
Australian Federal MPs' computer network hacked

JackoBoy987

@mr moose

 

Yeah, requiring a mechanical system to have a hookup is very different to requiring a mathematical system to have a hookup. Wiretapping physical things is not the same as wiretapping logical mathematical processes.

 

Putting it in law simply makes encrypted communication impossible in principle. That is a problem. We could argue over degrees of the problem, but no one here should be arguing the existence of the problem! You can for example make unbreakable communication *in principle*, thus any change to the law would be impossible to implement into encrypted communication. Akin to asking for antigravity (which may be easier than secure snoopable encryption! :D ).

 

To some, the mere existence is the problem, if you deny their opinion, you fail to understand the facts. They are not arguing against the facts (as you seem to be arguing past them on that) but over the opinion of how these affect people. You say this is not a problem, @LAwLz Says it is. That is opinion. However, LAwLz also says (and IMO is a factual observation) that the encryption weakness exists if you apply a secondary access (the business/government/etc).

 

Maths says that is true. No opinion on it. Only on if we should allow it or not. That we can agree to disagree on. But it certainly exists. It is dangerous to disagree on that!

 

[Edit]

PS, I don't know "these other posts", as searching a massive forum is not always easy... So saying "the proof exists in a room underground, behind the sign beware of the leopard" is not helpful to me. ;) 


1 minute ago, TechyBen said:

@mr moose

 

Yeah, requiring a mechanical system to have a hookup is very different to requiring a mathematical system to have a hookup. Wiretapping physical things is not the same as wiretapping logical processes.

 

Putting it in law simply makes encrypted communication impossible in principle. That is a problem. We could argue over degrees of the problem, but no one here should be arguing the existence of the problem!

I am not sure you understand the point of the law, it is not about wiretapping, it is about gaining legal access to stored data where that data is obtainable by the service provider.  Previous Australian law meant that the service provider could just say no or wind up the issue requiring a court order by which time the stored data could be deleted.

1 minute ago, TechyBen said:

To some, the mere existence is the problem, if you deny their opinion, you fail to understand the facts.

That is not true,  seeing when an opinion is wrong is not the same as failing to understand facts.  The facts are quite simple, the law strictly forbids a backdoor, it strictly forbids anything that will introduce a systemic weakness both currently and in the future.  That is not something you can just claim is untrue because you want to create your own definition of systemic weakness. 

1 minute ago, TechyBen said:

They are not arguing against the facts (as you seem to be arguing past them on that) but over the opinion of how these affect people. You say this is not a problem, @LAwLz Says it is. That is opinion. However, LAwLz (and my observation) is that the encryption weakness exists if you apply a secondary access (the business/government/etc), and that is fact, one which you strangely seem to be arguing does not exist?

Yes they are, Lawlz is specifically trying to argue that the term "systemic weakness" hasn't been specifically defined in the law, therefore it can mean anything.  That is BS, that is just clutching at straws to make erroneous claims sound legitimate. The term "systemic weakness" just like "ongoing risk" and "critical evidence" have very well defined meanings and are not specifically defined in any other Bill for the same reason, they don't need to be.   The law specifically states that they can't ask for access to data if service provider cannot obtain it, meaning if (using apple for the argument) if apple can't access the information on your phone, then there is no way the government or police can order apple to do anything that would make that data available. 

 

I am sorry this isn't the big nasty anti encryption bill people want it to be,  for god knows what strange reason.  I would have thought people would be happy to know they can't ask for a backdoor.  Alas, there seems to be no way to argue this, if people won't accept that you can't just change the definition of a word, then they have no hope understanding the difference between a supermarket tabloid and a bill of law.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


19 minutes ago, mr moose said:

That is not true,  seeing when an opinion is wrong is not the same as failing to understand facts.  The facts are quite simple, the law strictly forbids a backdoor, it strictly forbids anything that will introduce a systemic weakness both currently and in the future.  That is not something you can just claim is untrue because you want to create your own definition of systemic weakness. 

No, you fail to see where the opinion stops and the facts start. Opinion, this should or should not be allowed or is good or bad. Fact, mathematically these systems cannot do what that law asks. It may be self contradictory in the law, or just a mathematical impossibility. That will have to be tested in court or defined.

