Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Australia Communications Encryption Privacy The Internet Technology

Australia To Compel Technology Firms To Provide Access To Encrypted Missives (reuters.com) 230

Australia on Friday proposed new laws to compel companies such as U.S. social media giant Facebook and device manufacturer Apple to provide security agencies access to encrypted messages. From a report: The measures will be the first in an expected wave of global legislation as pressure mounts on technology companies to provide such access after several terror suspects used encrypted applications ahead of attacks. Australia, a staunch U.S. ally, is on heightened alert for attacks by home-grown radicals since 2014 and authorities have said they have thwarted several plots, although Prime Minister Malcolm Turnbull said law enforcement needed more help. "We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Turnbull told reporters in Sydney. "The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm."
This discussion has been archived. No new comments can be posted.

Australia To Compel Technology Firms To Provide Access To Encrypted Missives

Comments Filter:
    • by j-b0y ( 449975 ) on Friday July 14, 2017 @10:51AM (#54808499)

      Will happen, eventually. But it will not solve the underlying problem of encryption technology being widely available. That stable door has been open for so long that the horse has bolted, galloped, cantered and eventually settled down to raise a family somewhere in Wyoming.

      • by Desler ( 1608317 )

        And it's also silly to think they won't just use an encrypted messaging program outside of Australian jurisdiction.

  • by fredrated ( 639554 ) on Friday July 14, 2017 @10:48AM (#54808475) Journal

    are also being used by people who mean us harm. Shall we shut them all down?

    • Your analogy makes no sense. They want intelligence agencies to be able to see what's going on over the internet, and they can already see what's going on over the roads.

      It is a car analogy.

    • Re:The roads (Score:4, Insightful)

      by Rick Schumann ( 4662797 ) on Friday July 14, 2017 @11:49AM (#54809011) Journal
      Give them time. We've been warned for decades now that the full-on Police State is coming, and now I'm starting to think that's what's going to happen. Then all the terrorists in the world will throw a big party, because they will have won.

      Apropos of nothing, I see why Humans can never be immortal: After you put up with a hundred years of the continual BULLSHIT that your own species perpetrates on itself, you just don't want to see any more and WISH to die.
    • Re: (Score:2, Insightful)

      I've heard that terrorists consume dihydrogen monoxide. We really need to ban this horrible substance once and for all!

  • by HalAtWork ( 926717 ) on Friday July 14, 2017 @10:50AM (#54808495)

    If there's no place for terrorists to hide then there's no place for *anyone* to hide, and that is unacceptable considering how valuable it is to hide from oppression or the abusers of the system used to ensure there are no hiding spots, those who operate the system are disproportionately advantaged and with access comes the capability of concealing themselves, censoring, framing content and concealing context, etc.

    This idea is ridiculous and imbalanced off the bat.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Terrorists don't spout their plans all over Twitter's mail like a Trump family member. It won't make any difference to them.

      If they backdoor encryption, they backdoor their own security. Putin's boys must be laughing their cocks off at these idiots. All of those backdoors would soon be in their hands, and with it control of Australia. Do they really think only *they* the 'good' guys will use the backdoors they put in?

      Do they also want to leave some of the border unguarded?

      Why not move their elections online

      • Terrorists don't spout their plans all over Twitter's mail like a Trump family member.

        Yes the do, but law enforcement takes no notice.

        It won't make any difference to them.Correct.

      • by Rakarra ( 112805 )

        Putin's boys must be laughing their cocks off at these idiots.

        I guess that's a round-about way of fighting the Russians and reducing their population.

    • by gweihir ( 88907 )

      It is a fundamentally fascist idea: The individual does not count and the state-ideology is perfect, hence everybody has to follow it or be a traitor to be eradicated. And because the state-ideology is to great and perfect, of course nobody needs to hide except evildoers.

      This of course ignores the little fact that states are the most evil and immoral constructs known to man and need to be kept tightly under control. That control has slipped recently, and what happens as a consequence is not a surprise.

