Australia Becomes First Western Nation to Ban Secure Encryption

by Guest 13/12/2018, 18:18

Australia is now the first Western nation to ban security, following a decision by its parliament to pass a bill forcing companies to hand over encrypted data to police upon demand. The government will be allowed to demand this without judicial review or oversight of any kind, beyond the requirement to get a warrant in the first place. Furthermore, the law requires corporations to build tools to give them the ability to intercept data sought by police when such tools do not already exist. While the bill has only passed Australia’s lower chamber, the upper chamber has indicated it will pass the legislation provided there are later votes on unspecified amendments to the current bill.
Australia has become the first nation to enact into legislation what both the UK and US governments very much want — government-mandated backdoors into encryption systems that require corporations to hand over data on demand. The response of the tech industry has been straightforward: There is no way to perform this task that does not fundamentally weaken security. And for all that journalism is often the process of laying out multiple sides to an argument or debate, there’s no actual debate to be had, here — not, at least, as far as the security principles are concerned. We can certainly debate whether people should be entitled to privacy, or if the governments of nominally free countries should have access to this information in the first place. But as to whether it’s actually possible to build secret backdoors into security systems without fundamentally weakening them, the evidence is simple: No.
As Cindy Cohn wrote in a recent post on Lawfare Blog:

Even without compromising the cryptography, there is no way to allow access for only the good guys (for instance, law enforcement with a Title III warrant) and not for the bad guys (hostile governments, commercial spies, thieves, harassers, bad cops and more). The NSA has had several incidents in just the past few years where it lost control of its bag of tricks, so the old government idea called NOBUS—that “nobody but us” could use these attacks—isn’t grounded in reality. Putting the keys in the hands of technology companies instead of governments just moves the target for hostile actors. And it’s unrealistic to expect companies to both protect the keys and get it right each time in their responses to hundreds of thousands of law enforcement and national security requests per year from local, state, federal and foreign jurisdictions. History has shown that it’s only a matter of time before bad actors figure out how to co-opt the same mechanisms that good guys use—whether corporate or governmental—and become “stalkers” themselves.

There simply is no debate within the security community on this topic. Creating keys to an encryption system, or, alternately, maintaining the encryption but forcing companies to create tools that allow them to attach a “stalker” to the system to monitor communications invisibly (the UK is proposing this method of surveillance, and the aforementioned Lawfare Blog post has more on this), automatically creates an enormous incentive for anyone aware of the existence of such tools to either try to steal them (if they’re black hats) or leverage them for their own use (if they’re governments). Once companies are forced to create these tools to operate in the Australian market, they’ll be pressured to bring them to other countries.
The idea that corporations can be trusted to safeguard these vital tools or hold vital data in escrow accounts doesn’t survive contact with reality. Even without government-mandated backdoors, companies regularly suffer breaches and attacks, often leaking personal details of dozens to hundreds of millions of people. The need for better data security is enormous and the solution to this problem is not to create tools that can be used to attack the very concept. Products from Facebook, Google, Apple, Microsoft, and all such similar efforts will now be required to include systemic weaknesses, while open source products will not be affected for now. In case you’re wondering, according to a survey of the 343 comments made on the bill while it was under discussion, only one of them — and not an Australian citizen at that — was in support. The Australian Parliament simply didn’t care.

LNX

by Guest 13/12/2018, 18:18

trenutno imam 256bitno kriptiranje..vjerovatno 20 godina zatvora bih dobijo.. :sherlock

by catabbath 13/12/2018, 18:41

Ma da ali nije to nenarodni totalitarni režim kao npr.sj.Koreja, ovo je za dobrobit drađana i liberalne demokracije :)

by Guest 13/12/2018, 18:57

slozit cu se...ne zna Narod sto je dobro za njega... :clown

by Guest 13/12/2018, 19:23

Labor caved in last Thursday. Despite spending hours telling Parliament why the Assistance and Access Bill was dangerous garbage, and complaining about the rushed process, they dropped all of their proposed amendments and voted in the sitting government's version anyway.
So now it's law.

WHAT IS THE ASSISTANCE AND ACCESS BILL?

Its full name is the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which is now an Act [PDF]. It makes changes to more than a dozen pieces of legislation in an effort to combat what the government refers to in its explanatory memorandum [PDF] as "the challenges posed by ubiquitous encryption".
The most controversial part is the "frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies" to help government access the content of encrypted communications.
It is Australia's contribution to the Five Eyes nations' tougher attitudes to the regulation of online communications. Information and communications technology vendors and service providers have a "mutual responsibility" to offer "further assistance" to law enforcement agencies, they said in August this year.
See: Australian encryption Bill raises bar for outrageous legislation

IT'S ABOUT BANNING STRONG ENCRYPTION, RIGHT?

