<div dir="ltr"><div>Anecdotes are rarely the basis for good decisions. One person not having a problem does not generalise easily. The actual risk is that a vulnerability exists in their implementation and public disclosure of the source code may enable that vulnerability to be discovered and exploited. There have been examples of this in other open source projects before.</div><div><br></div><div>Under the government classification framework, anything that can cause harm (even if very minor) attracts some level of national security classification, and as such is exempt from FOI requests. This is probably where the attempt to force disclosure will end up.</div><div><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-Matthew Lye<br><br>"Speech is conveniently located midway between thought and action, where it often substitutes for both."
- John Andrew Holmes<br></div></div></div><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Sat, 6 Dec 2025 at 20:09, Adam Nielsen via linux-aus <<a href="mailto:linux-aus@lists.linux.org.au">linux-aus@lists.linux.org.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> My case is primarily about cybersecurity and "security by<br>
> obscurity".<br>
<br>
Bit of a weird claim they make about security by obscurity. The<br>
algorithm they use to generate the codes is RFC 6238 so the open source<br>
oathtool utility can be used to generate them. The hard part is<br>
extracting the secrets from the Android app because they are<br>
obfuscated, but not long after I was forced to set it up I found<br>
instructions online how to do it[1], for which I am very grateful to<br>
the individual who took the time to post them.<br>
<br>
Since then I haven't opened the Android app, I just use a shortcut to<br>
oathtool that generates the myGov MFA code along with all my other MFA<br>
codes, which I can copy and paste into the login page.<br>
<br>
It's WAY nicer than using the app, but just a shame it was so much<br>
effort to get the secret out of the app in the first place. I trust my<br>
Linux server way more than I trust my phone as far as security is<br>
concerned, and I *really* don't want to get locked out when (not if) my<br>
phone breaks.<br>
<br>
You say one of the risks is that the tribunal could agree with the<br>
security by obscurity arguments, but this would be surprising given<br>
that there has been no obscurity since at least 2021 when those<br>
instructions were posted. Like all security by obscurity, it has a<br>
100% failure rate, as someone always figures it out in the end. This<br>
is just more evidence that security by obscurity never works for long.<br>
<br>
The secret I extracted from my phone years ago still works today to log<br>
me in, so since 2021 they've made no effort to change the algorithm,<br>
which tells me the release of this information hasn't affected their<br>
security one bit. Their concern that the release of this information<br>
would lead to "myGov account compromise" has turned out to be factually<br>
untrue, as it is not a hypothetical situation, it has been the case for<br>
a few years now - and nobody has hacked my myGov account yet.<br>
<br>
Cheers,<br>
Adam.<br>
<br>
[1]: <a href="https://gist.github.com/hacker1024/5d0845863e2dced27fd5eebc4ac95a39" rel="noreferrer" target="_blank">https://gist.github.com/hacker1024/5d0845863e2dced27fd5eebc4ac95a39</a><br>
_______________________________________________<br>
linux-aus mailing list<br>
<a href="mailto:linux-aus@lists.linux.org.au" target="_blank">linux-aus@lists.linux.org.au</a><br>
<a href="https://lists.linux.org.au/mailman/listinfo/linux-aus" rel="noreferrer" target="_blank">https://lists.linux.org.au/mailman/listinfo/linux-aus</a><br>
<br>
To unsubscribe from this list, send a blank email to<br>
<a href="mailto:linux-aus-unsubscribe@lists.linux.org.au" target="_blank">linux-aus-unsubscribe@lists.linux.org.au</a><br>
</blockquote></div>