We don't need a definition for systemic weakness. Mathematically encryption is secure or *not*. There is no strengthening by adding an additional [hidden/silent] party, it will weaken it. Thus the law is written to allow weakening for access (fact) and where we disagree is on if this is acceptable/reasonable (opinion). As said, I don't disagree with anyone's opinion here (go for it, or not, it's already happened and is passed), but show where the facts are, lay them out on the table. :)

 

Quote

I am not sure you understand the point of the law, it is not about wiretapping, it is about gaining legal access to stored data where that data is obtainable by the service provider.  Previous Australian law meant that the service provider could just say no or wind up the issue requiring a court order by which time the stored data could be deleted.

https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/

 

I said "Wiretapping physical things is not the same as wiretapping logical processes.". So, can we wiretap here? Nope. You cannot insert into existing encryption (unlike a phone line, where you can crocodile clip into existing phone lines). Thus it is different. We agree!!! There may be *no stored data* with encryption services (this is being phased out of existing ones at times). Some may (Googles and other password apps), but others don't. Does the law say they must now, add such access, even if it does not exist?

 

"They cannot ask a provider to "implement or build a new decryption capability", or "render systemic methods of authentication or encryption less effective", or introduce a "selective" vulnerability or weakness that would "jeopardise the security of any information held by any other person", or create "a material risk that otherwise secure information can be accessed by an unauthorised third party"."

 

So basically it's a self conflicting law. Or similar to the Apple cases in the US. The desire is to "go get that guy" and get access to their phone/private communication. Physically, that works, we can do that... mathematically it does not. They could ask till they're blue in the face, but it will not be a possibility for the majority of companies, with the exception of silent "off" switches to the communications (for example if facebook suddenly turned it off for criminal X ). However, that would also, systematically mean the same could be done to anyone else, thus any access is systematic weakness.

I don't need definitions of degrees of weakness, because mathematically, any access is a weakness. The *law* needs to define the definitions, that's what a law is!

 

[Edit]

PS, it is self contradictory, and has the definitions. Again, your opinion may be correct, but understanding of the facts seems off (Lawlz may also be, but less so).

"systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.

systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified."

I am currently watching some other countries use laws like this to witch hunt certain groups of people.


4 minutes ago, TechyBen said:

No, you fail to see where the opinion stops and the facts start. Opinion, this should or should not be allowed or is good or bad. Fact, mathematically these systems cannot do what that law asks. It may be self contradictory in the law, or just a mathematical impossibility. That will have to be tested in court or defined.

We don't need a definition for systemic weakness. Mathematically encryption is secure or *not*. There is no strengthening by adding an additional [hidden/silent] party, it will weaken it. Thus the law is written to allow weakening for access (fact) and where we disagree is on if this is acceptable/reasonable (opinion). As said, I don't disagree with anyone's opinion here (go for it, or not, it's already happened and is passed), but show where the facts are, lay them out on the table. :)

 

https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/

 

I said "Wiretapping physical things is not the same as wiretapping logical processes.". So, can we wiretap here? Nope. You cannot insert into existing encryption (unlike a phone line, where you can crocodile clip into existing phone lines). Thus it is different. We agree!!! There may be *no stored data* with encryption services (this is being phased out of existing ones at times). Some may (Googles and other password apps), but others don't. Does the law say they must now, add such access, even if it does not exist?

 

"They cannot ask a provider to "implement or build a new decryption capability", or "render systemic methods of authentication or encryption less effective", or introduce a "selective" vulnerability or weakness that would "jeopardise the security of any information held by any other person", or create "a material risk that otherwise secure information can be accessed by an unauthorised third party"."

 

So basically it's a self conflicting law. Or similar to the Apple cases in the US. The desire is to "go get that guy" and get access to their phone/private communication. Physically, that works, we can do that... mathematically it does not. They could ask till they're blue in the face, but it will not be a possibility for the majority of companies, with the exception of silent "off" switches to the communications (for example if facebook suddenly turned it off for criminal X ). However, that would also, systematically mean the same could be done to anyone else, thus any access is systematic weakness.

I don't need definitions of degrees of weakness, because mathematically, any access is a weakness. The *law* needs to define the definitions, that's what a law is!

It's not really self conflicting, the law is designed to supersede a whole lot of antique laws that aren't easily applicable to cloud storage, online backups and PM services like facebook and messenger etc.  

 

The worst thing about this is it's just as bad as the arguments when the meta data laws were introduced, we had people arguing black and blue that ISPs had to log every website you visit and every email you sent. There were even news articles making those same claims. That was just a load of BS too.


5 minutes ago, mr moose said:

It's not really self conflicting, the law is designed to supersede a whole lot of antique laws that aren't easily applicable to cloud storage, online backups and PM services like facebook and messenger etc.  

 

The worst thing about this is it's just as bad as the arguments when the meta data laws were introduced, we had people arguing black and blue that ISPs had to log every website you visit and every email you sent. There were even news articles making those same claims. That was just a load of BS too.

