Australian Federal MPs' computer network hacked

[williamcll]

Australian networks are a sad sight.

[TechyBen]

8 hours ago, leadeater said:

No they actually don't, especially if the data is stored out of country. Warrants cover electronic devices the suspect has and sometimes data a company has on the person but if the data is encrypted or protected in some other similar way you can refuse to supply the data.

 

Warrants and the laws around them differ across countries, if warrants covered encrypted data and data stored out of country in Australia you think they would actually need this law change at all?

 

Companies like Microsoft and Google comply with data requests from law enforcement mostly on a good will basis because if they don't laws like this would get proposed, something they very much don't want to be a thing.

As said, then Google and Microsoft will lose the goodwill and go e2e (for the keys/encryption at least) so there will be nothing to hand over.

The law might be good, great and well intentioned. I'm just saying, if it's impossible to implement, it's impossible to implement.

 

Making it illegal to use encryption, that's possible, that's (difficultly) enforceable. Asking to make encrypted data available to third parties may not be.

 

But as you say, this law only applies if the data was left out in the open, so to speak.

[leadeater]

46 minutes ago, TechyBen said:

I'm just saying, if it's impossible to implement, it's impossible to implement.

And yet most services, the overwhelming majority are not E2EE user controlled encryption so the proposed law would work on more things than it won't. If every service moves over to that encryption model then that would be a future problem for a future situation but it's not that currently. And even then developers could be forced to deliver an app update to the target user that mirrors the data to law enforcement before any encryption is used. The proposed law is much harsher and more enforceable than you're saying.

 

The way it is currently if you never want to be forced to do something like that would be pull out of the Australian market.

[TechyBen]

Yeah. I've never though understood why new laws are needed for new technologies (to this extent). "I drove over a person... oh, that's ok right, because I used a car instead of a horse?"

Yet "illegal on a mobile phone" or "illegal with a drone" is needed. Like here (and other countries) it was already illegal to fly/buzz/go to Airports, but they needed it spelt out for "drones" specifically. Weird.

[LunaP0n3]

On 2/8/2019 at 8:01 PM, TechyBen said:

Quote

Australia just passed tough new legislation that requires tech companies to hand over user data when requested by law enforcement, even if that means building a backdoor into their encryption.

https://www.theverge.com/2018/12/7/18130806/australia-access-and-assistance-encryption-bill-2018-facebook-google-apple-respond

 

So, yeah. There are two parts. Stupid part "make a backdoor", not stupid part "hand over existing data

Building a backdoor in ANY encryption is just a dumb idea, allowing access to law enforcement, but also opening a gaping hole to the entire world. Hackers are inquisitive types, and it wouldn't be long before they have a look and discover the flaw.

YouTuber Tom Scott explains

 

[LunaP0n3]

8 hours ago, williamcll said:

Australian networks are a sad sight.

With the NBN supposedly being really fast, but being outdone by 4G. 150Mbps in my local town on a Netgear M1. Try doing that on an NBN connection, if it even works when you go to try.

[mr moose]

On 2/9/2019 at 1:36 PM, leadeater said:

The issue in reality comes down to if you are willing to reach a middle ground or not. Few are, but few also want to acknowledge the real issues that exist. Simply saying law enforcement need to find another way to get the evidence is rather naive and also relies that any other evidence that may be found is enough on it's own to satisfy the court to lay charges and get a conviction.   

This is the driving force of most of my opinions and posts,  It's so easy to be idealistic and argue from an absolute point,  but people forget we live in a community, a local community and a global community.  Ideals and personal desires have never been and never will be 100% possible.  We all have to make compromises if we want to be be a part of it and especially if we want to enjoy the fruits it brings.  Trying to play down some of the more serious issues we face because we value our privacy more than our safety means we one day you wan't have to worry about privacy...  indefinitely.

 

 

 

 

 

[mr moose]

On 2/9/2019 at 12:28 PM, leadeater said:

Companies like Microsoft and Google comply with data requests from law enforcement mostly on a good will basis because if they don't laws like this would get proposed, something they very much don't want to be a thing.

And sometime they fight it too depending on the situation, I remember MS fought the US government over their request for emails that were stored on an Irish server. MS claimed the US government had no jurisdiction to request a clients data on a foreign server.

 

https://www.bloomberg.com/news/articles/2018-02-26/why-microsoft-is-fighting-u-s-over-emails-in-ireland-quicktake

 

[Hellion]

Ironic and well deserved.

