back to article When's a backdoor not a backdoor? When the Oz government says it isn't

Australia's promised “not-a-backdoor” crypto-busting bill is out and the government has kept its word - it doesn't want a backdoor, just the keys to your front one. The draft of The Assistance and Access Bill 2018 calls for anyone using or selling communications services in Australia to be subject to police orders for access …

Richard51

Re: Who would pay?

Simple book codes, if only used once would be unbreakable even then. Without foreknowledge of the book in question and where in the book the encryption starts they are totally unbreakable.

Charles 9
Silver badge

Re: Who would pay?

Not even to a Utah-class data center and/or a secret quantum computer?

Anonymous Coward
Anonymous Coward

Re: Who would pay?

Simple book codes, if only used once would be unbreakable even then. Without foreknowledge of the book in question and where in the book the encryption starts they are totally unbreakable.

---------------------------------------------------------------------------------------------------------

No, they are not.

Read up on the history of cryptanalysis.

There is too much order in a book.

mark l 2
Silver badge

Unfortunately I can see the UK government looking at this bill and thinking it sounds great, once they have finished with the fiasco of leaving the European Union I suspect we will have something very similar on the cards (refuse to call it Brexit as it is a word that sounds like something a child would make up)

Doctor Syntax
Silver badge

"a word that sounds like something a child would make up"

OK, someone had to

If we have to wait until they finish dealing with the fiasco we don't have to worry. That'll be a very long time.

Wolfclaw
Silver badge

So any member of 5eyes, can come up with BS excuse that they are using Aussie comms services and the Aussies will invetsigate on their behalf and order a company to open up and they can't even complain or go to court incase it gets leaked .. is Australia becoming the enxt Nazis state ?

Christoph
Silver badge

" the powers would only be invoked for “serious crimes” involving sentences of three years or greater."

And we know that they will stick to those limitations, because?

If nobody is allowed to know what they are doing because any whistle-blower gets a 5 year sentence, then they will misuse it. Any time some group gets completely unsupervised power, it gets misused.

This is well known - the Snowden revelations showed that security agencies go way past what they are theoretically allowed to do as a matter of routine every day operation.

swampdog

Make it easy

I've always said the best way around this is to tell the security agencies they can do whatever they want but if they get caught doing it the people responsible face the same laws as the rest of us.

After all, a security agency worth having, shouldn't be getting caught in the first place.

Charles 9
Silver badge

Re: Make it easy

Ever heard of, "Screw the Rules, We MAKE Them"?

tallenglish

And we thought China was bad

China and its great wall is starting to look progressive. Australia is obviously trying to get rid of all the criminals we didn't want from the UK.

Providers from USA and others need to ban Australia out of principle like we do to China to protect encryption products and people in Australia are going to need to get VPN and slow down their already shite connection speeds.

Yay, you gotta love Aussy progress from the land that dredges the great barrier reef to let coal mining ships through.

tallenglish

David Ike was right

Problem: government creates the problem by not doing the job they are already paid to do. (underfunding police, creating weapons, etc).

Reaction: government reacts by hyping up all their failures (terrorism, pedophiles, organised crime).

Solution: government provides the solution to greater control, requiring more government. (more taxes, more usless laws).

Real Solution: get rid of the problem, get rid of the idiots in charge that are just creating more work for themselves to feed their massive egos.

Anonymous Coward
Anonymous Coward

Re: David Ike was right

You forgot that the politicians are usually reacting to the "popular" public demands stirred by various media outfits or organisations with a vested interest.

Solution: Education

Oh I forgot - that's another area where the government has cut funding - and outsourced control to commercial and religious bodies with a dogma interest in limiting educational knowledge.

GIRZiM

Re: David Ike was right

So this is what a psychotic break must feel like then - except that it's reality that's bent not my mind.

You know that the entire universe has jumped the shark into unknown territory and disappeared down the rabbit hole in the middle when sentences like "David Ike was right" actually make sense.

Anonymous Coward
Anonymous Coward

RE: PGP?

@Duncan Macdonald -- PGP?

