An example might be: law enforcement use a lawful instrument to tell,
say, Apple to push firmware to a user's phone (say based on Apple ID)
that takes a screenshot every time any instant messaging app updates
the screen, packs up all those images and sends them through to
government-zyx every 5 minutes. You can hardly call their firmware
update system a systemic weakness. But then some changes might need to
be made to allow a push to a specific device/user and without the user
seeing the process. Is that a weakness? Who knows, someone more
knowledgeable of the law than me. Remember these are the same people
that say the laws of math will bow to the laws of Australia. They
really don't care how it works; that's someone else's problem. Time to
head to the parliament cafe for a sandwich and check the latest tweets
from Paul Murry.
Matt.
On 12/12/18 2:41 pm, Paul Wilkins wrote:
Neither the law nor technology has a great record for interest in
epistemological questions, but Matt's question raises interesting
epistemological questions around the application of 317ZG and the
meaning of "systemic weakness".
The whole point of the Assistance and Access Act is to target end
point computing devices. So at some point, law enforcement has to
exercise a control plane function to extract data from that device.
The existence of this control plane function is additional to the
device's functionality, and so expands the attack surface of the
device. So it can be argued that any attempt by law enforcement to
access end point devices via additional mechanisms introduced via
TCN/TAN notices constitutes a systemic weakness, and gives rise to
the protections of 317ZG that forbid the introduction of systemic
weaknesses. Consequently, no TCN or TAN is enforceable in an
epistemological sense. (They may be enforceable at law, but I don't
pretend to be a legal expert).
Kind regards
Paul Wilkins
On Wed, 12 Dec 2018 at 13:21, Paul Wilkins <[email protected]> wrote:
The inclusion of judicial authorisation of notices is an important
safeguard, for no less reason than that it would provide the
necessary safeguard against a TCN or TAN being used as
constituting authorisation under section 313C(3) and s280(1)(b) of
the Telecommunications Act for the bulk disclosure of carrier
metadata.
Kind regards
Paul Wilkins
On Wed, 12 Dec 2018 at 13:14, Paul Brooks <[email protected]> wrote:
Paul - those are the additional Opposition amendments, to have
been moved by Penny Wong, that were not introduced and are not
part of the current legislation. If the opposition crosses its
fingers, they might be allowed to try them in February.
Right now, the relevant part is 317WA Assessment and report
(regarding a TCN):
(1) If a consultation notice is given to a designated
communications provider under subsection 317W(1) in relation
to a proposed technical capability notice, the provider may,
within the time limit specified in the consultation notice,
give the Attorney-General a written notice requesting the
carrying out of an assessment of whether the proposed
technical capability notice should be given.
(2) If a designated communications provider gives the
Attorney-General a notice under subsection (1) in relation to
a proposed technical capability notice, the Attorney-General
must appoint 2 persons to carry out an assessment of whether
the proposed technical capability notice should be given.
(3) For the purposes of this section, the persons appointed
under subsection (2) are to be known as the assessors.
(4) One of the assessors must be a person who:
(a) has knowledge that would enable the person to
assess whether proposed technical capability notices would
contravene section 317ZG; and
(b) is cleared for security purposes to:
(i) the highest level required by
staff members of ASIO; or
(ii) such lower level as the
Attorney-General approves.
(5) One of the assessors must be a person who:
(a) has served as a judge in one or more
prescribed courts for a period of 5 years; and
(b) no longer holds a commission as a judge of
a prescribed court.
etc.
On 12/12/2018 12:45 pm, Paul Wilkins wrote:
317V, substitute:
unless:
(a) the Attorney-General is satisfied that:
(i) the requirements imposed by the notice are reasonable and
proportionate; and
(ii) compliance with the notice is practicable and
technically feasible; and
*(b) an eligible Judge has approved the giving of the notice.*
On Wed, 12 Dec 2018 at 12:39, Paul Wilkins <[email protected]> wrote:
https://parlinfo.aph.gov.au/parlInfo/download/legislation/amend/r6195_amend_96ffec08-558c-4ff9-9448-0a18c21cf1c7/upload_pdf/8627%20CW%20Telecommunications%20and%20Other%20Legislation%20Amendment%20(Assistance%20and%20Access)%20Bill%202018%20Wong.pdf;fileType=application/pdf
On Wed, 12 Dec 2018 at 12:25, Paul Brooks <[email protected]> wrote:
@Matt - 'a screen capture and remote access ability',
if installed on all phones would surely be a
'systemic vulnerability' in anybody's view, and would
be a global disaster if the method of triggering this
ability escaped to the wider world. This would be an
example of precisely the dangerous and ill-advised
exploit that we are all concerned the agencies might
ask for in ignorance. Heck, this is exactly the
sort of malware exploit that after-market malware
scanners and virus checkers for phones should be
looking for, to detect and warn the user if an app
or the OS had been compromised and was attempting to
do these things. I can see a rapidly growing market
for malware checkers!