 

A government that can't even keep their own servers secure are in no place to be commenting on the status of encryption especially when it contradicts logic and what actual experts in the field have to say on the subject.

 

"The rules of mathematics do not apply in Australia"..............

 

It's the same level of rhetorical idiocy as the US government taking away freedoms with the same tired excuse of "terrorism".

 

Pushing an agenda so they can infringe upon the right to privacy.

[TechyBen]

4 hours ago, mr moose said:

This is the driving force of most of my opinions and posts,  It's so easy to be idealistic and argue from an absolute point,  but people forget we live in a community, a local community and a global community.  Ideals and personal desires have never been and never will be 100% possible.  We all have to make compromises if we want to be be a part of it and especially if we want to enjoy the fruits it brings.  Trying to play down some of the more serious issues we face because we value our privacy more than our safety means we one day you wan't have to worry about privacy...  indefinitely.

 

 

 

 

 

Are people playing them down, or just bringing up the reality of security theater?

[mr moose]

6 hours ago, TechyBen said:

Are people playing them down, or just bringing up the reality of security theater?

Ignoring them is a better word.

[TechyBen]

On 2/10/2019 at 8:41 PM, mr moose said:

Ignoring them is a better word.

Yeah, but I word in business where security was *very* important. So I know most things is about levels of difficulty/time/cost. Not "impossible or not". So people freaking about fingerprints, and I'm like "if they are that worried, they'd just hit me with a baseball bat and take the money" or "if my details get hacked, thats a few million also (as systematic fault)."

 

I'm not ignoring the problem, just knowing where to draw the line of effort/results. It's scary that a lot of people do ignore it (and get money lost off cards/accounts/email scams because of it).

[mr moose]

7 hours ago, TechyBen said:

Yeah, but I word in business where security was *very* important. So I know most things is about levels of difficulty/time/cost. Not "impossible or not". So people freaking about fingerprints, and I'm like "if they are that worried, they'd just hit me with a baseball bat and take the money" or "if my details get hacked, thats a few million also (as systematic fault)."

 

I'm not ignoring the problem, just knowing where to draw the line of effort/results. It's scary that a lot of people do ignore it (and get money lost off cards/accounts/email scams because of it).

I think you miss the point of what they are ignoring, we aren't talking about people ignoring personal security,  we are talking about the constant absolute backlash toward any attempt by government to overcome criminal issues that have only come to be as a result of digital evolution. When this happens it is generally accompanied by an ignorance about the increase and severity of crime as a result of technology not being properly covered by law. 

[TechyBen]

2 hours ago, mr moose said:

I think you miss the point of what they are ignoring, we aren't talking about people ignoring personal security,  we are talking about the constant absolute backlash toward any attempt by government to overcome criminal issues that have only come to be as a result of digital evolution. When this happens it is generally accompanied by an ignorance about the increase and severity of crime as a result of technology not being properly covered by law. 

Yeah. But it's a house fire in a town fire, with the fire station ablaze. Really there are no easy solutions, and everything is a threat (from a rock on the floor to satellites in space). It's just hard to watch people jump in the fires, fight fire with more fire, and generally not know their hand from their elbow. What do I say more so on it?

 

The companies don't want to have responsibility, but want all the power (Facebook/Youtube). They want all the money, but sidestep the costs (Google were/are very good at coding an outsourcing system to users... their real true money making system). They want a community to be safe, yet with no rules/boundaries.

 

They want their cake and to eat it.

 

/drops mic.

[leadeater]

21 minutes ago, TechyBen said:

They want a community to be safe, yet with no rules/boundaries.

What does that matter? This is rules and boundaries being proposed in to law and you object to that completely? Forget all the companies supplying submissions in opposition to such a law because as you say they don't want them so the will of course object. If you're so concerned or don't agree with all these companies having control over data, zero responsibility and only provide assistance when and how they want to why would you then object completely to a law that would introduce that to these very companies.

 

I get the arguments over specific issues with the propose law but to outright say it wont or can't work or shouldn't ever be done doesn't align with the point of view you just put forward.

[mr moose]

4 hours ago, TechyBen said:

Yeah. But it's a house fire in a town fire, with the fire station ablaze. Really there are no easy solutions, and everything is a threat (from a rock on the floor to satellites in space). It's just hard to watch people jump in the fires, fight fire with more fire, and generally not know their hand from their elbow. What do I say more so on it?

