[Linux-aus] Encryption bill and open source

Anthony Towns aj at erisian.com.au
Thu Dec 6 11:51:24 AEDT 2018

Hey *,

(Is this still a discussion list? Apologies if not)

It seems like the Assistance and Access bill is going to pass with
bi-partisan support because apparently national security needs a
Christmas present [0]. Like everyone has already said, this is utterly
unconscionable and a disaster for both Australians' privacy and trust
in Australian IT service providers.

But maybe (and maybe this is more of a contrarian take than a realistic
one) this is something open source can already protect itself against. The
whole "change the code to insert backdoors and ship it out to customers
without telling them" approach is one that only works if you've got
centralised control of what users run, and nobody able to identify
backdoors (and allowed to object to them) is reviewing the code.

If you're instead using best practices for open source development,
that's not an issue: to get the backdoor into users hands, you have to:

 a) get the backdoor published as source and passing review, even by
    independent co-contributors who might be outside the AA bill's
    jurisdiction; or

 b) get the backdoor published as a binary that doesn't match the
    published source and hence isn't a reproducible build; and have
    user's not build from source and not notice that the build they're
    using is non-reproducible

There's two *really* hard steps there:

 a) getting co-contributors who actively review patches to all the open
    source software people use; and

 b) making it so non-technical users can actually benefit from
    reproducible builds

But both those are already problems even with non-state-level
attackers; eg [1] or [2] for (a), and for (b) hopefully it's obvious that
deliberately adding backdoors in binaries is easy if that's what everyone
uses and no one can check it actually matches the published source.

So maybe we should be thinking about ways of improving the state of
the art in open source, and routing around ridiculous laws, rather than
relying on avoiding ridiculous laws, given the fix is already in? Like,
encouraging LUGs to have hackathons/talks on how to build your own
android system (OS and apps) from source; or encouraging conferences
to have sessions on how devs can find/encourage co-maintainers and do
reviews of patches and dependencies to avoid exploits slipping in?

I mean, the AA bill is still a horrible idea and both political parties
should have known better [3], but at least open source has *some*
prospect of defending users against it. At least until they talk to
Intel and just backdoor the system over built-in wifi from below the
kernel level of course...

An alternative approach be for many of us to say "complying with the
AA bill by inserting backdoors is unethical", and to back that up by
supporting those of us who actually resist it, eg by covering legal
costs for devs/admins who break the law by not implementing backdoors
when required, or by revealing their existence; and having a fund to
support their families if they're unable to get paid in the meantime,
etc.  If we had a simple, consistent, understandable set of principles
like that, it could be a strong way of preventing lawmaking that goes
against those ethics; in a similar way in which the Hippocratic oath
lets patients generally trust doctors. I'm not what a broadly acceptable
ethical principle would be exactly; if the principle was "software should
serve the end user's interest", that could make it unethical to work
for a whole bunch of data harvesting companies like Google and Facebook,
which... might not be wrong, but probably wouldn't be effective.

Kind of interesting that the end-to-end principle is topical again
just in time for lca's first return to the South Island of NZ since
Dan Jacobsen's talk on using that philosophy to get a high performance
network stack back at lca 2006...


[0] "Assistant Home Affairs Minister Linda Reynolds claimed the
     legislation needs to be rushed to help alleviate security threats
     over the coming summer break.

     "Christmas is a heightened security issue for us and we need to
     make sure people are as safe and as secure as possible," Reynolds
     said on Sunday.

     "It is the lives of Australians at risk, because the threat is real."
    " -- https://www.zdnet.com/article/coalition-and-labor-strike-deal-on-encryption-legislation/

[1] https://it.slashdot.org/story/18/12/01/2217231/nodejs-event-stream-hack-reveals-open-source-developer-infrastructure-exploit

[2] https://lists.debian.org/debian-devel/2003/02/msg00771.html

[3] The AA bill seems like a potential disaster for small IT outsourcing
    companies. Without the AA bill, you could at least meet the people
    involved and say "yeah, they seem trustworthy, I don't think they'll
    login as root and read all my email if I get them to run my mail
    server". With the AA bill, even otherwise trustworthy people can
    be forced to forward all your emails to the govt, so any loss of
    trust in the govt's handling of private info seems like it flow
    pretty quickly into job losses there, if people start preferring
    to outsource to foreign IT companies instead.

    It seems like it could be bad for internal admin jobs too; if eg
    the ATO manages to use the bill to get an admin to add a hook to
    bcc all company executives' emails to their tax avoidance squad,
    which is after all just a 21st century way of investigating potential
    crimes, and a budget surplus is probably a national security issue,
    right? Why employ an Australian as an admin if they can be forced to
    forward your emails to govt agencies on fishing expeditions? Maybe
    multinationals who can have admins checking over each others changes
    will have less of a problem; but still why hire Australian's who
    you have to check not just for mistakes or corruption, but also
    government directed malfeasance?

More information about the linux-aus mailing list