  • by rkhalloran ( 136467 ) on Friday July 14, 2017 @10:58AM (#54808537) Homepage
    IIRC, the Bouncy Castle crypto package , developed to get around the 90's US export controls on strong ciphers, originates from Down Under. Funny their govt is now expecting developers to install Magic Good-Guys-Only Backdoors into their software so the Five-Eyes Panopticon can snoop as wanted.
  • Anyone remember when it was illegal in the US to export encryption technology? This really needs to stop. From a bird's eye perspective, governments are trying to throw out the baby with the bath water. Or, is it all about $$$? I just want to live in peace please.
  • by houghi ( 78078 ) on Friday July 14, 2017 @11:02AM (#54808569)

    I repeat:
    Jean has a big moustache.

    Aunt Marie is doing well.
    I repeat:
    Aunt Marie is doing well.

    These where the message from Radio Free Internet.

    • by NoNonAlphaCharsHere ( 2201864 ) on Friday July 14, 2017 @11:11AM (#54808663)
      Exactly. Or a simple book cipher [wikipedia.org], or steganography [wikipedia.org]. It's just too laughably easy for REAL terrorist types to communicate in perfect secrecy. What measures like this are about is for Law Enforcement(TM) types to trivially easily spy on the general populace.
      • Exactly. Or a simple book cipher [wikipedia.org], or steganography [wikipedia.org]. It's just too laughably easy for REAL terrorist types to communicate in perfect secrecy. What measures like this are about is for Law Enforcement(TM) types to trivially easily spy on the general populace.

        This is the US intelligence services using the Australian intelligence services and Australian law as a monkey's-paw to do an end-run around US restrictions on their collection abilities. The '5-Eyes' sharing agreements means that US 4th-Amensment protections mean squat.

        Strat

      • by houghi ( 78078 )

        If I where to communicate with others and I do want it to be secret, I would use a combination of things.
        1) Post images every day to a Usenet group(Wait, I already do that)
        2) Use steganography to add info to the image or just add a comment like a quote in the comment section of the image. (Wait I already do that)
        3) Read another group like alt.test to see replies (Wait I already do that)

        Why Usenet? Because then there is no provable connection between two people. It is broadcasting and the different servers w

        • by AHuxley ( 892839 )
          Re "Messages will be send, regardless of the difficulties you put in the way."

          Its nice to create and read plain text messages on a smart phone.
          Interesting people will soon understand the difference between privacy and anonymity.
          The communication was seen between person A and B. Both accounts are been watched by a gov. No more anonymity
          The hardware is sent some gov malware or gets a code to start police storage.
          That will remove any privacy.
          Person A creates a nice long message in plain text and the
          • You are right, manufacturers will be forced to comply. I wrote to Brandis about this in 2015, it set the stage for what is happening now and was predictable. Not only is the state not interested in protecting her citizens, it is quite clear that monitoring the civilian population is a priority over everything else.

            I see little sincerity in the Australian Government on this issue and judging from previous legislations this proposed one will contain as many flaws as the one I wrote about in 2015. We will h

  • I have often remarked that no nation would ever really tolerate free speech. Here we have government offering an excuse to eliminate free speech completely. Frankly there are numerous issues mixed in with this. Criminal activity is now so common that we simply can not detain, arrest or imprison more people. There are already problems concerning which laws get enforced and against whom they are enforced. if we had high quality investigation of all our people the nation would collapse due to the vast
  • by UnknowingFool ( 672806 ) on Friday July 14, 2017 @11:22AM (#54808757)

    Does the Australian government know that even if they could compel companies like Apple access to their systems, they won't get access to what their users send especially if users are using end-to-end encryption.