 

The companies don't want to have responsibility, but want all the power (Facebook/Youtube). They want all the money, but sidestep the costs (Google were/are very good at coding an outsourcing system to users... their real true money making system). They want a community to be safe, yet with no rules/boundaries.

 

They want their cake and to eat it.

 

/drops mic.

I'm, not entirely sure you have thoroughly thought out that post.   It seems to re-iterate the issue if anything.  We have an issue where the basic use of today's digital services leaves users open to abuse, leaves criminals open to further methods of obscurity and yet any move by governments to address either are condemned as unworkable.   The Bit people are missing is that most of us (those who are active in these forums) are well aware of encryption and the issue with backdoors, we understand the "math" as you put it, we're just not going to ignore great swathes of legislation or the issues it attempts to solve because of something we fear. 

[TechyBen]

6 hours ago, mr moose said:

I'm, not entirely sure you have thoroughly thought out that post.   It seems to re-iterate the issue if anything.  We have an issue where the basic use of today's digital services leaves users open to abuse, leaves criminals open to further methods of obscurity and yet any move by governments to address either are condemned as unworkable.   The Bit people are missing is that most of us (those who are active in these forums) are well aware of encryption and the issue with backdoors, we understand the "math" as you put it, we're just not going to ignore great swathes of legislation or the issues it attempts to solve because of something we fear. 

Yeah. But the society the Government are trying to fix is destroying itself (the point I was trying to make). As to the Government? As said, their trying to fix and unfixable problem, so I feel bad for them. My main input in this thread was just to point out the Aus' law seemed to be contradictory (and basically is, but for Law reasons, it lays out definitions, then blocks what it's own law can and cannot do, so it's less clear for a lawman to read, but perfectly watertight for lawyers to check). I just missed the tiny bits it did allow to be done in the reems of "not able to" act ons.

 

Quote

we're just not going to ignore great swathes of legislation or the issues it attempts to solve because of something we fear. 

Again. Missing my point. We may apply those legislations. We may accept them. But do you think the criminals will?

 

The law as passed is fine. The question most people ask though, is for the return on results, is it worth giving up those liberties? In a perfect world it would be, but in a perfect world we would not need to. So we will have 2 camps of people. We cannot solve that problem any more than we can turn up into down, or left into right. It's an unsolvable problem in this current setup of  society.

 

Think of it as bag searches. I'm happy with my boss searching my bag, because we get along and I trust him... but what if I find out they were stealing lunches? Or find out they were telling others what underwear I wore? Or found out that their lockers got broken into or third parties were planting evidence? Or I found out that they were just not reasonable, and put unrealistic requests on staff? Oh, but they caught 1 phone thief, or one person stealing headphones from the stockroom? So yeah, I can agree with a request, but see that it probably is not a clear cut "benefit". I can understand other people's opinions on it.

 

People get afraid for reasons. It's important to sympathise with them on that, even if we don't condone them, or understand that later they became overly afraid.

[TechyBen]

10 hours ago, leadeater said:

What does that matter? This is rules and boundaries being proposed in to law and you object to that completely? Forget all the companies supplying submissions in opposition to such a law because as you say they don't want them so the will of course object. If you're so concerned or don't agree with all these companies having control over data, zero responsibility and only provide assistance when and how they want to why would you then object completely to a law that would introduce that to these very companies.

 

I get the arguments over specific issues with the propose law but to outright say it wont or can't work or shouldn't ever be done doesn't align with the point of view you just put forward.

No. I said the law appears to be self contradictory or asking for the impossible. It may be verboise to list all possibilities, and seems to list the long list of things it cannot do, and a tiny tiny subset of what it can do. That's probably my error, as I'd forgot the law is a list of "not dos" not a list of "must dos".

 

Also, yes. I may be of the opinion that mathematically or in a society/social setting it cannot work. Does not mean I'm against it. I also think locks and doors and windows are fantastic, but I know they won't stop burglars, only deter them. Big difference! (As said, this is coming from a small physical security understanding, seeing methods of preventing theft, and how it was managed, vs the imagined "prevented").

 

Likewise, I do think all the data companies hold on the cloud should be better managed. That may mean e2e so third parties/existing workers/coders do not have access. There is a reason Apple in making sure their secure enclave works + waiting for either national law to change on access rights, or preventing their ability to ever know what a user has. Because it sets a service/method/responsibility Apple does not want.

 

Imagine if Apple wants to sell you a pen, paper and ability to write. Now imagine the law says "producers of pens and paper, must help the law enforcers prevent use for terrorism" or "get hold of all communications" when using pens and paper. That's a rather impossible and broad task. No one is against helping prevent crime, just we need to think about what is being asked, and if it even makes sense.

