Deeply flawed
Therefore: full steam ahead!
If the Australian government was hoping its encryption legislation would have a smooth run, it'll probably be disappointed. Not only has the exposure draft landed with a political storm, reactions from technologists range from guarded to sharply critical. On the political front, the Australian Greens came out most strongly …
Dr Vanessa Teague of Melbourne University: “Most of the firm guarantees and comforting protections described in the explanatory memorandum do not actually appear in the bill, or appear only in a weakened, ambiguous or limited form,”
In other words, it's going to provide the ability for agencies and others to embark on data fishing expeditions that will make Moby Dick look like Nemo.
I wonder if Prince Leonard of Hutt has any IT vacancies going...
When it comes to Australian politicians the only attitude to have is "fuck them and the horse they rode in on". You cannot engage or debate with these people, they are fucking idiots. What's more they are sock puppets. They all bullshit about becoming tech orientated and no longer a dig shit out the ground country but this will put a swift end to that. Australia will end up as just a beach for people to piss about on and little more. It sickens me how these duplicitous little weasels are turning every Western nation into a Stasi ruled hell hole. Any law that requires zero disclosure and thus builds in an inability to seek proper defense against it, or is enforced through secret courts, is a shit law and it's proposer should be retroactively aborted.
<Rant
VPN's? Journalists right to protect their sources for, say, telling Australia what a bunch of scumbags their own govt/military is.
Is the suggestion here seriously that the govt can legally and without a warrant install a piece of malware on one of my users laptops, have them bring it in here, gather a bunch of keys, hack a bunch of info, potentially use that to get at their target and then ..... what? When the investigation finishes they remove said malware. Advise us its happened and that we should zap said laptop. Obviously like the US they would ensure they don't 'accidentally' gather information from say my UK or Dubai office and accidentally realise they have a big fat pipe to those govts to accidentally advise them whats going on, and of course there would be no danger of non govt sources accessing my now compromised network. AND it definitely isn't a backdoor.
/Rant>
Thank you for your attention :-)
I think one of the elephants in the room here is being missed, it's not the how, the why or the whether, it's the where?
They want access to communications either in real time or after the fact, that requires potentially storing the communications. Who stores it? If it's the provider then there is no way to access it without a backdoor in the key, if it's the owner then again there needs to be a way to access it on the device which means a back door. Therefore I believe it's not possible to do what they want without a back door. What if someone destroys their phone on arrest? Will the provider still be responsible for providing the information? There's also the cost to store these communications, who pays for that? Why would you do business in Australia with extra costs for little benefit when your business model is built around ads? Would people even use your product if they knew the government was using it to spy on you? Lets face it there are plenty of foreign alternatives that the Australian government won't be able to force to do their bidding and the people they claim to be targeting will do just that.
This is just another knee jerk throw the toys out of the pram reaction by politicians to something they really don't understand and it's a slap in the face for the people that the government want to spy on. Did they read peoples post back in the day? They most certainly did not, so why should this be acceptable?
The most worrying thing is peoples apathy to all this and I fear once people in all countries (because that's where were going) realise what the governments are trying to achieve it'll be too late.
Did they read peoples post back in the day?
In the UK, according to MI5 they did. Firstly they required a warrant to open each individual letter, and faced with WW1 and german espionage they did a blanket authorisation to open the letters of suspects.
This however was a manual process that involved individually intercepting the message from the post, redirecting it to a centre where it was opened by steaming it with a kettle to make the glue stop sticking, reading the letter and checking for invisible ink etc, followed by then copying the contents down, resealing said letter and getting it back in the Royal Mail delivery system so a delay wasn't noticed.
This required a lot of work. Setting a scanning program up that searches for certain key words in every electronic communication sent by anybody in the country is a bit more intrusive, and probably more tedious as it results in a few useful bits of information buried in such a mass of false positives that I suspect it's practically useless.
"In the UK, according to MI5 they did."
In 1660 King Charles II's Royal Mail was specifically created as a monopoly replacing several private enterprises. All mail had to go via a central office. There it could be carefully opened, copied if necessary, and resealed. Even a supposedly secure wax seal did not get broken. The Royal mail museum still has some of the copies made of intercepted letters.
"Did they read peoples post back in the day? "
Depends on which 'they' you are talking about. I've been to the museum in East Berlin where they have the equipment the STASI used to do exactly that on display.
You'd be naïve to think that the STASI differed from any other security service in anything other than the scale of their operations.
The IT department of a nhs offices i worked at not long ago demanded we (the contracting company who did their jobs for them) enable them to read any of their users email. probly still do.