*

Two points:

- There's nothing any individual can do about governments having prying access to corporately managed communications (e.g. mobile phone, online banking, online shopping, etc. etc.). However, although it's less convenient and slower, each of these can be avoided by using CASH! In the case of mobile phones, a new mobile, cash for a SIM, cash for minutes means that the communication, although not private is at least anonymous if used carefully.

- There IS something that a group of individuals can do for messaging -- namely use a privately implemented cipher scheme. To some extent it doesn't matter if it can be broken, as long as the breaking takes months or weeks. The eavesdroppers need near real-time access, which only the owners of the cipher scheme possess! This gets round the possibility (remote I know) that even PGP can be broken quickly. The private scheme might only be implemented for text messages.

*

Example of a randomised word replacement scheme for a short message:

quivery Ivesdale laboredly vacations derotreme creamless Genucius DLS rhodanate admonitory Witte unprovisioned dragman starboards maggle correlatives Stillingia colibertus inclinatory diarticular Gallicolae snake-eyed microphonic rain-soaked entoplasm uranorrhaphy scoliorachitic redacts chevalier lumen whip-corrected rencontres aquariist contractors subpectinate imperceivable hough overborne sophronizing audacious pachypleuritic nukes time-tested rainbows unclotting diskery

Omgwtfbbqtime
Silver badge
Thumb Up

Re: RE: PGP?

Frottage biennial customised psycho-the-rapist.

Anonymous Coward
Anonymous Coward

Re: RE: PGP?

"In the case of mobile phones, a new mobile, cash for a SIM, cash for minutes means that the communication, although not private is at least anonymous if used carefully. "

* * *

Only if used in only conjunction with other equally well managed anonymous phones.

In particular:

You cannot use it to phone non-anonymous phones except on a one time basis, to numbers that have zero connection to you.

You cannot leave it turned on, or it can be de-anonymised relatively easily.

You should probably disable or cover the you-facing camera, the other camera, and the microphone.

You cannot turn it on where you have had a non-anonymous phone turned on - not just on the network, the phone will store location data whether or not it is in aeroplane mode.

You cannot talk on it without a text to voice converter, or your voiceprint will identify you. Again, disable the microphone, as many apps ask for or get access.

SMS messages are probably trackable.

You cannot turn it on in places associated with you.

You cannot turn it on in places where surveillance can put you or your vehicle.

You cannot use it in respect of a number of different issues or interests, or that constellation will identify you, along with metadata, including time and place of use.

You cannot continue to use it. When you replace it, you have to avoid contacting previously contacted anonymous phones - the whole network has to roll over at the same time - an identity, metadata, and connection graph reset.

Your best bet is probably anonymised encrypted IP based text messaging using electronic drops, supported by VPNs, MAC changers, Tor, antifingerprinting techniques, etc.

A paper based one time pad helps with some issues but raises others... worth thinking about, but there are several potential weaknesses. Use inside other secure encryption.

You have to pay attention to surveillance, including dashcams, traffic cams, and cell tower records for other phones when buying anonymous phones.

Note that connected cars are inherently trackable all the time.

Any card based public transport is trackable and generally under heavy surveillance, and data is likely retained almost forever.

You cannot trust CAs, certificates, etc.

Privacy and security are not easy, and getting harder.

A non-connected car can be tracked by the tire pressure monitor transmitters on the wheels - mandatory in the US. In the EU, all cars need cell transmitters in case of accident.

I have left some things out, and don't know about others... nor do you.

onefang

Re: RE: PGP?

"I have left some things out, and don't know about others... nor do you."

One thing I keep seeing being left out of any discussion about burner phones in Australia, by law you need to provide identification to get mobile service. This makes things a bit more difficult for the burner phone consumer, and a bit more lucrative for the fake / stolen ID market.

Charles 9
Silver badge

Re: RE: PGP?

"There IS something that a group of individuals can do for messaging -- namely use a privately implemented cipher scheme. To some extent it doesn't matter if it can be broken, as long as the breaking takes months or weeks. The eavesdroppers need near real-time access, which only the owners of the cipher scheme possess! This gets round the possibility (remote I know) that even PGP can be broken quickly. The private scheme might only be implemented for text messages."

