JackoBoy987

Australian Federal MPs' computer network hacked


11 minutes ago, CarlBar said:

 

Anything that allows something else into the data before it's encrypted can be used to access the data. It's the very definition of a systematic weakness.

Except that's not what this bill does... If the capability to do so is already there, then it can be used, so the government is not telling them to "create" a systemic weakness, because the weakness already existed.

Think of it this way.

 

Company A makes an electronic lock that will replace the front door key to your house. When you open the box there is an auto-generated password tied to your specific lock; not even the manufacturer had access to this information. If you forget it, you're out of luck: someone will need to break down the door and you will need to replace the entire thing.

Company B makes an electronic lock that will replace the front door key to your house. When you open the box there is an auto-generated password tied to your specific lock, but this is known to the manufacturer, who will be able to tell you the code to unlock your door if you forget it. If the police need to access your house for the purpose of a legitimate investigation, they go through all relevant channels to get warrants, court approval etc, they can contact your lock company and get the code to let them in, but ONLY if the correct legal channels have been followed.

This bill will apply to Company B. If they tried to do the same with Company A they would not be able to gain access through the lock (since this is what the bill is about), since no one but you knows what the code is. Are there other ways for them to get access to your house? Sure, but this bill doesn't cover those.

1 minute ago, CarlBar said:

Anything that allows something else into the data before it's encrypted can be used to access the data. It's the very definition of a systematic weakness.

It would be systemic if it applied to every user, applied to 1 user that would not be systemic. Literally any method that would allow access to encrypted data the way you see it would be a systemic weakness.

 

Any such change could be done in such a way to make it systemic, doesn't mean it will or was, and such a method could be used beyond the bounds of a warrant under the proposed law change, doesn't mean it will.

 

The change could require a specific account be specified, I could systematically go through every single user yet it wasn't actually using a systemic weakness though you can argue that because it was used in such a way it was a systemic weakness. This is very similar to Apple's submission in response to this proposed law. It's not a case of not being able to see how it could be abused but I don't just close doors to possibilities so quickly, I also think you can put in multiple authorization steps from more than one person to make it harder to widely abuse like that, not impossible. 

https://www.computerworld.com.au/article/648483/encryption-bill-what-systemic-weakness-it-depends-government-says/

 

In relation to other comments about key handling there is this

Quote

He confirmed, however, that requiring a company to implement a key escrow arrangement would violate the bill’s provisions.

 

The issue in reality comes down to if you are willing to reach a middle ground or not. Few are, but few also want to acknowledge the real issues that exist. Simply saying law enforcement need to find another way to get the evidence is rather naive and also relies that any other evidence that may be found is enough on its own to satisfy the court to lay charges and get a conviction.


Australian networks are a sad sight.


Specifications:

Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 7 2700X @ 4.2Ghz                                                                                     Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

Boot drive: Samsung 970 EVO plus 250GB            Second drive: Micron 1100 2TB         GPU: EVGA RTX 2080 ti Black edition @ 2Ghz

Case: Antec P8                                                                                                                    PSU: Antec HGC850

8 hours ago, leadeater said:

No they actually don't, especially if the data is stored out of country. Warrants cover electronic devices the suspect has and sometimes data a company has on the person but if the data is encrypted or protected in some other similar way you can refuse to supply the data.

 

Warrants and the laws around them differ across countries, if warrants covered encrypted data and data stored out of country in Australia you think they would actually need this law change at all?

 

Companies like Microsoft and Google comply with data requests from law enforcement mostly on a good will basis because if they don't laws like this would get proposed, something they very much don't want to be a thing.

As said, then Google and Microsoft will lose the goodwill and go e2e (for the keys/encryption at least) so there will be nothing to hand over.

The law might be good, great and well intentioned. I'm just saying, if it's impossible to implement, it's impossible to implement.

 

Making it illegal to use encryption, that's possible, that's (difficultly) enforceable. Asking to make encrypted data available to third parties may not be.

 

But as you say, this law only applies if the data was left out in the open, so to speak.

46 minutes ago, TechyBen said:

I'm just saying, if it's impossible to implement, it's impossible to implement.