Any service that uses maths for the service cannot have this law applied to. Maths. Like, unless your cloud storage is photocopies and printed out, you cannot "provide access without systematic weakening". A mathematical storage in any form with any form of mathematical security will be weakened by adding a secondary/third party access!

 

In reality space/matter/time separate access, a safe, a lock, a wall. Mathematically nothing separates access. Any access granted to a third party is granted to everyone!

 

It's logically self contradictory as written. Fact. Do you agree or disagree with the math?

 

[Again with the straw men, where have *I* ever said meta data == HTML code? Why not first ask me my opinion on meta data vs full access snooping?]


1 hour ago, LAwLz said:

The Australian law requires companies to under some circumstances implement a method for the Australian government or people working for the government to gain access to data on individuals, possibly without their consent or knowledge. That is a backdoor.

Well no because it did not exist before hand, and does not have to exist afterward. Requests have to be specific and targeted, more extensive requests that requires modification of systems have to go through a wider approval process, not by 'one guy' and not without input from independent industry experts which AGs do solicit.

 

Or

 

Well yes it technically fits a broad description of a backdoor.

 

The way you (the greater you, not you specifically) present it vastly influences perception of what something is. I will forever refuse to call that a backdoor because it does not fit the established, industry general, definition of and how we talk about backdoors in systems and code. Just like I don't call a Police battering ram a master key, it opens all locks though.

 

Yea that was a zero effort example just given because that's all it needs. You've also made the mistake of thinking I support the law or appears to be the case. The only thing I support in relation to that topic is rational discussion, rational examples, and a keen mind for the intent of the law. When that isn't the case willingness to stick to that wanes.

 

1 hour ago, LAwLz said:

The law (flimsily and with a ton of loopholes) forbids "systemic weaknesses", but not all backdoors are systemic. It is therefore 100% correct to say that the Australian government can require backdoors. Although it might be a bit misleading because a lot of people think of systemic backdoors when they think of backdoors.

And yet many laws are filled with these or have problems many people can point out however modification of the written law to address these is often not required because they have been tested in court and there is established case law that shows what can and cannot be done that counteracts the concerns when reading a law.

 

Laws have a tendency to be wide precisely so that can happen, I will let the legal system/courts define what is and is not allowed under such a law. Once you wall something off legally that's it there is no room to move, however if you allow room for something but also require other considerations and cross assessments something may be allowed while something else very similar may not. Something might happen, something might be possible, or maybe it isn't. You know just about as much as I do for how it will actually turn out when tested in practice, very little. Neither of us have the legal background and experience nor understand the Australian legal systems enough to make any such claims.

 

That does not stop us from pointing out potential problems with laws and discussing them and how they might be bad, just remember the key word, might.

 

The need to establish a legal framework around data encryption should not be so readily dismissed, ridiculed or swept aside. Any such law is a fundamental threat to many organizations, like the EFF, who would oppose it right to its dying breath. Fairy tale ideals only work in fairy tales, reality is much harsher than that and there will always be a time where accessing encrypted data could be vitally important and doing nothing to address that need will, surprisingly, do nothing.

 

The only thing I'm glad about is the fact Australia is doing it first, or more correctly it isn't my country trying to address it first.


They've got inspiration from Facebook 

 

/s


Just now, TechyBen said:

Any service that uses maths for the service cannot have this law applied to. Maths. Like, unless your cloud storage is photocopies and printed out, you cannot "provide access without systematic weakening". A mathematical storage in any form with any form of mathematical security will be weakened by adding a secondary/third party access!

Yes you can, apple and MS have full access to everything stored on their cloud services, the only real exceptions are encrypted files that are uploaded. I believe most of the device synced data is accessible by apple currently.   There is no application here to add second or third party access to encrypted data.

 

 

Just now, TechyBen said:

 

In reality space/matter/time separate access, a safe, a lock, a wall. Mathematically nothing separates access. Any access granted to a third party is granted to everyone!

 

It's logically self contradictory as written. Fact. Do you agree or disagree with the math?

You are describing a single set of data that is encrypted with one unshared key, that would work in that example and that example only. The issue is that the entire communications and technology world does not have that one single model. There are places where data can be accessed without introducing a second or third access point or targetable weakness.


4 minutes ago, mr moose said:

Yes you can, apple and MS have full access to everything stored on their cloud services, the only real exceptions are encrypted files that are uploaded. I believe most of the device synced data is accessible by apple currently.   There is no application here to add second or third party access to encrypted data.

 

 

You are describing a single set of data that is encrypted with one unshared key, that would work in that example and that example only. The issue is that the entire communications and technology world does not have that one single model. There are places where data can be accessed without introducing a second or third access point or targetable weakness.

