philip Loenneker | Senior Network Engineer Field Solution Group -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at mc.id.au Mon Sep 5 09:48:05 2022 From: mark at mc.id.au (Mark Caetano) Date: Mon, 5 Sep 2022 09:48:05 +1000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: <3E23554E-F614-48C0-84D3-6B2D2665D54D@mc.id.au> Consensus (after SomeOne offered theirs up for sacrifice) is that it?s a USB data blocker. Basically drops the data pins when charging over USB. https://offgrid.co/blogs/journal/what-is-a-data-blocker-and-why-you-need-one-today --- Regards, Mark Caetano Sent from my iPhone > On 5 Sep 2022, at 09:05, Philip Loenneker wrote: > > ? > Thank you everyone who contributed to the event, whether that was helping with organisation, providing content, sponsorship, just being there, or arranging for your staff attend. 
I always enjoy it, and feel lucky to be part of such an awesome community. I especially enjoyed the presentations from our NZ friends ? they were very entertaining. And of course seeing Vint Cerf was a real treat! > > I have a question about the gift bag? what is the IAA USB gadget? I have a general rule of not plugging in untrusted USB devices so I haven?t done anything with it yet. It appears to be a USB A male and female connector with some unknown function in the middle. It could be a keylogger, simulated keyboard for pranks, a USB drive or wireless dongle plus hub combo, a very small USB extension cable, or any number of other things. > > Regards, > Philip Loenneker | Senior Network Engineer > Field Solution Group > > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog -------------- next part -------------- An HTML attachment was scrubbed... URL: From m.enger at xi.com.au Mon Sep 5 10:36:48 2022 From: m.enger at xi.com.au (Matthew Enger) Date: Mon, 5 Sep 2022 00:36:48 +0000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: Hi Philip, It is a USB data blocker, the idea being you plug that between a untrusted usb port and your phone/device cable so you can charge your phone but the port cannot talk data to your phone/device. [signature_4013076670] MATTHEW ENGER | Managing Director T 1300 789 299 D 03 9909 3104 M 0406 532 792 m.enger at xi.com.au | www.xi.com.au This message is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. Please send us by fax any message containing deadlines as incoming e-mails are not screened for response deadlines. 
The integrity and security of this message cannot be guaranteed on the Internet. From: AusNOG on behalf of Philip Loenneker Date: Monday, 5 September 2022 at 9:05 am To: ausnog at ausnog.net Subject: [AusNOG] AusNOG 2022 was awesome Thank you everyone who contributed to the event, whether that was helping with organisation, providing content, sponsorship, just being there, or arranging for your staff attend. I always enjoy it, and feel lucky to be part of such an awesome community. I especially enjoyed the presentations from our NZ friends ? they were very entertaining. And of course seeing Vint Cerf was a real treat! I have a question about the gift bag? what is the IAA USB gadget? I have a general rule of not plugging in untrusted USB devices so I haven?t done anything with it yet. It appears to be a USB A male and female connector with some unknown function in the middle. It could be a keylogger, simulated keyboard for pranks, a USB drive or wireless dongle plus hub combo, a very small USB extension cable, or any number of other things. Regards, Philip Loenneker | Senior Network Engineer Field Solution Group Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering. https://www.mailguard.com.au/mg Report this message as spam -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 7645 bytes Desc: image001.png URL: From christoivosilva at gmail.com Mon Sep 5 11:01:07 2022 From: christoivosilva at gmail.com (Christo Da Silva) Date: Mon, 5 Sep 2022 09:01:07 +0800 Subject: [AusNOG] Foxtel Go and Kayo streaming issue Message-ID: Hi All, We are after a contact at Foxtel Go/ Kayo Sports . Our customers are encountering issues streaming video on these platforms and get an error message saying "a vpn or proxy server was detected". 
Our customers ( over 100 now) have confirmed that there is no vpn turned on and can replicate the issue on native tv apps, mobile apps and browsers. Has anyone seen this before? Any guidance would be appreciated. Thank you Christo -------------- next part -------------- An HTML attachment was scrubbed... URL: From stavros at staff.esc.net.au Mon Sep 5 11:56:18 2022 From: stavros at staff.esc.net.au (Stavros Patiniotis) Date: Mon, 5 Sep 2022 11:26:18 +0930 Subject: [AusNOG] Foxtel Go and Kayo streaming issue In-Reply-To: References: Message-ID: <075101d8c0ca$b07d7b50$117871f0$@staff.esc.net.au> Hi Christo, I normally find this is due to a geolocation mismatch. There are numerous different ip-to-geolocation databases, but I normally find IP2Location, Maxmind, and the geoloc field in your whois records are enough. You can check the various databases eg from something like https://whatismyipaddress.com/geolocation-providers. Hope this helps From: AusNOG On Behalf Of Christo Da Silva Sent: Monday, 5 September 2022 10:31 AM To: ausnog at ausnog.net Subject: [AusNOG] Foxtel Go and Kayo streaming issue Hi All, We are after a contact at Foxtel Go/ Kayo Sports . Our customers are encountering issues streaming video on these platforms and get an error message saying "a vpn or proxy server was detected". Our customers ( over 100 now) have confirmed that there is no vpn turned on and can replicate the issue on native tv apps, mobile apps and browsers. Has anyone seen this before? Any guidance would be appreciated. Thank you Christo -------------- next part -------------- An HTML attachment was scrubbed... URL: From christoivosilva at gmail.com Mon Sep 5 11:57:40 2022 From: christoivosilva at gmail.com (Christo Da Silva) Date: Mon, 5 Sep 2022 09:57:40 +0800 Subject: [AusNOG] Foxtel Go and Kayo streaming issue In-Reply-To: References: Message-ID: Hi All, Thank you all for your responses. Optus got back to us as it was affecting optus sports too. 
from optus- "We use a data source called GeoGuard from GeoComply which provides us with possible VPN and data centre CIDR ranges. I can confirm the following ranges are being blocked by the GeoGuard data set. It?s used by everyone in the media industry as it?s listed in rights agreements so mandated. It?s used by CloudFront, and Akamai too as a white glove service." thank you christo On Mon, Sep 5, 2022 at 9:01 AM Christo Da Silva wrote: > Hi All, > > We are after a contact at Foxtel Go/ Kayo Sports . Our customers are > encountering issues streaming video on these platforms and get an > error message saying "a vpn or proxy server was detected". Our customers ( > over 100 now) have confirmed that there is no vpn turned on and can > replicate the issue on native tv apps, mobile apps and browsers. > > Has anyone seen this before? Any guidance would be appreciated. > > Thank you > Christo > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Waite at comtel.com.au Mon Sep 5 13:15:27 2022 From: Steven.Waite at comtel.com.au (Steven Waite) Date: Mon, 5 Sep 2022 03:15:27 +0000 Subject: [AusNOG] Foxtel Go and Kayo streaming issue In-Reply-To: References: Message-ID: <0b41fa662da04f8cb159dc5d296a1320@comtel.com.au> I had a staff member complain about the same issue today and they are even using Foxtel internet. Was working last week. Same account same device works with 4-5g hot-spotting. Would seem some changes have been made or blocks added. From: AusNOG On Behalf Of Christo Da Silva Sent: Monday, 5 September 2022 11:58 AM To: ausnog at ausnog.net Subject: Re: [AusNOG] Foxtel Go and Kayo streaming issue Hi All, Thank you all for your responses. Optus got back to us as it was affecting optus sports too. from optus- "We use a data source called GeoGuard from GeoComply which provides us with possible VPN and data centre CIDR ranges. I can confirm the following ranges are being blocked by the GeoGuard data set. 
It?s used by everyone in the media industry as it?s listed in rights agreements so mandated. It?s used by CloudFront, and Akamai too as a white glove service." thank you christo On Mon, Sep 5, 2022 at 9:01 AM Christo Da Silva > wrote: Hi All, We are after a contact at Foxtel Go/ Kayo Sports . Our customers are encountering issues streaming video on these platforms and get an error message saying "a vpn or proxy server was detected". Our customers ( over 100 now) have confirmed that there is no vpn turned on and can replicate the issue on native tv apps, mobile apps and browsers. Has anyone seen this before? Any guidance would be appreciated. Thank you Christo -------------- next part -------------- An HTML attachment was scrubbed... URL: From narellec at gmail.com Mon Sep 5 13:54:56 2022 From: narellec at gmail.com (Narelle Clark) Date: Mon, 5 Sep 2022 13:54:56 +1000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: In the interest of reducing printed waste, we didn't put any blurb about the data blockers in the swag bags. We got them from a new supplier and by the time they got here we didn't see there was no info until it was too late. But yes, it is a data blocker, meaning it only enables the power pins across the USB port. Next time we'll at least put up a sign explaining it, cos we got quite a few questions! Great to see everyone last week, too! Another fun and informative time. Cheers Narelle On Mon, 5 Sept 2022 at 09:04, Philip Loenneker wrote: > > Thank you everyone who contributed to the event, whether that was helping with organisation, providing content, sponsorship, just being there, or arranging for your staff attend. I always enjoy it, and feel lucky to be part of such an awesome community. I especially enjoyed the presentations from our NZ friends ? they were very entertaining. And of course seeing Vint Cerf was a real treat! > > > > I have a question about the gift bag? what is the IAA USB gadget? 
I have a general rule of not plugging in untrusted USB devices so I haven?t done anything with it yet. It appears to be a USB A male and female connector with some unknown function in the middle. It could be a keylogger, simulated keyboard for pranks, a USB drive or wireless dongle plus hub combo, a very small USB extension cable, or any number of other things. > > > > Regards, > > Philip Loenneker | Senior Network Engineer > > Field Solution Group > > > > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog -- Narelle narellec at gmail.com From narellec at gmail.com Mon Sep 5 14:17:25 2022 From: narellec at gmail.com (Narelle Clark) Date: Mon, 5 Sep 2022 14:17:25 +1000 Subject: [AusNOG] modern awards In-Reply-To: References: Message-ID: Hi Nick There are three awards which apply (mostly!) in our space: Business Equipment Award [MA000021] Professional Employees Award [MA000065] Telecommunications Services Award [MA000041] If you are a licenced carrier then the last one is definitely the one which applies, the rest apply depending on what you do more broadly. Actually, given you're into web hosting, I might be inclined to go for the Business Equipment Award. I find it simpler and easier to use than the Telecoms one which really reflects over a century of Telstra's industrial disputes... of course, YMMV on that one! As far as the specific grade is concerned, the grades are nicely laid out and you can see what general tasks and skills that are used in the role and how they map to the pay scales. Either way, your letter of appointment (which is a contract) or formal contract (if that's what you have) should say what award you are starting the person on. And as others have said, get advice. I can recommend someone we've used off list if you like. Cos, not being either a lawyer or an HR specialist, I could be Quite Wrong. 
All the best Narelle On Fri, 26 Aug 2022 at 22:05, Nick Edwards wrote: > Hi, > Just been asked to ensure staff are paid at correct rates, I am satisfied > they are, however one guy has questioned it, he's not making a fuss, but > it's got me thinking, so I thought I'd ask the community here who surely > would know, before I go contacting and waiting 3 months for a reply from > FWA - before this dude just make a fuss :now we have a union run govt -> > > This is a webhosting company, only 6 employees, the guy is one of 3 > helpdesk tech support CSR's, he questions he is in the correct award, we > have him under MA000041 and cust contact level 1 (he has no special > qualifications and doesnt have server level access, your typical run of the > mill tech support dude) > > Anyone see this as a problem? > > OFF list replies welcome, since I think this might exceed the list > charter, to which I apologise for in advance. > > Ed > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -- Narelle narellec at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jenn at jenn.id.au Tue Sep 6 16:10:57 2022 From: jenn at jenn.id.au (Jennifer Sims) Date: Tue, 6 Sep 2022 16:10:57 +1000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: tbh I thought I was going to die when I stood up and presented. I hope it was insightful on how any team can pivot in a pandemic. In unrelated news, it was great to see talks from CloudFlare, Facebook etc on how they're changing the game. Special thanks to IAA Systers for an interesting day of workshops. It was very eye opening for me! AusNOG and any org getting this email, please consider supporting the IAA SYSTERS program because 27% of women are in tech for various reasons the other 73% aren't because of horrible behaviours, glass ceilings and more. 
Cheers Jen On Mon, Sep 5, 2022 at 1:55 PM Narelle Clark wrote: > In the interest of reducing printed waste, we didn't put any blurb > about the data blockers in the swag bags. We got them from a new > supplier and by the time they got here we didn't see there was no info > until it was too late. > > But yes, it is a data blocker, meaning it only enables the power pins > across the USB port. > > Next time we'll at least put up a sign explaining it, cos we got quite > a few questions! > > Great to see everyone last week, too! Another fun and informative time. > > > Cheers > > Narelle > > On Mon, 5 Sept 2022 at 09:04, Philip Loenneker > wrote: > > > > Thank you everyone who contributed to the event, whether that was > helping with organisation, providing content, sponsorship, just being > there, or arranging for your staff attend. I always enjoy it, and feel > lucky to be part of such an awesome community. I especially enjoyed the > presentations from our NZ friends ? they were very entertaining. And of > course seeing Vint Cerf was a real treat! > > > > > > > > I have a question about the gift bag? what is the IAA USB gadget? I have > a general rule of not plugging in untrusted USB devices so I haven?t done > anything with it yet. It appears to be a USB A male and female connector > with some unknown function in the middle. It could be a keylogger, > simulated keyboard for pranks, a USB drive or wireless dongle plus hub > combo, a very small USB extension cable, or any number of other things. 
> > > > > > > > Regards, > > > > Philip Loenneker | Senior Network Engineer > > > > Field Solution Group > > > > > > > > _______________________________________________ > > AusNOG mailing list > > AusNOG at ausnog.net > > https://lists.ausnog.net/mailman/listinfo/ausnog > > > > -- > > > Narelle > narellec at gmail.com > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -------------- next part -------------- An HTML attachment was scrubbed... URL: From david at hughes.id Tue Sep 6 16:56:42 2022 From: david at hughes.id (david at hughes.id) Date: Tue, 6 Sep 2022 16:56:42 +1000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: Hi Jen I hope you enjoyed your time at the conference, and thank you for your presentation. The CFP will open for next years conference in a few months ! (hint :) And regarding the Systers workshop, absolutely. AusNOG has supported it financially both time it's been run. It's great to hear it was of value to you. Regards, David ... > On 6 Sep 2022, at 4:10 pm, Jennifer Sims wrote: > > tbh I thought I was going to die when I stood up and presented. I hope it was insightful on how any team can pivot in a pandemic. > > In unrelated news, it was great to see talks from CloudFlare, Facebook etc on how they're changing the game. > > Special thanks to IAA Systers for an interesting day of workshops. It was very eye opening for me! > > AusNOG and any org getting this email, please consider supporting the IAA SYSTERS program because 27% of women are in tech for various reasons the other 73% aren't because of horrible behaviours, glass ceilings and more. > > Cheers > > Jen > > On Mon, Sep 5, 2022 at 1:55 PM Narelle Clark > wrote: > In the interest of reducing printed waste, we didn't put any blurb > about the data blockers in the swag bags. 
We got them from a new > supplier and by the time they got here we didn't see there was no info > until it was too late. > > But yes, it is a data blocker, meaning it only enables the power pins > across the USB port. > > Next time we'll at least put up a sign explaining it, cos we got quite > a few questions! > > Great to see everyone last week, too! Another fun and informative time. > > > Cheers > > Narelle > > On Mon, 5 Sept 2022 at 09:04, Philip Loenneker > > wrote: > > > > Thank you everyone who contributed to the event, whether that was helping with organisation, providing content, sponsorship, just being there, or arranging for your staff attend. I always enjoy it, and feel lucky to be part of such an awesome community. I especially enjoyed the presentations from our NZ friends ? they were very entertaining. And of course seeing Vint Cerf was a real treat! > > > > > > > > I have a question about the gift bag? what is the IAA USB gadget? I have a general rule of not plugging in untrusted USB devices so I haven?t done anything with it yet. It appears to be a USB A male and female connector with some unknown function in the middle. It could be a keylogger, simulated keyboard for pranks, a USB drive or wireless dongle plus hub combo, a very small USB extension cable, or any number of other things. 
> > > > > > > > Regards, > > > > Philip Loenneker | Senior Network Engineer > > > > Field Solution Group > > > > > > > > _______________________________________________ > > AusNOG mailing list > > AusNOG at ausnog.net > > https://lists.ausnog.net/mailman/listinfo/ausnog > > > > -- > > > Narelle > narellec at gmail.com > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog -------------- next part -------------- An HTML attachment was scrubbed... URL: From jenn at jenn.id.au Tue Sep 6 17:04:42 2022 From: jenn at jenn.id.au (Jennifer Sims) Date: Tue, 6 Sep 2022 17:04:42 +1000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: ooft bigger talks! I couldn't match Meta or CloudFlare even if I tried haha. On Tue, Sep 6, 2022 at 4:56 PM wrote: > Hi Jen > > I hope you enjoyed your time at the conference, and thank you for your > presentation. The CFP will open for next years conference in a few months > ! (hint :) > > And regarding the Systers workshop, absolutely. AusNOG has supported it > financially both time it's been run. It's great to hear it was of value to > you. > > > > Regards, > > David > ... > > On 6 Sep 2022, at 4:10 pm, Jennifer Sims wrote: > > tbh I thought I was going to die when I stood up and presented. I hope it > was insightful on how any team can pivot in a pandemic. > > In unrelated news, it was great to see talks from CloudFlare, Facebook etc > on how they're changing the game. > > Special thanks to IAA Systers for an interesting day of workshops. It was > very eye opening for me! 
> > AusNOG and any org getting this email, please consider supporting the IAA > SYSTERS program because 27% of women are in tech for various reasons the > other 73% aren't because of horrible behaviours, glass ceilings and more. > > Cheers > > Jen > > On Mon, Sep 5, 2022 at 1:55 PM Narelle Clark wrote: > >> In the interest of reducing printed waste, we didn't put any blurb >> about the data blockers in the swag bags. We got them from a new >> supplier and by the time they got here we didn't see there was no info >> until it was too late. >> >> But yes, it is a data blocker, meaning it only enables the power pins >> across the USB port. >> >> Next time we'll at least put up a sign explaining it, cos we got quite >> a few questions! >> >> Great to see everyone last week, too! Another fun and informative time. >> >> >> Cheers >> >> Narelle >> >> On Mon, 5 Sept 2022 at 09:04, Philip Loenneker >> wrote: >> > >> > Thank you everyone who contributed to the event, whether that was >> helping with organisation, providing content, sponsorship, just being >> there, or arranging for your staff attend. I always enjoy it, and feel >> lucky to be part of such an awesome community. I especially enjoyed the >> presentations from our NZ friends ? they were very entertaining. And of >> course seeing Vint Cerf was a real treat! >> > >> > >> > >> > I have a question about the gift bag? what is the IAA USB gadget? I >> have a general rule of not plugging in untrusted USB devices so I haven?t >> done anything with it yet. It appears to be a USB A male and female >> connector with some unknown function in the middle. It could be a >> keylogger, simulated keyboard for pranks, a USB drive or wireless dongle >> plus hub combo, a very small USB extension cable, or any number of other >> things. 
>> > >> > >> > >> > Regards, >> > >> > Philip Loenneker | Senior Network Engineer >> > >> > Field Solution Group >> > >> > >> > >> > _______________________________________________ >> > AusNOG mailing list >> > AusNOG at ausnog.net >> > https://lists.ausnog.net/mailman/listinfo/ausnog >> >> >> >> -- >> >> >> Narelle >> narellec at gmail.com >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From narellec at gmail.com Tue Sep 6 18:59:55 2022 From: narellec at gmail.com (Narelle Clark) Date: Tue, 6 Sep 2022 18:59:55 +1000 Subject: [AusNOG] AusNOG 2022 was awesome In-Reply-To: References: Message-ID: I think Jenn was referring to the Group not the entity when she was encouraging sponsorship - AusNOG the entity got plenty of happy shouts out during the IAA Systers day! We thank you muchly for the support. It's a huge help! What a great crowd we had this time around! A huge buzz. Let us know folks if you want to support it, all the attendees have given us massive ticks of approval. Cheers Narelle On Tue, 6 Sept 2022, 4:57 pm , wrote: > Hi Jen > > I hope you enjoyed your time at the conference, and thank you for your > presentation. The CFP will open for next years conference in a few months > ! (hint :) > > And regarding the Systers workshop, absolutely. AusNOG has supported it > financially both time it's been run. It's great to hear it was of value to > you. > > > > Regards, > > David > ... > > On 6 Sep 2022, at 4:10 pm, Jennifer Sims wrote: > > tbh I thought I was going to die when I stood up and presented. I hope it > was insightful on how any team can pivot in a pandemic. 
> > In unrelated news, it was great to see talks from CloudFlare, Facebook etc > on how they're changing the game. > > Special thanks to IAA Systers for an interesting day of workshops. It was > very eye opening for me! > > AusNOG and any org getting this email, please consider supporting the IAA > SYSTERS program because 27% of women are in tech for various reasons the > other 73% aren't because of horrible behaviours, glass ceilings and more. > > Cheers > > Jen > > On Mon, Sep 5, 2022 at 1:55 PM Narelle Clark wrote: > >> In the interest of reducing printed waste, we didn't put any blurb >> about the data blockers in the swag bags. We got them from a new >> supplier and by the time they got here we didn't see there was no info >> until it was too late. >> >> But yes, it is a data blocker, meaning it only enables the power pins >> across the USB port. >> >> Next time we'll at least put up a sign explaining it, cos we got quite >> a few questions! >> >> Great to see everyone last week, too! Another fun and informative time. >> >> >> Cheers >> >> Narelle >> >> On Mon, 5 Sept 2022 at 09:04, Philip Loenneker >> wrote: >> > >> > Thank you everyone who contributed to the event, whether that was >> helping with organisation, providing content, sponsorship, just being >> there, or arranging for your staff attend. I always enjoy it, and feel >> lucky to be part of such an awesome community. I especially enjoyed the >> presentations from our NZ friends ? they were very entertaining. And of >> course seeing Vint Cerf was a real treat! >> > >> > >> > >> > I have a question about the gift bag? what is the IAA USB gadget? I >> have a general rule of not plugging in untrusted USB devices so I haven?t >> done anything with it yet. It appears to be a USB A male and female >> connector with some unknown function in the middle. 
It could be a >> keylogger, simulated keyboard for pranks, a USB drive or wireless dongle >> plus hub combo, a very small USB extension cable, or any number of other >> things. >> > >> > >> > >> > Regards, >> > >> > Philip Loenneker | Senior Network Engineer >> > >> > Field Solution Group >> > >> > >> > >> > _______________________________________________ >> > AusNOG mailing list >> > AusNOG at ausnog.net >> > https://lists.ausnog.net/mailman/listinfo/ausnog >> >> >> >> -- >> >> >> Narelle >> narellec at gmail.com >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -------------- next part -------------- An HTML attachment was scrubbed... URL: From spoofer-info at caida.org Fri Sep 9 03:00:12 2022 From: spoofer-info at caida.org (CAIDA Spoofer Project) Date: Thu, 8 Sep 2022 10:00:12 -0700 Subject: [AusNOG] Spoofer Report for AusNOG for Aug 2022 Message-ID: <1662656412.070773.23633.nullmailer@caida.org> In response to feedback from operational security communities, CAIDA's source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address. We are publishing these reports to network and security operations lists in order to ensure this information reaches operational contacts in these ASes. This report summarises tests conducted within aus. 
Inferred improvements during Aug 2022: none inferred Source Address Validation issues inferred during Aug 2022: ASN Name First-Spoofed Last-Spoofed 45671 AS45671-NET-AU 2020-08-18 2022-08-07 133326 RIN 2022-02-22 2022-08-10 55811 COUNTRYTELL-AU 2022-08-03 2022-08-10 Further information for these tests where we received spoofed packets is available at: https://spoofer.caida.org/recent_tests.php?country_include=aus&no_block=1 Please send any feedback or suggestions to spoofer-info at caida.org From ssarkis at unitedip.net.au Fri Sep 9 09:23:31 2022 From: ssarkis at unitedip.net.au (Sam Sarkis-UIP) Date: Thu, 8 Sep 2022 23:23:31 +0000 Subject: [AusNOG] Contractor 2 - 3 days a week Message-ID: <2eb8ef79356e4ea289f155e6928400bd@unitedip.net.au> Hi All, We have a need for an all l2/l3 rounder tech 2 - 3 days a week for a 6 month contract in the Brisbane area if anyone is interested. Rate is neg based on experience. Please contact me offlist if you are interested or know anyone. ssarkis at unitedip.net.au Kind Regards Sam -------------- next part -------------- An HTML attachment was scrubbed... URL: From blue.flayme at gmail.com Fri Sep 9 14:40:40 2022 From: blue.flayme at gmail.com (Andrew Oskam) Date: Fri, 9 Sep 2022 14:40:40 +1000 Subject: [AusNOG] Recommendations for IT Support in NSW Message-ID: Hi Group, Does anyone have any recommendations for reliable IT work in NSW? We often have client desktops needing drive or system replacements, switch/router fit-outs, etc. We've tried Geeks2U for this stuff but they are too unreliable and constantly drop the ball. Looking for a contractor or a company we can send work to on occasion. Any recommendations are appreciated. -- Sent by GMail Webmail -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From kauer at biplane.com.au Fri Sep 9 16:13:41 2022 From: kauer at biplane.com.au (Karl Auer) Date: Fri, 09 Sep 2022 16:13:41 +1000 Subject: [AusNOG] Recommendations for IT Support in NSW In-Reply-To: References: Message-ID: <3175cb51dfebbcbce31ca5a1f221de9b9a0099b4.camel@biplane.com.au> On Fri, 2022-09-09 at 14:40 +1000, Andrew Oskam wrote: > Does anyone have any recommendations for reliable IT work in NSW? > Where in NSW? Or are you looking for someone big enough (or masochistic enough) to cover the whole state for you? Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer From francisfides at mailup.net Mon Sep 12 13:05:44 2022 From: francisfides at mailup.net (francisfides at mailup.net) Date: Mon, 12 Sep 2022 13:05:44 +1000 Subject: [AusNOG] Community Donations Message-ID: <36b3c379-8fec-4097-b9f6-6d4396587093@www.fastmail.com> Hi all, sorry to bother everyone. I'm writing for 4ZZZ in Brisbane, a community org I've been volunteering with for six years. A bunch of equipment is getting older and older, with crucial stuff approaching 15 years old. I'm passionate to keep the place running well, giving people a place for their art, music and voices to be heard. ? I've been asked to look around for donations, including interstate - we would pay for any pickup and we're a registered not-for-profit with DGR status. ? Servers; ? Desktops; ? and network Switches are what we are wanting to upgrade or sure up with a spare. Any pointers will be welcome too. We're better at finding radio communications gear compared to this! My email address for the station is jackw at 4zzz.org.au, but off-list on this address is fine. Thanks, Jack 0488661841 More info on the station: We are a community radio station that's focused on connecting and amplifying the voices of our local communities in Greater Brisbane. 
The station has a 47 year legacy of platforming marginalised and under-represented voices; including the LGBTIQA+ community, First Nations people and those living with a disability. We're a registered not-for-profit with DGR status that is run by a team of 250 volunteers and a handful of paid staff. Our website is https://4zzz.org.au.

--
francisfides at mailup.net

From Darren.Moss at cloud365.com.au Tue Sep 13 09:33:35 2022
From: Darren.Moss at cloud365.com.au (Darren Moss)
Date: Mon, 12 Sep 2022 23:33:35 +0000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
Message-ID:

Hi All,

We're shipping a pallet of equipment from Sydney to the US, mainly servers and switches to East and Central locations.

We've used different couriers in the past with OK results.

I'm interested in hearing which shipping companies people are using.

Many thanks

Darren.

From Nathan.Brookfield at iperium.com.au Tue Sep 13 09:37:21 2022
From: Nathan.Brookfield at iperium.com.au (Nathan Brookfield)
Date: Mon, 12 Sep 2022 23:37:21 +0000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To:
References:
Message-ID:

Hey Mate,

For this kind of stuff, we'd usually always rely on DHL, they seem to be the most efficient and reliable.

Nathan Brookfield
General Manager
p: 1300 592 330 | m: 0412 266 008 | w: https://Iperium.com.au
Level 7, 82 Elizabeth Street, Sydney NSW 2000
Your Connectivity Team

DISCLAIMER: This document is intended solely for the named addressee. This electronic communication, which includes any files or attachments thereto, contains proprietary or confidential information and may be privileged and otherwise protected under copyright or other applicable intellectual property laws. The use, disclosure, copying or distribution of any of the information contained in this document, by any person other than the addressee, is strictly prohibited.
If you received this document in error, please contact the sender immediately and delete all the material from any computer. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you. Any views or opinions presented are solely those of the author and do not necessarily represent those of Iperium.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. Iperium accepts no liability for any damage caused by any virus transmitted by this email.

On 13 Sep 2022, at 09:34, Darren Moss wrote:
> We're shipping a pallet of equipment from Sydney to the US, mainly servers and switches to East and Central locations.

From luke.t at tncrew.com.au Tue Sep 13 09:48:07 2022
From: luke.t at tncrew.com.au (Luke Thompson)
Date: Tue, 13 Sep 2022 09:48:07 +1000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To:
References:
Message-ID: <183341a5ed8.283d.934dbec5914d2454830359510b9fa213@tncrew.com.au>

We agree with Nathan. Not to take sides, but the big fruit still use DHL and the service level at delivery has a thorough feel that the others lack (or aren't as strong at). I'd trust them to get it right (A to B, intact).

Cheers,
Luke Thompson
Chief Technical Officer
The Network Crew Pty Ltd
https://thenetworkcrew.com.au

On 13 September 2022 9:37:53 am Nathan Brookfield wrote:
> Hey Mate,
>
> For this kind of stuff, we'd usually always rely on DHL, they seem to be
> the most efficient and reliable.
From tonyd at pue.com.au Tue Sep 13 09:49:16 2022
From: tonyd at pue.com.au (Tony de Francesco)
Date: Tue, 13 Sep 2022 09:49:16 +1000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To:
References:
Message-ID: <00fd01d8c702$47a9ec10$d6fdc430$@pue.com.au>

I had been using Fedex for about 8 years, but recently they charged me $11,700 to ship a pallet of equipment between the US and Australia. In recent months I changed to DHL, who charge me about $4500 for the same size shipment, and have a much more powerful freight management portal.

Regards
Tony

From: AusNOG [mailto:ausnog-bounces at ausnog.net] On Behalf Of Darren Moss
Sent: Tuesday, 13 September 2022 9:34 AM
To: 'AusNOG at lists.ausnog.net'
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations

From cameron.murray at gmail.com Tue Sep 13 09:53:10 2022
From: cameron.murray at gmail.com (Cameron Murray)
Date: Tue, 13 Sep 2022 09:53:10 +1000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To: <00fd01d8c702$47a9ec10$d6fdc430$@pue.com.au>
References: <00fd01d8c702$47a9ec10$d6fdc430$@pue.com.au>
Message-ID:

DHL +10

Used to swear by Fedex however their policies and recent takeover of TNT sent their services here in Aus the pile.

Kind Regards
Cameron

On Tue, Sep 13, 2022 at 9:49 AM Tony de Francesco wrote:
>
> I had been using Fedex for about 8 years, but recently they charged me
> $11,700 to ship a pallet of equipment between the US and Australia. In
> recent months changed to DHL, who charge me about $4500 for the same size
> shipment, and a much more powerful freight management portal.
From brad at bradleyamm.com Tue Sep 13 10:14:34 2022
From: brad at bradleyamm.com (Bradley Amm)
Date: Tue, 13 Sep 2022 00:14:34 +0000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To:
References: <00fd01d8c702$47a9ec10$d6fdc430$@pue.com.au>
Message-ID:

We used DHL to get a server from Perth to KL last month. No issues with DHL.

Customs was the hold up.

DHL were great. They gave us updates and what to do etc.
Their tracking is pretty good as well.

Get Outlook for iOS

From: AusNOG on behalf of Cameron Murray
Sent: Tuesday, September 13, 2022 9:53:10 AM
To: Tony de Francesco
Cc: AusNOG at lists.ausnog.net
Subject: Re: [AusNOG] Shipping equipment to the US - Courier Recommendations

DHL +10

Used to swear by Fedex however their policies and recent takeover of TNT sent their services here in Aus the pile.

Kind Regards
Cameron

On Tue, Sep 13, 2022 at 9:49 AM Tony de Francesco wrote:
>
> I had been using Fedex for about 8 years, but recently they charged me
> $11,700 to ship a pallet of equipment between the US and Australia. In
> recent months changed to DHL, who charge me about $4500 for the same size
> shipment, and a much more powerful freight management portal.
From dazzagibbs at gmail.com Tue Sep 13 13:29:19 2022
From: dazzagibbs at gmail.com (DaZZa)
Date: Tue, 13 Sep 2022 13:29:19 +1000
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To:
References: <00fd01d8c702$47a9ec10$d6fdc430$@pue.com.au>
Message-ID:

+100 for DHL

FedEx stink.

On Tue, 13 Sept 2022, 10:19 am Bradley Amm, wrote:
> We used DHL to get a server from Perth to KL last month. No issues with
> DHL.
>
> Customs was the hold up.
>
> DHL were great. They gave us Updates and what to do etc.
> Their tracking is pretty good as well.
>
> *From:* AusNOG on behalf of Cameron Murray
> *Subject:* Re: [AusNOG] Shipping equipment to the US - Courier
> Recommendations
>
> DHL +10
>
> Used to swear by Fedex however their policies and recent takeover of
> TNT sent their services here in Aus the pile.
From jaedwards at gmail.com Tue Sep 13 14:08:33 2022
From: jaedwards at gmail.com (John Edwards)
Date: Tue, 13 Sep 2022 13:38:33 +0930
Subject: [AusNOG] Shipping equipment to the US - Courier Recommendations
In-Reply-To:
References:
Message-ID:

Some tips for international transport of kit to USA:

- The main reason you're doing this at all is because the local sales rep for your vendor doesn't get a commission if they sell directly into someone else's territory, maybe figure out who the "someone else" is
- Customs helps American vendors keep counterfeit goods out of the country, which means importing American vendors to USA automatically looks suss
- Global Insurance policies for Australian companies sometimes have a carve-out in the fine print that doesn't cover you for the USA (no really, go and read your policy!)
- Shipping routers costs more than return plane tickets for a person, but if you try and import routers as luggage you will learn the hard way that you should have paid for shipping
- Fedex have their own bonded warehouse facilities which makes it harder for them to lose things in transit if they get complicated with customs
- If you are taking kit for demo purposes and plan to bring it back with you, it may simplify travel to google what a Carnet is

John

On Tue, 13 Sept 2022 at 09:03, Darren Moss wrote:
> Hi All,
>
> We're shipping a pallet of equipment from Sydney to the US, mainly servers
> and switches to East and Central locations.
From david at hughes.id Tue Sep 13 15:26:15 2022
From: david at hughes.id (david at hughes.id)
Date: Tue, 13 Sep 2022 15:26:15 +1000
Subject: [AusNOG] Streaming telemetry in the wild
Message-ID: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>

Afternoon all,

In a recent conversation there was a bit of discussion on using streaming telemetry to gather operational data from network gear. While I'm well aware of the model driven YANG functionality that's been talked about for ages, I honestly can't say I know anyone who's using it. Perhaps hyperscalers have made the move from SNMP, but has the average network operator?

Have you guys moved (or are you looking at moving) to streaming telemetry from your networking kit, or is SNMP polling and the odd trap still giving you what you need?

Regards,

David
...

From phillip.grasso at gmail.com Tue Sep 13 16:01:26 2022
From: phillip.grasso at gmail.com (Phillip Grasso)
Date: Tue, 13 Sep 2022 16:01:26 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
References: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
Message-ID:

Yes, its used extensively and you should too ;-)

On Tue, 13 Sept 2022 at 15:26, wrote:
> Afternoon all,
>
> Have you guys moved (or are you looking at moving) to streaming telemetry
> from your networking kit, or is SNMP polling and the odd trap still giving
> you what you need?
>
> Regards,
>
> David
> ...
From david at hughes.id Tue Sep 13 16:08:51 2022
From: david at hughes.id (David Hughes)
Date: Tue, 13 Sep 2022 16:08:51 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To:
References: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
Message-ID: <0E9F988D-DED4-4E4C-95E6-70566D00C718@hughes.id>

Spoken like a true ex-hyperscaler :-)

Regards,

David
...

> On 13 Sep 2022, at 4:01 pm, Phillip Grasso wrote:
>
> Yes, its used extensively and you should too ;-)
From matt at spectrum.com.au Tue Sep 13 16:45:35 2022
From: matt at spectrum.com.au (Matt Perkins)
Date: Tue, 13 Sep 2022 16:45:35 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
References: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
Message-ID: <5a48f07c-5cfd-5f53-a89b-62a2afd85937@spectrum.com.au>

We use a custom streaming (over udp) protocol to send l2 information between our cumulus based L2 global fabric back to the provision and management stack C&C. A global db is updated in real time from the streaming data so we know where all the MAC's and the port status are. It's all in house and I'm not sure it would fit anyone else's needs other than ours but it could be classified as streaming data and telemetry.

Matt

On 13/9/2022 3:26 pm, david at hughes.id wrote:
> Afternoon all,
>
> Have you guys moved (or are you looking at moving) to streaming telemetry from your networking kit, or is SNMP polling and the odd trap still giving you what you need?
>
> Regards,
>
> David
> ...

--
/* Matt Perkins
Direct 02 8916 8101
Spectrum Networks Ptd. Ltd.
Office 1300 133 299
matt at spectrum.com.au
ABN 66 090 112 913
Level 6, 350 George Street Sydney 2000
*/

From raphael.timothy at gmail.com Tue Sep 13 19:23:20 2022
From: raphael.timothy at gmail.com (Tim Raphael)
Date: Tue, 13 Sep 2022 19:23:20 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
References: <42AE328D-3B83-467A-A009-B48491B8A9E2@hughes.id>
Message-ID:

Yep, it's definitely being used.

All major vendors support gNMI and a subset of Yang models (standard or otherwise) in recent NOSs and there is a decent array of OSS tools (gnmic, gnmi-gateway etc) that integrate with the broader ecosystem of metric storage backends (Influx, Prometheus etc) to make up the stack. You don't have to be a hyperscaler with custom everything to consume better quality, higher resolution data.

I'll name drop EdgeIX as using it internally for metrics and alerting!

- Tim

> On 13 Sep 2022, at 15:26, david at hughes.id wrote:
>
> Afternoon all,
>
> Have you guys moved (or are you looking at moving) to streaming telemetry from your networking kit, or is SNMP polling and the odd trap still giving you what you need?
>
> Regards,
>
> David
> ...
From craig at askings.com.au Tue Sep 13 21:44:57 2022
From: craig at askings.com.au (Craig Askings)
Date: Tue, 13 Sep 2022 21:44:57 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To:
References:
Message-ID: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au>

Is there a telemetry software stack that will get you 80% there without too much effort? That is one thing I like about LibreNMS, you can get quick wins out of the box.

> On 13 Sep 2022, at 7:24 pm, Tim Raphael wrote:
>
> Yep, it's definitely being used.
>
> All major vendors support gNMI and a subset of Yang models (standard or otherwise) in recent NOSs and there is a decent array of OSS tools (gnmic, gnmi-gateway etc) that integrate with the broader ecosystem of metric storage backends (Influx, Prometheus etc) to make up the stack. You don't have to be a hyperscaler with custom everything to consume better quality, higher resolution data.
>
> I'll name drop EdgeIX as using it internally for metrics and alerting!
>
> - Tim
From dale.shaw+ausnog at gmail.com Tue Sep 13 22:27:44 2022
From: dale.shaw+ausnog at gmail.com (Dale Shaw)
Date: Tue, 13 Sep 2022 22:27:44 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au>
References: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au>
Message-ID:

G'day Craig,

On Tue, 13 Sep 2022 at 9:46 pm, Craig Askings wrote:
> Is there a telemetry software stack that will get you 80% there without
> too much effort? That is one thing I like about LibreNMS, you can get quick
> wins out of the box.

I'm only aware of Open NTI, but that's not to say there aren't others:

https://github.com/Juniper/open-nti

It doesn't look like it's getting *heaps* of love, but on the flip-side it's clearly not abandoned either.

Cheers,
Dale

From david at hughes.id Wed Sep 14 07:53:17 2022
From: david at hughes.id (david at hughes.id)
Date: Wed, 14 Sep 2022 07:53:17 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au>
References: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au>
Message-ID: <5A312555-6E76-42BC-B3CC-7B8120947A46@hughes.id>

From the off-list replies (and thanks to everyone that sent one!) it looks popular to use a stack of:

- Pipeline or Telegraf or gNMIc for collecting metrics
- Prometheus or Influxdb for storage
- Grafana for all the cool visuals

Regards,

David
...

> On 13 Sep 2022, at 9:44 pm, Craig Askings wrote:
>
> Is there a telemetry software stack that will get you 80% there without too much effort?
From rbayliss at arista.com Thu Sep 15 09:16:27 2022
From: rbayliss at arista.com (Richard Bayliss)
Date: Thu, 15 Sep 2022 09:16:27 +1000
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <5A312555-6E76-42BC-B3CC-7B8120947A46@hughes.id>
References: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au> <5A312555-6E76-42BC-B3CC-7B8120947A46@hughes.id>
Message-ID: <256A08A9-E42F-4AF0-A337-206FE1EA0C36@arista.com>

I'm disappointed to learn that no one is advocating for the video game based telemetry management tool presented at AusNOG years ago.

"Real-time network monitoring using 3d game engine :: Warren Harrop, Swinburne University"

Shame the presentation isn't shared, it was a great talk:

https://www.ausnog.net/events/ausnog-01/presentations

Cheers
Rich

> On 14 Sep 2022, at 07:53, david at hughes.id wrote:
>
> From the off-list replies (and thanks to everyone that sent one!) it looks popular to use a stack of :
> Pipeline or Telegraf or gNMIc for collecting metrics
> Prometheus or Influxdb for storage
> Grafana for all the cool visuals
>
> Regards,
>
> David
> ...
From david at hughes.id Fri Sep 16 17:42:37 2022
From: david at hughes.id (david at hughes.id)
Date: Fri, 16 Sep 2022 17:42:37 +1000
Subject: [AusNOG] AusNOG then and now.
Message-ID: <13E39F39-436D-4430-BB7F-D6F71ABB5F55@hughes.id>

Just wanted to share this with you all. We've come a long way and still have plans for so much more!

Have a great weekend folks.

Regards,

David
...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: AusNOG 07 vs 23.png
Type: image/png
Size: 979771 bytes
Desc: not available

From wharrop at room52.net Sun Sep 18 09:58:35 2022
From: wharrop at room52.net (Warren Harrop)
Date: Sat, 17 Sep 2022 16:58:35 -0700
Subject: [AusNOG] Streaming telemetry in the wild
In-Reply-To: <256A08A9-E42F-4AF0-A337-206FE1EA0C36@arista.com>
References: <604FBF4F-385A-4B3B-802B-2C8F8F666A38@askings.com.au> <5A312555-6E76-42BC-B3CC-7B8120947A46@hughes.id> <256A08A9-E42F-4AF0-A337-206FE1EA0C36@arista.com>
Message-ID: <75619b8b-dca1-9c1b-adc9-46935c54331b@room52.net>

On 9/14/22 16:16, Richard Bayliss wrote:
> I'm disappointed to learn that no one is advocating for the video game based
> telemetry management tool presented at AusNOG years ago.
>
> "Real-time network monitoring using 3d game engine :: Warren Harrop, Swinburne
> University"
>
> Shame the presentation isn't shared, it was a great talk:
>
> https://www.ausnog.net/events/ausnog-01/presentations
>

Hello, Warren here - thank you for the kind words.

You've made me think that I could dig out the slides from that 2007 presentation (it has to be somewhere in my terabytes of data), but instead of that, if anyone would like to have some bed-time reading to aid in sleep, you can jump ahead in time and read the (166 page) thesis of that work:

"Using immersive real-time collaboration environments to manage IP networks" (2014)
https://researchbank.swinburne.edu.au/items/c025f8e2-be90-49e9-9db8-cd657c356582/1/
(full pdf is linked on that page)

The final version of the work used the Quake 3 engine as the base for the collaborative network management. Unfortunately for this specific conversation though, the software is probably not really for production use, and is more of a proof of concept. The main issue as I see it, is that the open source game engines at the time had significant limitations (mostly around allowing for dynamic enough worlds/objects/textures etc.).
I've not returned to network visualisation or collaborative control since then, so I'm also not sure what the current state of the art is in the area. (Although I do work for Netflix on the Open Connect CDN, it's as a hardware engineer for the OCA cache servers, not on the networking team.) Someone these days could probably have a bigger swing at network visualisation and control in 3D though. With a more modern game engine, you'd probably not have to spend as much time with workarounds to engine limitations. The engines are far more versatile (as an example, the Unreal engine is being used to create virtual sets these days for TV and movies - that are fully editable in real time). Oh, and throw in the phrase "metaverse" into the funding request, and you'd get yourself some serious cash. Warren Harrop From james.braunegg at micron21.com Fri Sep 23 17:47:08 2022 From: james.braunegg at micron21.com (James Braunegg) Date: Fri, 23 Sep 2022 07:47:08 +0000 Subject: [AusNOG] ACT Rack Space Message-ID: Dear AusNOG I am looking for some ACT / Canberra rack space (half or full rack) ? If you have some space please contact me off list ! Kindest Regards James Braunegg [cid:image001.png at 01D8CF74.7ECF7230] 1300 769 972 / 0488 997 207 james.braunegg at micron21.com www.ddosprotection.com.au [cid:image002.png at 01D8CF74.7ECF7230] [cid:image003.png at 01D8CF74.7ECF7230] [cid:image004.png at 01D8CF74.7ECF7230] Follow us on m21status.com for important service and system updates. This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 1047 bytes Desc: image001.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 4219 bytes Desc: image002.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 1137 bytes Desc: image003.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.png Type: image/png Size: 1246 bytes Desc: image004.png URL: From nikolai at lusan.id.au Fri Sep 23 20:31:09 2022 From: nikolai at lusan.id.au (Nikolai Lusan) Date: Fri, 23 Sep 2022 20:31:09 +1000 Subject: [AusNOG] .au domains/registrars and CDS/CDNSKEY Message-ID: <99e64a89-cf05-5eda-00d8-124032aa75d5@lusan.id.au> Hello everyone, So I have started implementing dnssec on some domains after moving them to a registrar that allows DS records to be entered. Is anyone using bind9's automatic signing and CDS/CDNSKEY to push new DS records into the registry? Does anyone know of .au registrars that are supporting CDS/CDNSKEY? I am looking to make the deployment of dnssec for domains an easy no-brainier, potentially with some ansible magic - that is if it can be done. I also have some .com, .org, and .net domains on the list, but the .au domains are of a higher priority. Thanks -- Nikolai Lusan -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0xE19683455D952FA4.asc Type: application/pgp-keys Size: 8200 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From jhellenthal at dataix.net Sat Sep 24 00:03:28 2022 From: jhellenthal at dataix.net (J. 
Hellenthal) Date: Fri, 23 Sep 2022 09:03:28 -0500 Subject: [AusNOG] .au domains/registrars and CDS/CDNSKEY In-Reply-To: <99e64a89-cf05-5eda-00d8-124032aa75d5@lusan.id.au> References: <99e64a89-cf05-5eda-00d8-124032aa75d5@lusan.id.au> Message-ID: <91A6BA31-04BD-4290-B272-C7C7B03019A3@dataix.net> Have you considered using AWS Route 53 ? Considering the command line interface available you should be able to accomplish this fairly easily in combination with BIND > On Sep 23, 2022, at 05:31, Nikolai Lusan wrote: > > Hello everyone, > > So I have started implementing dnssec on some domains after moving them to a registrar that allows DS records to be entered. Is anyone using bind9's automatic signing and CDS/CDNSKEY to push new DS records into the registry? Does anyone know of .au registrars that are supporting CDS/CDNSKEY? I am looking to make the deployment of dnssec for domains an easy no-brainier, potentially with some ansible magic - that is if it can be done. I also have some .com, .org, and .net domains on the list, but the .au domains are of a higher priority. > > Thanks > -- > Nikolai Lusan > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog -- J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume. From david at hughes.id Mon Sep 26 14:26:21 2022 From: david at hughes.id (david at hughes.id) Date: Mon, 26 Sep 2022 14:26:21 +1000 Subject: [AusNOG] AusNOG 2022 presentations available Message-ID: Good afternoon everyone, PDF versions of the slides of most talks delivered at AusNOG 2022 earlier this month are now available from the AusNOG web site. You can find them via links in the Programme. Enjoy. Regards, David ... 
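For Nikolai's CDS/CDNSKEY question above (and the BIND/Route 53 suggestion in reply): whatever pushes the DS into the registry, the parent side has to derive the DS from the child's CDNSKEY and confirm it agrees with the child's CDS before touching the delegation. The following is an added example written for this thread, not code from bind9, Route 53 or any list member; the owner name, key bytes and algorithm numbers are constructed sample values.

```python
"""Derive a DS/CDS record from a DNSKEY/CDNSKEY and check CDS consistency.

Added example for the CDS/CDNSKEY discussion (not from bind9, Route 53 or
anyone on the list). A parent or registrar automating DS updates from the
child zone (RFC 7344 / RFC 8078) should compute the DS from the CDNSKEY
itself and refuse the update if the child's CDS disagrees.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). SHA-1 is listed only so a
# legacy CDS can still be checked; new DS records should use SHA-256 (type 2).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # "Secure Entry Point" bit: set on KSKs, which is what DS points at


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY/CDNSKEY RDATA: flags(2) protocol(1) algorithm(1) key(n)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit ones-complement style sum."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for a DNSKEY.

    The digest covers the canonical owner name followed by the DNSKEY RDATA
    (RFC 4034 section 5.1.4).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_rr_text(owner: str, ds: tuple) -> str:
    """Presentation form, e.g. for diffing against what the registry holds."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {digest}"


def cds_consistent(owner: str, cdnskey: tuple, cds_records: list) -> bool:
    """True only if every CDS the child publishes matches the child's CDNSKEY.

    cdnskey:     (flags, protocol, algorithm, pubkey_b64)
    cds_records: list of (key_tag, algorithm, digest_type, hex_digest)
    Any disagreement means the parent must not apply the update
    (RFC 7344 section 4.1); a ZSK (no SEP bit) or an empty CDS set is
    rejected as well.
    """
    flags, protocol, algorithm, pubkey_b64 = cdnskey
    if not flags & SEP_FLAG:
        return False
    for tag, alg, dtype, digest in cds_records:
        if dtype not in DIGEST_ALGS:
            return False
        expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
        if (tag, alg, dtype, digest.upper()) != expected:
            return False
    return bool(cds_records)


# Constructed sample key material: 32 arbitrary bytes standing in for an
# ECDSAP256SHA256 (algorithm 13) public key. Not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_CDNSKEY = (257, 3, 13, SAMPLE_KEY_B64)

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, *SAMPLE_CDNSKEY)
    print(ds_rr_text(SAMPLE_OWNER, ds))
    print("CDS consistent:", cds_consistent(SAMPLE_OWNER, SAMPLE_CDNSKEY, [ds]))
```

In practice the CDS/CDNSKEY would be fetched from the child's authoritative servers with DNSSEC validation on, and the derived DS compared against the registry's current delegation before any change is submitted.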
From: bevan at slattery.net.au (Bevan Slattery)
Date: Tue, 27 Sep 2022 00:46:03 +0000
Subject: [AusNOG] Optus Hack

Hi everyone,

Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.

I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISOs on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.

There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.

Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.

Cheers

[b]

From: rendrag at rendrag.net (Damien Gardner Jnr)
Date: Tue, 27 Sep 2022 10:49:19 +1000
Subject: [AusNOG] Optus Hack

Personally, I find putting authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step..

--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder

From: glenn.satchell at uniq.com.au (glenn.satchell at uniq.com.au)
Date: Tue, 27 Sep 2022 11:02:08 +1000
Subject: [AusNOG] Optus Hack

My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
regards,
Glenn

From: glp71s at gmail.com (Giles Pollock)
Date: Tue, 27 Sep 2022 11:03:56 +1000
Subject: [AusNOG] Optus Hack

As someone who's been on both sides of this particular fence, can we please PLEASE start doing away with using SMS as a second factor?

Also, it might be time to start looking at policies on information collection and storage through some different lenses. Previously we've been paranoid about collecting identity information for signing up to services, largely pushed by anti-terrorism laws... But the focus was always on collection and immediate verification, not whether or not this information should be stored nor how or why. Too many businesses at this point have an "eh, she'll be right" sort of attitude towards customer data security which leaves room for misuse and abuse wide open...

I remember asking back when the My Health Record opt-out was happening what happened to the information collected for the opt-out. It consisted of the same sort of critical identity documentation, yet there was no policy described which explained the data lifecycle of information collected for the purpose of actioning the opt-out. This is depressingly common: heaps of places and things collect information, but never actually define what they're going to do with it once the purpose of its collection is complete.

In my position (formal and informal) I know full well these sorts of breaches are constant and pervasive, and the only reason we're seeing all the noise about Optus is because it's in the media... Nobody mentions the dozen other breaches which never got detected!
From: jim at alwaysnever.net (Jim Woodward)
Date: Tue, 27 Sep 2022 11:07:22 +1000
Subject: [AusNOG] Optus Hack

In fairness, it is hard to mention undetected breaches by their very nature, the data equivalent of Schrodinger's cat.

Jim.

On 27-09-2022 11:03, Giles Pollock wrote:
> In my position (formal and informal) I know full well these sorts of breaches are constant and pervasive, and the only reason we're seeing all the noise about Optus is because it's in the media... Nobody mentions the dozen other breaches which never got detected!

From: martinvisser99 at gmail.com (Martin Visser)
Date: Tue, 27 Sep 2022 11:09:03 +1000
Subject: [AusNOG] Optus Hack

I also wonder whether they retained only, say, the Driver's Licence number and not the expiry date. (Same for passport.) At least that might limit the damage if those that now need to verify ID info can at least ask if you have those dates - a potential misuser of that data wouldn't have those dates. (I know my DL number and the day and month by heart, but I had to check which year it expires from the actual card.)

Regards,
Martin
MartinVisser99 at gmail.com

From: Nathan.Brookfield at iperium.com.au (Nathan Brookfield)
Date: Tue, 27 Sep 2022 01:12:33 +0000
Subject: [AusNOG] Optus Hack

They're legally obligated to retain it, but why it's on the API and why it's not encrypted? Looking at the data, some fields are hashed and then repeated in the bloody clear :(

From: brad.gould at gmail.com (Brad Gould)
Date: Tue, 27 Sep 2022 10:55:24 +0930
Subject: [AusNOG] Optus Hack

I think the only remaining way forward is to enact heavy penalties for these incidents.

Industry self-regulation and codes of conduct have repeatedly failed.
I also fully understand that the Government has unwisely placed a requirement to collect and retain personal information, and on some levels poor policy put forward by security agencies has contributed to these terrible, predictable, outcomes. I'll also add that there is a similar lack of political accountability, so as an industry, we should be shouting at every opportunity that the Government required collection and retention of the data in the first place.

The large companies that have breaches are not typically failing because solutions are hard, it's because of a lack of corporate-level care.

Forcing Health and Safety obligations and penalties upon upper corporate management has seen business culture fundamentally change for the better. The same kind of legislation frameworks need to be introduced with regards to privacy.

From: ausnog at studio442.com.au (Julien Goodwin)
Date: Tue, 27 Sep 2022 11:26:12 +1000
Subject: [AusNOG] Small acoustically isolated racks

Does anyone have any suggestions for small (likely no larger than 10RU) acoustically isolated racks?

I need one for a meeting room, where it needs to fit in a space no larger than 700mm high (710mm *maybe*). The current APC NetShelter CX 12RU (AR4000MVA) seems to be ~720mm high and that's too much.

I only need 4RU of actual rack equipment, so if there's other options I might be interested.

From: oliver at monoxane.io (Oliver Herrmann)
Date: Tue, 27 Sep 2022 01:43:28 +0000
Subject: [AusNOG] Small acoustically isolated racks

If it's not against the aesthetic requirements, have a look at live production flight cases; there's a lot in that sort of size range that have multiple layers of acoustic foam and baffles in the front and back lids. We use them to put switches and playout servers on stages near microphones without causing problems, so they're usually pretty well insulated. You could probably get one custom made to fit your acoustic and aesthetic needs by a reputable case company for well under the cost of a regular acoustically isolated rack too.

From: glp71s at gmail.com (Giles Pollock)
Date: Tue, 27 Sep 2022 11:50:49 +1000
Subject: [AusNOG] Optus Hack

I'm hesitant to go down the punishment/penalties route, because it isn't a lack of consequence which defines and allows for such breaches to occur. I've never been involved with the response to a breach where the company has gone "big deal, it's just customer data!"; rather they are all too aware that they are now in an unexpected fight for their corporate lives. These events can kill entire businesses, but that realisation often only comes to the board and key decision makers when they're sitting in the war room having it all laid on the table for them.

What seems to be the pervasive mentality is more akin to "it will never happen to us". Sort of similar to assuming you'll drive to work and not be involved in a car accident. The collection of the data and the construction and growth of the systems that are involved is often organic and comes under business as usual, so like a frog slowly being brought to a boil they never really think about exactly what they are custodians of. Add to that the tendency for government policy to come along and mandate the requirements to collect certain sensitive information because the policies have been written along the lines of "one size fits all (badly)" and we have this recipe for disaster.
How many on this list can turn around and look at their own information handling policies and say hand-on-heart (or other important body part) that they're only storing what they need to, and that more importantly the sensitive components of that data are 100% secure? I'd suggest in the wake of this whole mess, it might be a good idea to go have a talk to the relevant people inside your various businesses and start thinking about how to run tabletop exercises on what would happen should a breach occur, and how it might happen. There will be people in the technical teams who should be able to identify risk points and flaws, not only in the technology but also in the processes and procedures. Collect those, build some scenarios and act them out in a simulation. Fear is a great motivator, and the knowledge that these breaches and the PR disaster that Optus experienced this time around can be business-killers should be a good start to getting some buy-in on dealing with these issues particularly given how fresh it is in everyone's minds. For the accountant/beancounter/finance types, just remind them that cost of remediation is always far higher than cost of protection and prevention! On Tue, Sep 27, 2022 at 11:25 AM Brad Gould wrote: > I think the only remaining way forward is to enact heavy penalties for > these incidents. > > Industry self-regulation and codes of conduct have repeatedly failed. > > I also fully understand that the Government has unwisely placed a > requirement to collect and retain personal information, and on some levels > poor policy put forward by security agencies has contributed to these > terrible, predictable, outcomes. I'll also add that there is a similar lack > of political accountability, so as an industry, we should be shouting at > every opportunity that the Government required collection and retention of > the data in the first place. 
> > The large companies that have breaches are not typically failing because > solutions are hard, its because of lack of corporate-level care. > > Forcing Health and Safety obligations and penalties upon upper corporate > management has seen business culture fundamentally change for the better. > The same kind of legislation frameworks need to be introduced with regards > to privacy.. . > > > > On Tue, 27 Sept 2022 at 10:16, Bevan Slattery > wrote: > >> Hi everyone, >> >> >> >> Obviously a big week in telco and cybersecurity. As part of my work I am >> on the Australian Cyber Security Industry Advisory Committee as an industry >> representative. >> >> >> >> I am keen to look at opening up a dialogue with more and more telco, DC >> and Cloud CISO?s on what they are doing around this issue and looking to >> take a proactive step towards best practice on customer data and system >> security. >> >> >> >> There will be some pretty serious consequences of this hack on the >> industry and importantly we need to make sure we are as best placed to help >> each other continually increase in security posture through best practice, >> but also working with each other as an industry. >> >> >> >> Are people keen on having a online/VC session sometime in the next few >> weeks where like-minded industry participants get together and discuss >> security, retention, encryption, threat detection etc.? If so, just ping >> me directly and if there is enough interest I will send out an invitation >> to the list for a call. >> >> >> >> Cheers >> >> >> >> [b] >> >> >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -------------- next part -------------- An HTML attachment was scrubbed... 
From mark at nabc.com.au Tue Sep 27 12:16:15 2022
From: mark at nabc.com.au (Mark Stewart)
Date: Tue, 27 Sep 2022 02:16:15 +0000
Subject: [AusNOG] Optus Hack
References: <578e7725-2795-4717-8941-4645be4de95d.d2ab54af-1f79-495a-8a6b-c5220e2e1e0f.744e17c3-d5e0-4212-89f3-6823a31fd582@emailsignatures365.codetwo.com>

The problem in this type of breach, like many others, is that companies provide access to the entire consumer data set without any consideration of the consumer whose data is being accessed. The current model(s) need to change and are changing to be more consumer centric.

Preventing 3rd party companies' direct access to consumer data without consumer consent is what needs to be put in place now to remove such egregious breaches from occurring in the future. Allowing the consumer to decide who has access to their data and what data they want is the model that should be taken. This limits the scope of an attack down to a single consumer, as the data passing between "company to company where the source company is the data holder" or "company to company via the consumer where the consumer is the data holder" is only specific to that consumer, not the entire data set. If an attacker manages to gain access to that data in transit, then it will be limited to the scope of that consumer, the risk can be mitigated, and the cost to access large swathes of consumer data will be so high that it will not be cost effective for the hacker.

It is only a matter of time until companies will need to pivot to facilitate this change. So why not start working towards making this happen before you are forced to.

Regards,
Mark Stewart
M: 0438005415
E: mark at nabc.com.au
W: www.nabc.com.au

From: AusNOG On Behalf Of Bevan Slattery
Sent: Tuesday, 27 September 2022 8:46 AM
To: ausnog
Subject: DMARC Violation[AusNOG] Optus Hack

Hi everyone,

Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.

I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISO's on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.

There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.

Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.

Cheers

From dale.shaw+ausnog at gmail.com Tue Sep 27 12:21:12 2022
From: dale.shaw+ausnog at gmail.com (Dale Shaw)
Date: Tue, 27 Sep 2022 12:21:12 +1000
Subject: [AusNOG] Small acoustically isolated racks

Hi Julien,

On Tue, 27 Sept 2022 at 11:26, Julien Goodwin wrote:
> Does anyone have any suggestions for small (likely no larger than 10RU) acoustically isolated racks?

I've got a 24U rack from these guys: http://www.acoustiproducts.com

They seem to offer smaller models. I can personally vouch for the sound-proofing -- it's pretty impressive to close the doors and have the noise from a 1RU switch with a bunch of screaming 40mm fans all but go away.

Cheers,
Dale
From yahoo at vapourforge.com Tue Sep 27 12:28:59 2022
From: yahoo at vapourforge.com (Jake Anderson)
Date: Tue, 27 Sep 2022 12:28:59 +1000
Subject: [AusNOG] Small acoustically isolated racks
In-Reply-To: <2D30ED46-502B-4049-8C53-EF28EF3CCB99@monoxane.io>
Message-ID: <5bcc20f2-a175-e758-786d-53bd338e166a@vapourforge.com>

I can recommend these guys as being great to speak to on the phone when starting off with half an idea of what you want to achieve and leaving the "how" up to them. Their prices and timelines for custom work were surprisingly good as well.

https://giggear.com.au/

On 27/09/2022 11:43 am, Oliver Herrmann wrote:
> If it's not against the aesthetic requirements, have a look at live production flight cases; there's a lot in that sort of size range that have multiple layers of acoustic foam and baffles in the front and back lids. We use them to put switches and playout servers on stages near microphones without causing problems, so they're usually pretty well insulated.
>
> You could probably get one custom made to fit your acoustic and aesthetic needs by a reputable case company for well under the cost of a regular acoustically isolated rack too.
>
>> On 27 Sep 2022, at 11:26 am, Julien Goodwin wrote:
>>
>> Does anyone have any suggestions for small (likely no larger than 10RU) acoustically isolated racks?
>>
>> I need one for a meeting room, where it needs to fit in a space no larger than 700mm high (710mm *maybe*). The current APC NetShelter CX 12RU (AR4000MVA) seems to be ~720mm high and that's too much.
>>
>> I only need 4RU of actual rack equipment, so if there's other options I might be interested.

From michael at kahl.id.au Tue Sep 27 12:39:59 2022
From: michael at kahl.id.au (Michael Kahl)
Date: Tue, 27 Sep 2022 12:39:59 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>

Is there any legal obligation to store sensitive ID information in its original form? Storing a hashed version only would be sufficient to prove the details had been collected and to verify any future ID verification requirements without actually retaining the sensitive data.

Separately, should the government provide an opt-in two-factor ID verification service for critical services such as telco, utilities, banking, etc? There are privacy concerns; however, if implemented correctly they wouldn't be collecting any further information than what they legally have access to now.

On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield <Nathan.Brookfield at iperium.com.au> wrote:
> They're legally obligated to retain it, but why is it on the API and why is it not encrypted?
>
> Looking at the data, some fields are hashed and then repeated in the bloody clear :(
>
> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>
>> My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
>>
>> regards,
>> Glenn
>>
>> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>>> Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step.
>>>
>>> --
>>> Damien Gardner Jnr
>>> VK2TDG. Dip EE. GradIEAust
>>> rendrag at rendrag.net - http://www.rendrag.net/
>>> --
>>> We rode on the winds of the rising storm,
>>> We ran to the sounds of thunder.
>>> We danced among the lightning bolts,
>>> and tore the world asunder

From andrew.mathieson-blakely at bmcg.net.au Tue Sep 27 13:00:16 2022
From: andrew.mathieson-blakely at bmcg.net.au (Andrew M. Mathieson-Blakely)
Date: Tue, 27 Sep 2022 03:00:16 +0000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>
Message-ID: <56F588C3-9C7F-4C38-A6ED-1DA254FFA8FA@bmcg.net.au>

What I don't understand (and I am not a programmer) is why there isn't a broker setup. In the Mainframe world, normally you would have your database on a private network that will only serve a request server and serve the data that it requests to see. I really get nervous these days when databases are not behind private networks with no public access whatsoever.

That's my food for thought; I'd be interested to see what goes on in the real world today, but I just see this as not the most secure way to be handling any information that is stored in a database.

Regards

Andrew

From: AusNOG on behalf of Michael Kahl
Date: Tuesday, 27 September 2022 at 12:40 pm
To: Nathan Brookfield
Cc: "ausnog at ausnog.net"
Subject: Re: [AusNOG] Optus Hack

Is there any legal obligation to store sensitive ID information in its original form? Storing a hashed version only would be sufficient to prove the details had been collected and to verify any future ID verification requirements without actually retaining the sensitive data.

Separately, should the government provide an opt-in two-factor ID verification service for critical services such as telco, utilities, banking, etc? There are privacy concerns; however, if implemented correctly they wouldn't be collecting any further information than what they legally have access to now.

From simon.knight at gmail.com Tue Sep 27 13:05:13 2022
From: simon.knight at gmail.com (Simon Knight)
Date: Tue, 27 Sep 2022 12:35:13 +0930
Subject: [AusNOG] Optus Hack
In-Reply-To: <56F588C3-9C7F-4C38-A6ED-1DA254FFA8FA@bmcg.net.au>
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <56F588C3-9C7F-4C38-A6ED-1DA254FFA8FA@bmcg.net.au>
Message-ID: <06541ba7-1e11-4d99-a392-f56a832b24f4@Spark>

There was an interesting point that credit card details weren't leaked - some speculation that this was due to the banks enforcing a pretty tight compliance framework with the penalty that you'd be cut off from the banking system.
If true that would align with an indifference to customer data - if it was treated the same as financial data would it have been so easily accessed? thank you Simon On 27 Sep 2022 at 12:30 PM +0930, Andrew M. Mathieson-Blakely , wrote: > What I don?t understand (and I am not a programmer) is why there isn?t a broker setup.? In the Mainframe world normally, you would have your database on a private network that will only server a request server and serve the data that it requests to see.? I really get nervous these days when databases are not behind private networks with no public access to whatsoever. > > That?s my food for thought be interested to see what goes on in the real world today but I just see this as not the most secure way to be handling any information that is stored in a database. > > Regards > > > Andrew > > From: AusNOG on behalf of Michael Kahl > Date: Tuesday, 27 September 2022 at 12:40 pm > To: Nathan Brookfield > Cc: "ausnog at ausnog.net" > Subject: Re: [AusNOG] Optus Hack > Resent from: > > Is there any legal obligation to store sensitive ID information in its original form? Storing a hashed version only would be sufficient to prove the details had been collected and verify any future ID verification requirements without actually retaining the sensitive data. > > Separately, should the government provide?an opt in two factor ID verification service for critical?services such as telco, utilities, banking, etc? There are privacy concerns, however if implemented correctly they wouldn't be collecting any further information than what they legally have access to now. > > On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield wrote: > > quote_type > > They?re legally obligated to retain it but why it?s on the API and why it?s not encrypted. 
> > > > Looking at the data some fields are hashed and then repeated in the bloody clear :( > > > > On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: > > > > My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need. > > > > regards, > > Glenn > > > > On 2022-09-27 10:49, Damien Gardner Jnr wrote: > > > Personally, I find putting Authentication on my API endpoints to be a > > > FANTASTIC first step towards API security.? And then not even using > > > public IP addresses in test environments is a pretty good second > > > step..? > > > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery > > > wrote: > > >> Hi everyone, > > >> Obviously a big week in telco and cybersecurity.? As part of my work > > >> I am on the Australian Cyber Security Industry Advisory Committee as > > >> an industry representative. > > >> I am keen to look at opening up a dialogue with more and more telco, > > >> DC and Cloud CISO?s on what they are doing around this issue and > > >> looking to take a proactive step towards best practice on customer > > >> data and system security. > > >> There will be some pretty serious consequences of this hack on the > > >> industry and importantly we need to make sure we are as best placed > > >> to help each other continually increase in security posture through > > >> best practice, but also working with each other as an industry. > > >> Are people keen on having a online/VC session sometime in the next > > >> few weeks where like-minded industry participants get together and > > >> discuss security, retention, encryption, threat detection etc.?? If > > >> so, just ping me directly and if there is enough interest I will > > >> send out an invitation to the list for a call. 
> > >> Cheers > > >> [b] > > >> _______________________________________________ > > >> AusNOG mailing list > > >> AusNOG at ausnog.net > > >> https://lists.ausnog.net/mailman/listinfo/ausnog > > > -- > > > Damien Gardner Jnr > > > VK2TDG. Dip EE. GradIEAust > > > rendrag at rendrag.net -? http://www.rendrag.net/ > > > -- > > > We rode on the winds of the rising storm, > > > We ran to the sounds of thunder. > > > We danced among the lightning bolts, > > > and tore the world asunder > > > _______________________________________________ > > > AusNOG mailing list > > > AusNOG at ausnog.net > > > https://lists.ausnog.net/mailman/listinfo/ausnog > > _______________________________________________ > > AusNOG mailing list > > AusNOG at ausnog.net > > https://lists.ausnog.net/mailman/listinfo/ausnog > > _______________________________________________ > > AusNOG mailing list > > AusNOG at ausnog.net > > https://lists.ausnog.net/mailman/listinfo/ausnog > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog -------------- next part -------------- An HTML attachment was scrubbed... URL: From ausnog at narkov.com Tue Sep 27 13:06:18 2022 From: ausnog at narkov.com (Nick Adams) Date: Tue, 27 Sep 2022 13:06:18 +1000 Subject: [AusNOG] Optus Hack In-Reply-To: References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> Message-ID: See the "Australia Card"[1] for why the Federal government probably couldn't provide central identification/auth services. It is politically very challenging...despite the obvious benefits it would provide. [1] https://en.wikipedia.org/wiki/Australia_Card -- Regards, Nick Adams On Tue, 27 Sep 2022, at 12:39 PM, Michael Kahl wrote: > Is there any legal obligation to store sensitive ID information in its original form? 
Storing a hashed version only would be sufficient to prove the details had been collected and verify any future ID verification requirements without actually retaining the sensitive data. > > Separately, should the government provide an opt in two factor ID verification service for critical services such as telco, utilities, banking, etc? There are privacy concerns, however if implemented correctly they wouldn't be collecting any further information than what they legally have access to now. > > On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield wrote: >> They?re legally obligated to retain it but why it?s on the API and why it?s not encrypted. >> >> Looking at the data some fields are hashed and then repeated in the bloody clear :( >> >> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: >> >> ?My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need. >> >> regards, >> Glenn >> >> On 2022-09-27 10:49, Damien Gardner Jnr wrote: >> > Personally, I find putting Authentication on my API endpoints to be a >> > FANTASTIC first step towards API security. And then not even using >> > public IP addresses in test environments is a pretty good second >> > step.. >> > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery >> > wrote: >> >> Hi everyone, >> >> Obviously a big week in telco and cybersecurity. As part of my work >> >> I am on the Australian Cyber Security Industry Advisory Committee as >> >> an industry representative. >> >> I am keen to look at opening up a dialogue with more and more telco, >> >> DC and Cloud CISO?s on what they are doing around this issue and >> >> looking to take a proactive step towards best practice on customer >> >> data and system security. 
>> >> There will be some pretty serious consequences of this hack on the >> >> industry and importantly we need to make sure we are as best placed >> >> to help each other continually increase in security posture through >> >> best practice, but also working with each other as an industry. >> >> Are people keen on having a online/VC session sometime in the next >> >> few weeks where like-minded industry participants get together and >> >> discuss security, retention, encryption, threat detection etc.? If >> >> so, just ping me directly and if there is enough interest I will >> >> send out an invitation to the list for a call. >> >> Cheers >> >> [b] >> >> _______________________________________________ >> >> AusNOG mailing list >> >> AusNOG at ausnog.net >> >> https://lists.ausnog.net/mailman/listinfo/ausnog >> > -- >> > Damien Gardner Jnr >> > VK2TDG. Dip EE. GradIEAust >> > rendrag at rendrag.net - http://www.rendrag.net/ >> > -- >> > We rode on the winds of the rising storm, >> > We ran to the sounds of thunder. >> > We danced among the lightning bolts, >> > and tore the world asunder >> > _______________________________________________ >> > AusNOG mailing list >> > AusNOG at ausnog.net >> > https://lists.ausnog.net/mailman/listinfo/ausnog >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew.mathieson-blakely at bmcg.net.au Tue Sep 27 13:09:13 2022 From: andrew.mathieson-blakely at bmcg.net.au (Andrew M. 
Mathieson-Blakely) Date: Tue, 27 Sep 2022 03:09:13 +0000 Subject: [AusNOG] Optus Hack In-Reply-To: References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> Message-ID: Maybe it was because either a) the database containing these records was encrypted and no use to the hacker or maybe he hadn?t got that far before he was exposed. Who knows LOL Regards Andrew Mathieson-Blakely From: AusNOG on behalf of Nick Adams Date: Tuesday, 27 September 2022 at 1:07 pm To: "ausnog at ausnog.net" Subject: Re: [AusNOG] Optus Hack Resent from: See the "Australia Card"[1] for why the Federal government probably couldn't provide central identification/auth services. It is politically very challenging...despite the obvious benefits it would provide. [1] https://en.wikipedia.org/wiki/Australia_Card -- Regards, Nick Adams On Tue, 27 Sep 2022, at 12:39 PM, Michael Kahl wrote: Is there any legal obligation to store sensitive ID information in its original form? Storing a hashed version only would be sufficient to prove the details had been collected and verify any future ID verification requirements without actually retaining the sensitive data. Separately, should the government provide an opt in two factor ID verification service for critical services such as telco, utilities, banking, etc? There are privacy concerns, however if implemented correctly they wouldn't be collecting any further information than what they legally have access to now. On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield > wrote: They?re legally obligated to retain it but why it?s on the API and why it?s not encrypted. Looking at the data some fields are hashed and then repeated in the bloody clear :( On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. 
This goes back to only keeping the private data you need. regards, Glenn On 2022-09-27 10:49, Damien Gardner Jnr wrote: > Personally, I find putting Authentication on my API endpoints to be a > FANTASTIC first step towards API security. And then not even using > public IP addresses in test environments is a pretty good second > step.. > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery > > wrote: >> Hi everyone, >> Obviously a big week in telco and cybersecurity. As part of my work >> I am on the Australian Cyber Security Industry Advisory Committee as >> an industry representative. >> I am keen to look at opening up a dialogue with more and more telco, >> DC and Cloud CISO?s on what they are doing around this issue and >> looking to take a proactive step towards best practice on customer >> data and system security. >> There will be some pretty serious consequences of this hack on the >> industry and importantly we need to make sure we are as best placed >> to help each other continually increase in security posture through >> best practice, but also working with each other as an industry. >> Are people keen on having a online/VC session sometime in the next >> few weeks where like-minded industry participants get together and >> discuss security, retention, encryption, threat detection etc.? If >> so, just ping me directly and if there is enough interest I will >> send out an invitation to the list for a call. >> Cheers >> [b] >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog > -- > Damien Gardner Jnr > VK2TDG. Dip EE. GradIEAust > rendrag at rendrag.net - http://www.rendrag.net/ > -- > We rode on the winds of the rising storm, > We ran to the sounds of thunder. 
> We danced among the lightning bolts, > and tore the world asunder > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog _______________________________________________ AusNOG mailing list AusNOG at ausnog.net https://lists.ausnog.net/mailman/listinfo/ausnog _______________________________________________ AusNOG mailing list AusNOG at ausnog.net https://lists.ausnog.net/mailman/listinfo/ausnog _______________________________________________ AusNOG mailing list AusNOG at ausnog.net https://lists.ausnog.net/mailman/listinfo/ausnog -------------- next part -------------- An HTML attachment was scrubbed... URL: From jrandombob at darkglade.com Tue Sep 27 13:26:09 2022 From: jrandombob at darkglade.com (Jrandombob) Date: Tue, 27 Sep 2022 13:26:09 +1000 Subject: [AusNOG] Optus Hack In-Reply-To: <56F588C3-9C7F-4C38-A6ED-1DA254FFA8FA@bmcg.net.au> References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <56F588C3-9C7F-4C38-A6ED-1DA254FFA8FA@bmcg.net.au> Message-ID: Hi Andrew, Based on the public information available there was no direct access to the database involved in the breach, the attacker found an unsecured public API endpoint (essentially your "broker") which they then proceeded to query for every customer record iterating the contact id each time, i.e. wget http://somedomain.com/some/api/contactid=1, wget http://somedomain.com/some/api/contactid=2, etc.. Whether or not the database is in a private network is irrelevant, if there's a conduit to it and if that doesn't have proper access controls implemented you end up with this situation. Best Regards, Morgan On Tue, Sep 27, 2022 at 1:00 PM Andrew M. Mathieson-Blakely < andrew.mathieson-blakely at bmcg.net.au> wrote: > What I don?t understand (and I am not a programmer) is why there isn?t a > broker setup. 
> In the Mainframe world normally, you would have your database on a private network that will only serve a request server and serve the data that it requests to see. I really get nervous these days when databases are not behind private networks with no public access whatsoever.
>
> That's my food for thought; I'd be interested to see what goes on in the real world today, but I just see this as not the most secure way to be handling any information that is stored in a database.
>
> Regards
>
> Andrew
>
> From: AusNOG on behalf of Michael Kahl <michael at kahl.id.au>
> Date: Tuesday, 27 September 2022 at 12:40 pm
> To: Nathan Brookfield
> Cc: "ausnog at ausnog.net"
> Subject: Re: [AusNOG] Optus Hack
>
> Is there any legal obligation to store sensitive ID information in its original form? Storing a hashed version only would be sufficient to prove the details had been collected and verify any future ID verification requirements without actually retaining the sensitive data.
>
> Separately, should the government provide an opt in two factor ID verification service for critical services such as telco, utilities, banking, etc? There are privacy concerns, however if implemented correctly they wouldn't be collecting any further information than what they legally have access to now.
>
> On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield <Nathan.Brookfield at iperium.com.au> wrote:
>
> They're legally obligated to retain it but why it's on the API and why it's not encrypted.
>
> Looking at the data some fields are hashed and then repeated in the bloody clear :(
>
> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>
> My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details.
> This goes back to only keeping the private data you need.
>
> regards,
> Glenn
From jaybinks at gmail.com Tue Sep 27 13:39:36 2022
From: jaybinks at gmail.com (jay binks)
Date: Tue, 27 Sep 2022 13:39:36 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>

mmm I was just bouncing something like this around in my head.

In a perfect world, you could utilise MyGov infrastructure...

Carriers could get a UUID that represents a "Know your customer" data validation that occurred between carriers and "MyGov", where the customer was MFA prompted (with the MyGov ID service) to say "Confirm you want to identify yourself to XXXX".

Then the carrier would only be required to retain that UUID for the MFA verified auth transaction (and be explicitly instructed NOT to retain PII other than an email address to send invoices).

Anyways... back to the real world.

On Tue, 27 Sept 2022 at 13:06, Nick Adams wrote:
> See the "Australia Card"[1] for why the Federal government probably couldn't provide central identification/auth services. It is politically very challenging... despite the obvious benefits it would provide.
>
> [1] https://en.wikipedia.org/wiki/Australia_Card
>
> --
> Regards,
>
> Nick Adams
--
Sincerely

Jay

From glp71s at gmail.com Tue Sep 27 13:48:29 2022
From: glp71s at gmail.com (Giles Pollock)
Date: Tue, 27 Sep 2022 13:48:29 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>

Had the same thought, and it's good in principle, until you get that obnoxious little thought creeping into your head: "yeah... but what if MyGov got hacked too?"

I suspect we'll end up with something akin to that down the track, as the information already exists across multiple government databases by law anyway. Might get interesting for non-citizens though?

(It probably will wind up all the sovcit types too, who will start throwing around their favourite catchphrases - NWO, world government, UN control, etc.)

On Tue, Sep 27, 2022 at 1:40 PM jay binks wrote:
> mmm I was just bouncing something like this around in my head.
>
> In a perfect world, you could utilise MyGov infrastructure...
>
> Carriers could get a UUID that represents a "Know your customer" data validation that occurred between carriers and "MyGov", where the customer was MFA prompted (with the MyGov ID service) to say "Confirm you want to identify yourself to XXXX".
>
> Then the carrier would only be required to retain that UUID for the MFA verified auth transaction (and be explicitly instructed NOT to retain PII other than an email address to send invoices).
>
> Anyways... back to the real world.
From michael at juneks.com.au Tue Sep 27 14:26:03 2022
From: michael at juneks.com.au (Michael Junek)
Date: Tue, 27 Sep 2022 04:26:03 +0000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>

And what about all those international travellers who order Optus services (for example) who don't have, and aren't entitled to have, a MyGov account?

From: AusNOG On Behalf Of Giles Pollock
Sent: Tuesday, 27 September 2022 13:48
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] Optus Hack

Had the same thought, and it's good in principle, until you get that obnoxious little thought creeping into your head "yeah... but what if MyGov got hacked too?"
I suspect we'll end up with something akin to that down the track, as the information already exists across multiple government databases by law anyway. Might get interesting for non-citizens though?

(It probably will wind up all the sovcit types too, who will start throwing around their favourite catchphrases - NWO, world government, UN control, etc.)
From scott at doc.net.au Tue Sep 27 16:10:56 2022
From: scott at doc.net.au (Scott Howard)
Date: Tue, 27 Sep 2022 16:10:56 +1000
Subject: [AusNOG] Optus Hack

Official penalties help make security top of mind, but realistically it should already be there anyway. Optus has to know (or have known) that when something like this happens it has a serious impact on the company's credibility and costs them serious money in lost customers/future business.
However the simple fact is that most companies likely have something similar to this floating around somewhere on the website - no matter what controls they have in place. Possibly not as big as this one, but whilst ever humans are involved with the process, bugs will exist. Serious effort should be put into minimizing those bugs, limiting their impact, and quickly detecting and fixing them, but odds are some will still get through. It's one of the classic cases where the development/security process needs to get it right 100% of the time - 99.99% isn't good enough, and perfection is hard to achieve.

I've got a bit of experience here. As well as previously working for companies that were involved in detecting/blocking attacks like this, over the years I've found similar vulnerabilities in dozens of websites. Only a few weeks ago I found a similar vulnerability to the Optus one in Dish Networks/Boost Mobile (4th largest mobile provider in the US) - details available here. In that case it was an authorization issue rather than an authentication issue, and the scope was less due to US providers not having the need to ID customers as is required in Australia, but the fundamental issue is similar.

> What seems to be the pervasive mentality is more akin to "it will never happen to us".

Exactly. The correct mentality is that it WILL happen to you. If you're lucky, the person that finds it will be on the side of right, and will notify you and you can fix it with minimal impact. But if the wrong person finds it...

> I'd suggest in the wake of this whole mess, it might be a good idea to go have a talk to the relevant people inside your various businesses and start thinking about how to run tabletop exercises on what would happen should a breach occur, and how it might happen.

Not just should a breach occur, but multiple variations of what could occur. If someone contacts you to let you know of a vulnerability, how should you communicate with them?
I've had too many companies simply fail to talk to me when I'm trying to report an issue (the Dish/Boost one mentioned above is a perfect example - to their credit we're now communicating on multiple levels and they recognize the flaws in how they handled it). If the notification is from a white-hat, do you have the tools/logging in place to make sure that nobody else has accessed the same vulnerability? If it's a black-hat, can you tell what they accessed? (If they technically had access to 1 million records, but your logs show they only accessed 3, then you're in a much better spot than if you don't know!)

Most importantly, have a path for people to report issues to you. That could be via a formalized bug bounty program (e.g., BugCrowd, HackerOne), but at a minimum you need to have a path that reaches the right people quickly and efficiently.

Scott

From karen at iamunique.net.au Tue Sep 27 16:28:09 2022
From: karen at iamunique.net.au (karen at iamunique.net.au)
Date: Tue, 27 Sep 2022 16:28:09 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>
Message-ID: <32b3fbeb376d32ae01dc2d39315c2a40@iamunique.net.au>

Michael,

I like your suggestion about hashed versions. It would have certainly saved some hassle.

For the last year and a half I have been working as a tutor in information security and at this point would like to thank the nice folk at Optus for allowing us to update some notes with a really good example of what NOT to do.

I get that we went through this period where the terrorists would buy phones, so we all had to be able to be tracked to prove we weren't one. But that was during a time when the value was in credit card information, not identity information. The public expects a certain level of professionalism and care to be taken with personal and sensitive information, and especially with our identity information.
For them to make the mistakes they have, in this day and age, is just... wrong.

On 2022-09-27 12:39, Michael Kahl wrote:
> Is there any legal obligation to store sensitive ID information in its original form? Storing a hashed version only would be sufficient to prove the details had been collected and verify any future ID verification requirements without actually retaining the sensitive data.
>
> Separately, should the government provide an opt in two factor ID verification service for critical services such as telco, utilities, banking, etc? There are privacy concerns, however if implemented correctly they wouldn't be collecting any further information than what they legally have access to now.
From jamesmurphyau at me.com Tue Sep 27 16:35:47 2022
From: jamesmurphyau at me.com (James Murphy)
Date: Tue, 27 Sep 2022 16:35:47 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>
Message-ID: <39A7316D-66B0-4333-B379-071182A51A6B@me.com>

Does anyone know which laws cover the data they were keeping?

Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data. The closest thing I found was in the following:

C2022C00151 - Telecommunications (Interception and Access) Act 1979
C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021

which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?)
and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws?

13 Identification of a particular person

For the purposes of this Schedule, a particular person may be identified:
(a) by the person's full name; or
(b) by a name by which the person is commonly known; or
(c) as the person to whom a particular individual transmission service is supplied; or
(d) as the person to whom a particular individual message/call application service is provided; or
(e) as the person who has a particular account with a prescribed communications provider; or
(f) as the person who has a particular telephone number; or
(g) as the person who has a particular email address; or
(h) as the person who has a particular internet protocol address; or
(i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or
(j) by any other unique identifying factor that is applicable to the person.
and

187AA Information to be kept
(1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):

Item 1
Topic: The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
Description of information: The following:
(a) any information that is one or both of the following:
    (i) any name or address information;
    (ii) any other information for identification purposes;
relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
(b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
(c) any information that is one or both of the following:
    (i) billing or payment information;
    (ii) contact information;
relating to the relevant service, being information used by the service provider in relation to the relevant service;
(d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
(e) the status of the relevant service, or any related account, service or device.

> On 27 Sep 2022, at 11:12, Nathan Brookfield wrote:
>
> They're legally obligated to retain it but why it's on the API and why it's not encrypted.
>
> Looking at the data some fields are hashed and then repeated in the bloody clear :(
>
> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>
> My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
>
> regards,
> Glenn
>
> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>> Personally, I find putting Authentication on my API endpoints to be a
>> FANTASTIC first step towards API security. And then not even using
>> public IP addresses in test environments is a pretty good second
>> step..
>> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery wrote:
>>> Hi everyone,
>>> Obviously a big week in telco and cybersecurity. As part of my work
>>> I am on the Australian Cyber Security Industry Advisory Committee as
>>> an industry representative.
>>> I am keen to look at opening up a dialogue with more and more telco,
>>> DC and Cloud CISO's on what they are doing around this issue and
>>> looking to take a proactive step towards best practice on customer
>>> data and system security.
>>> There will be some pretty serious consequences of this hack on the
>>> industry and importantly we need to make sure we are as best placed
>>> to help each other continually increase in security posture through
>>> best practice, but also working with each other as an industry.
>>> Are people keen on having an online/VC session sometime in the next
>>> few weeks where like-minded industry participants get together and
>>> discuss security, retention, encryption, threat detection etc.? If
>>> so, just ping me directly and if there is enough interest I will
>>> send out an invitation to the list for a call.
>>> Cheers
>>> [b]
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at ausnog.net
>>> https://lists.ausnog.net/mailman/listinfo/ausnog
>> --
>> Damien Gardner Jnr
>> VK2TDG. Dip EE. GradIEAust
>> rendrag at rendrag.net - http://www.rendrag.net/
>> --
>> We rode on the winds of the rising storm,
>> We ran to the sounds of thunder.
>> We danced among the lightning bolts,
>> and tore the world asunder
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at ausnog.net
>> https://lists.ausnog.net/mailman/listinfo/ausnog

From sburjak at systech.com.au Tue Sep 27 16:46:53 2022
From: sburjak at systech.com.au (Serge Burjak)
Date: Tue, 27 Sep 2022 16:46:53 +1000
Subject: [AusNOG] Optus Hack
In-Reply-To: <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

https://www.oaic.gov.au/privacy/the-privacy-act

Covers it pretty well.

On Tue, 27 Sept 2022 at 16:36, James Murphy wrote:
>
> Does anyone know which laws cover the data they were keeping?
> [...]

From glipschitz at summitinternet.com.au Tue Sep 27 17:15:23 2022
From: glipschitz at summitinternet.com.au (Greg Lipschitz)
Date: Tue, 27 Sep 2022 07:15:23 +0000
Subject: [AusNOG] Small acoustically isolated racks
In-Reply-To:
References:
Message-ID:

Hi Julien

I've previously installed one of these for a customer.

https://www.apc.com/au/en/product-range/61820-netshelter-cx-enclosures/?parent-subcategory-id=88954

NetShelter CX Enclosures | APC Australia
A soundproofed server room in a box which allows for IT deployment wherever and whenever it is needed, saving space, cost and deployment time. | APC Australia
www.apc.com

Cheers
Greg

________________________________
Greg Lipschitz | Founder & CEO | Summit Internet
glipschitz at summitinternet.com.au
summitinternet.com.au
1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131

From: AusNOG on behalf of Julien Goodwin
Sent: 27 September 2022 11:26
To: ausnog at ausnog.net
Subject: [AusNOG] Small acoustically isolated racks

Does anyone have any suggestions for small (likely no larger than 10RU) acoustically isolated racks?

I need one for a meeting room, where it needs to fit in a space no larger than 700mm high (710mm *maybe*).
The current APC NetShelter CX 12RU (AR4000MVA) seems to be ~720mm high and that's too much.

I only need 4RU of actual rack equipment, so if there's other options I might be interested.
_______________________________________________
AusNOG mailing list
AusNOG at ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog

From jenn at jenn.id.au Tue Sep 27 17:28:07 2022
From: jenn at jenn.id.au (Jennifer Sims)
Date: Tue, 27 Sep 2022 17:28:07 +1000
Subject: [AusNOG] Small acoustically isolated racks
In-Reply-To:
References:
Message-ID:

We use those racks in our office space, I've lovingly nicknamed it "the cheese board" since you could literally build a charcuterie board on it. Some of them however, if they don't have good air flow you hear fans go into "A380 take off mode". (aka Loud!)
On Tue, Sep 27, 2022 at 5:15 PM Greg Lipschitz <glipschitz at summitinternet.com.au> wrote:
> Hi Julien
>
> I've previously installed one of these for a customer.
> [...]

From brad at bradleyamm.com Tue Sep 27 17:46:16 2022
From: brad at bradleyamm.com (Bradley Amm)
Date: Tue, 27 Sep 2022 07:46:16 +0000
Subject: [AusNOG] Small acoustically isolated racks
In-Reply-To:
References:
Message-ID: <1664264749373.2881@bradleyamm.com>

We have been looking at Micro Data Center | Edge Micro Data Center | Zella DC

Got a demo tomorrow
________________________________
From: AusNOG on behalf of Jennifer Sims
Sent: Tuesday, September 27, 2022 3:28 PM
To: Greg Lipschitz
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] Small acoustically isolated racks

We use those racks in our office space, I've lovingly nicknamed it "the cheese board" since you could literally build a charcuterie board on it. Some of them however, if they don't have good air flow you hear fans go into "A380 take off mode". (aka Loud!)

On Tue, Sep 27, 2022 at 5:15 PM Greg Lipschitz wrote:
[...]

From kauer at biplane.com.au Tue Sep 27 17:52:13 2022
From: kauer at biplane.com.au (Karl Auer)
Date: Tue, 27 Sep 2022 17:52:13 +1000
Subject: [AusNOG] Small acoustically isolated racks
In-Reply-To:
References:
Message-ID: <73829e416d03b9ba7c9a1bbfa83fda26c040c067.camel@biplane.com.au>

On Tue, 2022-09-27 at 17:28 +1000, Jennifer Sims wrote:
> We use those racks in our office space
>
> https://www.apc.com/au/en/product-range/61820-netshelter-cx-enclosures/?parent-subcategory-id=88954

They seem ferociously expensive, or am I just out of touch?

Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

From mqh at miju.com.au Tue Sep 27 19:39:24 2022
From: mqh at miju.com.au (Michael Hockey)
Date: Tue, 27 Sep 2022 09:39:24 +0000
Subject: [AusNOG] Optus hack - another angle
Message-ID:

I received one of those emails from Optus today. But I did phone Optus as I had a curious incident related to a third party entity that links via Optus. The Optus help line was not helpful, the hold music was very loud and the queue wait kept getting longer.

I asked them what steps they took to notify other institutions they went public. It is obvious that Optus had to have a plan in place - eg steps to do if happened (insert whatever you want here - fire, network down, etc) and going public is not step 1.

So does anyone have any information as to what the Optus data breach plan was likely to be?

Michael Hockey
CISM (Ret), CISA (Ret), MACS, BA, BSc
PO Box 176, Corinda Q 4075, Australia
Phone: +61 0409 835 041
Email: michael.hockey @miju.com.au

From sburjak at systech.com.au Tue Sep 27 20:24:12 2022
From: sburjak at systech.com.au (Serge Burjak)
Date: Tue, 27 Sep 2022 20:24:12 +1000
Subject: [AusNOG] Optus hack - another angle
In-Reply-To:
References:
Message-ID: <57A57D9F-99C1-42BC-A996-903BEB60C87A@systech.com.au>

An HTML attachment was scrubbed...
From ausnog at arstotzka.su Tue Sep 27 22:44:13 2022
From: ausnog at arstotzka.su (Jorji Costava)
Date: Tue, 27 Sep 2022 12:44:13 +0000
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au>
Message-ID: <010101837ef9f14f-abe91c23-d996-4720-a679-cd620f07fb0f-000000@us-west-2.amazonses.com>

Hi Giles,

Don't even need to ask yourself "what if" as it already happened back in the early days. Though the issue was XSS and so nowhere near as serious as Optus' screw up but still inexcusable in this or the previous decade. When the person who found this attempted to responsibly disclose it to the government, he hit a giant brick wall.

Here's the blog article https://nikcub.me/posts/multiple-vulnerabilities-in-mygov-australian-government and subsequent press coverage https://www.smh.com.au/technology/revealed-serious-flaws-in-mygov-site-exposed-millions-of-australians-private-information-20140514-zrczw.html

The sad part is that as poorly as Optus has handled user info, I've seen worse and frankly I'm amazed that one company I had the displeasure of working with a number of years ago hasn't suffered something similar. They kept even more PII than Optus (if you can believe that!) and did an appalling job of securing it for the 100s of thousands of unfortunate souls in their DB.

I don't know what the answer is though. If you want to see a mature digital ID system, look at Sweden where they have something called "BankID" which is a similar concept except administered by the banks and only available to residents with a personnummer (similar to a tax file number). It's a system that is great for those who are born into it or have gained access via long term residency, but if you're on the outside, it makes everything extremely cumbersome as basically every company asks for it.
On 27/09/2022 11:48 am, Giles Pollock wrote:
> Had the same thought, and it's good in principle, until you get that
> obnoxious little thought creeping into your head "yeah... but what if
> MyGov got hacked too?"
>
> I suspect we'll end up with something akin to that down the track, as
> the information already exists across multiple government databases by
> law anyway. Might get interesting for non citizens though?
>
> (It probably will wind up all the sovcit types too who will start
> throwing around their favourite catchphrases - NWO, world government,
> UN control, etc)
>
> On Tue, Sep 27, 2022 at 1:40 PM jay binks wrote:
>
> mmm I was just bouncing something like this around in my head.
>
> In a perfect world, you could utilise MYGov infrastructure...
>
> Carriers could get a UUID that represents a "Know your customer"
> Data validation that occurred between carriers and "MyGov", where
> the customer was MFA prompted (with the MyGov ID service) to say
> "Confirm you want to identify yourself to XXXX".
>
> Then the carrier would only be required to retain that UUID for
> the MFA Verified auth transaction.
> (and be explicitly instructed NOT to retain PII other than an
> email address to send invoices)
>
> Anyways... back to the real world.
>
> On Tue, 27 Sept 2022 at 13:06, Nick Adams wrote:
>
> See the "Australia Card"[1] for why the Federal government
> probably couldn't provide central identification/auth
> services. It is politically very challenging...despite the
> obvious benefits it would provide.
>
> [1] https://en.wikipedia.org/wiki/Australia_Card
>
> --
> Regards,
>
> Nick Adams
>
> On Tue, 27 Sep 2022, at 12:39 PM, Michael Kahl wrote:
>> Is there any legal obligation to store sensitive ID
>> information in its original form? Storing a hashed version
>> only would be sufficient to prove the details had been
>> collected and verify any future ID verification requirements
>> without actually retaining the sensitive data.
>>
>> Separately, should the government provide an opt in two
>> factor ID verification service for critical services such as
>> telco, utilities, banking, etc? There are privacy concerns,
>> however if implemented correctly they wouldn't be collecting
>> any further information than what they legally have access to
>> now.
>>
>> On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield wrote:
>> [...]
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> Sincerely
>
> Jay
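To make concrete the approach Michael Kahl and Glenn raise in the quoted thread above (keep proof that the 100 points were sighted, not the documents themselves), here is an added illustration; it is not code from anyone on this list or from Optus. The provider stores a salted, keyed hash of the normalised document details and can later re-check a document the customer presents, but holds nothing from which the original value can be read back. The PEPPER key, the record layout, the hypothetical enrol/reverify helpers and the sample licence number and date of birth are all constructed for the example. The keyed construction matters because licence numbers and dates of birth are low-entropy: a plain unkeyed hash of them offers little protection once the table is dumped, so in a real deployment the key lives in an HSM/KMS separate from the database.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, asdict

# Constructed for this example: a server-side secret ("pepper"). In production
# it is held in an HSM/KMS, never alongside the records it protects, so that a
# dump of the database alone is not enough to enumerate low-entropy inputs.
PEPPER = secrets.token_bytes(32)


@dataclass(frozen=True)
class IdCheckRecord:
    """What the provider keeps: proof of the check, but no document values."""
    salt_hex: str          # per-record random salt (not secret)
    tag_hex: str           # HMAC tag over the normalised document details
    points_verified: bool  # the "100 points provided = true" flag from the thread


def _normalise(document_number: str, date_of_birth: str) -> bytes:
    """Canonicalise the inputs so cosmetic differences do not break re-checks."""
    doc = "".join(document_number.split()).upper()      # "xy 123 456" -> "XY123456"
    dob = date_of_birth.strip()                          # expected as YYYY-MM-DD
    return b"\x1f".join([doc.encode(), dob.encode()])    # unit separator: unambiguous join


def _tag(salt: bytes, payload: bytes, pepper: bytes) -> bytes:
    """Keyed, salted tag: HMAC-SHA256 under a per-record key derived from the pepper."""
    record_key = hmac.new(pepper, salt, hashlib.sha256).digest()
    return hmac.new(record_key, payload, hashlib.sha256).digest()


def enrol(document_number: str, date_of_birth: str, pepper: bytes = PEPPER) -> IdCheckRecord:
    """Run at onboarding, after the 100-point check has passed.

    Returns the only thing to be persisted. The document number and date of
    birth are not part of the record and can be discarded once this returns.
    """
    salt = os.urandom(16)
    tag = _tag(salt, _normalise(document_number, date_of_birth), pepper)
    return IdCheckRecord(salt_hex=salt.hex(), tag_hex=tag.hex(), points_verified=True)


def reverify(record: IdCheckRecord, document_number: str, date_of_birth: str,
             pepper: bytes = PEPPER) -> bool:
    """Later re-check: the customer presents the document again; recompute and compare."""
    if not record.points_verified:
        return False
    expected = bytes.fromhex(record.tag_hex)
    actual = _tag(bytes.fromhex(record.salt_hex),
                  _normalise(document_number, date_of_birth), pepper)
    return hmac.compare_digest(expected, actual)   # constant-time comparison


def stored_fields(record: IdCheckRecord) -> dict:
    """Everything that would reach the database (useful for checking what is retained)."""
    return asdict(record)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    rec = enrol("XY 123 456", "1990-04-05")
    print("stored:", stored_fields(rec))
    print("re-check same document:", reverify(rec, "xy123456", "1990-04-05"))
    print("re-check wrong DOB:    ", reverify(rec, "xy123456", "1990-04-06"))
```

Two properties worth noting: the per-record salt means the same document enrolled twice yields unrelated tags, so a dumped table cannot be used to link customers across records, and the pepper binds every tag to a key the database never holds. What this does not give the provider is the document value itself for any later request, which is exactly the retention question the thread is arguing about.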
From jamesmurphyau at me.com Tue Sep 27 23:29:13 2022
From: jamesmurphyau at me.com (James Murphy)
Date: Tue, 27 Sep 2022 23:29:13 +1000
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

Looking over the Privacy Act and oaic.gov.au, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned)

"identification information" is the term that includes a drivers license number and date of birth
"Credit information" is the term that includes "identification information" about an individual (therefore includes drivers license number and date of birth)

There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it.

For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979", they all talk about "personal information" (which doesn't specifically include date of birth or drivers license number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store)

From the Privacy Act:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid. If this is required by law, I would love to understand how (ie which laws/acts cover it) > On 27 Sep 2022, at 16:46, Serge Burjak wrote: > > https://www.oaic.gov.au/privacy/the-privacy-act > > Covers it pretty well. > > On Tue, 27 Sept 2022 at 16:36, James Murphy wrote: >> >> Does anyone know which laws cover the data they were keeping? >> >> Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data. >> >> The closest thing I found was in the following: >> >> C2022C00151 - Telecommunications (Interception and Access) Act 1979 >> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 >> C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021 >> >> which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws? 
>> >> 13 Identification of a particular person >> For the purposes of this Schedule, a particular person may be identified: >> (a) by the person?s full name; or >> (b) by a name by which the person is commonly known; or >> (c) as the person to whom a particular individual transmission service is supplied; or >> (d) as the person to whom a particular individual message/call application service is provided; or >> (e) as the person who has a particular account with a prescribed communications provider; or >> (f) as the person who has a particular telephone number; or >> (g) as the person who has a particular email address; or >> (h) as the person who has a particular internet protocol address; or >> (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or >> (j) by any other unique identifying factor that is applicable to the person. >> >> >> and >> >> 187AA Information to be kept >> (1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1): >> Item >> >> 1 >> >> Topic >> >> The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service >> >> Description of information >> >> The following: >> >> (a) any information that is one or both of the following: >> >> (i) any name or address information; >> >> (ii) any other information for identification purposes; >> >> relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service; >> >> (b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device; >> >> (c) any information that is one or both of the following: >> >> (i) billing or payment information; >> >> (ii) contact information; >> >> relating to the 
relevant service, being information used by the service provider in relation to the relevant service; >> >> (d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device; >> >> (e) he status of the relevant service, or any related account, service or device. >> >> >> >> On 27 Sep 2022, at 11:12, Nathan Brookfield wrote: >> >> They?re legally obligated to retain it but why it?s on the API and why it?s not encrypted. >> >> Looking at the data some fields are hashed and then repeated in the bloody clear :( >> >> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: >> >> ?My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need. >> >> regards, >> Glenn >> >> On 2022-09-27 10:49, Damien Gardner Jnr wrote: >> >> Personally, I find putting Authentication on my API endpoints to be a >> FANTASTIC first step towards API security. And then not even using >> public IP addresses in test environments is a pretty good second >> step.. >> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery >> wrote: >> >> Hi everyone, >> Obviously a big week in telco and cybersecurity. As part of my work >> I am on the Australian Cyber Security Industry Advisory Committee as >> an industry representative. >> I am keen to look at opening up a dialogue with more and more telco, >> DC and Cloud CISO?s on what they are doing around this issue and >> looking to take a proactive step towards best practice on customer >> data and system security. 
>> There will be some pretty serious consequences of this hack on the >> industry and importantly we need to make sure we are as best placed >> to help each other continually increase in security posture through >> best practice, but also working with each other as an industry. >> Are people keen on having a online/VC session sometime in the next >> few weeks where like-minded industry participants get together and >> discuss security, retention, encryption, threat detection etc.? If >> so, just ping me directly and if there is enough interest I will >> send out an invitation to the list for a call. >> Cheers >> [b] >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> >> -- >> Damien Gardner Jnr >> VK2TDG. Dip EE. GradIEAust >> rendrag at rendrag.net - http://www.rendrag.net/ >> -- >> We rode on the winds of the rising storm, >> We ran to the sounds of thunder. >> We danced among the lightning bolts, >> and tore the world asunder >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> >> >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From mmc at mmc.com.au Wed Sep 28 09:27:07 2022
From: mmc at mmc.com.au (Matthew Moyle-Croft)
Date: Wed, 28 Sep 2022 08:57:07 +0930
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

Hi,

There's more than just the telco and privacy laws though and what you think your company is required to adhere to can be non-trivial to determine and may not be consistent.

eg. https://www.legislation.gov.au/Details/C2022C00179

If a telco is providing devices on hire-purchase or lease (see 6.(2) 10 and 12 for instance) as often people do with mobile carriers for phones then the requirement to maintain that information is 7 years as per part 10.

MMC

On Tue, Sep 27, 2022 at 11:00 PM James Murphy wrote:

From jeremy at resolvergroup.com.au Wed Sep 28 09:44:41 2022
From: jeremy at resolvergroup.com.au (Jeremy Chequer)
Date: Tue, 27 Sep 2022 23:44:41 +0000
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

Hi

There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided.

Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don't disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file.
The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information.

Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I'm not sure if that would be enough to comply with some of the obligations.

- Jeremy

From: AusNOG On Behalf Of James Murphy
Sent: Tuesday, 27 September 2022 11:29 PM
To: Serge Burjak
Cc: AusNOG Mailing List
Subject: Re: [AusNOG] Optus Hack

From jaedwards at gmail.com Wed Sep 28 09:45:13 2022
From: jaedwards at gmail.com (John Edwards)
Date: Wed, 28 Sep 2022 09:15:13 +0930
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

It's within the industry's living memory that Australia's biggest telco used to publish a physical book with everyone's personal information in it. Most of our telco privacy legislation evolved from how things got in this book, which was an "open by default" model.

The very first Optus retail customers were those who dialled an override code on a Telstra phone line for cheaper STD rates. Telstra then provided personal details for billing, even though no-one had an existing relationship with Optus..
John On Tue, 27 Sept 2022 at 22:59, James Murphy wrote: > Looking over the Privacy Act and oaic.gov.au, I still can't see any laws > about a telco (or any business other than a credit reporting body) storing > this level of information - specifically a drivers license number or date > of birth (passport number isn't mentioned) > > "identification information" is the term that includes a drivers license > number and date of birth > "Credit information" is the term that includes "identification > information" about an individual (therefor includes drivers license number > and date of birth) > > There are only laws about how long a credit reporting body stores this > information. A credit provider (ie Optus) doesn't need to store it, but > does need to provide it to the credit reporting body - so they need to > collect it and share it but they don't need to store it. > > For the data a telco does need to store - which looks to be added in the > "Telecommunications (Interception and Access) Act 1979", they all talk > about "personal information" (which doesn't specifically include date of > birth or drivers license number, so you would be complying with that law if > you didn't store those pieces of data - provided you can reasonably > identify a person with the data you do store) > > From the Privacy Act: > > *personal information* means information or an opinion about an > identified individual, or an individual who is reasonably identifiable: > (a) whether the information or opinion is true or not; and > (b) whether the information or opinion is recorded in a material form or > not. > Note: Section 187LA of the Telecommunications (Interception and Access) > Act 1979 extends the meaning of personal information to cover information > kept under Part 5-1A of that Act. 
> > > So the argument that they need to store this by law - to me (a software > developer/techy who sometimes can spend hours reading shit like this trying > to pick holes in it - so: not a lawyer) - doesn't seem valid. > > If this is required by law, I would love to understand how (ie which > laws/acts cover it) > > > > On 27 Sep 2022, at 16:46, Serge Burjak wrote: > > https://www.oaic.gov.au/privacy/the-privacy-act > > Covers it pretty well. > > On Tue, 27 Sept 2022 at 16:36, James Murphy wrote: > > > Does anyone know which laws cover the data they were keeping? > > Did a search for anything with "telecommunication" in the name (link), > found 71 results and downloaded 73 PDF files (C2022C00170 > Telecommunications Act 1997 had 3 files, all others had 1 file), and can't > find anything that mentions keeping this level of data. > > The closest thing I found was in the following: > > C2022C00151 - Telecommunications (Interception and Access) Act 1979 > C2015A00039 - Telecommunications (Interception and Access) Amendment (Data > Retention) Act 2015 > C2021A00078 - Telecommunications Legislation Amendment (International > Production Orders) Act 2021 > > which contained the following two sections that seem to cover > identification information - there doesn't seem to be anything that says > they need to collect or store to the level that Optus seems to have done.. > Almost reads like you could store name and address (without DOB?) and that > would be adequate enough (but I'm not a lawyer so who knows).. Am I looking > in the wrong place/at the wrong laws? 
> > 13 Identification of a particular person > For the purposes of this Schedule, a particular person may be identified: > (a) by the person's full name; or > (b) by a name by which the person is commonly known; or > (c) as the person to whom a particular individual transmission service is > supplied; or > (d) as the person to whom a particular individual message/call application > service is provided; or > (e) as the person who has a particular account with a prescribed > communications provider; or > (f) as the person who has a particular telephone number; or > (g) as the person who has a particular email address; or > (h) as the person who has a particular internet protocol address; or > (i) as the person who has a device that has a particular unique identifier > (for example, an electronic serial number or a Media Access Control > address); or > (j) by any other unique identifying factor that is applicable to the > person. > > > and > > 187AA Information to be kept > (1) The following table sets out the kinds of information that a service > provider must keep, or cause to be kept, under subsection 187A(1): > Item > > 1 > > Topic > > The subscriber of, and accounts, services, telecommunications devices and > other relevant services relating to, the relevant service > > Description of information > > The following: > > (a) any information that is one or both of the following: > > (i) any name or address information; > > (ii) any other information for identification purposes; > > relating to the relevant service, being information used by the service > provider for the purposes of identifying the subscriber of the relevant > service; > > (b) any information relating to any contract, agreement or arrangement > relating to the relevant service, or to any related account, service or > device; > > (c) any information that is one or both of the following: > > (i) billing or payment information; > > (ii) contact information; > > relating to the relevant service, being
information used by the service > provider in relation to the relevant service; > > (d) any identifiers relating to the relevant service or any related > account, service or device, being information used by the service provider > in relation to the relevant service or any related account, service or > device; > > (e) the status of the relevant service, or any related account, service or > device. > > > > On 27 Sep 2022, at 11:12, Nathan Brookfield < > Nathan.Brookfield at iperium.com.au> wrote: > > They're legally obligated to retain it but why it's on the API and why > it's not encrypted. > > Looking at the data some fields are hashed and then repeated in the bloody > clear :( > > On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: > > My understanding was that the data included the 100 points of ID info. > Why are they retaining this? Surely after confirming the 100 points there > only needs to be a record "100 points provided"=true and not retain the > actual details. This goes back to only keeping the private data you need. > > regards, > Glenn > > On 2022-09-27 10:49, Damien Gardner Jnr wrote: > > Personally, I find putting Authentication on my API endpoints to be a > FANTASTIC first step towards API security. And then not even using > public IP addresses in test environments is a pretty good second > step.. > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery > wrote: > > Hi everyone, > Obviously a big week in telco and cybersecurity. As part of my work > I am on the Australian Cyber Security Industry Advisory Committee as > an industry representative. > I am keen to look at opening up a dialogue with more and more telco, > DC and Cloud CISOs on what they are doing around this issue and > looking to take a proactive step towards best practice on customer > data and system security.
> There will be some pretty serious consequences of this hack on the > industry and importantly we need to make sure we are as best placed > to help each other continually increase in security posture through > best practice, but also working with each other as an industry. > Are people keen on having an online/VC session sometime in the next > few weeks where like-minded industry participants get together and > discuss security, retention, encryption, threat detection etc.? If > so, just ping me directly and if there is enough interest I will > send out an invitation to the list for a call. > Cheers > [b] > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > -- > Damien Gardner Jnr > VK2TDG. Dip EE. GradIEAust > rendrag at rendrag.net - http://www.rendrag.net/ > -- > We rode on the winds of the rising storm, > We ran to the sounds of thunder. > We danced among the lightning bolts, > and tore the world asunder
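A worked example, added here and not taken from any message in this thread, of the record Glenn describes: keep the fact that the 100-points check passed and a reference to the check, not the documents themselves. Nathan's observation that hashed fields were also sitting next to the clear values is why the one identifier this record does retain is a keyed hash under a secret pepper rather than a plain hash, which for a low-entropy field such as a licence number or date of birth can be inverted by enumeration. Everything in it (the pepper value, the check id, the sample documents and the record layout) is constructed for illustration.

```python
"""Added example (not from the thread): retain the outcome of a 100-points
ID check, not the identity documents.  Standard library only."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Assumption: a server-side secret held in a KMS/HSM and never stored
# alongside the records.  Constructed value for the example only.
PEPPER = bytes.fromhex("0f" * 32)

# Constructed sample: (document type, document number, points) as seen by
# the operator during the check.  These values live in memory only.
SAMPLE_DOCUMENTS = [
    ("drivers_licence", "XY123456", 70),
    ("medicare_card", "2345 67890 1", 40),
]


@dataclass(frozen=True)
class VerificationRecord:
    check_id: str         # reference returned by the external check (e.g. DVS)
    verified: bool        # pass/fail outcome of the 100-points test
    points: int           # points achieved
    checked_at: str       # ISO-8601 UTC timestamp
    doc_fingerprint: str  # keyed hash of the primary document number, for de-duplication only


def document_fingerprint(doc_type: str, doc_number: str) -> str:
    """HMAC-SHA256 of a document number under the secret pepper.

    An unkeyed hash of a structured, low-entropy identifier can be recovered
    by enumerating the identifier space; a keyed one cannot without the
    pepper, and destroying the pepper renders the stored column useless."""
    msg = f"{doc_type}:{doc_number.replace(' ', '')}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


def record_verification(documents, check_id: str, checked_at=None) -> VerificationRecord:
    """Reduce the presented documents to the minimum needed later on."""
    points = sum(p for _, _, p in documents)
    doc_type, doc_number, _ = documents[0]
    return VerificationRecord(
        check_id=check_id,
        verified=points >= 100,
        points=points,
        checked_at=(checked_at or datetime.now(timezone.utc)).isoformat(),
        doc_fingerprint=document_fingerprint(doc_type, doc_number),
    )


def leaks_document_numbers(record: VerificationRecord, documents) -> bool:
    """Guard for the write path: True if any raw document number survives serialisation."""
    blob = json.dumps(asdict(record)).replace(" ", "")
    return any(number.replace(" ", "") in blob for _, number, _ in documents)


def demo_record() -> VerificationRecord:
    """Run the check on the constructed sample and confirm nothing raw is kept."""
    rec = record_verification(SAMPLE_DOCUMENTS, check_id="chk-0001")  # constructed check id
    assert not leaks_document_numbers(rec, SAMPLE_DOCUMENTS)
    return rec


if __name__ == "__main__":
    print(json.dumps(asdict(demo_record()), indent=2))
```

The de-duplication fingerprint is the only field that still derives from a document; if the business has no need to detect the same licence being presented twice, drop it and the record holds nothing worth stealing beyond the fact that a check happened.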
From martinvisser99 at gmail.com Wed Sep 28 10:10:58 2022 From: martinvisser99 at gmail.com (Martin Visser) Date: Wed, 28 Sep 2022 10:10:58 +1000 Subject: [AusNOG] Optus Hack In-Reply-To: References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> Message-ID: Talking about hashing and so on, there are some quite interesting developments around being able to disclose with confidence to a consuming entity some information about you without actually sharing the data. For example one was being able to prove your age is greater than say 18 (at a pub or club) but without actually disclosing your birthday. Others were whether you had met some certification or other obligations. I know this sometimes gets sucked into the whole cryptocurrency/blockchain thing but I don't think it has to be fully tied to that. Anyway, the two podcasts I listened to on this have stimulated me to look into it a bit deeper - https://twit.tv/shows/floss-weekly/episodes/685 (Sam Curren on DIDs and DIDcomm) and https://twit.tv/shows/floss-weekly/episodes/686 (Dave Huseby on Authentic Data) Regards, Martin MartinVisser99 at gmail.com On Wed, 28 Sept 2022 at 09:45, John Edwards wrote: > It's within the industry's living memory that Australia's biggest telco > used to publish a physical book with everyone's personal information in it. > > Most of our telco privacy legislation evolved from how things got in this > book, which was an "open by default" model. > > The very first Optus retail customers were those who dialled an override > code on a Telstra phone line for cheaper STD rates. Telstra then provided > personal details for billing, even though no-one had an existing > relationship with Optus..
> > John > > > > > On Tue, 27 Sept 2022 at 22:59, James Murphy wrote: > >> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws >> about a telco (or any business other than a credit reporting body) storing >> this level of information - specifically a drivers license number or date >> of birth (passport number isn't mentioned) >> >> "identification information" is the term that includes a drivers license >> number and date of birth >> "Credit information" is the term that includes "identification >> information" about an individual (therefore includes drivers license number >> and date of birth) >> >> There are only laws about how long a credit reporting body stores this >> information. A credit provider (ie Optus) doesn't need to store it, but >> does need to provide it to the credit reporting body - so they need to >> collect it and share it but they don't need to store it. >> >> For the data a telco does need to store - which looks to be added in the >> "Telecommunications (Interception and Access) Act 1979", they all talk >> about "personal information" (which doesn't specifically include date of >> birth or drivers license number, so you would be complying with that law if >> you didn't store those pieces of data - provided you can reasonably >> identify a person with the data you do store) >> >> From the Privacy Act: >> >> *personal information* means information or an opinion about an >> identified individual, or an individual who is reasonably identifiable: >> (a) whether the information or opinion is true or not; and >> (b) whether the information or opinion is recorded in a material form or >> not. >> Note: Section 187LA of the Telecommunications (Interception and Access) >> Act 1979 extends the meaning of personal information to cover information >> kept under Part 5-1A of that Act. >> >> [...]
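Martin's "prove you are over 18 without disclosing your birthday" as an added, runnable example; it is not code from the thread or from the podcasts it cites. It uses the salted-digest selective-disclosure pattern (the building block behind SD-JWT style credentials): the issuer commits to every claim, including a derived over_18 claim it computes from the date of birth, and the holder later reveals only the commitments it chooses. Assumptions: HMAC-SHA256 stands in for the issuer's digital signature so the code runs on the standard library alone, which means the verifier here shares the issuer key; the issuer name, key and the people are constructed.

```python
"""Added example (not from the thread): selective disclosure of a derived
"over 18" claim from a signed credential, without revealing the birthday."""
import hashlib
import hmac
import json
import secrets
from datetime import date

# Assumption: issuer key material.  HMAC stands in for a real signature
# (e.g. Ed25519) so the example runs on the standard library; with a MAC the
# verifier must hold the same key, which a signature scheme would avoid.
ISSUER_KEY = bytes.fromhex("a1" * 32)  # constructed


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim: hash over a random salt, the claim name and value."""
    canon = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def _sign(credential_without_sig: dict) -> str:
    payload = json.dumps(credential_without_sig, separators=(",", ":"), sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def is_over(dob: date, years: int, as_of: date) -> bool:
    """True once the person born on `dob` has had their `years`-th birthday by `as_of`."""
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:                      # 29 February birthdays roll to 1 March
        birthday = date(dob.year + years, 3, 1)
    return as_of >= birthday


def issue(claims: dict, dob: date, as_of: date):
    """Issuer: compute the derived claim, commit to every claim with its own
    salt, and sign the sorted digest list (sorting hides claim order)."""
    full = dict(claims)
    full["date_of_birth"] = dob.isoformat()
    full["over_18"] = is_over(dob, 18, as_of)
    disclosures = {name: (secrets.token_hex(16), name, value) for name, value in full.items()}
    credential = {
        "issuer": "example-issuer",           # constructed
        "issued_at": as_of.isoformat(),
        "digests": sorted(_digest(*d) for d in disclosures.values()),
    }
    credential["sig"] = _sign(credential)
    return credential, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder: send the signed credential plus only the chosen disclosures."""
    return {"credential": credential, "disclosed": [disclosures[name] for name in reveal]}


def verify(presentation: dict) -> dict:
    """Verifier: check the issuer's signature, then that each disclosed claim
    hashes to a digest the issuer committed to.  Returns the disclosed claims
    or raises on any mismatch."""
    cred = dict(presentation["credential"])
    sig = cred.pop("sig")
    if not hmac.compare_digest(sig, _sign(cred)):
        raise ValueError("bad issuer signature")
    committed = set(cred["digests"])
    revealed = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in committed:
            raise ValueError(f"claim {name!r} was not attested by the issuer")
        revealed[name] = value
    return revealed


def demo_over_18():
    """Adult holder proves over_18; returns the verified claims and the wire form."""
    cred, disc = issue({"name": "Alex Example"}, date(2000, 5, 17), date(2022, 9, 28))
    wire = json.dumps(present(cred, disc, ["over_18"]))   # what the pub actually receives
    return verify(json.loads(wire)), wire


def demo_under_18() -> dict:
    cred, disc = issue({"name": "Sam Sample"}, date(2005, 1, 1), date(2022, 9, 28))
    return verify(present(cred, disc, ["over_18"]))


def tamper_rejected() -> bool:
    """A minor flipping over_18 to True fails the digest check."""
    cred, disc = issue({"name": "Sam Sample"}, date(2010, 1, 1), date(2022, 9, 28))
    salt, name, _ = disc["over_18"]
    try:
        verify({"credential": cred, "disclosed": [(salt, name, True)]})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    claims, wire = demo_over_18()
    print(claims, "birthday on the wire:", "2000-05-17" in wire)
```

The holder never transmits the date of birth or name, and the verifier cannot learn them from the remaining digests because each is salted. The issuer does have to be willing to attest to the predicate ahead of time; a zero-knowledge range proof removes that constraint, and an asymmetric signature removes the shared-key assumption, but the disclosure outcome a venue needs is already achieved by this simpler construction.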
From andrew at oakeley.com.au Wed Sep 28 10:31:50 2022 From: andrew at oakeley.com.au (Andrew Oakeley) Date: Wed, 28 Sep 2022 00:31:50 +0000 Subject: [AusNOG] Optus Hack In-Reply-To: References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> Message-ID: Hi, > Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don't disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. This should also cut both ways. There needs to be some way consumers can easily identify that the provider calling them is actually who they say they are. I am sick of my bank and telco calling me and saying "Before we go any further can you please tell me your date of birth so we can confirm we are talking to the right person?". Well how about you confirm who you are before I disclose my DOB to someone who has randomly called me. Andrew From: AusNOG On Behalf Of Jeremy Chequer Sent: Wednesday, 28 September 2022 7:45 AM To: James Murphy Cc: AusNOG Mailing List Subject: Re: [AusNOG] Optus Hack Hi There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided. Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don't disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file.
The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information. Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I'm not sure if that would be enough to comply with some of the obligations. - Jeremy From: AusNOG > On Behalf Of James Murphy Sent: Tuesday, 27 September 2022 11:29 PM To: Serge Burjak > Cc: AusNOG Mailing List > Subject: Re: [AusNOG] Optus Hack [...]
From glp71s at gmail.com Wed Sep 28 10:33:36 2022 From: glp71s at gmail.com (Giles Pollock) Date: Wed, 28 Sep 2022 10:33:36 +1000 Subject: [AusNOG] Optus Hack In-Reply-To: References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> Message-ID: So.... SSL for phone calls? On Wed, Sep 28, 2022 at 10:32 AM Andrew Oakeley wrote: > [...]
> There will be some pretty serious consequences of this hack on the > industry and importantly we need to make sure we are as best placed > to help each other continually increase in security posture through > best practice, but also working with each other as an industry. > Are people keen on having a online/VC session sometime in the next > few weeks where like-minded industry participants get together and > discuss security, retention, encryption, threat detection etc.? If > so, just ping me directly and if there is enough interest I will > send out an invitation to the list for a call. > Cheers > [b] > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > -- > Damien Gardner Jnr > VK2TDG. Dip EE. GradIEAust > rendrag at rendrag.net - http://www.rendrag.net/ > -- > We rode on the winds of the rising storm, > We ran to the sounds of thunder. > We danced among the lightning bolts, > and tore the world asunder > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > > > _______________________________________________ > AusNOG mailing list > AusNOG at ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -------------- next part -------------- An HTML attachment was scrubbed... 
From scott at doc.net.au Wed Sep 28 10:47:54 2022
From: scott at doc.net.au (Scott Howard)
Date: Tue, 27 Sep 2022 17:47:54 -0700
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

On Tue, Sep 27, 2022 at 5:32 PM Andrew Oakeley wrote:
> I am sick of my bank and telco calling me and saying "Before we go any further can you please tell me your date of birth so we can confirm we are talking to the right person?". Well how about you confirm who you are before I disclose my DOB to someone who has randomly called me.

This is starting to happen in the US. The combination of SHAKEN/STIR caller id authentication, along with things like Android "Verified Calls" (https://developers.google.com/business-communications/verified-calls) and Apple's equivalent mean that it's far easier to confirm the caller really is who they are saying they are. When I get a call from my US bank (on my US phone), it clearly states who it's from, and that the call is verified to be from them.

Unfortunately it's otherwise a hard problem to solve. Sure, there are "simple" solutions (like asking to call back on the number on your card) but these are an imposition on both sides. The average consumer doesn't understand the problem, so when companies do add additional steps like that, it's seen as a negative by the customer.

Scott

From justinjoncourtney at gmail.com Wed Sep 28 10:53:19 2022
From: justinjoncourtney at gmail.com (Justin Courtney)
Date: Wed, 28 Sep 2022 10:53:19 +1000
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID:

Interesting regarding the voice authentication. I have this feature when transferring large amounts with an Aussie based bank.

On Wed, 28 Sept 2022 at 10:48, Scott Howard wrote:
> On Tue, Sep 27, 2022 at 5:32 PM Andrew Oakeley wrote:
>> I am sick of my bank and telco calling me and saying "Before we go any further can you please tell me your date of birth so we can confirm we are talking to the right person?". Well how about you confirm who you are before I disclose my DOB to someone who has randomly called me.
>
> This is starting to happen in the US. The combination of SHAKEN/STIR caller id authentication, along with things like Android "Verified Calls" (https://developers.google.com/business-communications/verified-calls) and Apple's equivalent mean that it's far easier to confirm the caller really is who they are saying they are. When I get a call from my US bank (on my US phone), it clearly states who it's from, and that the call is verified to be from them.
>
> Unfortunately it's otherwise a hard problem to solve. Sure, there are "simple" solutions (like asking to call back on the number on your card) but these are an imposition on both sides. The average consumer doesn't understand the problem, so when companies do add additional steps like that, it's seen as a negative by the customer.
>
> Scott

From jamesmurphyau at me.com Wed Sep 28 12:02:48 2022
From: jamesmurphyau at me.com (James Murphy)
Date: Wed, 28 Sep 2022 12:02:48 +1000
Subject: [AusNOG] Optus Hack
In-Reply-To:
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>
Message-ID: <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com>

I'll stop referring to DOB because it seems valid and reasonable that it is kept - so I'll just mention the license number / passport number - which is what people really have an issue with.
What I read in that law you linked to below (F2017L00399 - Telecommunications (Service Provider – Identity Checks for Prepaid Mobile Carriage Services) Determination 2017) actually says it's against the law to "record and keep" either "the identifying number of a government document" or "a category A document or category B document."

They are allowed to "record or keep" the identification number for "permitted purposes" (verifying someone's identity) and "only for such time as is reasonably necessary for the permitted purpose"

Does anyone actually know where or how they are required by law to store a license number or passport number?? Or does everyone just assume they need to do this because others have said so, or they think the company needs to keep X years of records for their business (of which those records do currently include license number, but by law they don't need to include a license number - and by some laws, it's even against the law to store the license number)

6.4 Restrictions on the recording and keeping of certain information
(1) Subject to subsections (2) and (3), a carriage service provider must not, in connection with a requirement imposed by this Determination, record and keep:
(a) the identifying number of a government document; or
(b) a category A document or category B document.
(2) Subsection (1) does not prohibit the recording and keeping of information or a document if that recording and keeping is required or authorised by or under a law.
(3) Subsection (1) does not prohibit the recording and keeping of the identifying number of a government document where:
(a) the carriage service provider records the identifying number of a government document for a permitted purpose; and
(b) the carriage service provider records the information only for such time as is reasonably necessary for the permitted purpose; and
(c) immediately after the carriage service provider verifies the service activator's identity, the carriage service provider destroys the number; and
(d) the recording is not otherwise prohibited by law.
Example: If a customer has unsuccessfully attempted to verify their identity online using a government online verification service, a carriage service provider may use the identifying number of that customer's government document to assist that customer to verify his or her identity
(4) A carriage service provider must not copy or reproduce any document that contains the information which must not be recorded and kept because of subsection (1).
Note: A carriage service provider's arrangements for recording and handling personal information must comply with Commonwealth privacy laws where applicable.
(5) In this section:
permitted purpose means:
(a) the purpose of verifying the identity of a service activator in accordance with section 4.5; or
(b) any other purpose that is ancillary or incidental to the provider's obligation to verify the identity of a service activator in accordance with section 4.5.

4.5 Verification of the identity of a customer who is a service activator
(1) This section applies to the carriage service provider if the customer is a service activator.
(2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1

> On 28 Sep 2022, at 09:44, Jeremy Chequer wrote:
>
> Hi
>
> There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided.
>
> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don't disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information.
>
> Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I'm not sure if that would be enough to comply with some of the obligations.
>
> - Jeremy
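As an added example that is not part of this thread and is nobody's production code, here is the engineering shape of what Glenn ("100 points provided"=true) and Jeremy (keep the pass/fail result and the check ID, not the document) are describing: hand the document number to the verification service, persist only the check reference, the result and a keyed fingerprint of the number, and let the number go. The keyed fingerprint (an HMAC whose key lives outside the customer database, e.g. in a KMS) is my design choice rather than something the thread proposes; it lets a later contact be matched against what was verified at sign-up without the licence number sitting in the table, and it sidesteps the shape Nathan describes, where a field is hashed and its plaintext is stored beside it. The block also shows why an unkeyed SHA-256 of a short numeric identifier is no protection: the whole keyspace can be enumerated. The verification service is a constructed stand-in (`stand_in_verifier`), the key is an example constant, and whether a keyed fingerprint satisfies the destruction requirement in section 6.4 quoted above is a question for the legal side, not for this code.

```python
"""Added example (not from the AusNOG thread, not any poster's code): persist the
outcome of an identity check, not the document number that passed it.

Assumptions made here and not by the page: the verification service is a
constructed stand-in, and FINGERPRINT_KEY stands in for a secret that would
live in a KMS/HSM, never in the customer database.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional, Tuple

# Example-only key; in production this comes from a KMS and is rotated.
FINGERPRINT_KEY = b"example-only-key-keep-the-real-one-in-a-kms"


def normalise(doc_number: str) -> str:
    """Drop spaces and hyphens, upper-case, so '1234 5678' and '12345678' match."""
    return re.sub(r"[\s-]", "", doc_number).upper()


def fingerprint(doc_type: str, doc_number: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash of the document number. Someone who dumps the table but not
    the key cannot enumerate licence numbers against it."""
    msg = f"{doc_type}:{normalise(doc_number)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class VerificationRecord:
    """The only thing that is written to the customer store."""
    check_id: str         # reference returned by the verification service
    doc_type: str         # e.g. "drivers_licence", "passport"
    verified: bool        # pass/fail result
    doc_fingerprint: str  # HMAC from fingerprint(), not the number


def verify_and_record(doc_type: str, doc_number: str,
                      verifier: Callable[[str, str], Tuple[str, bool]],
                      key: bytes = FINGERPRINT_KEY) -> VerificationRecord:
    """Hand the raw number to the verifier, keep only the outcome. The number
    is a local here and is not referenced by the returned record."""
    check_id, ok = verifier(doc_type, doc_number)
    return VerificationRecord(check_id, doc_type, ok, fingerprint(doc_type, doc_number, key))


def to_persisted(record: VerificationRecord) -> Dict[str, object]:
    """What the store/serialiser actually writes."""
    return asdict(record)


def matches(record: VerificationRecord, doc_type: str, presented_number: str,
            key: bytes = FINGERPRINT_KEY) -> bool:
    """On later contact: does the number the caller gives match the one
    verified at sign-up? Constant-time compare of the two fingerprints."""
    return hmac.compare_digest(record.doc_fingerprint,
                               fingerprint(doc_type, presented_number, key))


def leaks_identifier(persisted: Dict[str, object], doc_number: str) -> bool:
    """Store-side guard: the raw number must not appear anywhere in what is
    written, including next to a 'hashed' copy of itself."""
    return normalise(doc_number) in json.dumps(persisted).upper()


def sha256_hex(value: str) -> str:
    """Unkeyed SHA-256, the 'hashed' field shape the thread complains about."""
    return hashlib.sha256(value.encode()).hexdigest()


def invert_unkeyed_hash(digest_hex: str, digits: int) -> Optional[str]:
    """Why an unkeyed hash of a short numeric identifier is not protection:
    try every candidate. `digits` is kept small so the demo runs quickly."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if sha256_hex(candidate) == digest_hex:
            return candidate
    return None


def stand_in_verifier(doc_type: str, doc_number: str) -> Tuple[str, bool]:
    """Constructed stand-in for a document verification service: returns a
    deterministic check reference and passes any 6-12 character alphanumeric
    number. Not a client for any real service."""
    number = normalise(doc_number)
    ref = hashlib.sha256(f"{doc_type}|{number}".encode()).hexdigest()[:12]
    return f"CHK-{ref}", number.isalnum() and 6 <= len(number) <= 12


if __name__ == "__main__":
    rec = verify_and_record("drivers_licence", "1234 5678", stand_in_verifier)
    print("persisted:", to_persisted(rec))
    print("re-contact match:", matches(rec, "drivers_licence", "12345678"))
    print("minimised record leaks number:", leaks_identifier(to_persisted(rec), "1234 5678"))
    # The shape Nathan describes: hashed field with its plaintext beside it.
    legacy = {"licence_hash": sha256_hex("12345678"), "licence": "12345678"}
    print("legacy record leaks number:", leaks_identifier(legacy, "12345678"))
    print("4-digit id behind an unkeyed hash:", invert_unkeyed_hash(sha256_hex("0042"), 4))
```

`leaks_identifier` is the kind of check worth running in the test suite of whatever writes customer records: serialise the record exactly as the store will and assert the raw number is absent. Note that the fingerprint's value depends entirely on keeping the key out of the database; with the key in the same dump, it degrades to the enumerable unkeyed hash that `invert_unkeyed_hash` defeats.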
Name: smime.p7s Type: application/pkcs7-signature Size: 3854 bytes Desc: not available URL: From jamesmurphyau at me.com Wed Sep 28 12:06:17 2022 From: jamesmurphyau at me.com (James Murphy) Date: Wed, 28 Sep 2022 12:06:17 +1000 Subject: [AusNOG] Optus Hack In-Reply-To: <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com> References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com> Message-ID: <30178AD8-8E51-4913-8B57-7E2A6453F5AE@me.com> By "everyone", I don't mean everyone in this email thread - I mean everyone (e.g. the news, everyone at Optus (CEO etc), general public, etc) > On 28 Sep 2022, at 12:02, James Murphy wrote: > > I'll stop referring to DOB because it seems valid and reasonable that it is kept - so I'll just mention the license number / passport number - which is what people really have an issue with. > > What I read in that law you linked to below (F2017L00399 - Telecommunications (Service Provider ? Identity Checks for Prepaid Mobile Carriage Services) Determination 2017) actually says it's against the law to "record and keep" either "the identifying number of a government document" or "a category A document or category B document." > > They are allowed to "record or keep" the identification number for "permitted purposes" (verifying someones identity) and "only for such time as is reasonably necessary for the permitted purpose" > > Does anyone actually know where or how they are required by law to store a license number or passport number?? 
Or does everyone just assume they need to do this because others have said so, or they think the company needs to keep X years of records for their business (of which those records do currently include license number, but by law they don't need to include a license number - and by some laws, it's even against the law to store the license number) > > > 6.4 Restrictions on the recording and keeping of certain information > > (1) Subject to subsections (2) and (3), a carriage service provider must not, in connection with a requirement imposed by this Determination, record and keep: > (a) the identifying number of a government document; or > (b) a category A document or category B document. > (2) Subsection (1) does not prohibit the recording and keeping of information or a document if that recording and keeping is required or authorised by or under a law. > > (3) Subsection (1) does not prohibit the recording and keeping of the identifying number of a government document where: > (a) the carriage service provider records the identifying number of a government document for a permitted purpose; and > (b) the carriage service provider records the information only for such time as is reasonably necessary for the permitted purpose; and > (c) immediately after the carriage service provider verifies the service activator?s identity, the carriage service provider destroys the number; and > (d) the recording is not otherwise prohibited by law. > Example If a customer has unsuccessfully attempted to verify their identity online using a government online verification service, a carriage service provider may use the identifying number of that customer?s government document to assist that customer to verify his or her identity > > (4) A carriage service provider must not copy or reproduce any document that contains the information which must not be recorded and kept because of subsection (1). 
> Note A carriage service provider?s arrangements for recording and handling personal information must comply with Commonwealth privacy laws where applicable. > > (5) In this section: > permitted purpose means: > (a) the purpose of verifying the identity of a service activator in accordance with section 4.5; or > (b) any other purpose that is ancillary or incidental to the provider?s obligation to verify the identity of a service activator in accordance with section 4.5. > > 4.5 Verification of the identity of a customer who is a service activator > (1) This section applies to the carriage service provider if the customer is a service activator. > (2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1 > > > > >> On 28 Sep 2022, at 09:44, Jeremy Chequer > wrote: >> >> Hi >> >> There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided. >> >> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don?t disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information. >> >> Hopefully, this attack will result in some changes not just in our industry but across the board. 
Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I?m not sure if that would be enough to comply with some of the obligations. >> >> - Jeremy >> >> From: AusNOG > On Behalf Of James Murphy >> Sent: Tuesday, 27 September 2022 11:29 PM >> To: Serge Burjak > >> Cc: AusNOG Mailing List > >> Subject: Re: [AusNOG] Optus Hack >> >> Looking over the Privacy Act and oaic.gov.au , I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned) >> >> "identification information" is the term that includes a drivers license number and date of birth >> "Credit information" is the term that includes "identification information" about an individual (therefor includes drivers license number and date of birth) >> >> There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it. 
>> >> For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979", they all talk about "personal information" (which doesn't specifically include date of birth or drivers license number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store) >> >> From the Privacy Act: >> >> personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable: >> (a) whether the information or opinion is true or not; and >> (b) whether the information or opinion is recorded in a material form or not. >> Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act. >> >> So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid. >> >> If this is required by law, I would love to understand how (ie which laws/acts cover it) >> >> >> >> >> On 27 Sep 2022, at 16:46, Serge Burjak > wrote: >> >> https://www.oaic.gov.au/privacy/the-privacy-act >> >> Covers it pretty well. >> >> On Tue, 27 Sept 2022 at 16:36, James Murphy > wrote: >> >> >> Does anyone know which laws cover the data they were keeping? >> >> Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data. 
>> >> The closest thing I found was in the following: >> >> C2022C00151 - Telecommunications (Interception and Access) Act 1979 >> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 >> C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021 >> >> which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws? >> >> 13 Identification of a particular person >> For the purposes of this Schedule, a particular person may be identified: >> (a) by the person?s full name; or >> (b) by a name by which the person is commonly known; or >> (c) as the person to whom a particular individual transmission service is supplied; or >> (d) as the person to whom a particular individual message/call application service is provided; or >> (e) as the person who has a particular account with a prescribed communications provider; or >> (f) as the person who has a particular telephone number; or >> (g) as the person who has a particular email address; or >> (h) as the person who has a particular internet protocol address; or >> (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or >> (j) by any other unique identifying factor that is applicable to the person. 
>> >> >> and >> >> 187AA Information to be kept >> (1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1): >> Item >> >> 1 >> >> Topic >> >> The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service >> >> Description of information >> >> The following: >> >> (a) any information that is one or both of the following: >> >> (i) any name or address information; >> >> (ii) any other information for identification purposes; >> >> relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service; >> >> (b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device; >> >> (c) any information that is one or both of the following: >> >> (i) billing or payment information; >> >> (ii) contact information; >> >> relating to the relevant service, being information used by the service provider in relation to the relevant service; >> >> (d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device; >> >> (e) the status of the relevant service, or any related account, service or device. >> >> >> >> On 27 Sep 2022, at 11:12, Nathan Brookfield > wrote: >> >> They're legally obligated to retain it but why it's on the API and why it's not encrypted. >> >> Looking at the data some fields are hashed and then repeated in the bloody clear :( >> >> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: >> >> My understanding was that the data included the 100 points of ID info. Why are they retaining this? 
Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need. >> >> regards, >> Glenn >> >> On 2022-09-27 10:49, Damien Gardner Jnr wrote: >> >> Personally, I find putting Authentication on my API endpoints to be a >> FANTASTIC first step towards API security. And then not even using >> public IP addresses in test environments is a pretty good second >> step.. >> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery > >> wrote: >> >> Hi everyone, >> Obviously a big week in telco and cybersecurity. As part of my work >> I am on the Australian Cyber Security Industry Advisory Committee as >> an industry representative. >> I am keen to look at opening up a dialogue with more and more telco, >> DC and Cloud CISOs on what they are doing around this issue and >> looking to take a proactive step towards best practice on customer >> data and system security. >> There will be some pretty serious consequences of this hack on the >> industry and importantly we need to make sure we are as best placed >> to help each other continually increase in security posture through >> best practice, but also working with each other as an industry. >> Are people keen on having an online/VC session sometime in the next >> few weeks where like-minded industry participants get together and >> discuss security, retention, encryption, threat detection etc.? If >> so, just ping me directly and if there is enough interest I will >> send out an invitation to the list for a call. >> Cheers >> [b] >> _______________________________________________ >> AusNOG mailing list >> AusNOG at ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> >> -- >> Damien Gardner Jnr >> VK2TDG. Dip EE. GradIEAust >> rendrag at rendrag.net - http://www.rendrag.net/ >> -- >> We rode on the winds of the rising storm, >> We ran to the sounds of thunder. 
>> We danced among the lightning bolts, >> and tore the world asunder
From glp71s at gmail.com Wed Sep 28 12:16:03 2022 From: glp71s at gmail.com (Giles Pollock) Date: Wed, 28 Sep 2022 12:16:03 +1000 Subject: [AusNOG] Optus Hack In-Reply-To: <30178AD8-8E51-4913-8B57-7E2A6453F5AE@me.com> References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com> <30178AD8-8E51-4913-8B57-7E2A6453F5AE@me.com> Message-ID:
It would require far more time than I currently have to go digging through the legislation, but I really wouldn't be surprised if there are conflicting components in different laws which means you both need to retain the information and also not retain it. I'd lean towards the laws relating to AML/CTF and similar being the ones saying the information needs to be retained for a specific length of time too. That said, the interesting bit of that statement is the "only for such time as is reasonably necessary for the permitted purpose" bit. 
Every time you call up Optus, or pretty much any other telco, they will do something to attempt to verify your identity. Arguably this could constitute covering the time for the permitted purpose, because they are required to verify identity for the duration of the contract... That sounds like a game for lawyers to argue out though. On Wed, Sep 28, 2022 at 12:06 PM James Murphy wrote: > By "everyone", I don't mean everyone in this email thread - I mean > everyone (e.g. the news, everyone at Optus (CEO etc), general public, etc) > > On 28 Sep 2022, at 12:02, James Murphy wrote: > > I'll stop referring to DOB because it seems valid and reasonable that it > is kept - so I'll just mention the license number / passport number - which > is what people really have an issue with. > > What I read in that law you linked to below (F2017L00399 > - Telecommunications (Service Provider – Identity Checks for Prepaid Mobile > Carriage Services) Determination 2017) actually says it's against the law > to "record and keep" either "the identifying number of a government > document" or "a category A document or category B document." > > They are allowed to "record or keep" the identification number for > "permitted purposes" (verifying someone's identity) and "only for such time > as is reasonably necessary for the permitted purpose" > > Does anyone actually know where or how they are required by law to store a > license number or passport number?? 
Or does everyone just assume they need > to do this because others have said so, or they think the company needs to > keep X years of records for their business (of which those records do > *currently* include license number, but by law they don't need to include > a license number - and by some laws, it's even against the law to store the > license number) > > > *6.4 Restrictions on the recording and keeping of certain information* > > (1) Subject to subsections (2) and (3), a carriage service provider must > not, in connection with a requirement imposed by this Determination, record > and keep: > (a) the identifying number of a government document; or > (b) a category A document or category B document. > (2) Subsection (1) does not prohibit the recording and keeping of > information or a document if that recording and keeping is required or > authorised by or under a law. > > (3) Subsection (1) does not prohibit the recording and keeping of the > identifying number of a government document where: > (a) the carriage service provider records the identifying number of a > government document for a permitted purpose; and > (b) the carriage service provider records the information only for > such time as is reasonably necessary for the permitted purpose; and > (c) immediately after the carriage service provider verifies the > service activator's identity, the carriage service provider destroys the > number; and > (d) the recording is not otherwise prohibited by law. > Example If a customer has unsuccessfully attempted to verify their > identity online using a government online verification service, a carriage > service provider may use the identifying number of that customer's > government document to assist that customer to verify his or her identity > > (4) A carriage service provider must not copy or reproduce any document > that contains the information which must not be recorded and kept because > of subsection (1). 
> Note A carriage service provider's arrangements for recording and > handling personal information must comply with Commonwealth privacy laws > where applicable. > > (5) In this section: > permitted purpose means: > (a) the purpose of verifying the identity of a service activator in > accordance with section 4.5; or > (b) any other purpose that is ancillary or incidental to the > provider's obligation to verify the identity of a service activator in > accordance with section 4.5. > > *4.5 Verification of the identity of a customer who is a service activator* > (1) This section applies to the carriage service provider if the > customer is a service activator. > (2) The carriage service provider must verify the identity of the > service activator using an approved method of identity verification > specified in column B of Schedule 1 > > > > > > On 28 Sep 2022, at 09:44, Jeremy Chequer > wrote: > > Hi > > There are specific rules for prepaid regarding ID validation and documents > which must be checked ( > https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). > As a Credit Provider, they are also required to validate you are who you > say you are before providing credit services. Additionally, telcos also > have specific provisions for customer protection requiring credit checks to > be run before certain services are provided. > > Providers also need to keep enough information to verify you are who you > say you are when you make contact though and are required to ensure they > don't disclose information about your account to someone else, which is why > many providers keep things like your Date of Birth on file. The requirement > to hold PII is required to a degree and is even outlined in the TCP Code > with Clause 3.7 covering the storage and security of said information. > > Hopefully, this attack will result in some changes not just in our > industry but across the board. 
Maybe something like validating Licences, > Medicare, etc against DVS (already commonly done) but then just keeping the > Pass/Fail result and Check ID instead of keeping the full details on file > could be a way to minimise the amount of data available in a breach like > this, but I'm not sure if that would be enough to comply with some of the > obligations. > > - Jeremy > > *From:* AusNOG *On Behalf Of *James Murphy > *Sent:* Tuesday, 27 September 2022 11:29 PM > *To:* Serge Burjak > *Cc:* AusNOG Mailing List > *Subject:* Re: [AusNOG] Optus Hack > > Looking over the Privacy Act and oaic.gov.au, I still can't see any laws > about a telco (or any business other than a credit reporting body) storing > this level of information - specifically a drivers license number or date > of birth (passport number isn't mentioned) > > "identification information" is the term that includes a drivers license > number and date of birth > "Credit information" is the term that includes "identification > information" about an individual (therefore includes drivers license number > and date of birth) > > There are only laws about how long a credit reporting body stores this > information. A credit provider (ie Optus) doesn't need to store it, but > does need to provide it to the credit reporting body - so they need to > collect it and share it but they don't need to store it. 
> > For the data a telco does need to store - which looks to be added in the > "Telecommunications (Interception and Access) Act 1979", they all talk > about "personal information" (which doesn't specifically include date of > birth or drivers license number, so you would be complying with that law if > you didn't store those pieces of data - provided you can reasonably > identify a person with the data you do store) > > From the Privacy Act: > > > *personal information* means information or an opinion about an > identified individual, or an individual who is reasonably identifiable: > (a) whether the information or opinion is true or not; and > (b) whether the information or opinion is recorded in a material form or > not. > Note: Section 187LA of the Telecommunications (Interception and Access) > Act 1979 extends the meaning of personal information to cover information > kept under Part 5-1A of that Act. > > > So the argument that they need to store this by law - to me (a software > developer/techy who sometimes can spend hours reading shit like this trying > to pick holes in it - so: not a lawyer) - doesn't seem valid. > > If this is required by law, I would love to understand how (ie which > laws/acts cover it) > > > > > On 27 Sep 2022, at 16:46, Serge Burjak wrote: > > https://www.oaic.gov.au/privacy/the-privacy-act > > Covers it pretty well. > > On Tue, 27 Sept 2022 at 16:36, James Murphy wrote: > > > Does anyone know which laws cover the data they were keeping? > > Did a search for anything with "telecommunication" in the name (link), > found 71 results and downloaded 73 PDF files (C2022C00170 > Telecommunications Act 1997 had 3 files, all others had 1 file), and can't > find anything that mentions keeping this level of data. 
> > The closest thing I found was in the following: > > C2022C00151 - Telecommunications (Interception and Access) Act 1979 > C2015A00039 - Telecommunications (Interception and Access) Amendment (Data > Retention) Act 2015 > C2021A00078 - Telecommunications Legislation Amendment (International > Production Orders) Act 2021 > > which contained the following two sections that seem to cover > identification information - there doesn't seem to be anything that says > they need to collect or store to the level that Optus seems to have done.. > Almost reads like you could store name and address (without DOB?) and that > would be adequate enough (but I'm not a lawyer so who knows).. Am I looking > in the wrong place/at the wrong laws? > > 13 Identification of a particular person > For the purposes of this Schedule, a particular person may be identified: > (a) by the person's full name; or > (b) by a name by which the person is commonly known; or > (c) as the person to whom a particular individual transmission service is > supplied; or > (d) as the person to whom a particular individual message/call application > service is provided; or > (e) as the person who has a particular account with a prescribed > communications provider; or > (f) as the person who has a particular telephone number; or > (g) as the person who has a particular email address; or > (h) as the person who has a particular internet protocol address; or > (i) as the person who has a device that has a particular unique identifier > (for example, an electronic serial number or a Media Access Control > address); or > (j) by any other unique identifying factor that is applicable to the > person. 
> > > and > > 187AA Information to be kept > (1) The following table sets out the kinds of information that a service > provider must keep, or cause to be kept, under subsection 187A(1): > Item > > 1 > > Topic > > The subscriber of, and accounts, services, telecommunications devices and > other relevant services relating to, the relevant service > > Description of information > > The following: > > (a) any information that is one or both of the following: > > (i) any name or address information; > > (ii) any other information for identification purposes; > > relating to the relevant service, being information used by the service > provider for the purposes of identifying the subscriber of the relevant > service; > > (b) any information relating to any contract, agreement or arrangement > relating to the relevant service, or to any related account, service or > device; > > (c) any information that is one or both of the following: > > (i) billing or payment information; > > (ii) contact information; > > relating to the relevant service, being information used by the service > provider in relation to the relevant service; > > (d) any identifiers relating to the relevant service or any related > account, service or device, being information used by the service provider > in relation to the relevant service or any related account, service or > device; > > (e) the status of the relevant service, or any related account, service or > device. > > > > On 27 Sep 2022, at 11:12, Nathan Brookfield < > Nathan.Brookfield at iperium.com.au> wrote: > > They're legally obligated to retain it but why it's on the API and why > it's not encrypted. > > Looking at the data some fields are hashed and then repeated in the bloody > clear :( > > On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote: > > My understanding was that the data included the 100 points of ID info. > Why are they retaining this? 
Surely after confirming the 100 points there > only needs to be a record "100 points provided"=true and not retain the > actual details. This goes back to only keeping the private data you need. > > regards, > Glenn > > On 2022-09-27 10:49, Damien Gardner Jnr wrote: > > Personally, I find putting Authentication on my API endpoints to be a > FANTASTIC first step towards API security. And then not even using > public IP addresses in test environments is a pretty good second > step.. > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery > wrote: > > Hi everyone, > Obviously a big week in telco and cybersecurity. As part of my work > I am on the Australian Cyber Security Industry Advisory Committee as > an industry representative. > I am keen to look at opening up a dialogue with more and more telco, > DC and Cloud CISOs on what they are doing around this issue and > looking to take a proactive step towards best practice on customer > data and system security. > There will be some pretty serious consequences of this hack on the > industry and importantly we need to make sure we are as best placed > to help each other continually increase in security posture through > best practice, but also working with each other as an industry. > Are people keen on having an online/VC session sometime in the next > few weeks where like-minded industry participants get together and > discuss security, retention, encryption, threat detection etc.? If > so, just ping me directly and if there is enough interest I will > send out an invitation to the list for a call. > Cheers > [b] > > -- > Damien Gardner Jnr > VK2TDG. Dip EE. GradIEAust > rendrag at rendrag.net - http://www.rendrag.net/ > -- > We rode on the winds of the rising storm, > We ran to the sounds of thunder. 
> We danced among the lightning bolts, > and tore the world asunder
From jeremy at resolvergroup.com.au Wed Sep 28 12:19:26 2022 From: jeremy at resolvergroup.com.au (Jeremy Chequer) Date: Wed, 28 Sep 2022 02:19:26 +0000 Subject: [AusNOG] Optus Hack In-Reply-To: <30178AD8-8E51-4913-8B57-7E2A6453F5AE@me.com> References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com> <30178AD8-8E51-4913-8B57-7E2A6453F5AE@me.com> Message-ID:
Hi James, I think it is one of those things where a clarification may be needed. I know internally, we keep it for long enough to validate your ID via DVS and then just keep the result and check ID, not the details. But, we also don't do anything more than month to month or where we are providing credit services so I have no reason to know the requirements beyond that or keep the data beyond that. We may not be fully complying with our requirements by doing so though but I feel it is enough to meet them (and is something I will definitely be raising with our lawyers given all the current discussions). 
My personal opinion is that with services like DVS there shouldn't be a reason to keep the details beyond the verification, but again I don't know the law well enough to know if it is required in some cases, especially around credit services. This is one of those areas where I feel that a major change is needed and a new method resulting in less data being held needs to be found, not just for our industry but across all industries. Services like DVS could help with this. However, I also think it is something that will require a lot of industry cooperation and where clarification on requirements would be helpful, instead of needing to check multiple different pieces of legislation to see what applies specifically to you. Ultimately, IMO the less data we are all holding the better as it makes it less worthwhile to try and obtain it. - Jeremy ________________________________ From: James Murphy Sent: Wednesday, 28 September 2022, 12:06 pm To: Jeremy Chequer ; AusNOG Mailing List Subject: Re: [AusNOG] Optus Hack By "everyone", I don't mean everyone in this email thread - I mean everyone (e.g. the news, everyone at Optus (CEO etc), general public, etc) On 28 Sep 2022, at 12:02, James Murphy wrote: I'll stop referring to DOB because it seems valid and reasonable that it is kept - so I'll just mention the license number / passport number - which is what people really have an issue with. What I read in that law you linked to below (F2017L00399 - Telecommunications (Service Provider – Identity Checks for Prepaid Mobile Carriage Services) Determination 2017) actually says it's against the law to "record and keep" either "the identifying number of a government document" or "a category A document or category B document." 
They are allowed to "record or keep" the identification number for "permitted purposes" (verifying someone's identity) and "only for such time as is reasonably necessary for the permitted purpose" Does anyone actually know where or how they are required by law to store a license number or passport number?? Or does everyone just assume they need to do this because others have said so, or they think the company needs to keep X years of records for their business (of which those records do currently include license number, but by law they don't need to include a license number - and by some laws, it's even against the law to store the license number) 6.4 Restrictions on the recording and keeping of certain information (1) Subject to subsections (2) and (3), a carriage service provider must not, in connection with a requirement imposed by this Determination, record and keep: (a) the identifying number of a government document; or (b) a category A document or category B document. (2) Subsection (1) does not prohibit the recording and keeping of information or a document if that recording and keeping is required or authorised by or under a law. (3) Subsection (1) does not prohibit the recording and keeping of the identifying number of a government document where: (a) the carriage service provider records the identifying number of a government document for a permitted purpose; and (b) the carriage service provider records the information only for such time as is reasonably necessary for the permitted purpose; and (c) immediately after the carriage service provider verifies the service activator's identity, the carriage service provider destroys the number; and (d) the recording is not otherwise prohibited by law. 
Example If a customer has unsuccessfully attempted to verify their identity online using a government online verification service, a carriage service provider may use the identifying number of that customer's government document to assist that customer to verify his or her identity (4) A carriage service provider must not copy or reproduce any document that contains the information which must not be recorded and kept because of subsection (1). Note A carriage service provider's arrangements for recording and handling personal information must comply with Commonwealth privacy laws where applicable. (5) In this section: permitted purpose means: (a) the purpose of verifying the identity of a service activator in accordance with section 4.5; or (b) any other purpose that is ancillary or incidental to the provider's obligation to verify the identity of a service activator in accordance with section 4.5. 4.5 Verification of the identity of a customer who is a service activator (1) This section applies to the carriage service provider if the customer is a service activator. (2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1 On 28 Sep 2022, at 09:44, Jeremy Chequer > wrote: Hi There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided. 
Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don't disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information. Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I'm not sure if that would be enough to comply with some of the obligations. - Jeremy From: AusNOG > On Behalf Of James Murphy Sent: Tuesday, 27 September 2022 11:29 PM To: Serge Burjak > Cc: AusNOG Mailing List > Subject: Re: [AusNOG] Optus Hack Looking over the Privacy Act and oaic.gov.au, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned) "identification information" is the term that includes a drivers license number and date of birth "Credit information" is the term that includes "identification information" about an individual (therefore includes drivers license number and date of birth) There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it. 
For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979", they all talk about "personal information" (which doesn't specifically include date of birth or drivers license number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store) From the Privacy Act: personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not. Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act. So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid. If this is required by law, I would love to understand how (ie which laws/acts cover it) On 27 Sep 2022, at 16:46, Serge Burjak > wrote: https://www.oaic.gov.au/privacy/the-privacy-act Covers it pretty well. On Tue, 27 Sept 2022 at 16:36, James Murphy > wrote: Does anyone know which laws cover the data they were keeping? Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data. 
The closest thing I found was in the following: C2022C00151 - Telecommunications (Interception and Access) Act 1979 C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021 which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws? 13 Identification of a particular person For the purposes of this Schedule, a particular person may be identified: (a) by the person's full name; or (b) by a name by which the person is commonly known; or (c) as the person to whom a particular individual transmission service is supplied; or (d) as the person to whom a particular individual message/call application service is provided; or (e) as the person who has a particular account with a prescribed communications provider; or (f) as the person who has a particular telephone number; or (g) as the person who has a particular email address; or (h) as the person who has a particular internet protocol address; or (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or (j) by any other unique identifying factor that is applicable to the person. 
and

187AA Information to be kept
(1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):

Item: 1
Topic: The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
Description of information: The following:
(a) any information that is one or both of the following:
(i) any name or address information;
(ii) any other information for identification purposes;
relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
(b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
(c) any information that is one or both of the following:
(i) billing or payment information;
(ii) contact information;
relating to the relevant service, being information used by the service provider in relation to the relevant service;
(d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
(e) the status of the relevant service, or any related account, service or device.

On 27 Sep 2022, at 11:12, Nathan Brookfield wrote:

They're legally obligated to retain it but why it's on the API and why it's not encrypted.

Looking at the data some fields are hashed and then repeated in the bloody clear :(

On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:

My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
regards,
Glenn

On 2022-09-27 10:49, Damien Gardner Jnr wrote:

Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step..

On Tue, 27 Sept 2022 at 10:46, Bevan Slattery wrote:

Hi everyone,

Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.

I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISOs on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.

There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.

Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.

Cheers
[b]

_______________________________________________
AusNOG mailing list
AusNOG at ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog

--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder

From jamesmurphyau at me.com Wed Sep 28 12:21:19 2022
From: jamesmurphyau at me.com (James Murphy)
Date: Wed, 28 Sep 2022 12:21:19 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com> <30178AD8-8E51-4913-8B57-7E2A6453F5AE@me.com>
Message-ID: <52444523-BC55-4AB6-A678-C9F4F743AC07@me.com>

See 6.4(5) in my email below, and then 4.5(1) and 4.5(2) - from everything I'm reading, it's only to verify them initially.

The table mentioned in 4.5(2) was too large but a quick summary:

Approved methods for verification of the identity of a customer who is a service activator
"Government online verification service"
"Existing post-paid account"
"White listed email service"
"Real-time financial transaction"
"Time-delayed financial transaction"
"Existing eligible prepaid (other) account" (no direct debit arrangement in place)
"Existing eligible prepaid (direct debit) account" (direct debit arrangement in place)
"Visual identity document check"
> On 28 Sep 2022, at 12:16, Giles Pollock wrote:
>
> It would require far more time than I currently have to go digging through the legislation, but I really wouldn't be surprised if there are conflicting components in different laws which means you both need to retain the information and also not retain it. I'd lean towards the laws relating to AML/CTF and similar being the ones saying the information needs to be retained for a specific length of time too.
>
> That said, the interesting bit of that statement is the "only for such time as is reasonably necessary for the permitted purpose" bit. Every time you call up Optus, or pretty much any other telco, they will do something to attempt to verify your identity. Arguably this could constitute covering the time for the permitted purpose, because they are required to verify identity for the duration of the contract...
>
> That sounds like a game for lawyers to argue out though.
>
> On Wed, Sep 28, 2022 at 12:06 PM James Murphy wrote:
>> By "everyone", I don't mean everyone in this email thread - I mean everyone (e.g. the news, everyone at Optus (CEO etc), general public, etc)
>>
>>> On 28 Sep 2022, at 12:02, James Murphy wrote:
>>>
>>> I'll stop referring to DOB because it seems valid and reasonable that it is kept - so I'll just mention the license number / passport number - which is what people really have an issue with.
>>>
>>> What I read in that law you linked to below (F2017L00399 - Telecommunications (Service Provider – Identity Checks for Prepaid Mobile Carriage Services) Determination 2017) actually says it's against the law to "record and keep" either "the identifying number of a government document" or "a category A document or category B document."
>>>
>>> They are allowed to "record or keep" the identification number for "permitted purposes" (verifying someone's identity) and "only for such time as is reasonably necessary for the permitted purpose"
>>>
>>> Does anyone actually know where or how they are required by law to store a license number or passport number?? Or does everyone just assume they need to do this because others have said so, or they think the company needs to keep X years of records for their business (of which those records do currently include license number, but by law they don't need to include a license number - and by some laws, it's even against the law to store the license number)
>>>
>>> 6.4 Restrictions on the recording and keeping of certain information
>>>
>>> (1) Subject to subsections (2) and (3), a carriage service provider must not, in connection with a requirement imposed by this Determination, record and keep:
>>> (a) the identifying number of a government document; or
>>> (b) a category A document or category B document.
>>> (2) Subsection (1) does not prohibit the recording and keeping of information or a document if that recording and keeping is required or authorised by or under a law.
>>>
>>> (3) Subsection (1) does not prohibit the recording and keeping of the identifying number of a government document where:
>>> (a) the carriage service provider records the identifying number of a government document for a permitted purpose; and
>>> (b) the carriage service provider records the information only for such time as is reasonably necessary for the permitted purpose; and
>>> (c) immediately after the carriage service provider verifies the service activator's identity, the carriage service provider destroys the number; and
>>> (d) the recording is not otherwise prohibited by law.
>>> Example: If a customer has unsuccessfully attempted to verify their identity online using a government online verification service, a carriage service provider may use the identifying number of that customer's government document to assist that customer to verify his or her identity
>>>
>>> (4) A carriage service provider must not copy or reproduce any document that contains the information which must not be recorded and kept because of subsection (1).
>>> Note: A carriage service provider's arrangements for recording and handling personal information must comply with Commonwealth privacy laws where applicable.
>>>
>>> (5) In this section:
>>> permitted purpose means:
>>> (a) the purpose of verifying the identity of a service activator in accordance with section 4.5; or
>>> (b) any other purpose that is ancillary or incidental to the provider's obligation to verify the identity of a service activator in accordance with section 4.5.
>>>
>>> 4.5 Verification of the identity of a customer who is a service activator
>>> (1) This section applies to the carriage service provider if the customer is a service activator.
>>> (2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1
>>>
>>>> On 28 Sep 2022, at 09:44, Jeremy Chequer wrote:
>>>>
>>>> Hi
>>>>
>>>> There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided.
>>>>
>>>> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don't disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information.
>>>>
>>>> Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I'm not sure if that would be enough to comply with some of the obligations.
>>>>
>>>> - Jeremy
>>>>
>>>> From: AusNOG On Behalf Of James Murphy
>>>> Sent: Tuesday, 27 September 2022 11:29 PM
>>>> To: Serge Burjak
>>>> Cc: AusNOG Mailing List
>>>> Subject: Re: [AusNOG] Optus Hack
>>>>
>>>> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned)
>>>>
>>>> "identification information" is the term that includes a drivers license number and date of birth
>>>> "Credit information" is the term that includes "identification information" about an individual (therefore includes drivers license number and date of birth)
>>>>
>>>> There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it.
From dazzagibbs at gmail.com Wed Sep 28 12:23:21 2022
From: dazzagibbs at gmail.com (DaZZa)
Date: Wed, 28 Sep 2022 12:23:21 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>

On Wed, 28 Sept 2022, 10:32 am Andrew Oakeley, wrote:
>
> I am sick of my bank and telco calling me and saying "Before we go any
> further can you please tell me your date of birth so we can confirm we are
> talking to the right person?".
> Well how about you confirm who you are
> before I disclose my DOB to someone who has randomly called me.

Amen to that.

I flat out refuse to give them any information. My standard response is "Give me your name, switchboard number and extension and I'll call you back".

D

From narellec at gmail.com Wed Sep 28 12:39:44 2022
From: narellec at gmail.com (Narelle Clark)
Date: Wed, 28 Sep 2022 12:39:44 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>

On Wed, 28 Sept 2022 at 12:23, DaZZa wrote:
> I flat out refuse to give them any information. My standard response is
> "Give me your name, switchboard number and extension and I'll call you
> back".

Err no, you want to call them back on their listed number or the one provided on your Official Correspondence From Them You Know To Be True.

I doubt there's many on this list prepared to give an unauthenticated caller PII.

And many a time I've been in a little dance with them which goes: you give me something to identify you, and then we'll see what we can do next... one step, two steps...

Narelle

--
Narelle
narellec at gmail.com
From yahoo at vapourforge.com Wed Sep 28 13:09:32 2022
From: yahoo at vapourforge.com (yahoo)
Date: Wed, 28 Sep 2022 13:09:32 +1000
Subject: [AusNOG] Optus Hack

Switchboard number as in what do you press after you have called the main number.

Sent from my Galaxy

-------- Original message --------
From: Narelle Clark
Date: 28/9/22 12:40 pm (GMT+10:00)
To: DaZZa
Cc: AusNOG Mailing List
Subject: Re: [AusNOG] Optus Hack

From martinvisser99 at gmail.com Wed Sep 28 13:47:43 2022
From: martinvisser99 at gmail.com (Martin Visser)
Date: Wed, 28 Sep 2022 13:47:43 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>

On Wed, 28 Sept 2022 at 12:40, Narelle Clark wrote:
> On Wed, 28 Sept 2022 at 12:23, DaZZa wrote:
>> I flat out refuse to give them any information.
>> My standard response is
>> "Give me your name, switchboard number and extension and I'll call you
>> back".
>
> Err no, you want to call them back on their listed number or the one
> provided on your Official Correspondence From Them You Know To Be True.

And of course you will still be expected to provide the identifying information when you can call them back (because as everyone knows CALLER-ID can't be trusted).

I guess the other option is voice print identification ...

Regards. Martin

From glp71s at gmail.com Wed Sep 28 14:00:34 2022
From: glp71s at gmail.com (Giles Pollock)
Date: Wed, 28 Sep 2022 14:00:34 +1000
Subject: [AusNOG] Optus Hack
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com>

Voice print identification works fine until you have a cold... Or someone who happens to have a near identical voice (eg identical twins).

What I'd like to see is something akin to a confidence/suspicion score for identity verification that could draw from a wide variety of verification means, whether it be push notification via government ID confirmation app on phone (with biometrics on the device), voiceprint, password, TOTP and so on. Similarly the suspicion score could draw from information such as whether the call is originating from the expected source caller ID(s), whether the person sounds the same as previous calls, did they provide a valid verification or not and so on. Such things could be done without necessarily validating to the caller whether any one single detail (such as a birthdate) was necessarily correct or not too.

It's a hard problem to solve unfortunately, because it ties back to the age old question of "Are you who you say you are?" which even in pre-internet and pre-telephony times was a challenge mostly met by human verification and glorified trust...
On Wed, Sep 28, 2022 at 1:48 PM Martin Visser wrote:
> And of course you will still be expected to provide the
> identifying information when you can call them back (because as
> everyone knows CALLER-ID can't be trusted).
>
> I guess the other option is voice print identification ...
>
> Regards. Martin

From narellec at gmail.com Wed Sep 28 14:55:16 2022
From: narellec at gmail.com (Narelle Clark)
Date: Wed, 28 Sep 2022 14:55:16 +1000
Subject: [AusNOG] Optus Hack
In-Reply-To: <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com>
References: <6284f33d07a1bc5b9f6299355e2929ff@uniq.com.au> <39A7316D-66B0-4333-B379-071182A51A6B@me.com> <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com>

Yep. A lot of this is in the industry codes we live with, and yes, there are differing opinions on what is a reasonable business purpose and for how long.

Other good suggestions have been made, but on the voice print one, I now answer the phone with a non-descript noise, rather than my name as this would therefore be snippable and usable!

Ah for the olden days when things were simpler, and the worst you got was a kid asking if Mr Walls was there...
Narelle

On Wed, 28 Sept 2022 at 12:03, James Murphy wrote:
> I'll stop referring to DOB because it seems valid and reasonable that it
> is kept - so I'll just mention the license number / passport number - which
> is what people really have an issue with.
> (2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1
>

-- 
Narelle
narellec at gmail.com

From chris at thesysadmin.dev Wed Sep 28 16:15:10 2022
From: chris at thesysadmin.dev (Christopher Hawker)
Date: Wed, 28 Sep 2022 16:15:10 +1000
Subject: [AusNOG] Optus Hack
In-Reply-To: <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com>
References: <0B0E2091-2495-43F5-9522-3AAA959E0118@me.com>
Message-ID: <51816642-0EA0-47DC-8FE1-264FED68915D@thesysadmin.dev>

An HTML attachment was scrubbed...

From rhys at nexusone.com.au Wed Sep 28 20:25:22 2022
From: rhys at nexusone.com.au (Rhys Hanrahan)
Date: Wed, 28 Sep 2022 10:25:22 +0000
Subject: [AusNOG] Looking at 4G Providers
Message-ID:

Hi Everyone,

I have a project where I'm looking at deploying up to a few hundred 4G sites. We currently use M2MOne and while it works well functionality-wise, the data pricing is not going to work for this project, so I am looking for other options for some kind of wholesale 4G provider. Each site for this project is probably going to be pushing 10-20GB minimum data per month and I need to be able to price way more competitively. And just in general we are in need of far more competitive data rates on 4G.

We do also have a lot of existing 4G sites that we do backup 4G with that I would likely want to move over, but I doubt that we would be near the point of qualifying for an MVNO relationship as we're not in the thousands... Happy to be proven wrong though.

Any suggestions would be greatly appreciated. In terms of some functionality I am after:

* Needs to allow for Telstra 4G, though other providers are welcome.
* Needs to support Telstra Extranet, or some equivalent where we can get a direct public IP on the 4G that is off our network (can be dynamic though static would be nice).
* Some kind of control panel where we can view and perform basic diagnostics on our SIMs so we can self-manage. More transparency is better.
* Ability to adjust SIM data plans on demand.
* Ability to pre-purchase SIMs un-activated and activate on demand so we have them ready to deploy.
* Data pooling options

Things that would be nice:

* Ability to swap SIMs to some kind of layer 2 handoff
* Or a private-network style service with each SIM having a private IP that we could hand off to our core network.
* 5G would be awesome but AFAIK the Telstra MVNO wholesale network doesn't support this yet.

Thanks all! Have a good night.

Rhys Hanrahan | Chief Information Officer
e: rhys at nexusone.com.au
www.nexusone.com.au

NEXUS ONE | FUSION TECHNOLOGY SOLUTIONS
p: 1800 NEXUS1 (1800 639 871) or 1800 565 845 | a: Suite 12.03 Level 12, 227 Elizabeth Street, Sydney NSW 2000
www.nexusone.com.au | www.fusiontech.com.au

The information in this email and any accompanying attachments may contain: a. Confidential information of Fusion Technology Solutions Pty Ltd, Nexus One Pty Ltd or third parties; b. Legally privileged information of Fusion Technology Solutions Pty Ltd, Nexus One Pty Ltd or third parties; and/or c. Copyright material of Fusion Technology Solutions Pty Ltd, Nexus One Pty Ltd or third parties. If you have received this email in error, please notify the sender immediately and delete this message. Fusion Technology Solutions Pty Ltd, Nexus One Pty Ltd does not accept any responsibility for loss or damage arising from the use or distribution of this email. Please consider the environment before printing this email.
From tom.minchin at gmail.com Fri Sep 30 11:09:37 2022
From: tom.minchin at gmail.com (Tom Minchin)
Date: Fri, 30 Sep 2022 11:09:37 +1000
Subject: [AusNOG] Seeking Senior Network Engineer - CSIRO
Message-ID:

Hi all,

We are looking to find a Senior Network Engineer to join the CSIRO Network Operations team.

https://jobs.csiro.au/job/Melbourne%2C-VIC-Senior-Network-Engineer/931997410/

Location: Brisbane/Canberra/Melbourne/Sydney

Big network, lots of active use cases. Hybrid working available.

Tom

From graham at maltby.id.au Fri Sep 30 11:37:34 2022
From: graham at maltby.id.au (Graham Maltby)
Date: Fri, 30 Sep 2022 11:37:34 +1000
Subject: [AusNOG] NBN requesting personal information
Message-ID:

Hi All,

In light of the current Optus debacle, can anyone explain NBN's constant demands for Proof of Occupancy Documentation (POD) in relation to the most trivial of requests. I accept they want to ensure requests are legitimate for creating and modifying LOCIDs, but surely that should be limited to addressing details only, with the onus of vetting the end user left to the RSP.

What possible reason can they have to demand end user names and contact information?

In my mind, they are overstepping their wholesale role and creating the opportunity for another needless future compromise.

Cheers,
Graham

From glp71s at gmail.com Fri Sep 30 13:03:21 2022
From: glp71s at gmail.com (Giles Pollock)
Date: Fri, 30 Sep 2022 13:03:21 +1000
Subject: [AusNOG] NBN requesting personal information
In-Reply-To:
References:
Message-ID:

It's NBNCo...
With what I've experienced over the last near six years of dealing with them over a failure in infrastructure planning, I am quite prepared to expect a future severe data breach from them.

There are whole slabs of design and implementation elements of the NBN both at wholesaler and RSP levels which leave me deeply concerned about the privacy elements of things, especially the apparent decision to push all RSPs to use TR069 autoprovisioning systems for end users. Some in the know might know of how one little mistake with those particular systems could turn into a pretty hefty data breach in its own right...

On Fri, Sep 30, 2022 at 11:37 AM Graham Maltby wrote:

> Hi All,
>
> In light of the current Optus debacle, can anyone explain NBN's constant demands for Proof of Occupancy Documentation (POD) in relation to the most trivial of requests. I accept they want to ensure requests are legitimate for creating and modifying LOCIDs, but surely that should be limited to addressing details only, with the onus of vetting the end user left to the RSP.
>
> What possible reason can they have to demand end user names and contact information?
>
> In my mind, they are overstepping their wholesale role and creating the opportunity for another needless future compromise.
>
> Cheers,
> Graham
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
From Nathan.Brookfield at iperium.com.au Fri Sep 30 13:24:53 2022
From: Nathan.Brookfield at iperium.com.au (Nathan Brookfield)
Date: Fri, 30 Sep 2022 03:24:53 +0000
Subject: [AusNOG] NBN requesting personal information
In-Reply-To:
References:
Message-ID:

I do these daily Graham and I can say apart from the business name or their website to verify, I've NEVER been asked for end users' details by NBN nor would I provide them, absolutely never for a Proof of Occupancy and that's over hundreds of them.

Nathan Brookfield
General Manager
p: 1300 592 330 | m: 0412 266 008 | w: https://Iperium.com.au
Level 7, 82 Elizabeth Street, Sydney NSW 2000
Your Connectivity Team

DISCLAIMER: This document is intended solely for the named addressee. This electronic communication, which includes any files or attachments thereto, contains proprietary or confidential information and may be privileged and otherwise protected under copyright or other applicable intellectual property laws. The use, disclosure, copying or distribution of any of the information contained in this document, by any person other than the addressee, is strictly prohibited. If you received this document in error, please contact the sender immediately and delete all the material from any computer. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you. Any views or opinions presented are solely those of the author and do not necessarily represent those of Iperium.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. Iperium accepts no liability for any damage caused by any virus transmitted by this email.

On 30 Sep 2022, at 11:04, Giles Pollock wrote:

> It's NBNCo... With what I've experienced over the last near six years of dealing with them over a failure in infrastructure planning, I am quite prepared to expect a future severe data breach from them.
> There are whole slabs of design and implementation elements of the NBN both at wholesaler and RSP levels which leave me deeply concerned about the privacy elements of things, especially the apparent decision to push all RSPs to use TR069 autoprovisioning systems for end users. Some in the know might know of how one little mistake with those particular systems could turn into a pretty hefty data breach in its own right...
>
> On Fri, Sep 30, 2022 at 11:37 AM Graham Maltby wrote:
>
> Hi All,
>
> In light of the current Optus debacle, can anyone explain NBN's constant demands for Proof of Occupancy Documentation (POD) in relation to the most trivial of requests. I accept they want to ensure requests are legitimate for creating and modifying LOCIDs, but surely that should be limited to addressing details only, with the onus of vetting the end user left to the RSP.
>
> What possible reason can they have to demand end user names and contact information?
>
> In my mind, they are overstepping their wholesale role and creating the opportunity for another needless future compromise.
>
> Cheers,
> Graham

From Nathan.Brookfield at iperium.com.au Fri Sep 30 13:25:53 2022
From: Nathan.Brookfield at iperium.com.au (Nathan Brookfield)
Date: Fri, 30 Sep 2022 03:25:53 +0000
Subject: [AusNOG] NBN requesting personal information
In-Reply-To:
References:
Message-ID: <3E6F047E-1682-4925-9D62-B5FFD738C088@iperium.com.au>

I should always say, when they insist on a copy of a lease document or utility bill, we have a company policy to remove all identifying information.
Nathan Brookfield
General Manager
p: 1300 592 330 | m: 0412 266 008 | w: https://Iperium.com.au
Level 7, 82 Elizabeth Street, Sydney NSW 2000
Your Connectivity Team

On 30 Sep 2022, at 11:04, Giles Pollock wrote:

> It's NBNCo... With what I've experienced over the last near six years of dealing with them over a failure in infrastructure planning, I am quite prepared to expect a future severe data breach from them.
>
> There are whole slabs of design and implementation elements of the NBN both at wholesaler and RSP levels which leave me deeply concerned about the privacy elements of things, especially the apparent decision to push all RSPs to use TR069 autoprovisioning systems for end users. Some in the know might know of how one little mistake with those particular systems could turn into a pretty hefty data breach in its own right...
> On Fri, Sep 30, 2022 at 11:37 AM Graham Maltby wrote:
>
> Hi All,
>
> In light of the current Optus debacle, can anyone explain NBN's constant demands for Proof of Occupancy Documentation (POD) in relation to the most trivial of requests. I accept they want to ensure requests are legitimate for creating and modifying LOCIDs, but surely that should be limited to addressing details only, with the onus of vetting the end user left to the RSP.
>
> What possible reason can they have to demand end user names and contact information?
>
> In my mind, they are overstepping their wholesale role and creating the opportunity for another needless future compromise.
>
> Cheers,
> Graham

From matt at spectrum.com.au Fri Sep 30 14:04:34 2022
From: matt at spectrum.com.au (Matt Perkins)
Date: Fri, 30 Sep 2022 14:04:34 +1000
Subject: [AusNOG] NBN requesting personal information
In-Reply-To:
References:
Message-ID: <86d4c50e-31ad-b3ad-40a9-ba7a96f3dcb5@spectrum.com.au>

Thousands of NBN connections, only a handful of times been asked for a Proof of Occupancy. As far as NBNco goes I don't think they are a major threat as far as a privacy / data breach goes. Letter box theft will get you the same sort of info. There are way worse out there let me tell you. Some of the people I deal with, especially some that work for the big outsource IT firms, are totally incompetent in my humble opinion. Fixated on box ticking some list of best practice that they have plagiarised from a Google search that does not correctly fit their clients' business, leaving them with nothing more than a sense of security.
Over the last 10 years in Australia there has been a shift toward a type of IT Mafia where C and B levels have been afraid to hire anyone perceived to be smarter than themselves, with a tendency toward hiring people they know and can trust not to steal their job. They live in a delusional world with their sense of security and boxes checked, happy in the notion that if something happens they can bring out the team meeting minutes and declare "but we checked all the boxes. We hired the most expensive management firm out there. It must be [spin the wheel of blame]'s fault." Until we bring back thinkers and innovators in our industry we will be doomed to repeat problems like the Optus one over and over.

Matt

On 30/9/2022 1:24 pm, Nathan Brookfield wrote:

> I do these daily Graham and I can say apart from the business name or their website to verify, I've NEVER been asked for end users' details by NBN nor would I provide them, absolutely never for a Proof of Occupancy and that's over hundreds of them.
>
> *Nathan Brookfield*
> General Manager
>
> On 30 Sep 2022, at 11:04, Giles Pollock wrote:
>
> It's NBNCo... With what I've experienced over the last near six years of dealing with them over a failure in infrastructure planning, I am quite prepared to expect a future severe data breach from them.
>
> There are whole slabs of design and implementation elements of the NBN both at wholesaler and RSP levels which leave me deeply concerned about the privacy elements of things, especially the apparent decision to push all RSPs to use TR069 autoprovisioning systems for end users. Some in the know might know of how one little mistake with those particular systems could turn into a pretty hefty data breach in its own right...
>
> On Fri, Sep 30, 2022 at 11:37 AM Graham Maltby wrote:
>
> Hi All,
>
> In light of the current Optus debacle, can anyone explain NBN's constant demands for Proof of Occupancy Documentation (POD) in relation to the most trivial of requests. I accept they want to ensure requests are legitimate for creating and modifying LOCIDs, but surely that should be limited to addressing details only, with the onus of vetting the end user left to the RSP.
>
> What possible reason can they have to demand end user names and contact information?
>
> In my mind, they are overstepping their wholesale role and creating the opportunity for another needless future compromise.
>
> Cheers,
> Graham

-- 
/* Matt Perkins
   Direct 02 8916 8101      Spectrum Networks Pty. Ltd.
   Office 1300 133 299      matt at spectrum.com.au
   ABN 66 090 112 913
   Level 6, 350 George Street Sydney 2000
*/