On Sat, 2020-05-09 at 12:15 +0000, Stephen Loosley wrote:
> Yes well, to me it might seem normal to at least wait till after the
> first update to release/publish source code?

If this were medicine, would you see it as appropriate to have administered the first 5 million doses to the public at large before allowing peer review of the research and testing?

If this were a skyscraper, would you expect to have construction finished and the building occupied before anyone except the developers got to see the plans?

> to produce a local secure app, for every mobile sold in Australia, in
> such a really short time, then update it after one week, and then to
> release the source code for it, and as well as all this, planning for
> a series of updates is in my opinion something of which we might be
> proud?

No.

First up, we don't yet know it's secure, because we haven't necessarily seen the source code for the app that was actually released. Maybe we did, but there's no way to tell. Some of the more avid codesters out there may be able to tell us whether it is what it says on the box. To be fair, initial indications are positive.

Second up, there was no need to produce it so quickly, to deploy it so quickly, or to hide the source code for two weeks after the release. It is questionable whether the app is really that groundbreakingly useful. It would appear, now that some of the dust has settled, that those who actually know about these things don't regard the app as likely to be of much practical use at all. It looks a lot like more security theatre from a Government that just loves security theatre.

Third up, having to release an update after one week is not evidence of skill. It's mostly evidence of having released it without proper testing.

And fourth up, we can only hope that future updates will be *preceded* by the source code for them.

> But anyway, really, what would I know

Hmmm.

Further quotes, not from you but from the press release:

> Prior to launching the application, the source code was reviewed by
> government security agencies, academics and industry specialists.

Yeah? Who? If they are not named, then the code might as well have been shown to Peter Dutton's pet axolotl.

> We are releasing the app code, but to ensure the privacy of
> individuals and integrity of the overall system, the code that
> relates to the COVIDSafe National Information Storage System will not
> be released.

Why not? If it is secure, no amount of inspection will make it less so. If it is not secure and they don't know it, the fastest way to find out is to let lots of eyes look at it. And if it is not secure and they DO know it, then believing that hiding the code will somehow protect the system is dangerously, foolishly naive.

Three words that pretty well sum up the Australian Government's approach when it comes to large-scale IT. After CensusFail, Robodebt and My Health Record (to name just three recent high-profile screwups[1])[2], I have no faith whatsoever in the Government's ability to do anything right when it comes to protecting Australians' privacy or indeed any other rights.

I'd love to be proven wrong, especially with this app.

Regards, K.

[1] Very much not a strong enough term.
[2] Not to mention an almost endless list of unremitting attacks on privacy and civil liberties

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([email protected])
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
