<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Thanks aj for getting the conversation started. <br>
</p>
<p>The proposed legislation is deeply flawed, ill-conceived, poorly
consulted and no doubt will be improperly executed. The list of
submissions to PJCIS [0] is staggering in its volume, how many big
players responded, and the overarching message that the AA bill is
flawed. What's even more appalling is how the submissions have
been resoundingly ignored over vague, specious national security
claims. And yes, passing of this bill undoubtedly jeopardises the
Australian technology industry. <br>
</p>
<p><br>
</p>
<h4>Would improving the state of the art in open source help to
defray its effects? <br>
</h4>
<p>Yes, but no-one's going to do it. <br>
</p>
<p>Open * / free * / libre * groups internationally all face the
same set of problems Nadia Eghbal set out in her excellent paper
"Roads and bridges" - essentially everyone uses open source
software, but no one's paying for it to be maintained [1]. <br>
</p>
<p>Linux Australia - and LUGs - which are rapidly dying out - don't
have the bandwidth to help put together the education and advocacy
programs you talk about. Instead, what's happening is that these
are becoming the domain of Developer Advocate / Developer
Relations roles (full disclosure: I work in a similar role) which
are funded by for-profit companies to further the uptake of their
product or platform. Community management and community building
takes time, energy and effort - and many open source / Linux User
Groups have none left. <br>
</p>
<p>Where I do see some possibilities is in partnering with digital
rights groups - such as EFA or DRW - to put together material
which can be used as the basis for talks - easily consumable,
easily reused. I've had some very initial conversations with EFA
around this - but again this requires people to actually do the
work. Perhaps that's something that could be funded under a Grant
Request. <br>
</p>
<p>Looking at platforms and tools, knowledge of GitLab, GitHub, Git,
BitBucket etc - is required to effectively review and assure code
changes. What we're increasingly seeing in this space is the
monetisation of platforms through third party plugins, addons etc
that purport to make CI / CD pipelines "easier" and "hassle free"
- effectively removing testers further and further away from the
codebase itself. Herein lies the great paradox - the easier we
make it for people to use, the more we're abstracting it away from
the very place that malicious changes are made. <br>
</p>
<p><br>
</p>
<h4>Would collective action from technology practitioners help to
defray its effects? <br>
</h4>
<p>Yes, but there are significant forces working to stop this. <br>
</p>
<p>ITPA, with kudos to Robert Hudson, has been very vocal about its
objection to the bill and its consequences, urging members to take
action to contact parliamentarians to vote against the bill [2]. <br>
</p>
<p>The ACS has been less vocal, but did make a submission [3].
Remember that 457/482 visa holders working in IT need to be a
member of a "professional association". <br>
</p>
<p>However, in an era of offshoring, stagnant wages growth,
consolidation of technology companies, particularly those with
open source leanings (ohai, ex-Red Hatters), individuals will be
fearful of non-compliance. Sure, we can ask the community to
support people whose livelihoods are threatened, but how many
instances will it take before donor fatigue hits in? We see this
countless times with Patreon, with Wikipedia's donation requests
on every page, and so on. The collective will, I believe, just
isn't there. <br>
</p>
<p>There will always be those brave souls who put themselves out as
beacons - and respect to them - but I think generally the tech
community has too much to lose. <br>
</p>
<p>The Google walkouts we've seen in recent times only work because
of the specialist talent they have. Imagine an ASX100 company's
tech staff walking out like that - next day the IT function is
outsourced to India. <br>
</p>
<p><br>
</p>
<h4>What would help overturn the bill? <br>
</h4>
<p>Given that the entirety of technical expertise is being ignored,
technical explanations won't win. <br>
</p>
<p>Perhaps a list of the Australian-based companies who would be
subject to the legislation? A list of companies to use that are
_not_ subject to it? </p>
<p>It seems even the threat of moving Australian tech jobs overseas
is not enough to deter both major political parties. <br>
</p>
<p><br>
</p>
<p>[0]
<a class="moz-txt-link-freetext" href="https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions">https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions</a><br>
</p>
<p>[1]
<a class="moz-txt-link-freetext" href="https://www.fordfoundation.org/about/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure">https://www.fordfoundation.org/about/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure</a></p>
<p>[2]
<a class="moz-txt-link-freetext" href="https://www.technologydecisions.com.au/content/information-technology-professionals-association/article/act-now-help-stop-the-aabill-dead-in-its-tracks-206398004">https://www.technologydecisions.com.au/content/information-technology-professionals-association/article/act-now-help-stop-the-aabill-dead-in-its-tracks-206398004</a></p>
<p>[3]
<a class="moz-txt-link-freetext" href="https://www.aph.gov.au/DocumentStore.ashx?id=b46fc472-5d30-496a-8b74-393e2b80a07a&subId=660366">https://www.aph.gov.au/DocumentStore.ashx?id=b46fc472-5d30-496a-8b74-393e2b80a07a&subId=660366</a><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 6/12/18 11:51 am, Anthony Towns via
linux-aus wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20181206005124.af4z764bwwkdk7k4@erisian.com.au">
<pre class="moz-quote-pre" wrap="">Hey *,
(Is this still a discussion list? Apologies if not)
It seems like the Assistance and Access bill is going to pass with
bi-partisan support because apparently national security needs a
Christmas present [0]. Like everyone has already said, this is utterly
unconscionable and a disaster for both Australians' privacy and trust
in Australian IT service providers.
But maybe (and maybe this is more of a contrarian take than a realistic
one) this is something open source can already protect itself against. The
whole "change the code to insert backdoors and ship it out to customers
without telling them" approach is one that only works if you've got
centralised control of what users run, and nobody able to identify
backdoors (and allowed to object to them) is reviewing the code.
If you're instead using best practices for open source development,
that's not an issue: to get the backdoor into users hands, you have to:
a) get the backdoor published as source and passing review, even by
independent co-contributors who might be outside the AA bill's
jurisdiction; or
b) get the backdoor published as a binary that doesn't match the
published source and hence isn't a reproducible build; and have
users not build from source and not notice that the build they're
using is non-reproducible
There's two *really* hard steps there:
a) getting co-contributors who actively review patches to all the open
source software people use; and
b) making it so non-technical users can actually benefit from
reproducible builds
But both those are already problems even with non-state-level
attackers; eg [1] or [2] for (a), and for (b) hopefully it's obvious that
deliberately adding backdoors in binaries is easy if that's what everyone
uses and no one can check it actually matches the published source.
So maybe we should be thinking about ways of improving the state of
the art in open source, and routing around ridiculous laws, rather than
relying on avoiding ridiculous laws, given the fix is already in? Like,
encouraging LUGs to have hackathons/talks on how to build your own
android system (OS and apps) from source; or encouraging conferences
to have sessions on how devs can find/encourage co-maintainers and do
reviews of patches and dependencies to avoid exploits slipping in?
I mean, the AA bill is still a horrible idea and both political parties
should have known better [3], but at least open source has *some*
prospect of defending users against it. At least until they talk to
Intel and just backdoor the system over built-in wifi from below the
kernel level of course...
An alternative approach would be for many of us to say "complying with the
AA bill by inserting backdoors is unethical", and to back that up by
supporting those of us who actually resist it, eg by covering legal
costs for devs/admins who break the law by not implementing backdoors
when required, or by revealing their existence; and having a fund to
support their families if they're unable to get paid in the meantime,
etc. If we had a simple, consistent, understandable set of principles
like that, it could be a strong way of preventing lawmaking that goes
against those ethics; in a similar way in which the Hippocratic oath
lets patients generally trust doctors. I'm not sure what a broadly acceptable
ethical principle would be exactly; if the principle was "software should
serve the end user's interest", that could make it unethical to work
for a whole bunch of data harvesting companies like Google and Facebook,
which... might not be wrong, but probably wouldn't be effective.
Kind of interesting that the end-to-end principle is topical again
just in time for lca's first return to the South Island of NZ since
Dan Jacobsen's talk on using that philosophy to get a high performance
network stack back at lca 2006...
Cheers,
aj
[0] "Assistant Home Affairs Minister Linda Reynolds claimed the
legislation needs to be rushed to help alleviate security threats
over the coming summer break.
"Christmas is a heightened security issue for us and we need to
make sure people are as safe and as secure as possible," Reynolds
said on Sunday.
"It is the lives of Australians at risk, because the threat is real."
" -- <a class="moz-txt-link-freetext" href="https://www.zdnet.com/article/coalition-and-labor-strike-deal-on-encryption-legislation/">https://www.zdnet.com/article/coalition-and-labor-strike-deal-on-encryption-legislation/</a>
[1] <a class="moz-txt-link-freetext" href="https://it.slashdot.org/story/18/12/01/2217231/nodejs-event-stream-hack-reveals-open-source-developer-infrastructure-exploit">https://it.slashdot.org/story/18/12/01/2217231/nodejs-event-stream-hack-reveals-open-source-developer-infrastructure-exploit</a>
[2] <a class="moz-txt-link-freetext" href="https://lists.debian.org/debian-devel/2003/02/msg00771.html">https://lists.debian.org/debian-devel/2003/02/msg00771.html</a>
[3] The AA bill seems like a potential disaster for small IT outsourcing
companies. Without the AA bill, you could at least meet the people
involved and say "yeah, they seem trustworthy, I don't think they'll
login as root and read all my email if I get them to run my mail
server". With the AA bill, even otherwise trustworthy people can
be forced to forward all your emails to the govt, so any loss of
trust in the govt's handling of private info seems like it would flow
pretty quickly into job losses there, if people start preferring
to outsource to foreign IT companies instead.
It seems like it could be bad for internal admin jobs too; if eg
the ATO manages to use the bill to get an admin to add a hook to
bcc all company executives' emails to their tax avoidance squad,
which is after all just a 21st century way of investigating potential
crimes, and a budget surplus is probably a national security issue,
right? Why employ an Australian as an admin if they can be forced to
forward your emails to govt agencies on fishing expeditions? Maybe
multinationals who can have admins checking over each others changes
will have less of a problem; but still why hire Australians who
you have to check not just for mistakes or corruption, but also
government directed malfeasance?
_______________________________________________
linux-aus mailing list
<a class="moz-txt-link-abbreviated" href="mailto:linux-aus@lists.linux.org.au">linux-aus@lists.linux.org.au</a>
<a class="moz-txt-link-freetext" href="http://lists.linux.org.au/mailman/listinfo/linux-aus">http://lists.linux.org.au/mailman/listinfo/linux-aus</a>
To unsubscribe from this list, send a blank email to
<a class="moz-txt-link-abbreviated" href="mailto:linux-aus-unsubscribe@lists.linux.org.au">linux-aus-unsubscribe@lists.linux.org.au</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Kathy Reid
President
Linux Australia
0418 130 636
<a class="moz-txt-link-abbreviated" href="mailto:president@linux.org.au">president@linux.org.au</a>
<a class="moz-txt-link-freetext" href="http://linux.org.au">http://linux.org.au</a>
Linux Australia Inc
GPO Box 4788
Sydney NSW 2001
Australia
ABN 56 987 117 479 </pre>
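<p>aj's quoted message argues that a backdoor shipped as a binary only survives step (b) if users cannot tell that the binary fails to match the published source, which in turn requires the build to be reproducible. The following is an added example, not code from either message or from any project mentioned in the thread. It models a "build" as packaging a small constructed source tree into a tar archive: the naive build embeds the wall clock and the caller's file order, the reproducible build pins both (using the reproducible-builds.org SOURCE_DATE_EPOCH convention for the timestamp), and a verifier rebuilds from source and compares SHA-256 digests. The project name "hello", the file contents and the SOURCE_DATE_EPOCH value are all constructed for the example; the same idea applies to compiled binaries, where timestamps, embedded paths and link order are the usual sources of variation.</p>

```python
"""Reproducible builds as the check behind aj's point (b).

Added example, not code from the mailing-list thread. A 'build' is modelled
as packaging a source tree into an uncompressed tar archive.
"""
import hashlib
import io
import tarfile
import time

# Constructed sample source tree for a hypothetical project.
SOURCE = {
    "hello/Makefile": b"all:\n\tcc -o hello main.c\n",
    "hello/main.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
}
# Same files in a different order: models two build hosts whose directory
# walk returns entries in different orders.
SOURCE_REORDERED = dict(reversed(list(SOURCE.items())))

# reproducible-builds.org convention: the build embeds this timestamp instead
# of "now". Constructed value (2018-12-05T00:00:00Z).
SOURCE_DATE_EPOCH = 1543968000


def _tar(entries, mtime):
    """Pack (name, bytes) pairs into an uncompressed tar archive.

    PAX format is chosen deliberately: a float mtime is written at full
    precision into a pax extended header, so the naive build below really
    does change from one run to the next. (gzip would add a second
    timestamp in its own header; it is left out to keep the example short.)
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(tree):
    """Embeds the wall clock and the caller's file order: not reproducible."""
    return _tar(tree.items(), time.time())


def reproducible_build(tree):
    """Pins timestamp and entry order: every honest rebuild is byte-identical."""
    return _tar(sorted(tree.items()), SOURCE_DATE_EPOCH)


def tampered_build(tree):
    """An artifact whose contents do not match the published source."""
    altered = dict(tree)
    altered["hello/main.c"] += b"/* change absent from the published source */\n"
    return reproducible_build(altered)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(published_artifact, tree, build=reproducible_build):
    """Rebuild from the published source and compare digests.

    Returns True only when the rebuild is byte-identical to the artifact.
    With a non-reproducible build this is False even for an honest artifact,
    which is exactly why such a build gives users no way to notice tampering.
    """
    return sha256(build(tree)) == sha256(published_artifact)


def demo():
    """Run the comparisons a user would perform; returns a dict of outcomes."""
    first = naive_build(SOURCE)
    time.sleep(0.01)  # let the clock move, as it would between two hosts
    second = naive_build(SOURCE)
    honest = reproducible_build(SOURCE)
    return {
        "naive_differs_between_runs": first != second,
        "reproducible_is_order_invariant": honest == reproducible_build(SOURCE_REORDERED),
        "honest_artifact_verifies": verify(honest, SOURCE),
        "tampered_artifact_rejected": not verify(tampered_build(SOURCE), SOURCE),
        "naive_honest_artifact_unverifiable": not verify(first, SOURCE, build=naive_build),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

<p>The last line of the demo is the one that matters for aj's argument: with the naive build, an honest artifact and a tampered one are equally "unverifiable", so a hash mismatch tells the user nothing. Only once every honest rebuild is byte-identical does a mismatch become evidence that the shipped artifact was not built from the published source.</p>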
</body>
</html>