[Linux-aus] Encryption bill and open source

[Russell Stuart]

On Thu, 2018-12-06 at 16:19 +1100, Hugh Blemings via linux-aus wrote:
> One thing I would urge all of you to consider doing is call your
> local MP.  Seriously.  Respectfully ask that your views (presumably
> against) be noted and give one or two reasons why - EFFA have written
> concisely on this aspect[0].

With due respect to Hugh, I suspect there are quite a few here who
don't know what is being proposed will refrain from contacting their MP
on the grounds they don't really have a clue what they are talking
about.  The fix is easy: read the 400 odd pages of dull legalise the
government has published at [0].

If for some reason you don't want to do that, here is my take (which
turned out to be only slightly shorter).  Beware I've take considerably
liberties in translating [0] into what I think is the intended
implementation.

The problem they are trying to solve is the internet is going dark
"post Snowden".

"Going dark" refers to existing legislation when allows them to ask
Telco's (think Telstra, TPG, Optus, ...) to place taps on their network
so information passing through it goes to the Law Enforcement Agencies
(think police, AFP, ASIO).  The problem is post Snowden that
information is now encrypted, so it is no longer useful to them.

"Post Snowden" is meant to obfuscate the real cause: to wit, at a
security conference NSA presented some slides of places that had put
taps and there happen to be some Google Security engineers in the
audience who recognised the place as one of Google's own interconnects.
   Apparently Google was pissed, so pissed they pretty much single
handedly forced the the internet to encrypt everything by penalising
non https URL's in their search results.  The use of "single handedly"
is meant to signal to you that I am indeed doing as I warned and
applying some of my own spin here: obviously at the very least "Lets
Encrypt" also had a hand in moving the web to https.

The first idea that came to the LEA's collective minds was to mandate a
backdoor in encryption, and many high ranking police officers have
asked for just that in public.  But the suggestion didn't go down so
well, probably because it was tried before and was by-passed by someone
walking through customers the PERL code for RSA on their t-shirt. 

This is the second attempt.  It is based on the observation that the
information must be unencrypted at the end points: ie, when human
sender composes it, and when the intended recipients read it.  The
Assistance and Access bill just extends the existing legislation from
the Telco's to all software providers, so that the LEA's can force any
software or hardware provider to create "tap", and install it for them
at the end point, where the data isn't encrypted.  Like the existing
taps, it must be done in secret: a provider ordered to do this can not
reveal it to anyone.

The current legislation has been in use for a long time.  From the
perspective of the LEA's and the politicians, it has proved an
effective tool for law enforcement while having enough checks and
balances to ensure it hasn't been abused.  For example, it explicitly
forbids mass surveillance: these each taps must be authorised, they
must target particular individuals who must be suspected of committing
a crime and each one must be authorised by a judge who checks these
things.  These existing protections will apply to the new taps enabled
by the Assistance and Access bill.

Now onto the implementation details.  The word "Assistance" in the
bill's name is another piece of spin.  The bill is worded as if the
software providers may be asked to give "assistance" in creating the
taps.  The bill helpfully lists many kinds of assistance that might be
asked for - like API's and schematics. I not sure why as does as in
reality they can ask for anything as the bill very noticability doesn't
place any limit what the software providers can be asked to do,
provided they pay for it.

As an example, the bill says the tap must be undetectable by the user. 
This is at odds with Android's current power monitoring notifications. 
Without special "assistance" I would get a notification that the "ASIO
Remote Spy Tool" is running in the background and consuming power.  In
fact without special assistance, I would get notified "ASIO Remote Spy
Tool" wanted permission to access everything.  If they are going to re-
write the internals of Android, so for example the SELINUX protections
provided by the kernel are by-passed, it's going to take a little more
than the provision of a few API's.  Since SELINUX was created by NSA
(with able assistance from our very own Russell Coker) I doubt it can
be by-passed by a normal application - although assistance could be
demanded from Russell for that.  (We would never know.)

Which brings us to the next word in the bill's title, "Access".  Access
means "you will download our taps onto the devices for us".  In other
words, if they want to spy on me they ask Google to auto download their
taps onto my phone via the app store.  This isn't a big ask.  I can get
the app store to download any application to a phone on the other side
of the planet via a web page now.  (The act doesn't say this of course
- but it is very explicit in saying the tap must be able to be
installed remotely, and silently.  And it must send the data it gathers
securely back to the LEA.)

Try as I might, I can't shake the image of a bored police officer
lazing back in his chain in his Canberra office, pressing a button, and
seeing a live feed of some perp's camera in a escort agency appear on
his monitor. But lets put such wild thoughts aside, as the legal checks
and balances in the bill are there to ensure that can't happen.  The
way the Assistance and Access bill is imagined, it will be _very_
precisely targeted:

  -  A person suspected of a crime will be identified.
  -  A judge will vet LEA's reasoning.
  -  If the judge approves lots of legally weighty papers are
     signed by great numbers of very important people.
  -  On presentation of said paper the person employed to press
     the "install tap" button will check it carefully, and then
     enter the IMEI, UUID or whatever, and press the button.
  -  The tap will be installed, and data will flow to Canberra.

There is even a provision for transparency.  After a suitable time has
elapsed (potentially years), we get to know how many times the button
was pressed (and nothing else).

The bill has specific wording to assure us it can not happen any other
way.  It explicitly prohibits LEA's from asking for a systemic
weakness.  A systemic weakness is one that weakens security of all of
us.  A cryptography back door would weaken cryptography in general, so
that is out.  Presumably introducing a special public key signature
that allows an application to by-pass SELINUX also weakens the entire
system so it would be out too.  I used the word "presumably" because as
the bill stands it does not define "systemic weakness" so it could have
been potentially weaselled away, however Labor has insisted that loop
hole be fixed before they will accept it.

