In regard to the so called expert advisers, Spy Chief, and Key Politicians.
I think they do understand how encryption works.
It is they that are hoping it is us who do not understand.
I suspect that a great many of us do not understand. (excluding those who are adding to this topic of course)
The strength of the broader public argument may be carried solely on who do you believe most?
If it was only ScoMo and P Dutton promoting the legislated outcomes, it is likely many of us would be cautious. We now have senior members of our Police and Security Services say they need the powers. Powers which they will use wisely only against bad guys. If you can’t trust these senior good guys, who can you trust? Powerful messaging, this looks like a sell from marketing 101, backing up the claims for a dodgy product with a person wearing thick rimmed spectacles and a long white lab coat.
The problem with the encryption breaking powers is that if you are a smart user of encryption and want to dodge the Govt snoop powers you generate your own personal keys (public and private certificate keys) then load your public key to the web repositories using a key generating program, then encrypt your message using the public key of the receiver and then send it to whomever you want it to go to. They decrypt the message with their in home private key and this defeats the snooping by the Govt.
What these snoop powers do is open up a can of worms for everyday users who rely on the apps keys rather than home generated ones and then the Govt can intercept the key as it is passed during the app negotiations and then listen freely to the conversations such as banking transactions, messaging apps and the like. Who is it catching? Only the dumb terrorists who don’t encrypt first or the normal household user…and why do they want the normal household users data? If I was paranoid and thought paranoid thoughts then I would say so they have mass control of the population with no one game to critique the Govt because they will blackmail (coerce) you.
So it will only be the really smart criminals, foreign agents and dangerous radicals that will be able to evade the encryption net?
Expect that with that degree of cleverness their plans will be equally clever and effective!
i still wonder how big business is going to respond, given the value to others of corporate employee communication, financial data and IP? Or even the political parties, depending on who is in government on the day?
Download the program and implement the processes and the Govt is outdone unless they raid the home/premises and obtain the private keys…but even further the person just needs to use veracrypt or similar to encrypt the key database and use plausible deniability to obscure those keys. The Govt’s so called powers are stuffed but the ordinary user of secure SSL messaging, banking and so on is an open book and even worse once the holes have been made the nefarious elements will use those very same backdoors to obtain much more than they ever could before.
Absolutely not! Bad law is bad whether it is new or old. In the case of the ‘Assistance and Access’ Bill, the government’s clear intent was to wedge Labor on ‘security’ - an area in which the LNP has over the last couple of decades sought political advantage (‘people overboard’, ‘stop the boats’, etc.). Labor failed to do the right thing, instead choosing “protect Australians over the Christmas break and we’ll have a closer look in 2019”. Meaning the bill has passed and is now law, and will almost certainly not be amended in any meaningful way unless voters make their disgust for it clear.
In ‘our current world’, governments and companies actually have access to far more data and information about individuals than they have ever had at any time in the past. Even the East German Stasi would be amazed at the amount of data that is being collected now. I heard an analogy a few days ago to a monitor with a few dead pixels. Wouldn’t it be nice if we could turn those pixels on? Well, that’s what this legislation seeks - the ‘going dark’ problem is an invention that is being used to persuade us that our government should be able to spy on us.
This legislation is not just going to affect Australians’ privacy. Companies will not want to work in a country that has explicitly stated “we have the right to read all of your secrets”. There is a commercial impact to this that has not been considered by our all-too-focused-on-the-next-election politicians, and that may well drive our standard of living down even further as jobs leave.
Of course, that assumes other ‘democratic’ countries won’t follow Australia’s lead. They almost certainly will, if we as citizens sit on our hands and say nothing to protect our own privacy against our government.
One wonders if they could use the ‘warrant canary’ system that was proposed in the US for when companies were compelled to hand over information without telling anyone. The company has a statement on its website, saying “We have not been compelled by any government to decrypt any information or insert any means for government to access decrypted information”. If that message disappears, then the statement is no longer true - while not actually breaking the law by divulging the fact of a decryption/back door demand.
I heard a story last week about a Queensland police officer finally being charged over providing the subject of a Domestic Violence Order the details of where his wife and children were hiding! This occurred five years ago, the police knew about it five years ago, and dropped the police officer by one pay grade. Do I trust our police to act in our best interests at all times? What about our spy agencies? Seriously? The guy is lying in his analogy!
I, in common with Malcolm Turnbull and many other politicians, use Signal for text messaging. Even it has things to say about this legislative farce.
Many say it’s a good thing, and has the support of two very respected crypto experts on it’s front page - shame about the support from the other two clowns … it’s not like they expertise or credibility in the area, just notoriety.
