<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi Giles,</p>
    <p>Don't even need to ask yourself "what if", as it already happened
      back in the early days. The issue was XSS, so nowhere near as
      serious as Optus' screw-up, but still inexcusable in this or the
      previous decade. When the person who found it attempted to
      responsibly disclose it to the government, he hit a giant brick
      wall.<br>
    </p>
    <p>Here's the blog article
<a class="moz-txt-link-freetext" href="https://nikcub.me/posts/multiple-vulnerabilities-in-mygov-australian-government">https://nikcub.me/posts/multiple-vulnerabilities-in-mygov-australian-government</a>
      and subsequent press coverage
<a class="moz-txt-link-freetext" href="https://www.smh.com.au/technology/revealed-serious-flaws-in-mygov-site-exposed-millions-of-australians-private-information-20140514-zrczw.html">https://www.smh.com.au/technology/revealed-serious-flaws-in-mygov-site-exposed-millions-of-australians-private-information-20140514-zrczw.html</a></p>
    <p>The sad part is that, as poorly as Optus has handled user info,
      I've seen worse, and frankly I'm amazed that one company I had the
      displeasure of working with a number of years ago hasn't suffered
      something similar. They kept even more PII than Optus (if you can
      believe that!) and did an appalling job of securing it for the
      hundreds of thousands of unfortunate souls in their DB.</p>
    <p>I don't know what the answer is though. If you want to see a
      mature digital ID system, look at Sweden, where they have something
      called "BankID", which is a similar concept except administered by
      the banks and only available to residents with a personnummer
      (similar to a tax file number). It's a system that is great for
      those who are born into it or have gained access via long-term
      residency, but if you're on the outside, it makes everything
      extremely cumbersome as basically every company asks for it.<br>
    </p>
    <div class="moz-cite-prefix">On 27/09/2022 11:48 am, Giles Pollock
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJQ50uo1QdiUUkEe0F3zTf2aarKKcEWJOL9ZCXEn467n=s-3TA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Had the same thought, and it's good in principle,
        until you get that obnoxious little thought creeping into your
        head "yeah... but what if MyGov got hacked too?"
        <div><br>
        </div>
        <div>I suspect we'll end up with something akin to that down the
          track, as the information already exists across multiple
          government databases by law anyway. Might get interesting for
          non citizens though?</div>
        <div><br>
        </div>
        <div>(It probably will wind up all the sovcit types too who will
          start throwing around their favourite catchphrases - NWO,
          world government, UN control, etc)</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Tue, Sep 27, 2022 at 1:40
          PM jay binks <<a href="mailto:jaybinks@gmail.com"
            moz-do-not-send="true" class="moz-txt-link-freetext">jaybinks@gmail.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">Mmm, I was just bouncing something like this
            around in my head.
            <div><br>
            </div>
            <div>In a perfect world, you could utilise MyGov
              infrastructure...<br>
              <br>
            </div>
            <div>Carriers could get a UUID that represents a "Know Your
              Customer" data validation that occurred between carriers
              and "MyGov", where the customer was MFA prompted (with the
              MyGov ID service) to say "Confirm you want to identify
              yourself to XXXX".</div>
            <div><br>
            </div>
            <div>Then the carrier would only be required to retain that
              UUID for the MFA Verified auth transaction.</div>
            <div>(and be explicitly instructed NOT to retain PII other
              than an email address to send invoices)</div>
            <div><br>
            </div>
            <div>Anyways... back to the real world.</div>
            <div><br>
            </div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Tue, 27 Sept 2022 at
              13:06, Nick Adams <<a href="mailto:ausnog@narkov.com"
                target="_blank" moz-do-not-send="true"
                class="moz-txt-link-freetext">ausnog@narkov.com</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div>
                <div>
                  <div>See the "Australia Card"[1] for why the Federal
                    government probably couldn't provide central
                    identification/auth services. It is politically very
                    challenging...despite the obvious benefits it would
                    provide.<br>
                  </div>
                  <div><br>
                  </div>
                  <div>[1] <a
                      href="https://en.wikipedia.org/wiki/Australia_Card"
                      target="_blank" moz-do-not-send="true"
                      class="moz-txt-link-freetext">https://en.wikipedia.org/wiki/Australia_Card</a></div>
                  <div><br>
                  </div>
                  <div
                    id="m_8756478220392611292m_-8916055799584140862sig129256752">
                    <div>--<br>
                    </div>
                    <div>Regards,<br>
                    </div>
                    <div><br>
                    </div>
                    <div>Nick Adams<br>
                    </div>
                  </div>
                  <div><br>
                  </div>
                  <div>On Tue, 27 Sep 2022, at 12:39 PM, Michael Kahl
                    wrote:<br>
                  </div>
                  <blockquote type="cite"
                    id="m_8756478220392611292m_-8916055799584140862qt">
                    <div dir="ltr">
                      <div>Is there any legal obligation to store
                        sensitive ID information in its original form?
                        Storing a hashed version only would be
                        sufficient to prove the details had been
                        collected and verify any future ID verification
                        requirements without actually retaining the
                        sensitive data.<br>
                      </div>
                      <div><br>
                      </div>
                      <div>Separately, should the government provide an
                        opt-in two-factor ID verification service for
                        critical services such as telco, utilities,
                        banking, etc.? There are privacy concerns;
                        however, if implemented correctly, they wouldn't
                        be collecting any further information than what
                        they legally have access to now.<br>
                      </div>
                    </div>
                    <div><br>
                    </div>
                    <div>
                      <div dir="ltr">On Tue, Sep 27, 2022 at 11:12 AM
                        Nathan Brookfield <<a
                          href="mailto:Nathan.Brookfield@iperium.com.au"
                          target="_blank" moz-do-not-send="true"
                          class="moz-txt-link-freetext">Nathan.Brookfield@iperium.com.au</a>>
                        wrote:<br>
                      </div>
                      <blockquote style="margin:0px 0px 0px
                        0.8ex;border-left:1px solid
                        rgb(204,204,204);padding-left:1ex">
                        <div>They’re legally obligated to retain it but
                          why it’s on the API and why it’s not
                          encrypted.<br>
                        </div>
                        <div> <br>
                        </div>
                        <div> Looking at the data some fields are hashed
                          and then repeated in the bloody clear :(<br>
                        </div>
                        <div> <br>
                        </div>
                        <div> On 27 Sep 2022, at 11:02, <a
                            href="mailto:glenn.satchell@uniq.com.au"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">glenn.satchell@uniq.com.au</a>
                          wrote:<br>
                        </div>
                        <div> <br>
                        </div>
                        <div> My understanding was that the data
                          included the 100 points of ID info. Why are
                          they retaining this? Surely after confirming
                          the 100 points there only needs to be a record
                          "100 points provided"=true and not retain the
                          actual details. This goes back to only keeping
                          the private data you need.<br>
                        </div>
                        <div> <br>
                        </div>
                        <div> regards,<br>
                        </div>
                        <div> Glenn<br>
                        </div>
                        <div> <br>
                        </div>
                        <div> On 2022-09-27 10:49, Damien Gardner Jnr
                          wrote:<br>
                        </div>
                        <div> > Personally, I find putting
                          Authentication on my API endpoints to be a<br>
                        </div>
                        <div> > FANTASTIC first step towards API
                          security.  And then not even using<br>
                        </div>
                        <div> > public IP addresses in test
                          environments is a pretty good second<br>
                        </div>
                        <div> > step.. 
                          </onlyhalfsarcasticherewhydoesthiskeephappening><br>
                        </div>
                        <div> > On Tue, 27 Sept 2022 at 10:46, Bevan
                          Slattery <<a
                            href="mailto:bevan@slattery.net.au"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">bevan@slattery.net.au</a>><br>
                        </div>
                        <div> > wrote:<br>
                        </div>
                        <div> >> Hi everyone,<br>
                        </div>
                        <div> >> Obviously a big week in telco and
                          cybersecurity.  As part of my work<br>
                        </div>
                        <div> >> I am on the Australian Cyber
                          Security Industry Advisory Committee as<br>
                        </div>
                        <div> >> an industry representative.<br>
                        </div>
                        <div> >> I am keen to look at opening up a
                          dialogue with more and more telco,<br>
                        </div>
                        <div> >> DC and Cloud CISO’s on what they
                          are doing around this issue and<br>
                        </div>
                        <div> >> looking to take a proactive step
                          towards best practice on customer<br>
                        </div>
                        <div> >> data and system security.<br>
                        </div>
                        <div> >> There will be some pretty serious
                          consequences of this hack on the<br>
                        </div>
                        <div> >> industry and importantly we need
                          to make sure we are as best placed<br>
                        </div>
                        <div> >> to help each other continually
                          increase in security posture through<br>
                        </div>
                        <div> >> best practice, but also working
                          with each other as an industry.<br>
                        </div>
                        <div> >> Are people keen on having a
                          online/VC session sometime in the next<br>
                        </div>
                        <div> >> few weeks where like-minded
                          industry participants get together and<br>
                        </div>
                        <div> >> discuss security, retention,
                          encryption, threat detection etc.?  If<br>
                        </div>
                        <div> >> so, just ping me directly and if
                          there is enough interest I will<br>
                        </div>
                        <div> >> send out an invitation to the
                          list for a call.<br>
                        </div>
                        <div> >> Cheers<br>
                        </div>
                        <div> >> [b]<br>
                        </div>
                        <div> >>
                          _______________________________________________<br>
                        </div>
                        <div> >> AusNOG mailing list<br>
                        </div>
                        <div> >> <a
                            href="mailto:AusNOG@ausnog.net"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">AusNOG@ausnog.net</a><br>
                        </div>
                        <div> >> <a
                            href="https://lists.ausnog.net/mailman/listinfo/ausnog"
                            rel="noreferrer" target="_blank"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">https://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
                        </div>
                        <div> > --<br>
                        </div>
                        <div> > Damien Gardner Jnr<br>
                        </div>
                        <div> > VK2TDG. Dip EE. GradIEAust<br>
                        </div>
                        <div> > <a href="mailto:rendrag@rendrag.net"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">rendrag@rendrag.net</a>
                          -  <a href="http://www.rendrag.net/"
                            rel="noreferrer" target="_blank"
                            moz-do-not-send="true"
                            class="moz-txt-link-freetext">http://www.rendrag.net/</a><br>
                        </div>
                        <div> > --<br>
                        </div>
                        <div> > We rode on the winds of the rising
                          storm,<br>
                        </div>
                        <div> > We ran to the sounds of thunder.<br>
                        </div>
                        <div> > We danced among the lightning bolts,<br>
                        </div>
                        <div> > and tore the world asunder<br>
                        </div>
                      </blockquote>
                    </div>
                  </blockquote>
                  <div><br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div dir="ltr">Sincerely<br>
            <br>
            Jay</div>
        </blockquote>
      </div>
      <br>
    </blockquote>
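    <p>An added example (not code from anyone in this thread) of the approach Glenn and Michael Kahl sketch above: keep a "100 points provided" outcome and a keyed commitment to the ID fields instead of the documents, tied to the kind of opaque verification UUID Jay proposes. The function names, the JSON canonicalisation and a key held in a KMS/HSM are assumptions of the illustration.</p>

```python
# Added illustration: a data-minimised ID verification record. The provider
# keeps an opaque id, the outcome and a keyed commitment (HMAC-SHA256) over
# canonicalised ID fields, never the documents. The key is assumed to sit in
# a KMS/HSM away from the customer database, so a dumped table cannot be
# reversed by guessing the way an unkeyed hash of a short licence number can.
import hashlib
import hmac
import json
import secrets
import uuid
from datetime import datetime, timezone


def new_commitment_key() -> bytes:
    """Hypothetical key provisioning; in practice fetched from a KMS/HSM."""
    return secrets.token_bytes(32)


def canonicalise(fields: dict) -> bytes:
    """Fix field order, case and whitespace so the same document always
    yields the same commitment however a clerk typed it."""
    norm = {k.strip().lower(): " ".join(str(v).split()).upper()
            for k, v in fields.items()}
    return json.dumps(norm, sort_keys=True, separators=(",", ":")).encode()


def commit(key: bytes, fields: dict) -> str:
    """Keyed commitment to the ID fields; meaningless without the key."""
    return hmac.new(key, canonicalise(fields), hashlib.sha256).hexdigest()


def record_verification(key: bytes, fields: dict, points: int,
                        relying_party: str) -> dict:
    """The only thing retained: no names, numbers or document images."""
    return {
        "verification_id": str(uuid.uuid4()),  # the UUID the carrier keeps
        "commitment": commit(key, fields),
        "points_provided": points,
        "points_ok": points >= 100,
        "relying_party": relying_party,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def reverify(key: bytes, record: dict, fields: dict) -> bool:
    """Constant-time check that re-presented details match the record."""
    return hmac.compare_digest(record["commitment"], commit(key, fields))


def contains_value(record: dict, value: str) -> bool:
    """Audit helper: would a dump of this record expose the raw value?"""
    return value in json.dumps(record)


if __name__ == "__main__":
    key = new_commitment_key()
    doc = {"licence_number": "123456789", "state": "NSW", "dob": "1990-01-01"}  # constructed
    rec = record_verification(key, doc, 100, "carrier-example")
    print(rec, reverify(key, rec, {"Licence_Number": " 123456789 ",
                                   "state": "nsw", "dob": "1990-01-01"}))
```

A record verified under one key cannot be re-verified, or brute-forced, by anyone holding only the database and not the key.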
  </body>
</html>