And yet most services, the overwhelming majority are not E2EE user controlled encryption so the proposed law would work on more things than it won't. If every service moves over to that encryption model then that would be a future problem for a future situation but it's not that currently. And even then developers could be forced to deliver an app update to the target user that mirrors the data to law enforcement before any encryption is used. The proposed law is much harsher and more enforceable than you're saying.

 

The way it is currently if you never want to be forced to do something like that would be pull out of the Australian market.


Yeah. I've never though understood why new laws are needed for new technologies (to this extent). "I drove over a person... oh, that's ok right, because I used a car instead of a horse?"

Yet "illegal on a mobile phone" or "illegal with a drone" is needed. Like here (and other countries) it was already illegal to fly/buzz/go to Airports, but they needed it spelt out for "drones" specifically. Weird.

On 2/8/2019 at 8:01 PM, TechyBen said:
Quote

Australia just passed tough new legislation that requires tech companies to hand over user data when requested by law enforcement, even if that means building a backdoor into their encryption.

https://www.theverge.com/2018/12/7/18130806/australia-access-and-assistance-encryption-bill-2018-facebook-google-apple-respond

 

So, yeah. There are two parts. Stupid part "make a backdoor", not stupid part "hand over existing data".

Building a backdoor in ANY encryption is just a dumb idea, allowing access to law enforcement, but also opening a gaping hole to the entire world. Hackers are inquisitive types, and it wouldn't be long before they have a look and discover the flaw.

YouTuber Tom Scott explains

 

8 hours ago, williamcll said:

Australian networks are a sad sight.

With the NBN supposedly being really fast, but being outdone by 4G. 150Mbps in my local town on a Netgear M1. Try doing that on an NBN connection, if it even works when you go to try.

On 2/9/2019 at 1:36 PM, leadeater said:

The issue in reality comes down to if you are willing to reach a middle ground or not. Few are, but few also want to acknowledge the real issues that exist. Simply saying law enforcement need to find another way to get the evidence is rather naive and also relies that any other evidence that may be found is enough on its own to satisfy the court to lay charges and get a conviction.

This is the driving force of most of my opinions and posts. It's so easy to be idealistic and argue from an absolute point, but people forget we live in a community, a local community and a global community. Ideals and personal desires have never been and never will be 100% possible. We all have to make compromises if we want to be a part of it and especially if we want to enjoy the fruits it brings. Trying to play down some of the more serious issues we face because we value our privacy more than our safety means one day you won't have to worry about privacy... indefinitely.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

On 2/9/2019 at 12:28 PM, leadeater said:

Companies like Microsoft and Google comply with data requests from law enforcement mostly on a good will basis because if they don't laws like this would get proposed, something they very much don't want to be a thing.

And sometimes they fight it too depending on the situation. I remember MS fought the US government over their request for emails that were stored on an Irish server. MS claimed the US government had no jurisdiction to request a client's data on a foreign server.

 

https://www.bloomberg.com/news/articles/2018-02-26/why-microsoft-is-fighting-u-s-over-emails-in-ireland-quicktake

 


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.


Ironic and well deserved.

 

A government that can't even keep their own servers secure are in no place to be commenting on the status of encryption especially when it contradicts logic and what actual experts in the field have to say on the subject.

 

"The rules of mathematics do not apply in Australia"..............

 

It's the same level of rhetorical idiocy as the US government taking away freedoms with the same tired excuse of "terrorism".

 

Pushing an agenda so they can infringe upon the right to privacy.


What does windows 10 and ET have in common?

 

They are both constantly trying to phone home.

4 hours ago, mr moose said:

This is the driving force of most of my opinions and posts. It's so easy to be idealistic and argue from an absolute point, but people forget we live in a community, a local community and a global community. Ideals and personal desires have never been and never will be 100% possible. We all have to make compromises if we want to be a part of it and especially if we want to enjoy the fruits it brings. Trying to play down some of the more serious issues we face because we value our privacy more than our safety means one day you won't have to worry about privacy... indefinitely.

Are people playing them down, or just bringing up the reality of security theater?

6 hours ago, TechyBen said:

Are people playing them down, or just bringing up the reality of security theater?

Ignoring them is a better word.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

On 2/10/2019 at 8:41 PM, mr moose said:

Ignoring them is a better word.