No. Read on.

"VOLUNTARY AND MANDATORY INDUSTRY ASSISTANCE" MEANS WHAT?

Under the new laws, Australian government agencies can issue three kinds of notices:

Technical Assistance Notices (TAN), which are compulsory notices for a "designated communication provider" to use an interception capability they already have;
Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
Technical Assistance Requests (TAR), which are "voluntary" requests, but which have been described by experts as the most dangerous of the three because there was less oversight, at least in the original version of the law.

From here on, we'll refer to these collectively as "notices".

WHO CAN ISSUE THESE NOTICES?

A voluntary TAR can be issued by the directors-general of the Australian Security and Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), or the Australian Signals Directorate (ASD), or by the chief officer of an "interception agency".
A compulsory TAN can be issued by the director-general of ASIO, or by the chief officer of an "interception agency".
That last category includes the Australian Federal Police (AFP), the Australian Crime Commission (ACC), and the state and territory police forces provided they get the approval of the AFP Commissioner.
However the government amendments removed the various anti-corruption bodies from this category. It's not clear why.
There's no requirement for independent approval of a notice by, say, a judge issuing a warrant. However there must be an underlying warrant to access communications under the Telecommunications (Interception and Access) Act or the Surveillance Devices Act or state-level equivalents.
A notice must be in writing, unless there is "an imminent risk of serious harm to a person or substantial damage to property exists", the notice is "necessary for the purpose of dealing with that risk", and "it is not practicable in the circumstances to make the variation in writing". A notice given orally must be confirmed in writing within 48 hours.
The same goes for variations to a notice, extensions, and revocations.
All notices, extensions, and revocations must be notified to the Inspector-General of Intelligence and Security (IGIS) within seven days.
A TCN can only be issued by the Attorney-General following a request from ASIO or an interception agency, and only with the approval of the Minister for Communications.
The Attorney-General must also give written notice of the intention to issue a TCN to the communications provider, inviting them to make a submission, and respond. Except in a "matter of urgency", that process has to run for at least 28 days.
Also: Hasty PJCIS examination of encryption Bill produces rushed and contemptuous report

IS THIS ABOUT FIGHTING TERRORISM AND CHILD ABUSE?

Kinda. "Safeguarding national security" is in there, but so is "enforcing the criminal law, so far as it relates to serious Australian offences". That's defined as any crime "punishable by a maximum term of imprisonment of 3 years or more or for life".
There's also "assisting the enforcement of the criminal laws in force in a foreign country, so far as those laws relate to serious foreign offences".
The ASD can also ask for "material, advice and other assistance on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means".
ASIS can also ask for assistance in relation to "the interests of Australia's foreign relations or the interests of Australia's national economic well-being".

WHO COUNTS AS A "DESIGNATED COMMUNICATION PROVIDER"?

Pretty much anyone and everyone who provides any kind of online service or communications equipment to anyone in Australia, and anyone who even installs or maintains the kit. Yes, that includes anyone who has a website.
The table listing all the categories runs for three pages.
It includes obvious players like "carrier or carriage service provider[s]" -- that's the telcos.
But it also includes anyone who "provides an electronic service that has one or more end-users in Australia", anyone who "develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia", device manufacturers, and even anyone who "manufactures or supplies components for use, or likely to be used, in the manufacture of customer equipment for use, or likely to be used, in Australia".
Read: How government haste is ruining its own anti-encryption law

ISN'T THIS ABOUT FORCING COMPANIES TO PUT BACKDOORS IN THEIR PRODUCTS?

It depends what you mean by "backdoor".
If you mean having any method by which a third party can access the content of a specific communication, that's obviously a "Yes". That's the whole point of a communications intercept.
If you mean a method that allows any communication to be accessed at will, well, the government has been trying very hard to make that a "No".
A notice must not have the effect of "(a) requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection".
They cannot ask a provider to "implement or build a new decryption capability", or "render systemic methods of authentication or encryption less effective", or introduce a "selective" vulnerability or weakness that would "jeopardise the security of any information held by any other person", or create "a material risk that otherwise secure information can be accessed by an unauthorised third party".
These two definitions were added to the legislation:

systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.