Then they demanded all users email is encrypted
Then kicked off that they couldnt snoop on it anymore
Then demanded the best of both worlds ... i think they got told to choose eventually.
a microcosm of gov eh?
"Therefore I believe it's not possible to do what they want without a back door."
That is correct. From what the article says, it appears the government is arguing that because they don't want a back door in the encryption process, everything is absolutely fine and dandy. Because who could possibly have a problem with legally mandated back doors on all communication devices? You can send messages with no possibility of them being intercepted, it's just that anyone who likes can read them at either end. Surely that's fine, right?
This, and other measures, I'm not picking on Oz, will be ineffectual against those who have sufficient resources or incentives. Those people will get their messages through, in secrecy, with plausible deniability, all the time. The pen-pushers will never catch any of them. But it will be an excuse for a government to further restrict the freedoms of its citizens, and to expend more of the country's resources building some bureaucratic creep's empire. Meantime, ordinary people will get stuck in a web. It's like "law and order" campaigns that, for every real crook they don't catch, issue jaywalking tickets to twenty.
Internet. That was a cool idea.
Please downvote if you detect pessimism.
It seems to me there are only two options to give law enforcement access to cleartext messages:
1. Find and exploit unintended vulnerabilities in devices and/or algorithms
2. Get manufacturers to add specific mechanisms to allow law enforcement access
If 2 isn't adding a "backdoor", I don't know what is.
I think it's all part of the joys of legislating in a global environment.
1) Is almost certainly done by SIGINT types at places like Pine Gap. But that's also something hackers are doing all over the world. We want and expect our suppliers to have no exploits or vulnerabilities, and to quickly patch them when they're discovered. It's also where agencies have helped, eg the NSA famously suggested modifications to DES's S-boxes to strengthen it's security.
2) Is already done, eg the US and CALEA requirements. So the US has a lawful intercept mechanism. But Australia can't use that at their end, and it won't really help if the communication is encrypted. So back doors already exist, but might be country specific. Or would need to be globally implemented so there's a 'standard' lawful intercept provision.. But that could mean something that's exploited & risky.
I think legislation's working around this by defining CSPs because traditional intercepts aren't practical. So a telco won't know what you're posting on Facebook, but they're a CSP and do. Same with Apple and the iPhone test case. Apple probably could crack it, but they didn't, and that was a US challenge. If Australia asked the same thing, they've got less leverage because they can only legislate within their own jurisdiction. How LEA's communicate with CSPs is another one of those fun global challenges.
How would use of Tor Browser be handled? Would they attempt to block Tor altogether? Also, what about VPNs? When end-to-end encryption is employed, the only remaining 'solution' might seem to be malware on the device. Waiting patiently to see what people like Pavel Durov will say. Iran and Russia couldn't stop Telegram so there could be an almighty fight on the way.
So is that doublespeak? "We'll make you install backdoors, but pretend not to", "we'll install malware, but pretend that's not happening", that sort of thing?
I'm confused, but maybe that was the idea of the legislation - leave everything so vague there's room for any shenanigans they can think of
Alice and Bob have developed their own private cipher. They only communicate using equipment in internet cafes. They post cipher text on publicly available web pages (like this one), making the intended recipients hard to identify. They change keys on a pre-agreed schedule.
*
How does this legislation, with or without backdoors, help the so called "good guys" gain access to their messages?
> How does this legislation, with or without backdoors, help the so called "good guys" gain access to their messages?
AFAICS, it doesn't. It would apply only if a "service provider" were helping them to keep their messages secret: such as the vendor of the equipment they were using, or some managed encryption service they were using.
If they build their own devices and write their own software, then it seems they are not affected.
However, if they provide these devices and software to others, then they become service providers and so may be required to add law enforcement back doors (even though they're not called "back doors")
The assumptions seem to be:
1. Most people are lazy and/or don't have the skills to build this stuff themselves
2. There won't be a black market in genuinely secure devices for use by criminals
(1) is a reasonable assumption, (2) rather less so.
If manufacturers or distributors of secure devices refuse to comply with back door requirements, I guess they will be in violation of the law. But what does that do for open-source crypto apps? Does github need to be blocked?
How do the "good guys" gain access? Good guys or jack-booted thugs, same thing, will find it simple - at the point of a gun. In Oz, all citizens were effectively disarmed years ago. The trend is inevitable - lose your rights to defend yourself, lose all your other rights to the gov'mnt. The laughable thing is, NOW the Greens object. Too little, too late.
As far as I can see the spooks are perfectly within their rights (under the proposed jackboot, sorry legislation) to pop around to see Bob and demand the original clear text or more likely the keys / decryption method that Alice is using. If they don't? 5 years in the chokey for both of em
All this legalisation will do is to catch amateurs and fools (not to mention inconvenience lawful users, further subvert democracy etc.). Perhaps this is the Government's main aim. There's also little doubt that this legislation is meant to intimidate the citizenry.