    And then there's the issue of once they get access to one thing, another app would soon appear that would thwart their suvelliance

    Short summary of the issues [youtu.be]

    • by AHuxley ( 892839 )
      Per device low level access will get past any user app layer thats doing the encryption or decryption.
      If its plain text at any time on the device, thats what gov/mil malware will keep.
      • Only if the message is ever stored in plain text locally. Otherwise that requires malware to be installed and surveillance software from the device. That's more than access. For example if a user is using end-to-end encrypted messaging app done well the message shows up only as plain text is within the app on the screen. In order to access that text, either the phone/device has to be capturing what is happening on screen. The app could also be set to never save the message once it's been shown.

        The other alt

  • by Sique ( 173459 ) on Friday July 14, 2017 @11:25AM (#54808785) Homepage
    For now, it means that end-to-end-encryption will be more common. If you use the chat app only as a means for encrypted input and output, you could have a second app on both ends that does the cryptographic work for you by sending your text encrypted and scraping the answer from the output screen and decrypt it. Then the messenger app firm will not be able to decrypt what you are sending, as they are just providing the dumb pipe your communication flows through.

    We had similar encrypted channels already in IRC, where some clients provided facilities to encrypt a query with a shared key on both ends.

    Currently, with the centralized messenger services running through the infrastructure of big companies, there is a big attack vector on the privacy of communication: Go directly to the provider of the infrastructure. If the encryption runs totally on the client side piggy-backing on the "official" infrastructure, a big single point of failure is removed, although it is still easy to determine when and with whom you communicate.

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday July 14, 2017 @11:29AM (#54808819) Homepage Journal

    The obvious response of technology firms is to structure their encryption so that it becomes impossible for them to decrypt the content because they don't have the keys themselves. The security guys at pretty much every such company would prefer to build such systems anyway. They generally don't because doing so adds some additional layers of complexity. It's simpler and more cost-effective to instead build a key management system that is secure against compromise even by internal attackers, relying on the typical tools (secure hardware, affirmative control, responsibility splitting, etc.).

    But... it's not *that* much harder to build a system in which no one but the parties communicating have the keys. Compared to the legal and administrative costs involved in having to deal with an unending stream of government requests for data (which governments almost always expect companies to comply with at their own expense, as a cost of doing business), it's a no-brainer. Much cheaper to build the more complicated decentralized security model, enabling the company to respond to government requests with "Can't. Here's our security design. You can see that we have no access to the decryption keys."

    Of course, the obvious response of legislators is then to mandate government-accessible backdoors. That, however, creates an entirely new public perception of the request, making it a very different game, politically.

    • I thought, from the way I understood the system, that Apple's iMessage already worked in this manner. I'm not under any delusion that any electronic communications are actually secure and I operate accordingly, but the publicly released documents seem to point to Apple not having access to the keys.

      There are other ways around this, of course, such as allowing access to your account to an adversary so they can get their own copy of the keys, etc. This method, at the very least, keeps out the script kiddie ha

      • I think its likely that Apple will be asked to provide a back door into the OS so that plain text can be captured before it is encrypted.

    • by sims 2 ( 994794 )

      Now if I remember correctly lavabit had a setup like this so they couldn't access the information so the gov't demanded their SSL key so they could pull a MITM and intercept the user's key.

      • Now if I remember correctly lavabit had a setup like this so they couldn't access the information so the gov't demanded their SSL key so they could pull a MITM and intercept the user's key.

        Sort of true. Lavabit did have access to the data the government wanted, but avoided logging it so they had only ephemeral access, and no ability to provide the historical records being requested. They could have worked out a deal to provide the future information about the one account in question (Edward Snowden's as it turned out), but were uncooperative, and fairly stupidly so. After Lavabit's obstructionism, the government didn't trust them to selectively provide the information, so the court agreed to

    • But... it's not *that* much harder to build a system in which no one but the parties communicating have the keys.

      Of course, the obvious response of legislators is then to mandate government-accessible backdoors.