Does it HAVE to be real-time, or can they just use the whole "Give me Six Lines" bit and work from there?

Crisp
Silver badge

This sounds like a really well thought out piece of legislation

Unfortunately it isn't. And it is predicated on a massive misunderstanding around how encrypted services on the internet works.

If Alice sends an encrypted message to Bob, then the only point the message should be unencrypted when it's displayed on screen.

Charles 9
Silver badge

Re: This sounds like a really well thought out piece of legislation

But that's exactly the point where they get you: outside the envelope.

Anonymous Coward
Anonymous Coward

Re: This sounds like a really well thought out piece of legislation

"If Alice sends an encrypted message to Bob, then the only point the message should be unencrypted when it's displayed on screen."

And, according to their goals, it should not be encrypted wherever it is convenient for them to take a copy.

Remember, they are not interested in your privacy and security, they are interested in their power and ubiquitous surveillance of all your activity.

Milton
Silver badge

Disadvantages everyone—except the actual bad guys

Disadvantages everyone—except the actual bad guys, who will use any one of a dozen superb freely available encryption algorithms and code, along with nice big keys, to secure their data or messages, storing them among randomised data blocks on their systems providing plausible deniability if seized, thereafter to steganographically embed the encrypted data at a very low rate among some large but poorly-resolved, "noisy" images on the web (with only two billion per day to choose from).

Law enforcement will ultimately be in the position of having to demand passwords from suspects. Thus it will have to have been through the process in which it identified suspects, established in most jurisdictions some form of probable cause, got warrants, extradited or otherwise actually found and detained the supposed malefactor, proved that there even is some encrypted data, somewhere, and finally said "Give us the key". The latter part of the process will be conducted with defence lawyers present and the distinct possibility that even if you have arrested a Black Hat, you cannot be sure that s/he has encrypted anything in the places you've searched. Maybe that scruffy 5Mb image has some "off" byte values; or maybe it's just got noisy crap in it. Maybe that disk sector is a random mess of junk, or it's a diagram of beryllium straws for stage two of a nuke; maybe BH really has forgotten the password.

Not only will you have to prove your case through a jury, you might notice that almost all the work you did to get to the point of having a suspect to interrogate is the exact same shoe-leather-heavy, tedious, detail-oriented, human-based police work that you had to do in the past, before all these tech miracles and encryption came along.

In other words, while trying to create impossible and useless backdoor policies, you've proven that there are actually no magic technology bullets and that you should have concentrated on proper police work in the first place.

Anonymous Coward
Anonymous Coward

Re: Disadvantages everyone—except the actual bad guys

"maybe BH really has forgotten the password."

There might not even be a password for what is incorrectly suspected as being encrypted data. In which case the person is likely to go to prison indefinitely through a revolving door for "refusing to reveal the password".

GIRZiM

Re: Disadvantages everyone—except the actual bad guys

"In other words, while trying to create impossible and useless backdoor policies, you've proven that there are actually no magic technology bullets and that you should have concentrated on proper police work in the first place."

Colour me cynical if you like, but so what?

Are other agencies doing it?

Are they getting a bigger budget than mine as a result?

Right, well, we've got to do it too - can't have those other bastards lording it over everyone with how they've got a bigger budget .

Will the people paying the budget understand why we aren't solving any more crime than before or can we baffle them with bullshit blind them with science (toss some 'hi-tech' sounding buzzwords around, throw in a few 'procedural's, 'transaction's, 'target's and 'acquisition's), scare them with a few bogeymen ('anonymous actors', 'invisible intentions', 'public failure') and get the ignorant, simple-minded stuffed shirts to fund another two-to-five years before we have to talk to anyone again and, if the latter, what's the minimum time-frame to ensure the next people we speak to will be new to the role and just as gullible as the last lot were at the start?

Anonymous Coward
Anonymous Coward

Re: Disadvantages everyone—except the actual bad guys

"[...] what's the minimum time-frame to ensure the next people we speak to will be new to the role and just as gullible as the last lot were at the start?"

On the current Westminster trend - only a matter of weeks.