Existing data that is encrypted by third party keys. So, the law can/may allow access to existing stored keys. No idea if that is what it's supposed to say. But there are systems that are end to end encryption. These have no ability to add [secure] access to them. Even in principle.

 

Quote

There are places where data can be accessed without introducing a second or third access point or targetable weakness.

Yes. So is this the Apple iPhone US access case, or the Server confiscation cases? Is this law applicable to all communications (including single key) at which point my case stands (I don't need to draw a venn diagram do I? :P ) or only to stored data on third party servers?

 

Quote

WHAT CAN AGENCIES ASK FOR?

The list of "acts or things" that can be requested runs for two pages. The first is "removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider". Electronic protection is defined as an authentication system or encryption.

 

So basically, they can ask Facebook to turn off Messenger encryption for 1 suspected criminal (or ip if currently unidentified). This is also a systematic weakness, because it means that Facebook could do the same for any individual at any other time (say to steal your bank details if using Facebook Pay *fictional?* or blackmail you if you're a politician ;) ).

 

So, law is self contradictory.

 

As said, I will follow the facts, and support opinions. Find me the facts, and you will win me over. :)


4 minutes ago, TechyBen said:

Existing data that is encrypted by third party keys. So, the law can/may allow access to existing stored keys. No idea if that is what it's supposed to say. But there are systems that are end to end encryption. These have no ability to add [secure] access to them. Even in principle.

The law does not apply to E2E  or where that encryption key is not in the hands of the service provider

4 minutes ago, TechyBen said:

Yes. So is this the Apple iPhone US access case, or the Server confiscation cases? Is this law applicable to all communications (including single key) at which point my case stands (I don't need to draw a venn diagram do I? :P ) or only to stored data on third party servers?

I simply meant places like cloud storage, or services where the service provider does the encrypting and not the user.  It is not creating a weakness if the service provider can already turn encryption on or off at their end.

4 minutes ago, TechyBen said:

 

So basically, they can ask Facebook to turn off Messenger encryption for 1 suspected criminal (or ip if currently unidentified). This is also a systematic weakness, because it means that Facebook could do the same for any individual at any other time (say to steal your bank details if using Facebook Pay *fictional?* or blackmail you if you're a politician ;) ).

No, that does not make it a systemic weakness, under that condition it already was an option to facebook, this law just gives authority to investigators to use those existing options to eavesdrop or collect data. If facebook cannot turn encryption off (because it is set by the user) then the law can't ask them to re-code their services to give them that option. There is a distinct difference here and it is an important one.

 

4 minutes ago, TechyBen said:

So, law is self contradictory.

 

As said, I will follow the facts, and support opinions. Find me the facts, and you will win me over. :)

These are the facts, as short as possible:

 

If a service provider already has access to data (because they control the encryption) then the law can ask them for it.

If a service provider has no access to data (because the user controls the encryption) then the law cannot ask squat from the service provider.

If a service provider can gain access to messages, then the law can ask them to help with setting up an eavesdropping service to collect evidence.

If a service provider cannot gain access to messages, then the law can't ask for shit.

 

 

If I was to go out on a limb as far as I could, under really dire and dodgy (everyone is corrupt) conditions, maybe a service provider could be persuaded to hand over their source code so someone else can try and crack the encryption/make a spy program.

 

 

 


13 minutes ago, mr moose said:

No, that does not make it a systemic weakness,  under that condition it already was an option to facebook

Which is a pre-existing systematic weakness (though this law does not force them to implement it, if it does not exist, then what is the point of the law if there is nowhere the law can be applied?). Though not one applied by a request from the authorities. EG, the law can exploit existing weaknesses, but not ask for new ones? If Facebook can silently turn off encryption to the user/s, then that is a security risk.

 

As you said, this does not apply to e2e encryption. But then what is the point of the law? That they can access existing keys? Great! They could already do that with a warrant? So this law is clarifying this? As said, we just hope it's not squeezed into other uses!

 

But as said, this will mean everyone will follow the Apple "secure enclave" and possibly e2e encryption on cloud services too.

 

I'd still need citation for your list, as the quote I had above still says they are allowed to request the service be silently deactivated. So that seems very much like dictatorship like powers of control. I can understand public requests to shut down services "we are turning off the gas to prevent explosions, we are turning off Facebook to prevent threats of violence", but doing so secretively, and towards communication, is somewhat concerning. Is the law still contradictory in that statement?

 

That part may be one that gets tested in court and modified in the future?


3 minutes ago, TechyBen said:

Which is a pre-existing systematic weakness (though this law does not force them to implement it, if it does not exist, then what is the point of the law if there is nowhere the law can be applied?). Though not one applied by a request from the authorities. EG, the law can exploit existing weaknesses, but not ask for new ones? If Facebook can silently turn off encryption to the user/s, then that is a security risk.