There's now also a lengthy definition of "target technology" that refers to a service, device, piece of software, or "particular update of software" or whatever that "is used, or is likely to be used, (whether directly or indirectly) by a particular person" whether or not the person can be identified.
That's the law's intent anyway. What this might mean in practice is still unknown. Whether any of this is even technically feasible is a question for another time.
Must read: Everyone will use encryption, Australia should get over it

WHAT CAN AGENCIES ASK FOR?

The list of "acts or things" that can be requested runs for two pages. The first is "removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider". Electronic protection is defined as an authentication system or encryption.
It also includes providing technical information, "installing, maintaining, testing or using software or equipment", "assisting with the testing, modification, development or maintenance of a technology or capability", "modifying, or facilitating the modification of, any of the characteristics of a service", and "substituting, or facilitating the substitution of, a service provided by the designated communications provider" with another service.
And quite a bit more.

ARE THERE ANY LIMITS ON THIS?

Notices can't be given unless they're "reasonable and proportionate", and the compliance with the request is "practicable" and "technically feasible".
The decision-maker has to take into account things such as the interests of national security; the interests of law enforcement; the legitimate interests of the designated communications provider; the objectives of the request; the availability of other means to achieve the objectives; whether the request is the least intrusive form of assistance with respect to "persons whose activities are not of interest"; and "the legitimate expectations of the Australian community relating to privacy and cybersecurity".

WHO DECIDES WHAT'S REASONABLE, ETC?

The person issuing the notice.

HOW MUCH OF THIS WILL BE PUBLIC?

Almost none of it. There are hefty penalties for revealing any aspect of a notice, except in situations such as referring a complaint to IGIS or the Commonwealth Ombudsman, or in other legal proceedings.
Agencies will report the number of notices issued annually. Communications providers can report the number of notices they've received in periods no shorter than six months.

WHAT ELSE IS IN THE NEW LAW?

There's changes to the computer access warrant system, including giving covert computer access powers to "law enforcement agencies investigating certain federal offences".
An electronic device found while executing a warrant can now be moved to another place for analysis for 30 days, up from 14 days. Australian Border Force can now seize and examine an electronic device for 30 days, up from 72 hours.
ASIO can now "require a person with knowledge of a computer or a computer system to provide assistance that is reasonable and necessary to gain access to data on a device that is subject to an ASIO warrant".
Also see: Encryption debate reminiscent of climate change arguments

IT'S THE LAW NOW, SO WHAT HAPPENS NEXT?

Agencies can start issuing notices as soon as they like.
Labor reckons its amendments to the legislation will be considered when Parliament resumes sitting in February 2019. The Parliamentary Joint Committee on Intelligence and Security will continue its examination of the legislation through to April.
The Independent National Security Legislation Monitor must "review the operation, effectiveness and implications" of the new laws after 18 months, so around June 2020.

https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/?utm_referrer=https%3A%2F%2Fzen.yandex.com

by Guest 13/12/2018, 19:35

pismejker wrote:trenutno imam 256bitno kriptiranje...

imaš da

a spajaš se na web stranice i internet općenito preko nekog CDN

https://en.wikipedia.org/wiki/Content_delivery_network

poput CloudFlare-a

https://en.wikipedia.org/wiki/Cloudflare

oni su "Man in the middle", imaju ključ i mogu čitati tvoju enripciju

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

https://security.stackexchange.com/questions/107835/does-a-content-delivery-network-cdn-interrupt-end-to-end-security

https://security.stackexchange.com/questions/177291/why-cloudflare-is-a-mitm-attack

by Guest 13/12/2018, 20:09

regularni migrant wrote:
pismejker wrote:trenutno imam 256bitno kriptiranje...

imaš da

a spajaš se na web stranice i internet općenito preko nekog CDN

https://en.wikipedia.org/wiki/Content_delivery_network

poput CloudFlare-a

https://en.wikipedia.org/wiki/Cloudflare

oni su "Man in the middle", imaju ključ i mogu čitati tvoju enripciju

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

https://security.stackexchange.com/questions/107835/does-a-content-delivery-network-cdn-interrupt-end-to-end-security

https://security.stackexchange.com/questions/177291/why-cloudflare-is-a-mitm-attack

Gnječo??Ljubi te brat..!!! cheers

..CDNovi me ne brinu,nego do njih i poslije njih,kad mi je promet kriptiran..
E sad,koristim VPN Cajberghost,koji podrzava P2P protokol u punom smislu i 256bitnu enkripciju...
CDNovi su "moji" serveri,odnosno od CajberGusta,pa tak opodaci ostaju "unutar obitelji"..bar se nadam..