      Jesus Christ. Backdoors, smackdoors. Simply have the NSA produce their own public key and force all message suppliers to keep on doing whatever they're doing AND ALSO encrypt the original message with the NSA key while appending it to the coded message. That way "ONLY" the NSA or proxy can decode the 2nd message while leaving the application-normal routines in place.

      Of course it'll be illegal to remove the alternate key and most people won't know how to do that to start with. Thus
      (A) you can read an

      • But... it's not *that* much harder to build a system in which no one but the parties communicating have the keys. Of course, the obvious response of legislators is then to mandate government-accessible backdoors.

        Jesus Christ. Backdoors, smackdoors. Simply have the NSA produce...

        Um, what you described is a backdoor. Pretty much exactly the one proposed in 1993, intended to be implemented in the Clipper chip [wikipedia.org]. Notice how well that succeeded. That's what I meant when I said:

        That, however, creates an entirely new public perception of the request, making it a very different game, politically.

      • by bug1 ( 96678 )

        And what about messages that go outside of NSA jurisdiction.

        The Internet doesnt respect borders.

    • Apple does that already. It was an engineering solution to a legal problem. Now matter what the government can demand, Apple can't crack an iPhone. As such, can't fulfill the request, nor can they be held liable (because it's physically not possible). About the only thing they can do is reset an iCloud.com account password.

      Really, if Apple had a backdoor, or was forced to make one for the Gov, I guarantee that Apple would be forced to build an entire building that holds nothing but staff to respond to these

      • Apple does that already. It was an engineering solution to a legal problem.

        It's the obvious and predictable response of a security engineer.

        However, I don't think Apple has actually fixed that "hole" yet. What the FBI was asking them to do was to provide an updated version of the firmware which bypassed the brute force mitigations on password checks. There was much discussion back then about which iPhone versions have the "secure enclave" and which don't, but the secure enclave also has updatable firmware.

        However, there are ways to fix this, and I suspect that Apple is working on one for the iPhone8. I think the best solution (and I should note that my day job is Android crypto security, so I've given it more than a passing thought) is to make the firmware update process require that the user first unlock the device. There are a variety of ways to do that, and make the requirement cryptographically strong.

        It should be noted that this is a general-purpose security feature, not one specifically targeted at securing against law enforcement. Without it, the security of user data can never be stronger than the internal access controls around the firmware signing key. Any employee or group of employees who have access to that key (or anyone who can bribe, extort or otherwise coerce said employees) can sign new firmware that can erode the security. The fact that it was a government attempt to coerce them to do it doesn't mean the government is the only entity who could. It's much better for user security if no one can.

        Really, if Apple had a backdoor, or was forced to make one for the Gov, I guarantee that Apple would be forced to build an entire building that holds nothing but staff to respond to these requests 24/7.

        Not true. If Apple (or any other company) were forced to build a government backdoor, most likely it would be the government that holds the keys, so Apple would never be involved in any of the government accesses.

        Honestly, if you had a government agency that you could trust enough, such as the courts themselves, maybe, this might not be such a bad approach. That's a really, really big "if", though. The technical challenges in securing such high-value keys are not insurmountable, but they're very high, and if the keys leak, the damage to the companies who make the affected devices would be huge. Further, at least in the US the organization we would most trust to get the technical design and implementation right, the NSA, is the organization we'd want to keep furthest from the whole thing. And even if all of the technical infrastructure was perfect, then the agency would also have to make sure that its processes for approving access are airtight and have adequate oversight to prevent abuse.

        Yeah... let's just not go there. Police work is only easy in a police state, and we don't want a police state.

        • Not true. If Apple (or any other company) were forced to build a government backdoor, most likely it would be the government that holds the keys, so Apple would never be involved in any of the government accesses.

          It's quite possible they could do that, but then every other nation-state on Earth would be demanding the same type of access. So in effect, when you choose what region you live in (or traveling too) in iOS, it encrypts with that nations certificate that would allow said nation to access the conten

          • Not true. If Apple (or any other company) were forced to build a government backdoor, most likely it would be the government that holds the keys, so Apple would never be involved in any of the government accesses.