Correct,  it can also ask for service providers to modify software for specific targets where they have the ability to do so.

 

3 minutes ago, TechyBen said:

As you said, this does not apply to e2e encryption. But then what is the point of the law? That they can access existing keys? Great! They could already do that with a warrant? So this law is clarifying this? As said, we just hope it's not squeezed into other uses!

The point of the law is to be able to legally use the services available to attain digital evidence in much the same way they would get a search warrant for a house.

3 minutes ago, TechyBen said:

But as said, this will mean everyone will follow the Apple "secure enclave" and possibly e2e encryption on cloud services too.

Everything will move in that direction naturally, no one is naive to that.

3 minutes ago, TechyBen said:

I'd still need citation for your list, as the quote I had above still says they are allowed to request the service be silently deactivated. So that seems very much like dictatorship like powers of control. I can understand public requests to shut down services "we are turning off the gas to prevent explosions, we are turning off Facebook to prevent threats of violence", but doing so secretively, and towards communication, is somewhat concerning. Is the law still contradictory in that statement?

 

That part may be one that gets tested in court and modified in the future?

The silently bit is so the target suspect doesn't know and continues to arrange his nefarious activities unaware his phone has been tapped.  That is the problem with the old laws, by the time a court had ordered something be done, it is too late, the horse has bolted, everyone knows what they are looking for so it would have been deleted.

 

It's literally like trying to organise the digital equivalent of a surprise raid while they still can.  


13 minutes ago, mr moose said:

Correct,  it can also ask for service providers to modify software for specific targets where they have the ability to do so.

And therein lies the problem. We hope they understand, Maths works for one boss only.

 

Quote

It's literally like trying to organise the digital equivalent of a surprise raid while they still can.  

Which is why it needs to be in writing (rightly so both as the law, and in individual requests) and why it will be tested in courts. Because, as said, the requests VS the reality vary massively here, compared to (partially) easy to decide physical access.

 

"Please open that safe" might have an easy answer "yes we have the key" or "sorry, the key is at the bottom of the ocean, you'll need a few hours with a JCB and a road hammer to open it"... but when it comes to current communications, cloud services and encryption, try telling the authorities "sorry, it don't work that way" (see how hard it was for us, both knowing the math/limitations, to find the points each of us were discussing, me a bottom up, you a top down, and meeting in the middle finding out I was on about the implications of this law to e2e, and you were commenting about cloud services). I feel for anyone even remotely involved in IT. :P


50 minutes ago, mr moose said:

I am not sure you understand the point of the law, it is not about wiretapping, it is about gaining legal access to stored data where that data is obtainable by the service provider.  Previous Australian law meant that the service provider could just say no or wind up the issue requiring a court order by which time the stored data could be deleted.

That is incorrect. The law specifically states that the government is allowed to request changes to the system to allow them access as well, as long as it does not "break encryption". The bill does not just say "share what you already have" (a TAN). It also says "you need to share data which you potentially don't collect right now" (TCN).

 

The law enables three different requests and notices to be sent by the government, as I explained in this post:

On 8/16/2018 at 12:57 PM, LAwLz said:

Well, the source in the OP is mostly just reciting what the politicians are saying, which is of course extremely biased because of course they want to make their own proposals good and get people onboard.

 

Here is what the legislation says. (Please note that I have not read all of the documents yet, so I may be getting some things incorrect).

The parts I am referring to are mostly outlined on page 8 of the explanatory document.

 

This bill introduces three new items into the telecommunications act.

 

*Designated communications provider is defined as a foreign or domestic communications provider, device manufacturer, component manufacturer, application provider, or traditional carriers and carriage service provider.*

 

1) Technical Assistance Request (TAR) - This is a framework for how a designated communications provider can voluntarily provide assistance to Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service (ASIS) and Australian Signals Directorate (ASD).

Nothing wrong with this if you ask me. In fact, it is very good to have this.

 

2) Technical Assistance Notice (TAN) - A TAN requires a designated communications provider to provide assistance to these organizations IF THEY ARE ALREADY CAPABLE OF DOING SO.

This is what is mostly being highlighted in the article, and I think that's alright. I have some privacy-related concerns and I think this can set a very bad precedent even if you completely trust the Australian government, I don't have faith in some other parts of the world. In any case, it seems somewhat reasonable to me, and a lot of companies already provide help to law enforcement when asked. I'd even go as far as to say most companies do.

 

3) Technical Capability Notice (TCN) - I am going to quote the actual, legal document which explains what a TCN is because it is very important that people can't say I am interpreting things. Here is what a TCN is:

Quote

Allow the Attorney General to issue a technical capability notice, requiring a designated communications provider to build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies.