GIRZiM

Re: Disadvantages everyone—except the actual bad guys

> On the current Westminster trend - only a matter of weeks.

Really?

I wish I still had faith in the human race the way you do.

Unfortunately, in my (embittered) experience, even a born retarded goldfish that has since acquired both dementia and Alzheimer's has a longer attention span than most people, never mind most of the people we elect to manage things on our behalf.

Myself, I don't reckon you need longer than it takes to ask them to leave the room, knock on the door and re-enter the room - long before they get back into the room they've not only forgotten that they were just in there but can't even remember why they're knocking on the door (if they even understood that much the first time!)

StuntMisanthrope
Bronze badge

The Perfect Crime.

It’s over. Done, dusted and sent to Australia. The problem is no human, government or indeed an agency or citizen is without mistake or fault.

The balance of justice is exactly that, in equilibrium.

Does the purpose, that leveraging technology against the populace, improve society as a whole or make it worse.

I’d personally prefer, to terrorise inequality and mental health with education for the many with the cost to a few, than the opposite. #thebuginthedatacentrewiththeterminal

The Central Scrutinizer

So it is a back door

If law enforcement gets the right to provide hardware or software that companies have to deploy then it's a bloody back door. What could possibly go wrong?

Mission creep would inevitability rear its ugly head. The temptation would be far too great. The next step will be to accuse people of using encryption that they must be up to no good.

Unfortunately most people just don't give a shit, as long as their Facebook feed isn't interrupted.

Herring`

I don't see the problem

As a vendor of encryption technology, you can point out to the government that they absolutely can break public key encryption. You can even tell them how to do it. All they need to do is apply sufficient computing resources.

Giovani Tapini

Re: I don't see the problem

Potentially true, however they don't want to go to the effort and cost of doing this privately like the Americans, they want business to go through all the cost and complexity of delivering this. Any comms provider will become part of the police state by proxy...

Chairman of the Bored
Silver badge

Anyone see the word "component"....

...in the list of compulsory collaborators? What's a component? Obvious switch 'n' router vendors will become part of the state. But are we also talking semiconductor components (clipper chip redux, anyone)?

What about software components... lets say I write kernel drivers for a video card. Large, complex, hard to audit, can have interesting privileges... whats to say under this legislation a software developer doing something like Linux kernel driver or xorg development wouldn't get a tap on the shoulder...?

Wensleydale Cheese
Silver badge

Re: Anyone see the word "component"....

"lets say I write kernel drivers for a video card."

...

"whats to say under this legislation a software developer doing something like Linux kernel driver or xorg development wouldn't get a tap on the shoulder...?"

If we are talking screen shots of decrypted messages, then quite likely that video developers could be targeted.

onefang

Re: Anyone see the word "component"....

What I kept seeing is the word "company", I'm not sure if any of these new laws apply outside of a company supplying goods or services.

"whats to say under this legislation a software developer doing something like Linux kernel driver or xorg development wouldn't get a tap on the shoulder"

So perhaps open source developers doing it for free are exempt? Shhh, don't let the gruberment know about this little loophole. I'm hoping the laws don't apply to my European server that doesn't sell anything.

Anonymous Coward
Anonymous Coward

As usual with all pronouncements

What or who is NOT on the list is probably more important.

Steve Graham

Progressive, democratic Australia

"Australian senator calls for 'final solution to immigration problem'."

https://www.theguardian.com/australia-news/2018/aug/14/australian-senator-calls-for-final-solution-to-immigration-problem

(He's not a member of the governing party, but the accusation is that the current government tolerates, perhaps even courts, such opinions.)

onefang

Re: Progressive, democratic Australia

'final solution to immigration problem'

Historically, anything called 'final solution' doesn't end well.

Franco
Silver badge

A mate of mine is off to Australia for a month, so I'd better exchange OTPs with him before he goes lest his pictures of the Great Barrier Reef be interpreted as scouting an attack on it.

Only making jokes because Australia will most certainly not be the last country to try and get this kind of nonsense in to law.

