
Cybersecurity Minister Angus Taylor
The government has partially unveiled its long-awaited plans to establish backdoors in encrypted communications despite insisting it will not seek such backdoors. This slip-up happened via a clumsily reported version of a speech by junior minister Angus Taylor that hinted at the government’s preferred approach to undermining encryption.
The government has long claimed it intends to defeat encryption without forcing the makers of encryption products, such as the big tech companies, to insert backdoors into their systems: backdoors that could be stolen from security agencies, as has happened in recent years to both the CIA and the NSA. Many encryption systems in any event have no centralised system to backdoor, but simply provide end-to-end encryption on the devices themselves. Others, such as Signal, are provided by organisations established specifically to prevent governments from violating privacy, and that would never co-operate with any decryption effort.
It seems, however, that the government wants a pseudo-backdoor that potentially poses exactly the same threat to security as a backdoor: it wants to be able to force service providers (and presumably hardware and app manufacturers, as necessary) to secretly install malware on devices that would enable authorities to see communications in unencrypted form. According to the government’s drop to a News Corp journalist, encryption can be overridden by “dropping surveillance code into a suspect’s phone” because “at some point in any transmission or the storage of data, that data is decrypted”.
What this means is that Papers Please Pezzullo’s officials would require your mobile provider, perhaps in conjunction with your phone manufacturer, to help get malware onto your phone that would log your keystrokes and/or take screenshots and send these to authorities without you being aware — if they have been unable to physically access your device in order to install such malware directly. There would be no systematic breach of encryption, but a breach of a device’s security settings, presumably with the approval of the manufacturer of the device and operating system.
Police-installed malware has been around for many years — and the past illustrates exactly what kind of problems can result. The most famous example was the Bundestrojaner, malware used by German police that was uncovered in 2011 and shown to have massive security flaws. Those flaws potentially allowed a third party not merely to access the targeted device (in that case, a computer), thereby destroying the evidentiary value of whatever was on it, but even to access the police database to which the malware was sending information. Supposedly, the government also intends to dramatically escalate the punishment of people who refuse to provide passwords to authorities.
To the extent that such malware would also require overriding the security protections already installed on mobile devices by the manufacturer, it would create opportunities for malicious actors to use the same exploits on any similar device — exactly the problem that avoiding direct backdoors is supposed to prevent.
How the government’s legislation will address these challenges remains to be seen; despite the careful drop to a friendly journalist, we apparently won’t see the legislation for several more weeks.

Angus Taylor? FFS seriously depleted pack of idiots in the Coalition spared any scrutiny by Murdoch; but not here by Gadfly:
“Of course, Gadfly was just as flummoxed by Q&A compere Tony Jones’s introduction last Monday of Nasty Party minister Angus Taylor as an “Oxford-educated economist”.
What an overlarded piece of badging. Maybe Taylor himself asked for this catchline. While it is true that the minister for lawn order did attend New College, Oxford, his master’s thesis was an analysis of the relationship between the brewing industry and the pubs – not exactly in the realm of pressing macro policy.
On the other hand, the infinitely better qualified economist in parliament, Labor’s Dr Andrew Leigh, did a PhD at Harvard, is a fellow of the Academy of the Social Sciences in Australia and was professor of economics at the Australian National University between 2004 and 2010.
Yet he was introduced on a recent edition of Q&A with a minimum of flourish as “Labor’s assistant shadow treasurer”. Talk about Aunty’s right-wing bias.”
https://www.thesaturdaypaper.com.au/2018/05/19/gadfly-hot-the-press-council/15266520006239
The Coalition are not interested in cyber security. There was a program last year on ABC RN about it, and the lack of money and interest in the issue from the Coalition was a joke.
And facial recognition now being touted? And recall the debacle of the 2016 Census and the data breaches by Centrelink. Dun & Bradstreet and Probe are being paid millions literally to bovver those the failed Robodebt extortion racket is pursuing.
D&B CEO Bligh: “opening government data to public use is happening just as businesses are beginning to understand the importance of making it available commercially,” he said.
Dun & Bradstreet’s new boss, Simon Bligh, predicted that Australia “will catch up once people are comfortable about sharing their personal information”.
The corporate world’s agitation for the ‘commercialization’ of government data is the reason behind the chaotic failed Coalition Census debacle – whereby names and addresses were to be supplied for the first time and retained.
But only our data. Not the data of business. That is always “Commercial in Confidence”.
“What this means is that Papers Please Pezzullo’s officials would require your mobile provider, perhaps in conjunction with your phone manufacturer, to help get malware onto your phone that would log your keystrokes and/or take screenshots and send these to authorities without you being aware — if they have been unable to physically access your device in order to install such malware directly. There would be no systematic breach of encryption, but a breach of a device’s security settings, presumably with the approval of the manufacturer of the device and operating system.”
Facial recognition is now being mooted as well!
Coalition could allow firms to buy access to facial recognition data
“Partially redacted documents from attorney general disclose private sector’s interest in facial verification service
The federal government is considering allowing private companies to use its national facial recognition database for a fee, documents released under Freedom of Information laws reveal.
The partially redacted documents show that the Attorney General’s Department is in discussions with major telecommunications companies about pilot programs for private sector use of the Facial Verification Service in 2018. The documents also indicate strong interest from financial institutions in using the database.
The recent mass data breach at Equifax, which exposed highly sensitive personal information such as medical histories, credit scores and social security numbers belonging to over 143 million US citizens, added to concern. Equifax is currently one of the approved gateway service providers for the Australian DVS.”
https://www.theguardian.com/technology/2017/nov/26/government-could-allow-firms-to-buy-access-to-facial-recognition-data
“Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.
Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017, with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 145.5 million U.S. Equifax consumers’ personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers.
Equifax also confirmed at least 209,000 consumers’ credit card credentials were taken in the attack.”
https://en.wikipedia.org/wiki/Equifax#Security_failings
https://en.wikipedia.org/wiki/Equifax#Lawsuits_and_fines
Serious kudos to whichever Crikey hamster wrote that header.
Such a perfect description of a fine article.
“MAL-WARE OF THE DOG”