A technical capability notice cannot require a provider to build or implement a capability to remove electronic protection, such as encryption. The Attorney-General must be satisfied that any requirements are reasonable, proportionate, practicable and technically feasible. The Attorney-General must also consult with the affected provider prior to issuing a notice, and may also determine procedures and arrangements relating to requests for technical capability notices.

While the bill explicitly says they can't force encryption to be removed, it does also specify that they are required to build new tools and capabilities into their services to comply with requests.

Are you trying to pretend like the TCN doesn't exist and that this law only outlines the TAN? Very disingenuous of you if that's the case.

 

 

51 minutes ago, mr moose said:

That is not true,  seeing when an opinion is wrong is not the same as failing to understand facts.  The facts are quite simple, the law strictly forbids a backdoor, it strictly forbids anything that will introduce a systemic weakness both currently and in the future.  That is not something you can just claim is untrue because you want to create your own definition of systemic weakness.  

The law does not forbid backdoors. It forbids a "systemic weakness".

The problem I have is that it requires the person validating the order to actually understand if the weakness proposed can be applied in a systemic way. Saying "we need a program to access this person's account" can be interpreted as a non-systemic weakness because "it only access one account". However, if the judge fails to take into consideration that the program can easily be modified to be used against anyone (or everyone) then the end result is that a systemic weakness is introduced.

 

My example was very obvious, but there could be cases where the potential for abuse is far less obvious.

 

 

1 hour ago, mr moose said:

Yes they are, Lawlz is specifically trying to argue that the term "systemic weakness" hasn't been specifically defined in the law, therefore it can mean anything. 

No I am not. What I have seen countless times is that since it is not clearly defined it is up to some non-technical person to determine if the proposed exploit fits that criteria or not. I am not saying "since they haven't defined it, it can mean anything!". I am saying "since they haven't defined it, it does not have a rigid test and is left up for interpretation by someone who may not have a technical background".

 

I would like something like this added to the law "if anyone can suggest one or more ways where the proposed changes could potentially lower the security of more than the intended person, even if such way requires additional changes to the tool, it is a systemic weakness"


1 hour ago, TechyBen said:

"Please open that safe" might have an easy answer "yes we have the key" or "sorry, the key is at the bottom of the ocean, you'll need a few hours with a JCB and a road hammer to open it"... but when it comes to current communications, cloud services and encryption, try telling the authorities "sorry, it don't work that way" (see how hard it was for us, both knowing the math/limitations, to find the points each of us were discussing, me a bottom up, you a top down, and meeting in the middle finding out I was on about the implications of this law to e2e, and you were commenting about cloud services). I feel for anyone even remotely involved in IT. :P

I think you're stuck on the math side of encryption and forgetting or not seeing the other points presented. Quick example, service provider has and always had access to the data. The data is encrypted, police need that data, currently example service provider cannot be compelled to decrypt that data which they have always been able to do.

 

That in no way 'breaks encryption' or has much at all to do with the mathematics of encryption.

 

Another example would be service provider encrypts communication between users or hosted services, they have the capability currently to be able to disable the usage of encryption for targeted users or can mirror that data/communication at their end. One disables the usage of encryption and the other is an intercept only possible due to implementation method and usage of encryption in that particular way. Again that doesn't break encryption or fly in the face of maths.

 

End to end user controlled encryption is only a sub section of where the proposed law could be applied, end to end user controlled encryption wouldn't be affected either since asking the impossible is impossible. Police, judges, legal teams and consultants aren't as dimwitted and IT impaired as many think or say.


2 hours ago, leadeater said:

End to end user controlled encryption is only a sub section of where the proposed law could be applied, end to end user controlled encryption wouldn't be affected either since asking the impossible is impossible. Police, judges, legal teams and consultants aren't as dimwitted and IT impaired as many think or say.

The Australian government could however demand things which could compromise the security for E2EE software.

For example this bill would not protect software from changes such as "before the encryption is applied to the message, the message is sent to a government owned server using a different key which the government has access to".

 

Since the process happens before the encryption is applied, it is technically not "breaking" any existing encryption, but still renders all the data readable to the government.

This is a change which developers could be forced to implement under this new law, or they would be sentenced to jail. Hell, even mentioning that they have been requested to implement such a change is punishable by jail-time. Do you think that sounds like a good law?


4 hours ago, leadeater said:

I think you're stuck on the math side of encryption and forgetting or not seeing the other points presented. Quick example, service provider has and always had access to the data. The data is encrypted, police need that data, currently example service provider cannot be compelled to decrypt that data which they have always been able to do.