@Paul - where is the requirement for 'judicial
approval'? - it doesn't go anywhere near a court.
The TCN can be issued by the Attorney General. If
(and only if) the recipient thinks it might be able
to be pushed back on, they can ask for a review by a
*retired* judge and a tech expert with a high
security clearance. A *retired* judge is not a
'judicial approval', and the easiest place to source
the other expert from is from within ASIO - hardly
independent. The AGD chooses the two reviewers, not
the recipient. The legislation as passed also doesn't
deal with the situation if the two experts disagree
on whether it is allowable or not. And there is no
requirement for a warrant to have been issued - the
whole point of a TCN is to preemptively create a
capability that can be exploited later, on the off
chance there will be a future warrant that requires
the exploit to be triggered.
Paul.
On 12/12/2018 12:02 pm, Paul Wilkins wrote:
Matt, (IINAL)
But it appears on my reading that both 317ZG and
more specifically the new 317ZGA would arguably
prohibit this.
The (pending?) amendments are worth a read. Stronger
terms on 317ZG and importantly - *requirement for
judicial approval of TCNs*.
317P (5)(2)(d) the designated communications
provider has, if reasonably practicable, been
consulted and given a reasonable opportunity to make
submissions on whether the requirements to be
imposed by the notice are reasonable and
proportionate and whether compliance with the notice
is practicable and technically feasible.
On Wed, 12 Dec 2018 at 11:30, Matt Perkins <[email protected]> wrote:
It strikes me that all that will be needed is
for the phone manufacturers to put a screen capture
and remote access ability on the phones. Then all
law enforcement need to do is read the screens;
no need to involve the individual app makers at
all. They are after a wide and non-savvy
audience here. Looking over the shoulder of
phone users is what we are talking about. I
would say expect to see a boost in convictions
of medium size drug distributors and small
amateur terror type people.
These are the same people that used SMS before;
they just want that capability back.
Matt
--
/* Matt Perkins
Direct 1300 137 379 Spectrum Networks Ptd. Ltd.
Office 1300 133 299 [email protected]
Fax 1300 133 255 Level 6, 350 George Street Sydney 2000
SIP [email protected]
Google Talk [email protected]
PGP/GNUPG Public Key can be found at http://pgp.mit.edu
*/
> On 12 Dec 2018, at 8:27 am, Paul Brooks <[email protected]> wrote:
>
>> On 12/12/2018 3:54 am, Scott Weeks wrote:
>>
>> -----------------
>> The Bill was passed on Thursday
>> -----------------
>>
>> Damn, I'm gonna need a bigger bag of popcorn!
>> Waaaay bigger. I can't wait to see how this
>> plays out.
>
> We'll probably never know how this plays out, unless one of the
> major global brands pulls out of the Australian market.
>
> Tech companies doing development in Aust will put in independent
> code reviews by an offshore team to protect against onshore
> employees, or will quietly close Australian development shops over
> years. Some tech companies will move overseas - gradually, over
> months and years. Net result - lower demand for Australian IT
> staff, lower export figures in the DFAT stats over years.
>
> Many 'component manufacturers or suppliers' will blithely carry on,
> unaware this might apply to them at all until they receive a notice
>
> A massive data breach in 3 years time may not be traced back to a
> system change caused as a result of a notice, or if an
> investigation does uncover the root cause, is likely to be quietly
> hushed up.
>
> It'll take a massive ASIC-website-blocking-like event own-goal to
> generate demand for popcorn. That or a majority of politicians
> starting to listen to experts rather than agencies and repealing
> it, and there's precious few Andrew Wilkies around at the moment so
> that's even less likely.
>
> P.
>>
>> scott
>>> _______________________________________________
>>> AusNOG mailing list
>>> [email protected]
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
--
/* Matt Perkins
Direct 1300 137 379 Spectrum Networks Ptd. Ltd.
Office 1300 133 299 [email protected]
Level 6, 350 George Street Sydney 2000
Spectrum Networks is a member of the Communications Alliance & TIO
*/