            It's quite possible they could do that, but then every other nation-state on Earth would be demanding the same type of access. So in effect, when you choose what region you live in (or traveling too) in iOS, it encrypts with that nations certificate that would allow said nation to access the content on the iPhone upon request.

            Perhaps. I don't think that could happen secretly, though.

            It might be one of the many reasons Apple is building a datacenter in China in fact.

            That makes no sense. They wouldn't need to build a data center in China to include a Chinese backdoor public key in their devices, assuming they were willing to do that.

            • FYI, in case you haven't been paying attention to what's going on in China, the authorities are slowing clamping down on Internet access to the point of going full-tilt whitelisting of publics IPs (both individuals and in blocks). I shit you not. Also, it makes sense for logistical reasons that iCloud storage and iOS device backups occur locally and not flung across trans-pacific fiber. Oh, and ease of access to data. Why not right? it's in their backyard now.

        • Publish a readonly chain of all firmware builds that you have ever produced. Equivalent to a adding the firmware blob of every release version to a git commit history. Encourage other people to monitor that log.

          Then have the current firmware verify that its own hash, and the hash of the new firmware is in the commit history for the release log.

          • Publish a readonly chain of all firmware builds that you have ever produced. Equivalent to a adding the firmware blob of every release version to a git commit history. Encourage other people to monitor that log.

            Then have the current firmware verify that its own hash, and the hash of the new firmware is in the commit history for the release log.

            Not useful :-)

            It doesn't matter how many people are verifying that the official log of releases contains no funny business. It only matters that the device can be convinced to accept an update. The attacker just needs to force the device to download a log of his own creation, with his blob's hash appended. You can try to prevent this by having the device check the TLS server certificate when it downloads, or by signing the log, but the assumed attackers have access to internal, restricted private keys, so

    • Indeed, I run a small business https://matador.cloud/ [matador.cloud] which sells Tahoe-LAFS grids. And I'm not the only one; https://leastauthority.com/ [leastauthority.com] is another. I take pride and solace in how I cannot read my users' uploaded files.

      • Cool. I contributed a bit to Tahoe for a while. It's been a while since I talked to Zooko, I should email him...
  • by Rick Schumann ( 4662797 ) on Friday July 14, 2017 @11:46AM (#54808963) Journal
    What the actual fuck is wrong with these gods-be-damned politicians that they don't understand the simple FACT that if you put a gods-be-damned 'backdoor' into ANY encryption algorithm, that your DESTROY it's ability to keep sensitive data out of the hands of the very people you're trying to 'protect' against!? Does the entire gods-be-damned WORLD have lead in it's drinking water? THIS is the sort of thing I'm talking about when I say "People are getting DUMBER". Don't these politicians have techical advisors who are (hopefully!) competent and intelligent, telling them precisely what I said above (and a million times already)?
    • When mathematicians say something is impossible, they usually mean "logically inconsistent with published proofs, and those proofs are the basis of EVERYTHING".

      When scientists say something is impossible, they usually mean "inconsistent with published models, and those models are good enough to take us to the moon and back".

      When politicians say something is impossible, they usually mean "the current legislature will say no, but that can be changed".

      When politicians hear "secure encryption with back doors is impossible", they hear "impossible" in legislative terms when it's really at least in scientific terms, and very close to mathematical terms.

      • by gweihir ( 88907 )

        Indeed. Terminally dumb, unable to learn and unable to listen to actual experts. The human race cannot afford the politicians in power all over the globe.

      • Well then someone needs to slap some sense into them until they understand. I'll gladly volunteer, but I think there'll be a long, long line of people waiting for their chance to 'serve their country' in that capacity.