 

[mr moose]

20 minutes ago, TechyBen said:

Yeah. But the society the Government are trying to fix is destroying itself (the point I was trying to make). As to the Government? As said, their trying to fix and unfixable problem, so I feel bad for them. My main input in this thread was just to point out the Aus' law seemed to be contradictory (and basically is, but for Law reasons, it lays out definitions, then blocks what it's own law can and cannot do, so it's less clear for a lawman to read, but perfectly watertight for lawyers to check). I just missed the tiny bits it did allow to be done in the reems of "not able to" act ons.

I am really trying to be nice here, but I dare say the reason you see it as contradictory and futile is because you don't understand how the law works.  You keep thinking in one dimension, stuck in the concept of there only being one problem  and no solution.

 

Quote

Again. Missing my point. We may apply those legislations. We may accept them. But do you think the criminals will?

 

The law as passed is fine. The question most people ask though, is for the return on results, is it worth giving up those liberties? In a perfect world it would be, but in a perfect world we would not need to. So we will have 2 camps of people. We cannot solve that problem any more than we can turn up into down, or left into right. It's an unsolvable problem in this current setup of  society.

 

Think of it as bag searches. I'm happy with my boss searching my bag, because we get along and I trust him... but what if I find out they were stealing lunches? Or find out they were telling others what underwear I wore? Or found out that their lockers got broken into or third parties were planting evidence? Or I found out that they were just not reasonable, and put unrealistic requests on staff? Oh, but they caught 1 phone thief, or one person stealing headphones from the stockroom? So yeah, I can agree with a request, but see that it probably is not a clear cut "benefit". I can understand other people's opinions on it.

 

People get afraid for reasons. It's important to sympathise with them on that, even if we don't condone them, or understand that later they became overly afraid.

you are using analogies that don't even fit the issue now.  If someone wants to plant evidence or abuse the system in some corrupt way then they are going to. They already are, in fact life whether you care to find out or not, but the human race is actually getting less corrupt and less violent as it evolves and wealth becomes more common.   If you think the police or government of today are corrupt you need to pick up a history book and consider how they lived in the 18th century and before. 

[leadeater]

9 minutes ago, TechyBen said:

Also, yes. I may be of the opinion that mathematically or in a society/social setting it cannot work. Does not mean I'm against it. I also think locks and doors and windows are fantastic, but I know they won't stop burglars, only deter them. Big difference! (As said, this is coming from a small physical security understanding, seeing methods of preventing theft, and how it was managed, vs the imagined "prevented").

Yes but you aren't actively dismissing the law that makes it illegal to break and enter or trespass either. Locks don't stop a persistent criminal wanting to commit a crime but first there has to be a law they are breaking for it to be a crime.

 

9 minutes ago, TechyBen said:

No. I said the law appears to be self contradictory or asking for the impossible.

It's not impossible to put in to law legal provision that prevent companies from hiding behind the 'it's encrypted defense' when they can 100% help out or use the 'the data is off shore so not under your jurisdiction' defense. A law that means operating legally within Australia means offshore data is within it's jurisdiction means you can no longer use that as a defense, that is extremely easy to enforce and fine for non compliance.

 

Hardly anything is hard to enforce unless you are talking about the very small subset of end to end user controlled encryption which is an extreme minority of encryption methods used on the internet, i.e. HTTPS is not that. Hardly anything is that, not saying it's not a thing but you have to look damn hard for it to find it where you can trip over every other kind of encryption method on your search to find something that does use end to end user controlled encryption.

 

It is in fact totally opposite to what you are saying, especially in light of the law having provisions that can force companies to modify software or infrastructure to facilitate the evidence collection. 

[TechyBen]

2 minutes ago, mr moose said:

you are using analogies that don't even fit the issue now.  If someone wants to plant evidence or abuse the system in some corrupt way then they are going to. They already are, in fact life whether you care to find out or not, but the human race is actually getting less corrupt and less violent as it evolves and wealth becomes more common.   If you think the police or government of today are corrupt you need to pick up a history book and consider how they lived in the 28th century and before. 

Yes! They already are! So, I just feel it's turning more and more, and fixing less and less. I'm happy to see people trying to fix these problems (data access, security, preventing unwanted actors using such things)... but sad to see them failing.

 

Quote

but the human race is actually getting less corrupt and less violent as it evolves and wealth becomes more common. 