Serious players, criminals, terrorists, etc., will simply revert to computer-generated one-time password/key systems where neither Alice nor Bob have the passwords and messages are destroyed after sending/receipt (i.e.: plaintext never saved anywhere).
Alice and Bob will have effectively reverted to what happens in older POTS communications; therein the only information that is recoverable at the conclusion of transmission exists in the minds of the participants.
This ought to be damn obvious to everyone – even legislators.
@Neon Teepe
As far as I can see the spooks are perfectly within their rights (under the proposed jackboot, sorry legislation) to pop around to see Bob and demand the original clear text or more likely the keys / decryption method that Alice is using. If they don't? 5 years in the chokey for both of em
Re-read the OP. The point is that the post states Alice and Bob are communicating but the method by which they are doing so makes it very difficult for the Government to know that Alice is communicating with Bob at all. That's the point of encrypted/coded public postings. Done carefully it'll be bloody hard to prove either made a particular post and hence ask for the keys. You think you're identifying the author of a post on a public forum made using a TOR/VPN or TOR/proxy combo? I don't.
The point most people miss is that this is never ever about terrorists, paedos and other criminals. This is now and always about control. Controlling dissent. Jailing whistle-blowers and journalists. Controlling the population at large and leaving them as piss-weak financial cattle to be milked.
@mark65
I don't want to get into a war of words about it but there's no such thing as completely untraceable, you, a friend, a colleague, your cat, whatever, will, at some point, make a mistake. I'm not saying its quick, easy or cheap, but if they think your activities are interesting enough they will find you, it just takes time.
Think back to the way they caught Hector Monsegur (Sabu) and then dismantled lulz sec / anonymous.
Maybe Bob's auto-updated browser became leaky or able to be fingerprinted, maybe they manage to stick a tracer cookie on Bob's machine from the public board he is posting on, the management of which will almost certainly be changing their underwear after a visit from a 3 letter agency. No amount of VPN hops, TOR layers or proxies will save him from that.
It's always the soft squishy bits that give the gig up. Book codes, Enigma, Lorenz, Steganography, Quantum Cryptography. Take your pick they are all (practically) un-crackable as long as people don't get involved,
The cat and mouse is never ending.
In the OP's example the public board will be seen as a provider and will get visited / spoken to. Even if they tough it out and refuse to allow monitoring tools on their server the various agencies involved can legally demand logs from them. Once they know where the post came from, they get the IP of the VPN connection used, and yes the VPN may not keep logs but once the cops have that info they will start to watch and break the traffic in and out, BAM up pops your identifier. I cant speak for all countries but you can be sure that every packet that leaves Australia is reflected, analysed and recorded. Are they going to go to those lengths if you are downloading the latest Hollywood blockbuster or called the Prime Minister a snot nosed prick - of course not, but they might if you are a journo talking about a big scoop you are investigating concerning the government.
Now re-read my post and you will see where I was coming from.
It will just take a few high profile stories to allow them to be, as you so eloquently put it, "Controlling the population at large and leaving them as piss-weak financial cattle to be milked."
1) Alice and Bob are invited to take an all expenses paid trip on a private jet to a tropical location, where they could stay for as long as they liked. Or until they handed over the messages.
2) An field expedient version of the above could involve asking Alice or Bob the questions whilst their hands are clamped in a sandwich toaster. It's a cafe. There are options.
3) Fred, or several Freds follow and observe Alice and/or Bob so they can get warrants to monitor Internet cafe connections or to see what's being posted. Which may or may not include warrants to install keyloggers, trojans etc. If the messages are enciphered on the cafe PC, a key may be extracted. If the text is already enciphered, there's the possibility to try and slip something onto a USB stick that may end up on Alice or Bob's private machine.
4) Alice & Bob are fed into a threat profiling system that casts a virtual hairy eyeball over all the personal information commercially available and determines Alice and Bob are no threat.
Much like the similar UK Act, there seems to be a steam roller of 'avoid legal warrants at all costs'. I don't know why but side-stepping the traditional rule of law - allowing Judges or magistrates to make clear decisions about validity of individual communication 'taps' - and putting that power directly into the hands of 'enforcement agencies' or, worse, one or two politicians in a secret way smacks of Big Brother.
This juggernaut needs to be stopped.
If the same Act was presented with 'with judicial oversight' sprinkled at each point I think there would be less bad feeling and general suspicion about it.