        Really, honestly, in all seriousness: Are you saying that what happens here, is that these politicians have credible, credentialled, PhD-level, trusted expert technical advisors, telling them "What you want is inviting disaster, for X, Y, and Z reasons", and the politicians are saying "LOL,
    • by gweihir ( 88907 )

      Politicians are the poster-people for the Dunning-Kruger effect: They have the biggest egos and the smallest understanding of how things actually work. Of course they do not listen to advisers, because really dumb people think they already know all the truths. Unfortunately, democracy does not help either, because most voters are timid sheep and easily frightened to stampede in any direction desired. Hence fascism raises its ugly head gain. That did not take long.

      • This level of ignorant bullshit that our so-called 'leaders' and so-called 'legislators' perpetrate on the rest of us makes me want to vomit. Seriously.
    • by Rakarra ( 112805 )

      backdoor' into ANY encryption algorithm, that your DESTROY it's ability to keep sensitive data out of the hands of the very people you're trying to 'protect' against!?

      Does it really? Are you sure that encryption is the ONLY thing that keeps government secrets out of enemy hands?
      Before encryption, the government agencies were quite decent at keeping secrets. Maybe they think that they still can if encryption were weakened or gone.

  • rolleyes (Score:5, Insightful)

    by XSportSeeker ( 4641865 ) on Friday July 14, 2017 @12:00PM (#54809109)

    Encryption, the best tool to detect ignorance on politicians.
    We should all be using it to give politicians with stupid proposals the boot.

  • Good luck. (Score:4, Insightful)

    by ewhenn ( 647989 ) on Friday July 14, 2017 @12:48PM (#54809541)
    Good luck legislating math.
    • by Rakarra ( 112805 )

      Good luck legislating math.

      They've certainly done it before. Encryption above certain key lengths used to be illegal to export, and software that was secure came with enough restrictions that it was a pretty big barrier for use.

  • ...and only criminals will have privacy.

  • -----BEGIN PGP MESSAGE----- Version: BCPG C# v1.6.1.0 hQEMA6aWSBoheq/wAQgAmlMhXPe8IFZS1FFJlZSi5vox+rp2ERjJ/tkZIoDm6eyg NA2GGzmWlI9mu1DKlP0nOINNZV7oY2M8ovqW2AuHd2BpWEaIa58GC/v1hL02xr2P a50tR/FzRG2MkKIFhnW/z+cGZA9CXycusD0tlAnzyve7HZlA08FVFmPnBQ/CbwLe pYzzAVXvSOs3wuPakv57hHErdY0XjarqkBxmnvVzO8WgV93KmZ4caRySzchiBiQ/ Wb9D5PTUIkgS93HWeoQngOTPA1blKKLmSWRk699Wu9MIlcykxgpiNaDjrI6aaZwp ckCTWAwnyhbR8KTqdYo0qlqK0D8t+SC9C+V6XKkA78lQ50pYeazywBvcSNA4OJmx Tif2voDW0VzvSQdbnITUpw/AfuJsMQTYqsTcQaKFQsdoMf9KJiCQGWjjj9Cl3GtT v+
  • these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm

    So are roads. And toilets. Especially toilets.

  • Present day modern cryptography already can be secure "forever" (i.e. unless somebody finds a fundamental weakness in the cipher itself, brute-forcing will not ever be possible). That war has long been lost by the government creeps that feel threatened by anything they cannot control. All they can do now is a lot of damage.

    • by AHuxley ( 892839 )
      The chance is the same device was used to create the message, send the message, be networked with the other person and be to decrypt the response.
      People trust the app creator and the legal/freedom branding of their US OS. Governments just have to stay deeper in both smartphones.
      To get back to cryptography that can be secure the message would have to be created by hand or on an air gapped device. Then photographed as a code ready message.
      Move the code photo file to another computer at the other end, O
  • Here is the correct link: http://www.reuters.com/article... [reuters.com]

Basic is a high level languish. APL is a high level anguish.

Working...