Yeah, but I worked in business where security was *very* important. So I know most things is about levels of difficulty/time/cost. Not "impossible or not". So people freaking about fingerprints, and I'm like "if they are that worried, they'd just hit me with a baseball bat and take the money" or "if my details get hacked, that's a few million also (as systematic fault)."

 

I'm not ignoring the problem, just knowing where to draw the line of effort/results. It's scary that a lot of people do ignore it (and get money lost off cards/accounts/email scams because of it).

7 hours ago, TechyBen said:

Yeah, but I worked in business where security was *very* important. So I know most things is about levels of difficulty/time/cost. Not "impossible or not". So people freaking about fingerprints, and I'm like "if they are that worried, they'd just hit me with a baseball bat and take the money" or "if my details get hacked, that's a few million also (as systematic fault)."

 

I'm not ignoring the problem, just knowing where to draw the line of effort/results. It's scary that a lot of people do ignore it (and get money lost off cards/accounts/email scams because of it).

I think you miss the point of what they are ignoring, we aren't talking about people ignoring personal security,  we are talking about the constant absolute backlash toward any attempt by government to overcome criminal issues that have only come to be as a result of digital evolution. When this happens it is generally accompanied by an ignorance about the increase and severity of crime as a result of technology not being properly covered by law. 


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

2 hours ago, mr moose said:

I think you miss the point of what they are ignoring, we aren't talking about people ignoring personal security,  we are talking about the constant absolute backlash toward any attempt by government to overcome criminal issues that have only come to be as a result of digital evolution. When this happens it is generally accompanied by an ignorance about the increase and severity of crime as a result of technology not being properly covered by law. 

Yeah. But it's a house fire in a town fire, with the fire station ablaze. Really there are no easy solutions, and everything is a threat (from a rock on the floor to satellites in space). It's just hard to watch people jump in the fires, fight fire with more fire, and generally not know their hand from their elbow. What do I say more so on it?

 

The companies don't want to have responsibility, but want all the power (Facebook/Youtube). They want all the money, but sidestep the costs (Google were/are very good at coding an outsourcing system to users... their real true money making system). They want a community to be safe, yet with no rules/boundaries.

 

They want their cake and to eat it.

 

/drops mic.

21 minutes ago, TechyBen said:

They want a community to be safe, yet with no rules/boundaries.

What does that matter? This is rules and boundaries being proposed into law and you object to that completely? Forget all the companies supplying submissions in opposition to such a law because as you say they don't want them so they will of course object. If you're so concerned or don't agree with all these companies having control over data, zero responsibility and only provide assistance when and how they want to, why would you then object completely to a law that would introduce that to these very companies?

I get the arguments over specific issues with the proposed law but to outright say it won't or can't work or shouldn't ever be done doesn't align with the point of view you just put forward.

4 hours ago, TechyBen said:

Yeah. But it's a house fire in a town fire, with the fire station ablaze. Really there are no easy solutions, and everything is a threat (from a rock on the floor to satellites in space). It's just hard to watch people jump in the fires, fight fire with more fire, and generally not know their hand from their elbow. What do I say more so on it?

 

The companies don't want to have responsibility, but want all the power (Facebook/Youtube). They want all the money, but sidestep the costs (Google were/are very good at coding an outsourcing system to users... their real true money making system). They want a community to be safe, yet with no rules/boundaries.

 

They want their cake and to eat it.

 

/drops mic.

I'm not entirely sure you have thoroughly thought out that post. It seems to re-iterate the issue if anything. We have an issue where the basic use of today's digital services leaves users open to abuse, leaves criminals open to further methods of obscurity and yet any move by governments to address either are condemned as unworkable. The bit people are missing is that most of us (those who are active in these forums) are well aware of encryption and the issue with backdoors, we understand the "math" as you put it, we're just not going to ignore great swathes of legislation or the issues it attempts to solve because of something we fear.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

6 hours ago, mr moose said:

I'm not entirely sure you have thoroughly thought out that post. It seems to re-iterate the issue if anything. We have an issue where the basic use of today's digital services leaves users open to abuse, leaves criminals open to further methods of obscurity and yet any move by governments to address either are condemned as unworkable. The bit people are missing is that most of us (those who are active in these forums) are well aware of encryption and the issue with backdoors, we understand the "math" as you put it, we're just not going to ignore great swathes of legislation or the issues it attempts to solve because of something we fear.