Warrant already covers that. The law specifically states "technologies". Not wants (we want access to info you hold). It says we want access to technologies you hold. Thus I'm not missing anything. :) I'm not stuck on the math, when the required will require math. As with the safe example, it applies that not all safes can have spare keys or can be reasonably breakable. So the law is either "you must not stop the police opening the safe" or "you may not make a safe with 5 meter thick walls, because this prevents the police getting in". The math is a 5 meter thick wall. You either have the key, or do not.

 

Quote

That in no way 'breaks encryption' or has much at all to do with the mathematics of encryption.

It does if the company must provide technologies (math) for access to the data. That is where the law seems contradictory or incomplete. Either the company has the data, and can hand it over, or it does not, and cannot be compelled, math be damned, to hand it over.

 

But even then, the contradictory law may be as pointless as making square wheels illegal. If everyone goes e2e encryption, then this law is pointless. Banks already have my banking history, this law is not required (communication and storage is encrypted, but access is not, and the police can get access to my banking details). However, there is no such requirement for communication, and thus no such ability to access communication that way.

 

Quote

Another example would be service provider encrypts communication between users or hosted services, they have the capability currently to be able to disable the usage of encryption for targeted users or can mirror that data/communication at their end. One disables the usage of encryption and the other is an intercept only possible due to implementation method and usage of encryption in that particular way. Again that doesn't break encryption or fly in the face of maths.

Or wiretapping. You just defined wiretapping. You just defined a (of any type) systematic weakening of e2e encryption. ;)

This law can pass as "you have to give us the keys" *or* "you have to not weaken encryption". Currently it is contradictory, because it wants both.

 

As MR Moose said. This can be applied to cloud/server storage, where the provider also has the key/unencrypted version. In which case, this is where this law applies, and if cloud storage goes over to e2e encryption, we are back at square one of no ability to provide data (other than metadata).


9 hours ago, TechyBen said:

And therein lies the problem. We hope they understand, Maths works for one boss only. ?

 

Which is why it needs to be in writing (rightly so both as the law, and in individual requests) and why it will be tested in courts. Because, as said, the requests VS the reality vary massively here, compared to (partially) easy to decide physical access.

 

"Please open that safe" might have an easy answer "yes we have the key" or "sorry, the key is at the bottom of the ocean, you'll need a few hours with a JCB and a road hammer to open it"... but when it comes to current communications, cloud services and encryption, try telling the authorities "sorry, it don't work that way" (see how hard it was for us, both knowing the math/limitations, to find the points each of us were discussing, me a bottom up, you a top down, and meeting in the middle finding out I was on about the implications of this law to e2e, and you were commenting about cloud services). I feel for anyone even remotely involved in IT. :P

You seem to be stuck on one condition that really isn't an issue in this. If the service provider can't do it then they can't be compelled to. If they can do it without breaking user controlled encryption but it takes time then that's what happens, there is nothing in this law that compels a company to do things it cannot.

 

9 hours ago, LAwLz said:

snip

 

12 hours ago, mr moose said:

 

 

We've been over this ad nauseam, I have posted all the bills verbatim and the limitation attached to them. I am not even going to bother reading what you have to say.

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 hours ago, TechyBen said:

Warrant already covers that.

No they actually don't, especially if the data is stored out of country. Warrants cover electronic devices the suspect has and sometimes data a company has on the person but if the data is encrypted or protected in some other similar way you can refuse to supply the data.

 

Warrants and the laws around them differ across countries, if warrants covered encrypted data and data stored out of country in Australia you think they would actually need this law change at all?

 

Companies like Microsoft and Google comply with data requests from law enforcement mostly on a good will basis because if they don't laws like this would get proposed, something they very much don't want to be a thing.


8 hours ago, LAwLz said:

Since the process happens before the encryption is applied, it is technically not "breaking" any existing encryption, but still renders all the data readable to the government.

Sorry but what is actually the problem with that? Darn the evidence they needed can now be obtained, how horrible. Law enforcement does not equal evil by default. Every other user is, or could be, completely unaffected by such a change.

 

Your solution still seems to be status quo which cuts off all possibilities of evidence collection in cases where encryption is used.

 

Law enforcement could do bad things is such an inane arrangement to put forward, they can do that before in many other ways and isn't a systemic problem. Guess what, the way law enforcement does work is that the populace does put trust into them (not unchecked and regulated) but the trust is there so they can do the job they need to do. Part of that trust is granting them abilities and rights to do things others should not have or be able to do.


15 hours ago, LAwLz said:

Worth noting that what is and isn't a "systemic weakness" is not defined in the bill and will be left up to someone working for or in the government to decide, not software developers who actually know the implications of the changes on a technical level. 