I see from The Guardian that Australian officials are making the most of their existing abilities to access all our stuffs…
So - a population of 25 million, and our governments/law enforcement agencies make more requests to Apple than China - beaten only by Germany and the United States of Fear. (China’s fewer requests related to a far greater number of devices - and Apple provided data in 94% of those requests, compared to 84% of Australia’s.)
The UK has experienced more terrorist incidents than Australia, yet in the reporting period made less than a quarter of the number of requests for device information - in dealing with well over double the number of people! (The UK has the highest number of monitoring cameras per person in the world.)
Then there’s the problem with the Intel Management Engine in modern Intel chips. It can communicate (and be communicated with) without the parent hardware having a clue. It is at level -2 in the hardware stack, which gives it access an operating system can only dream of… and has access to your network port. The only way to ‘disable’ this ‘feature’ is to use a secondary network port (on a PCI card or via USB) - as the IME can only communicate externally via the in-built network functionality.
All of this, without even trying to access those security keys while they’re in your machine’s RAM (Spectre and Meltdown, along with Rowhammer). “Attacks never get weaker” (Bruce Schneier, I think).
Ladar Levison can also tell you how secure your communications are likely to be over any online channel.
So if you want real security, you need to design and construct all of your hardware, your own firmware, your operating system and all of the software. And even then, you will almost certainly have made mistakes that someone can use to break your security.
Good luck - and if you keep your head down you may be able to avoid the worst side-effects of our incredibly shrinking privacy.
Sure, but you still have to deal with the other vulnerabilities I mentioned, as well as the video card memory attack that has just been published (but may well have been in use by government(s) for years, given our understanding of how classified/government sponsored/created IT exploits are generally a long way ahead of the academic research).
My optimistic view is that precisely nothing is secure and privacy is a ancient myth. What is thought to be secure or private today by whatever definition one thinks ‘secure’ or ‘private’ is, will be shown in hindsight not to be so. It’s ok to try to obscure or obfuscate your activities - but best not to be in denial about the efficacy of any measure if you are ‘interesting’ to an actor of any significance.
Prudent precautions deny many opportunistic attacks. I agree that privacy is a nowadays myth but in general if you use decent precautions your level of security is better than none or very little.
The idea that to leave a wide open “book” because you have nothing to hide is probably at best foolhardy at worst is idiotic. Choosing methods that deny most scrutiny is a better choice. @draughtrider uses a pi hole to help secure his network, I definitely use in home encryption for my storage whether cloud or home based (I don’t rely on a internet business to encrypt what I send them). I use reasonable AV protection but also monitor my traffic for anything I shouldn’t be seeing, I visit sites that have some reasonable reputation or use a VM to sandbox anything less safe, a lot of the time I still use VM even for day to day stuff including here. I like open source software over proprietary as many tend to look at the code of open source so holes tend to be found and fixed rather than the system we have with Apple and Microsoft. I use MS and Linux but anything super critical to me is on Linux and air gapped. I find TAILS highly useful for internet based, but wanting some stronger security, tasks.
Nothing is perfect and I’m not foolish enough to think we are safe but if the bad guys are savvy enough for the most part they can elude for some time the intrusion by Govts and semi Govt organisations and can obfuscate a lot of their data so that currently they become almost unreadable.
I agree that privacy is a nowadays myth but in general if you use decent precautions your level of security is better than none or very little
I always look at it this way. In most cases you don’t have to be the most secure, just not the least secure. For most of us doing unimportant things someone’s unlikely to waste time breaking decent security. It’s much easier to generate mass phishing emails etc.
Where it’s a big problem is when you are dealing with something important and can’t be secure…
I know you’ve been following the passage of the Assistance and Access #AAbill closely and, like me, are pretty concerned about the horrifying lack of scrutiny this bill received and the potential impacts it could have for the online privacy, security and safety of every Australian. Not to mention the devastating consequences it could have for the long-term prosperity of the Australian tech sector!
Encryption is a fundamental principle and we know that since this bill passed in December, there have already been hundreds of requests for “assistance and access” to encrypted messages. We’re sure that they will be fought, but ultimately there will be a point – if we’re not already there – when backdoors are created into existing technology that all of use, every day.
I’m hosting a digital rights online forum on Zoom to discuss next steps in this space and I’d love for you to take part!
Wednesday the 6th of March @5:30 pm AWST (8:30 pm AEST)
Joining me on the discussion panel will be former Australian Greens Senator Scott Ludlam, Crypto Party founder Asher Wolf. The call will be MC’d by Digital Rights Watch chair Tim Singleton-Norton.
If you’d like more information before signing up, please email firstname.lastname@example.org.