by Guest 13/12/2018, 20:20

pismejker wrote:
E sad,koristim VPN Cajberghost,koji podrzava P2P protokol u punom smislu i 256bitnu enkripciju...

da, ti imaš VPN, tvoj ISP ne vidi što radiš, no CDN vidi jer mu tvoj VPN šalje ključ, tamo te hvata NSA / CIA

ako si nebitan lik ne trebaš brinuti, nikog nije briza za tvoju pornografiju

by Guest 13/12/2018, 20:23

regularni migrant wrote:
pismejker wrote:
E sad,koristim VPN Cajberghost,koji podrzava P2P protokol u punom smislu i 256bitnu enkripciju...

da, ti imaš VPN, tvoj ISP ne vidi što radiš, no CDN vidi jer mu tvoj VPN šalje ključ, tamo te hvata NSA / CIA

ako si nebitan lik ne trebaš brinuti, nikog nije briza za tvoju pornografiju

to se trazi...Golotinja ostaje samo moja..ebo one bolesnike iz napomenutih troslovnih devijantnih organizacija...PUJ..!!!

Nego,kako si ti,sto se nadurio?

by Guest 13/12/2018, 23:19

dobro dakle,vlasti brine kriptiranje podataka..bas dobro...ameri se to nisu usudili staviti pod ban,nisu Kanadjani,niti zapadna Europa...

vidjet cemo kako to prodje u Australiji.. :clown

by Guest 14/12/2018, 01:33

Hacked files suggest NSA monitored Middle East banks

https://www.aljazeera.com/news/2017/04/hacked-files-suggest-nsa-monitored-middle-east-banks-170415040035301.html

Hackers release files indicating NSA monitored global bank transfers

https://www.reuters.com/article/us-usa-cyber-swift/hackers-release-files-indicating-nsa-monitored-global-bank-transfers-idUSKBN17G1HC

vide sve, enkripcija ne pomaže

još par godina i imat će AI, SkyNet

by **AssadNaPodmornici** 14/12/2018, 01:35

neman ništa bitno jebe me se. neka gledaju sve.

by Guest 14/12/2018, 01:38

AssadNaPodmornici wrote:neka gledaju sve.

nemaš flaster na kameri?
i mikrofonu*

by **AssadNaPodmornici** 14/12/2018, 01:45

Osoba wrote:
AssadNaPodmornici wrote:neka gledaju sve.
nemaš flaster na kameri?
i mikrofonu*

neman ni mikrofon niti kameru :D

a šta će mi vidjeti? gadnu facu i slušat tvrdi slavenski jezik čudnog dijalekta :D

by catabbath 14/12/2018, 09:10

AssadNaPodmornici wrote:
Osoba wrote:
AssadNaPodmornici wrote:neka gledaju sve.
nemaš flaster na kameri?
i mikrofonu*
neman ni mikrofon niti kameru :D

a šta će mi vidjeti? gadnu facu i slušat tvrdi slavenski jezik čudnog dijalekta :D

Pa ti onda lik hakira laptop, ukrade kućne porno uradke i slike i stavi ih na Xhamster, Burek i Volafile :)

by Guest 14/12/2018, 16:47

catabbath wrote:
AssadNaPodmornici wrote:
Osoba wrote:
AssadNaPodmornici wrote:neka gledaju sve.
nemaš flaster na kameri?
i mikrofonu*
neman ni mikrofon niti kameru :D

a šta će mi vidjeti? gadnu facu i slušat tvrdi slavenski jezik čudnog dijalekta :D

Pa ti onda lik hakira laptop, ukrade kućne porno uradke i slike i stavi ih na Xhamster, Burek i Volafile :)

besplatna reklama..ako je cura u prigodnim godinama,onda je dobra reklama..

nastranu zajebancija...

Nije bas jednostavno niti Ciji niti onim drugim usrancima razbiti 256bitnu enkripciju..doduse,sad postoje cak 2048 bitne enkripcije,no komercijalni alati to ne nudju..

Onijahi CND ovi,isto izmedju sebe kriptiraju ali ne svi..Dakle dobiju od tebe posiljku,dekriptiraju,odaberu najbolji nacin za komprimiranje podataka i ostalo,pa ponovno kriptiraju istim kljucem..
Osta onda Cija suha kurtza.. :cleanteeth

by Sponsored content

Australia Becomes First Western Nation to Ban Secure Encryption