A systemic weakness is a weakness that would occur during the operation of the program, as opposed to a random weakness. 

15 hours ago, LAwLz said:

It is also worth noting that the law makes it legal for the government to target and demand changes to systems from an individual, as well as forbid the individual from mentioning it to for example their boss or colleagues. Breaking that silence is illegal and punishable by jail time. 

If you make a back door, best not to tell everyone about it. They'd have a hard time enforcing it however. 

15 hours ago, LAwLz said:

Look, you can claim that the media are just spreading bullshit all you want, but when the EFF are also saying "stop, this is a terrible idea and very dangerous" then you should actually stop and listen.

That article is an opinion piece.

15 hours ago, LAwLz said:

I can see it now, because of this law several people will have their data compromised because of governmental backdoors and weaknesses in software. Then the people who like having their privacy and security violated by their governments will band together and just say it's a conspiracy.

What's to stop the government changing the backdoors? These things take time to find.

15 hours ago, LAwLz said:

Because clearly, nothing bad has ever happened because government toolkits have leaked *cough* Wannacry *cough*. Nope, never happened. And no government data has ever been leaked either...

There are exploits in many programs undiscovered. 


15 minutes ago, leadeater said:

Sorry but what is actually the problem with that? Darn the evidence they needed can now be obtained, how horrible. Law enforcement does not equal evil by default. Every other user is, or could be, completely unaffected by such a change.

 

Your solution still seems to be status quo which cuts off all possibilities of evidence collection in cases where encryption is used.

 

Law enforcement could do bad things is such an inane arrangement to put forward, they can do that before in many other ways and isn't a systemic problem. Guess what, the way law enforcement does work is that the populace does put trust into them (not unchecked and regulated) but the trust is there so they can do the job they need to do. Part of that trust is granting them abilities and rights to do things others should not have or be able to do.

 

Anything that allows something else into the data before it's encrypted can be used to access the data. It's the very definition of a systematic weakness.


11 minutes ago, CarlBar said:

 

Anything that allows something else into the data before it's encrypted can be used to access the data. It's the very definition of a systematic weakness.

Except that's not what this bill does... If the capability to do so is already there, then it can be used, so the government is not telling them to "create" a systemic weakness, because the weakness already existed.

Think of it this way.

 

Company A makes an electronic lock that will replace the front door key to your house. When you open the box there is an auto-generated password tied to your specific lock, not even the manufacturer had access to this information. If you forget it, you're out of luck, someone will need to break down the door and you will need to replace the entire thing.

 

Company B makes an electronic lock that will replace the front door key to your house. When you open the box there is an auto-generated password tied to your specific lock, but this is known to the manufacturer, who will be able to tell you the code to unlock your door if you forget it. If the police need to access your house for the purpose of a legitimate investigation, they go through all relevant channels to get warrants, court approval etc., they can contact your lock company and get the code to let them in, but ONLY if the correct legal channels have been followed.

 

This bill will apply to Company B. If they tried to do the same with Company A they would not be able to gain access through the lock (since this is what the bill is about), since no one but you knows what the code is. Are there other ways for them to get access to your house? Sure, but this bill doesn't cover those.

🌲🌲🌲

 

 

 

◒ ◒ 


1 minute ago, CarlBar said:

Anything that allows something else into the data before it's encrypted can be used to access the data. It's the very definition of a systematic weakness.

It would be systemic if it applied to every user, applied to 1 user that would not be systemic. Literally any method that would allow access to encrypted data the way you see it would be a systemic weakness.

 

Any such change could be done in such a way to make it systemic, doesn't mean it will or was, and such a method could be used beyond the bounds of a warrant under the proposed law change, doesn't mean it will.

 

The change could require a specific account be specified, I could systematically go through every single user yet it wasn't actually using a systemic weakness though you can argue that because it was used in such a way it was a systemic weakness. This is very similar to Apple's submission in response to this proposed law. It's not a case of not being able to see how it could be abused but I don't just close doors to possibilities so quickly, I also think you can put in multiple authorization steps from more than one person to make it harder to widely abuse like that, not impossible. 

https://www.computerworld.com.au/article/648483/encryption-bill-what-systemic-weakness-it-depends-government-says/

 

In relation to other comments about key handling there is this

Quote

He confirmed, however, that requiring a company to implement a key escrow arrangement would violate the bill’s provisions.

 

The issue in reality comes down to if you are willing to reach a middle ground or not. Few are, but few also want to acknowledge the real issues that exist. Simply saying law enforcement need to find another way to get the evidence is rather naive and also relies that any other evidence that may be found is enough on its own to satisfy the court to lay charges and get a conviction.