Yeah. But the society the Government are trying to fix is destroying itself (the point I was trying to make). As to the Government? As said, they're trying to fix an unfixable problem, so I feel bad for them. My main input in this thread was just to point out the Aus' law seemed to be contradictory (and basically is, but for Law reasons, it lays out definitions, then blocks what its own law can and cannot do, so it's less clear for a lawman to read, but perfectly watertight for lawyers to check). I just missed the tiny bits it did allow to be done in the reams of "not able to" act ons. :P

 

Quote

we're just not going to ignore great swathes of legislation or the issues it attempts to solve because of something we fear. 

Again. Missing my point. We may apply those legislations. We may accept them. But do you think the criminals will? :D

 

The law as passed is fine. The question most people ask though, is for the return on results, is it worth giving up those liberties? In a perfect world it would be, but in a perfect world we would not need to. So we will have 2 camps of people. We cannot solve that problem any more than we can turn up into down, or left into right. It's an unsolvable problem in this current setup of  society.

 

Think of it as bag searches. I'm happy with my boss searching my bag, because we get along and I trust him... but what if I find out they were stealing lunches? Or find out they were telling others what underwear I wore? Or found out that their lockers got broken into or third parties were planting evidence? Or I found out that they were just not reasonable, and put unrealistic requests on staff? Oh, but they caught 1 phone thief, or one person stealing headphones from the stockroom? So yeah, I can agree with a request, but see that it probably is not a clear cut "benefit". I can understand other people's opinions on it.

 

People get afraid for reasons. It's important to sympathise with them on that, even if we don't condone them, or understand that later they became overly afraid.

10 hours ago, leadeater said:

What does that matter? This is rules and boundaries being proposed into law and you object to that completely? Forget all the companies supplying submissions in opposition to such a law because as you say they don't want them so they will of course object. If you're so concerned or don't agree with all these companies having control over data, zero responsibility and only provide assistance when and how they want to, why would you then object completely to a law that would introduce that to these very companies?

I get the arguments over specific issues with the proposed law but to outright say it won't or can't work or shouldn't ever be done doesn't align with the point of view you just put forward.

No. I said the law appears to be self contradictory or asking for the impossible. It may be verbose to list all possibilities, and seems to list the long list of things it cannot do, and a tiny tiny subset of what it can do. That's probably my error, as I'd forgot the law is a list of "not dos" not a list of "must dos".

 

Also, yes. I may be of the opinion that mathematically or in a society/social setting it cannot work. Does not mean I'm against it. I also think locks and doors and windows are fantastic, but I know they won't stop burglars, only deter them. Big difference! (As said, this is coming from a small physical security understanding, seeing methods of preventing theft, and how it was managed, vs the imagined "prevented").

 

Likewise, I do think all the data companies hold on the cloud should be better managed. That may mean e2e so third parties/existing workers/coders do not have access. There is a reason Apple is making sure their secure enclave works + waiting for either national law to change on access rights, or preventing their ability to ever know what a user has. Because it sets a service/method/responsibility Apple does not want.

 

Imagine if Apple wants to sell you a pen, paper and ability to write. Now imagine the law says "producers of pens and paper, must help the law enforcers prevent use for terrorism" or "get hold of all communications" when using pens and paper. That's a rather impossible and broad task. No one is against helping prevent crime, just we need to think about what is being asked, and if it even makes sense. :)

 

20 minutes ago, TechyBen said:

Yeah. But the society the Government are trying to fix is destroying itself (the point I was trying to make). As to the Government? As said, they're trying to fix an unfixable problem, so I feel bad for them. My main input in this thread was just to point out the Aus' law seemed to be contradictory (and basically is, but for Law reasons, it lays out definitions, then blocks what its own law can and cannot do, so it's less clear for a lawman to read, but perfectly watertight for lawyers to check). I just missed the tiny bits it did allow to be done in the reams of "not able to" act ons. :P

I am really trying to be nice here, but I dare say the reason you see it as contradictory and futile is because you don't understand how the law works.  You keep thinking in one dimension, stuck in the concept of there only being one problem  and no solution.