Anonymous Coward
Anonymous Coward

I recommend

Little red cards with one time codes imprinted, folded in half then sealed in Perspex with a breakpoint. I may have been distracted with old school launch codes there....

Or perhaps a constantly changing keys e.g. RSA or google token generator style... This avoids accidental re-use of the same keys... Interestingly would also be a separate "component" not directly involved in the encryption process. Who knows, this may even take you out of scope.

Or simply confuse them by making all your comms in plaintext - they are probably not even looking at plaintext - just agree some codenames for your mates...Mr Pink, Mr Black, Mr Brown etc :)

Anonymous Coward
Anonymous Coward

Re: I recommend

There is also the method where you each have access to a standard edition of a chosen book or books. Each word is described by its position on a page in the selected book. In that way even the same word can have a different descriptor each time it is used.

You never use pages near the end of the book - as that limit could indicate a selection criterion in code breaking.

Not quick to encode and decode - but impossible? to break by interception.

Anonymous Coward
Anonymous Coward

When they say you have nothing to hide...

...ask them for their banking passwords

Stevie
Silver badge

Bah!

I can see this educating the masses on the use of burner phones, as used by serious terrorists for, well, since burner phones.

At least, if OBL's son can be believed.

Herring`

Re: Bah!

I would've thought that some in the security services see this sort of action as a problem. Take the pr0n age checking in the UK - before that, hardly anyone knew what a VPN was. In a bid to satisfy the Daily Mail brigade, the UK government have just made the security services' haystack a shedload bigger.

Anonymous Coward
Anonymous Coward

Oh, look, it's 9 months until the election and they're already talking about bending the laws of mathematics.

Good to know the colonies haven't lost the art.

Anonymous Coward
Anonymous Coward

they're already talking about bending the laws of mathematics.

-------------------------------------------------------------------------------------------------------

No, they are not.

Their scheme involves the 'legal' version of rubber hose cryptanalysis. No math needed.

Mycho
Silver badge

Still I just checked with an aussie compatriot and yes, they did just pass a key point in the process of calling an election just a few days ago.

This is pre-election bluster. As usual.

JohnFen
Silver badge

To their credit

They've found a solution that gives them everything they desire while still being able to claim that they aren't mandating backdoors.

It's called "lying".

EnviableOne
Bronze badge

Universal Human rights

Article 11.

(1) Everyone charged with a penal offence has the right to be presumed innocent until proved guilty according to law in a public trial at which he has had all the guarantees necessary for his defence.

(2) No one shall be held guilty of any penal offence on account of any act or omission which did not constitute a penal offence, under national or international law, at the time when it was committed. Nor shall a heavier penalty be imposed than the one that was applicable at the time the penal offence was committed.

Article 12.

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Anonymous Coward
Anonymous Coward

Re: Universal Human rights

In England - to be arrested without any subsequent charge means that in future you are officially considered less than innocent - even if it was only a police "fishing expedition". You are marked in records that might be retained indefinitely - and the contents made available to other people.

Anonymous Coward
Anonymous Coward

In other news...

Since I am in the USA, if someone in Oz gets a hold of the software that I write, the Oz government will have a hard time getting what they want because of the following reasons:

1. I am a US citizen. Therefore their laws do not apply to me.

2. Even if I did try to help them, my software is written in such a way that not even I can break it.

3. If the suspect hit the panic button, then nobody (not even the suspect) will be able to decrypt it.

I recently had to go before a Judge about my software. A court order was issued that I decrypt the data for an agency that was dealing with a pedophile. The suspect hit the panic button. Now in my software, once you hit the panic button, the master key is obliterated. And because the password only decrypts the master key, once the master key has been obliterated, there is no way that the files can be decrypted.

I can see something like this becoming law in the land of the free....

Jack of Shadows
Silver badge
Thumb Up

Re: In other news...

Nice design, meets my fail safe criteria. Similarly, I'm waiting for this to become law here in the states. Notice how Australia and New Zealand prominently feature in the next iteration of the Crypto Wars each and every iteration. Their the canary in the coal mine it seems. Or, more likely, subjecting their citizenry to see where the level of heat required to quietly bring the lobster or frog to a boil.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018