[Linux-aus] Encryption bill and open source

Linux Australia President president at linux.org.au
Thu Dec 6 15:47:22 AEDT 2018


Thanks aj for getting the conversation started.

The proposed legislation is deeply flawed, ill-conceived, poorly 
consulted and no doubt will be improperly executed. The list of 
submissions to PJCIS [0] is staggering in its volume, how many big 
players responded, and the overarching message that the AAbill is 
flawed. What's even more appalling is how the submissions have been 
resoundingly ignored over vague, specious national security claims. And 
yes, passing of this bill undoubtedly jeopardises the Australian 
technology industry.


        Would improving the state of the art in open source help to
        defray its effects?

Yes, but no-one's going to do it.

Open * / free * / libre * groups internationally all face the same set 
of problems Nadia Eghbal set out in her excellent paper "Roads and 
bridges" - essentially everyone uses open source software, but no one's 
paying for it to be maintained [1].

Linux Australia - and LUGs - which are rapidly dying out - don't have 
the bandwidth to help put together the education and advocacy programs 
you talk about. Instead, what's happening is that these are becoming the 
domain of Developer Advocate / Developer Relations roles (full 
disclosure: I work in a similar role) which are funded by for-profit 
companies to further the uptake of their product or platform. Community 
management and community building takes time, energy and effort - and 
many open source / Linux User groups have none left.

Where I do see some possibilities is in partnering with digital rights 
groups - such as EFA or DRW - to put together material which can be used 
as the basis for talks - easily consumable, easily reused. I've had some 
very initial conversations with EFA around this - but again this 
requires people to actually do the work. Perhaps that's something that 
could be funded under a Grant Request.

Looking at platforms and tools, knowledge of GitLab, GitHub, Git, 
BitBucket etc - is required to effectively review and assure code 
changes. What we're increasingly seeing in this space is the 
monetisation of platforms through third party plugins, addons etc that 
purport to make CI / CD pipelines "easier" and "hassle free" - 
effectively removing testers further and further away from the codebase 
itself. Herein lies the great paradox - the easier we make it for people 
to use, the more we're abstracting it away from the very place that 
malicious changes are made.


        Would collective action from technology practitioners help to
        defray its effects?

Yes, but there are significant forces working to stop this.

ITPA, with kudos to Robert Hudson, has been very vocal about its 
objection to the bill and its consequences, urging members to take 
action to contact parliamentarians to vote against the bill [2].

The ACS has been less vocal, but did make a submission [3]. Remember 
that 457/482 visa holders working in IT need to be a member of a 
"professional association".

However, in an era of offshoring, stagnant wages growth, consolidation 
of technology companies, particularly those with open source leanings 
(ohai, ex-Red Hatters), individuals will be fearful of non-compliance. 
Sure, we can ask the community to support people whose livelihoods are 
threatened, but how many instances will it take before donor fatigue 
hits in? We see this countless times with Patreon, with Wikipedia's 
donation requests on every page, and so on. The collective will, I 
believe, just isn't there.

There will always be those brave souls who put themselves out as beacons 
- and respect to them - but I think generally the tech community has too 
much to lose.

The Google walkouts we've seen in recent times only work because of the 
specialist talent they have. Imagine an ASX100 company's tech staff 
walking out like that - next day the IT function is outsourced to India.


        What would help overturn the bill?

Given that the entirety of technical expertise is being ignored, 
technical explanations won't win.

Perhaps a list of the Australian based companies who would be subject to 
the legislation? A list of companies to use that are _not_ subject to it?

It seems even the threat of moving Australian tech jobs overseas is not 
enough to deter both major political parties.


[0] https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions

[1] https://www.fordfoundation.org/about/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure

[2] https://www.technologydecisions.com.au/content/information-technology-professionals-association/article/act-now-help-stop-the-aabill-dead-in-its-tracks-206398004

[3] https://www.aph.gov.au/DocumentStore.ashx?id=b46fc472-5d30-496a-8b74-393e2b80a07a&subId=660366


On 6/12/18 11:51 am, Anthony Towns via linux-aus wrote:
> Hey *,
>
> (Is this still a discussion list? Apologies if not)
>
> It seems like the Assistance and Access bill is going to pass with
> bi-partisan support because apparently national security needs a
> Christmas present [0]. Like everyone has already said, this is utterly
> unconscionable and a disaster for both Australians' privacy and trust
> in Australian IT service providers.
>
> But maybe (and maybe this is more of a contrarian take than a realistic
> one) this is something open source can already protect itself against. The
> whole "change the code to insert backdoors and ship it out to customers
> without telling them" approach is one that only works if you've got
> centralised control of what users run, and nobody able to identify
> backdoors (and allowed to object to them) is reviewing the code.
>
> If you're instead using best practices for open source development,
> that's not an issue: to get the backdoor into users' hands, you have to:
>
>   a) get the backdoor published as source and passing review, even by
>      independent co-contributors who might be outside the AA bill's
>      jurisdiction; or
>
>   b) get the backdoor published as a binary that doesn't match the
>      published source and hence isn't a reproducible build; and have
>      users not build from source and not notice that the build they're
>      using is non-reproducible
>
> There's two *really* hard steps there:
>
>   a) getting co-contributors who actively review patches to all the open
>      source software people use; and
>
>   b) making it so non-technical users can actually benefit from
>      reproducible builds
>
> But both those are already problems even with non-state-level
> attackers; eg [1] or [2] for (a), and for (b) hopefully it's obvious that
> deliberately adding backdoors in binaries is easy if that's what everyone
> uses and no one can check it actually matches the published source.
>
> So maybe we should be thinking about ways of improving the state of
> the art in open source, and routing around ridiculous laws, rather than
> relying on avoiding ridiculous laws, given the fix is already in? Like,
> encouraging LUGs to have hackathons/talks on how to build your own
> android system (OS and apps) from source; or encouraging conferences
> to have sessions on how devs can find/encourage co-maintainers and do
> reviews of patches and dependencies to avoid exploits slipping in?
>
> I mean, the AA bill is still a horrible idea and both political parties
> should have known better [3], but at least open source has *some*
> prospect of defending users against it. At least until they talk to
> Intel and just backdoor the system over built-in wifi from below the
> kernel level of course...
>
> An alternative approach would be for many of us to say "complying with the
> AA bill by inserting backdoors is unethical", and to back that up by
> supporting those of us who actually resist it, eg by covering legal
> costs for devs/admins who break the law by not implementing backdoors
> when required, or by revealing their existence; and having a fund to
> support their families if they're unable to get paid in the meantime,
> etc.  If we had a simple, consistent, understandable set of principles
> like that, it could be a strong way of preventing lawmaking that goes
> against those ethics; in a similar way in which the Hippocratic oath
> lets patients generally trust doctors. I'm not sure what a broadly acceptable
> ethical principle would be exactly; if the principle was "software should
> serve the end user's interest", that could make it unethical to work
> for a whole bunch of data harvesting companies like Google and Facebook,
> which... might not be wrong, but probably wouldn't be effective.
>
> Kind of interesting that the end-to-end principle is topical again
> just in time for lca's first return to the South Island of NZ since
> Dan Jacobsen's talk on using that philosophy to get a high performance
> network stack back at lca 2006...
>
> Cheers,
> aj
>
> [0] "Assistant Home Affairs Minister Linda Reynolds claimed the
>       legislation needs to be rushed to help alleviate security threats
>       over the coming summer break.
>
>       "Christmas is a heightened security issue for us and we need to
>       make sure people are as safe and as secure as possible," Reynolds
>       said on Sunday.
>
>       "It is the lives of Australians at risk, because the threat is real."
>      " -- https://www.zdnet.com/article/coalition-and-labor-strike-deal-on-encryption-legislation/
>
> [1] https://it.slashdot.org/story/18/12/01/2217231/nodejs-event-stream-hack-reveals-open-source-developer-infrastructure-exploit
>
> [2] https://lists.debian.org/debian-devel/2003/02/msg00771.html
>
> [3] The AA bill seems like a potential disaster for small IT outsourcing
>      companies. Without the AA bill, you could at least meet the people
>      involved and say "yeah, they seem trustworthy, I don't think they'll
>      login as root and read all my email if I get them to run my mail
>      server". With the AA bill, even otherwise trustworthy people can
>      be forced to forward all your emails to the govt, so any loss of
>      trust in the govt's handling of private info seems like it would flow
>      pretty quickly into job losses there, if people start preferring
>      to outsource to foreign IT companies instead.
>
>      It seems like it could be bad for internal admin jobs too; if eg
>      the ATO manages to use the bill to get an admin to add a hook to
>      bcc all company executives' emails to their tax avoidance squad,
>      which is after all just a 21st century way of investigating potential
>      crimes, and a budget surplus is probably a national security issue,
>      right? Why employ an Australian as an admin if they can be forced to
>      forward your emails to govt agencies on fishing expeditions? Maybe
>      multinationals who can have admins checking over each other's changes
>      will have less of a problem; but still why hire Australians who
>      you have to check not just for mistakes or corruption, but also
>      government directed malfeasance?
>
> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/mailman/listinfo/linux-aus
>
> To unsubscribe from this list, send a blank email to
> linux-aus-unsubscribe at lists.linux.org.au

-- 
Kathy Reid
President
Linux Australia

0418 130 636

president at linux.org.au
http://linux.org.au

Linux Australia Inc
GPO Box 4788
Sydney NSW 2001
Australia

ABN 56 987 117 479
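Step (b) in aj's quoted message turns on users being able to notice that a shipped binary does not correspond to the published source. The following is an added example, not code from the thread or from any project it mentions, showing what that check looks like in practice: a toy packager stands in for a real compiler, first in a form that leaks its build environment (clock, builder uid/gid, filesystem order) so two honest builders get different bytes, then in a form with those fields pinned so any independent rebuild is byte-identical, which is what lets a third party rebuild a release and compare digests. The source tree, environments and `SOURCE_DATE_EPOCH` value are constructed for the example.

```python
"""Reproducible-build verification, reduced to a toy packager.

Constructed example (not from the mailing-list thread).  The "build" packs a
source tree into an uncompressed tar archive; the same principles apply to
real compilers and packagers, which leak the same kinds of environment data.
"""
import hashlib
import io
import json
import tarfile

# Constructed sample source tree: path -> contents.  Stands in for a checkout.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
}

# Fixed timestamp used instead of the wall clock, following the
# SOURCE_DATE_EPOCH convention from reproducible-builds.org.  Constructed value.
SOURCE_DATE_EPOCH = 1544060842


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_naive(tree, env):
    """Toy build that leaks its environment into the artifact.

    `env` is a constructed dict with keys 'now' (build clock), 'uid', 'gid'
    (builder account) and 'order' (the order the filesystem listed files in).
    Two honest builders on different machines produce different bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in env["order"]:
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = env["now"]              # wall clock leaks in
            info.uid, info.gid = env["uid"], env["gid"]  # builder account leaks in
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def build_reproducible(tree, env=None):
    """Same packager with every environment-dependent field pinned.

    Sorted file order, fixed mtime, uid/gid 0 and empty owner names.  `env`
    is accepted and ignored to show the output no longer depends on it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def verify_release(published_artifact: bytes, tree, builder) -> dict:
    """Independent rebuild check: rebuild from the published source and compare.

    Returns the match flag plus both digests so a mismatch can be reported."""
    rebuilt = builder(tree)
    return {
        "match": rebuilt == published_artifact,
        "published_sha256": sha256_hex(published_artifact),
        "rebuilt_sha256": sha256_hex(rebuilt),
    }


def demo() -> dict:
    # Two constructed build environments: different clocks, accounts, file order.
    env_a = {"now": 1544060000, "uid": 1000, "gid": 1000,
             "order": ["README", "src/main.c", "src/util.c"]}
    env_b = {"now": 1544072222, "uid": 501, "gid": 20,
             "order": ["src/util.c", "src/main.c", "README"]}

    naive_differs = build_naive(SOURCE_TREE, env_a) != build_naive(SOURCE_TREE, env_b)
    repro_same = build_reproducible(SOURCE_TREE, env_a) == build_reproducible(SOURCE_TREE, env_b)

    # Release that really was built from the published source: rebuild matches.
    honest = verify_release(build_reproducible(SOURCE_TREE), SOURCE_TREE, build_reproducible)

    # Release whose contents diverge from the published source (constructed: one
    # extra file stands in for any divergence): an independent rebuild exposes it.
    divergent_tree = dict(SOURCE_TREE, **{"src/extra.c": b"/* absent from published source */\n"})
    divergent = verify_release(build_reproducible(divergent_tree), SOURCE_TREE, build_reproducible)

    return {"naive_differs": naive_differs, "repro_same": repro_same,
            "honest": honest, "divergent": divergent}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `build_reproducible` accepting and ignoring `env` is that the verifier does not need the publisher's machine, clock or account to reproduce the bytes; a mismatch in `verify_release` therefore means the published artifact was not produced from the published source, not merely that it was built somewhere else.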