 

Quote

Again. Missing my point. We may apply those legislations. We may accept them. But do you think the criminals will? :D

 

The law as passed is fine. The question most people ask though, is for the return on results, is it worth giving up those liberties? In a perfect world it would be, but in a perfect world we would not need to. So we will have 2 camps of people. We cannot solve that problem any more than we can turn up into down, or left into right. It's an unsolvable problem in this current setup of  society.

 

Think of it as bag searches. I'm happy with my boss searching my bag, because we get along and I trust him... but what if I find out they were stealing lunches? Or find out they were telling others what underwear I wore? Or found out that their lockers got broken into or third parties were planting evidence? Or I found out that they were just not reasonable, and put unrealistic requests on staff? Oh, but they caught 1 phone thief, or one person stealing headphones from the stockroom? So yeah, I can agree with a request, but see that it probably is not a clear cut "benefit". I can understand other people's opinions on it.

 

People get afraid for reasons. It's important to sympathise with them on that, even if we don't condone them, or understand that later they became overly afraid.

you are using analogies that don't even fit the issue now.  If someone wants to plant evidence or abuse the system in some corrupt way then they are going to. They already are, in fact life whether you care to find out or not, but the human race is actually getting less corrupt and less violent as it evolves and wealth becomes more common.   If you think the police or government of today are corrupt you need to pick up a history book and consider how they lived in the 18th century and before. 


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

9 minutes ago, TechyBen said:

Also, yes. I may be of the opinion that mathematically or in a society/social setting it cannot work. Does not mean I'm against it. I also think locks and doors and windows are fantastic, but I know they won't stop burglars, only deter them. Big difference! (As said, this is coming from a small physical security understanding, seeing methods of preventing theft, and how it was managed, vs the imagined "prevented").

Yes but you aren't actively dismissing the law that makes it illegal to break and enter or trespass either. Locks don't stop a persistent criminal wanting to commit a crime but first there has to be a law they are breaking for it to be a crime.

 

9 minutes ago, TechyBen said:

No. I said the law appears to be self contradictory or asking for the impossible.

It's not impossible to put into law legal provisions that prevent companies from hiding behind the 'it's encrypted defense' when they can 100% help out or use the 'the data is off shore so not under your jurisdiction' defense. A law that means operating legally within Australia means offshore data is within its jurisdiction means you can no longer use that as a defense, that is extremely easy to enforce and fine for non compliance.

 

Hardly anything is hard to enforce unless you are talking about the very small subset of end to end user controlled encryption which is an extreme minority of encryption methods used on the internet, i.e. HTTPS is not that. Hardly anything is that, not saying it's not a thing but you have to look damn hard for it to find it where you can trip over every other kind of encryption method on your search to find something that does use end to end user controlled encryption.

 

It is in fact totally opposite to what you are saying, especially in light of the law having provisions that can force companies to modify software or infrastructure to facilitate the evidence collection. 

2 minutes ago, mr moose said:

you are using analogies that don't even fit the issue now.  If someone wants to plant evidence or abuse the system in some corrupt way then they are going to. They already are, in fact life whether you care to find out or not, but the human race is actually getting less corrupt and less violent as it evolves and wealth becomes more common.   If you think the police or government of today are corrupt you need to pick up a history book and consider how they lived in the 28th century and before. 

Yes! They already are! So, I just feel it's turning more and more, and fixing less and less. I'm happy to see people trying to fix these problems (data access, security, preventing unwanted actors using such things)... but sad to see them failing.

 

Quote

but the human race is actually getting less corrupt and less violent as it evolves and wealth becomes more common. 

Again, I know of specific places this is not true. Same with the comments that fears of abuse are misguided. AFAIK for Aus they are not misapplying these laws. I know of places they do. Not a problem with the law (and as said, I'm not against this law), but those who apply it and carry out their interpretation, or plain purposeful misinterpretation of it.

 

Probably more than half the planet is in that situation!

1 minute ago, leadeater said:

You can see the future?

Apparently I can.  I'll just go edit that.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