Again, I know of specific places this is not true. Same with the comments that fears of abuse are misguided. AFAIK for Aus they are not misapplying these laws. I know of places they do. Not a problem with the law (and as said, I'm not against this law), but those who apply it and carry out their interpretation, or plain purposeful misinterpretation of it.

 

Probably more than half the planet is in that situation!

[leadeater]

11 minutes ago, mr moose said:

consider how they lived in the 28th century and before

You can see the future?

[mr moose]

1 minute ago, leadeater said:

You can see the future?

Apparently I can.  I'll just go edit that.

[TechyBen]

 

22 minutes ago, leadeater said:

It is in fact totally opposite to what you are saying, especially in light of the law having provisions that can force companies to modify software or infrastructure to facilitate the evidence collection. 

As said. This is the societary bit I see as changing. I gave the example of Apple being ink pen and paper producers, and how these requests make seemingly impossible tasks for them. I'll not repost it. But think of such a request for any physical goods company. For example, we make dangerous goods *illegal* or we force safety on them. Or think of how it differs with postal services. There is no guarantee on a postal service being "encrypted". These systems show, we can only have 1 or the other. We cannot have both!

 

These things exist, but they exist in an either cost/physical system, or a systematic/national system (either you buy/pay for skeleton keys, or you nationalise the phone/postal service or access to it). You cannot have your cake and eat it. There are going to have to be other changes to facilitate such actions. These may end up clarified in courts (as said, I'm not against it or for it, just trying to see what it applies to, and it may become clearer what the meanings are later on).

 

Again, I'm not against this.  I just see that there is a lot of misunderstanding, and the main thing is I've been posting my observations, asking questions, and giving examples. I have noted MrMoose's comment on this not being a contradictory law, and yours stating it does apply to non-encrypted (e2e anyhow) data. Great! I did not see that detail of it's application (I assumed existing laws covered that!). So no arguments from me on those aspects!

[edit as I got lost in multiple posts updates on 2800s! ]

 

Quote

Yes but you aren't actively dismissing the law that makes it illegal to break and enter or trespass either. Locks don't stop a persistent criminal wanting to commit a crime but first there has to be a law they are breaking for it to be a crime.

This is not a law preventing a crime. It's a law requiring action. "You must facilitate a police officer in a car chase by smashing into the criminals car" is very different from "you must not speed".

 

I'm not saying we should not help. I'm saying if one law says "you have no obligation to speak, and can remain silent" then the next law saying "you must give out passwords" is contradictory, unless we have "you may not speak, with the exception of passwords". At which case it becomes problematic if said person has no passwords, as they automatically break the law by having no passwords, they cannot speak! 

 

As said, this is a natural problem with the logic/maths of the situation. It is fine if the users of such a system see that, and don't abuse it... but for the half of the planet that know of that weakness, and thus do exploit it... it's sad. (I know of how it's being applied right now for such actions, thankfully not in Aus though!)

[mr moose]

16 minutes ago, TechyBen said:

Yes! They already are! So, I just feel it's turning more and more, and fixing less and less. I'm happy to see people trying to fix these problems (data access, security, preventing unwanted actors using such things)... but sad to see them failing.

 

Again, I know of specific places this is not true. Same with the comments that fears of abuse are misguided. AFAIK for Aus they are not misapplying these laws. I know of places they do. Not a problem with the law (and as said, I'm not against this law), but those who apply it and carry out their interpretation, or plain purposeful misinterpretation of it.

 

Probably more than half the planet is in that situation!

https://ourworldindata.org/corruption

And because corruption is strongly linked too human development:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&ved=2ahUKEwjA7YXou7jgAhUGXCsKHUNgDTQQFjAOegQICxAC&url=http%3A%2F%2Ffaculty.georgetown.edu%2Fmh5%2Fclass%2Fecon102%2Freadings%2FStandard%20of%20Living%201800.pdf&usg=AOvVaw03lYLnNBVVSoS_a1rBL0bA

 

It really is good news for all of us if we can just get past this last hurdle (being the internet one).

5 minutes ago, TechyBen said:

Again, I'm not against this.  I just see that there is a lot of misunderstanding, and the main thing is I've been posting my observations, asking questions, and giving examples. I have noted MrMoose's comment on this not being a contradictory law, and yours stating it does apply to non-encrypted (e2e anyhow) data. Great! I did not see that detail of it's application (I assumed existing laws covered that!). So no arguments from me on those aspects!

That's a refreshing paragraph.