The tendency to populist elected governments goes with the political executive attempting to control the other branches that were intended to act as independent checks and balances. This is done by attempting to limit powers - and intimidating or replacing uncooperative incumbents in those branches..
Trump is doing it in the USA. The EU is currently taking to task some member countries whose populist politicians are similarly trying the same grab for unfettered power in their countries.
Western democracies are laying up all the necessary infrastructure to go full blown tyranny.
The funny bit is that nothing this would do if pass will address the primary problem, they try to alleviate the secondary symptoms which will exacerbate the problem and lead to the inevitable outcome.
Anyway, all the the Australian government has to do is that all the IT infrastructure and devices is made by cisco, they seem to come with plenty backdoors as standard.
These measures, ostensibly to protect against some few "enemies of the state" are not actually meant to hamper say, criminals or spies.
The enemies of the state in this case, and it's not just OZ - are the ever growing group of people who don't buy the obviously flawed narrative pushed by the status quo and who are becoming ever more upset about the lies that hold us down, get our children killed- while making enemies to ensure the ongoing justification to sell war, and part us from what we earn. While the things we people need, like infrastructure, collapse around us.
One old crank, like myself - no problem. The first hint of organization..that's what extreme rendition is for. But the plod are too lazy and too few to do it the old fashioned way, and even they have some morals, so it has to be spun as it is to fly.
This sort of thing is the symptom of a government afraid of its citizens for all the wrong reasons - torches and pitchforks, not being voted out of office (though they of course aren't stopping voter fraud, only making it harder for non-government actors to commit).
"“Are we going to see software moving overseas?” he asked."
In the Bad Old Days in the US, when you weren't allowed to export strong crypto, this was precisely the effect: almost no serious crypto development took place in the US, and as a result the bulk of crypto talent and advancement in the technology was no longer in the US.
Instead of the intended result (keep strong crypto out of the hands of whoever we considered "enemies" at the time), the actual result was the exact opposite.
Phair said he would prefer to see governments better engage with the industry: “It's not legislation or ten million dollar fines, it's working with companies on next product suites so there can be lawful interception.”
This is dumb. Oz gov can't work with every company, so either the relationships become legislated state secrets or the ppl wanting to avoid compromise use untampered products.
@AC, @Neon TeePee
If you look through the article, it seems that the legislation is aimed squarely at companies who provide the means to deliver "end-to-end" communications services. So:
- Service providers
- Manufacturers and suppliers of devices
Since Alice and Bob are private citizens, and do not fall into either category, it would seem that their very limited role as users (not suppliers) of communications services is not covered by the proposed legislation.
Of course, this would not prevent the authorities from breaking other laws by sending round "jack-booted thugs". But we all know that governments never break the law!
This post has been deleted by its author
...at another politician boning up on all the technical terms but still ending up with "Hello, fellow kids!"
installing software or legislating some other means to capture data as it is unencrypted on the receiving device undermines the very principle of end-to-end-encryption,” Steele-Joh [of the Greens said.]
Firstly: no it doesn't, it circumvents E2EE by going after content in plain at each end of the encryption tunnel. Unless the Greens have a plan to teach everyone to do memorise keys and do AES in their heads, it has to be in plain somewhere between the user's eyeballs and the phone or computer. The actual crypto is unaffected and works exactly as intended. Evidently Steel-Joh has not heard of the concept of a crypto SYSTEM, that there's more to it than the bit with the complicated maths.
Secondly, getting access to the plaintext is the whole point of the exercise. If they just don't want their domestic LEA / IC carrying out any surveillance at all, of anyone, under any circumstances, come out and say so. I don't think they'd get very far. If they accept that sometimes the state has a legitimate need to surveil, presumably they agree the state should do so as effectively as possible.
@AC posted earlier under the title "Still Puzzled!".
*
Alice and Bob only copy enciphered text (say from a thumb drive) when they send their enciphered messages. Plod can undo the end-to-end-encryption, and all they will find is Alice's enciphered message! There never was plain text on the end-point device!
*
The *wince* is not needed -- the flaw is in the assumption that everyone using public communication services is using their end point device for encipherment AS WELL AS FOR COMMUNICATION. Bad assumption!
Here's the sort of thing Plod might find -- AFTER they've used their backdoor:
0AFDF1EEBC4D3BA590341BD35430461AB476B65F36999422A450CF90650E743C420B5D55B012F0F3
6E30A0054D30F565EBD222A0C23C1F5B64B2B7815970D7242B59D2B65C516BD153EEC549D200E17D
307AC6672D3BA4074EBC701CB2311D17B8C1585E4C5A30E3273A7F0668C61F4A20D61E1A89D2F83A
28B407489154F4C370FF6FD67374C2