I'm guessing the supporters of the bill get a lot of confidence from
their faith in Australia's democracy and institutions.  From their
point of view even if the bill does go awry it will be fixed without
too much damage occurring.  My guess is that belief so strong any
argument's about creating a surveillance or police state will get you
branded as a nutter.

Perhaps they are right.  I have enormous confidence in Australia's
institutions myself.  What makes me uneasy is the bill does not seem to
limit the sort of information that can be collected.  It's no longer
just email, SMS and voice.  Its your GPS position and speed in real
time, your microphone, your cameras, the MAC's of other devices around
you, your banking passwords (as they can see you type them).  And your
Tor browsing habits and microcode Intel installed into its CPU.  And it
isn't just your phone - it's anything that auto installs software
patches.  So it's your PC, your TV, your car, your router, your watch,
my vacuum, and perhaps even Karen Sanders pace maker.  They will
probably say most of these things aren't their intention right now. 
But the bill doesn't say that.  They also said they intended to keep
our meta data private, and now it's available to man+dog.

There is no hiding from this sort of surveillance.  It isn't just the
stuff we would encrypt.  It's the stuff we would never write down or
record at all.  It's your pins, lastpass and GPG passwords, your Debian
repository signatures.  It's boardroom conversations about billion
dollar takeovers.  It's not just your device you have to worry about -
it's every one in the room, and the security camera behind the pot
plant pointed at your keyboard.

We've got TV shows like Person of Interest exploring of what a world
like this might look like, but they got it wrong.  In this one (only?)
instance TV didn't go far enough - it really didn't scratch the surface
of what a world without secrets would look like.  For example secrets
are a major way we hold people accountable: only your credit card knows
secure key, it will only lock with the pin, only you know the pin
therefore you authorised the expenditure.

In fact the bill does not discuss risks at all.  Those risks it does
seek to mitigate are only those that can be solved with law and order. 
I guess the mentality behind it is every risk can be managed by a
"sneak an unauthorised peek and we will crush you and throw away the
key" strategy.  To be fair, it's kept murder at workable rates for
centuries - which is something that should inspire some faith in the
system.

Unfortunately, law and order has stopped working for some edge cases in
today's world.  Sending spam is against the law, yet over 1/2 the email
travelling across the wire is spam.  I have no doubt the law
enforcement officers receive the same amount of spam I do - and I have
no doubt they also given up on law and order and don't report it. 
Attempts to hack my VOIP servers is illegal, yet it happens so quickly
the trace in my logs makes debugging legitimate problems almost
impossible if I don't ignore the attempts, which of course I do. 
Taking Sony down was illegal yet no one is in jail.  Stealing the
EternalBlue exploit the NSA had developed was illegal as was the 10's
of thousands of routers it was used to hack, I wonder who the NSA
reported the crime to?

I saw a similar point being made in the senate hearings on the
Assistance and Access bill [1].  It was like the proverbial elephant in
the room made a surprise appearance - everybody thought there must be
something they were missing and was keen to move on.  They were missing
something.  I'm sure after reflecting on it, and if they didn't reflect
they were told by ASIO, the police, and the ASD this would be very well
guarded facility, and the people who do it have a very good track
record government secrets (the BOM hack [2] and missing filing cabinets
notwithstanding [3]).  Indeed, I have no doubt no effort will be spared
once they realise what they have created.

Perhaps unbeknowns to them, they will create something worth a huge
amount of money.  Knowing trade secrets is worth millions, as is
knowing what the reserve bank governor will say tomorrow. Knowing a BHP
takeover is about to happen is worth billions.  Knowing all these
things without anybody knowing you know gives you the potential to earn
trillions before you destroy the economy.

Still, there are other unimaginable things, right?  What is in Fort
Knox is unimaginable, or at least was once.  Yet they kept it safe.  It
was safe because blowing a hole in Fort Knox is bound to be noticed by
a whole pile of people, some of whom couldn't be corrupted for love or
money.  And even if the hole wasn't noticed, someone is probably going
to notice the gold is gone and the hounds would be unleashed in very
short order.

Nobody has to blow a hole in ASIO to use this thing.  The reality is
the companies they compel will want as little to do with it as
possible.  When the duly authorised important man pushes the button to
infect someone with a tap, that will probably be the last human
involved in the chain.  Thereafter it will be managed by software. 
Probably proprietary software our government, LEA's and judges will
never be allowed to see.  In fact not just software, but software
stacks with each level written by lots of different programmers in
different countries, all running in monolithic kernels where every line
of code has access to everything.  It will be big complex code with
bugs, bugs that must be patched regularly. If the price of any one of
these people is found and they send a copy of some data somewhere, no
one will know.  Unlike Fort Knox, data doesn't change when it is
copied. 

The thing they didn't notice is they are vulnerable to the same attack
they are proposing to use on us.  The feature they probably love -
being able to launch it from the safety of an office also applies.  The
attackers probably won't be within reach of their laws, as it can come
from anywhere on the planet.  Or possibly their own home router, hacked
with EternalBlue.  And the reward for pull this off this is almost
unimaginably huge.

Since I wrote this to give you ammunition, I have one final round to
add.  A common retort from the LEA's is: well we need this information,
do you know of any other way to get it.  The answer they usually get is
"no".  A "yes" answer is: add one more element to the legislation. 
Make mandatory to get physical access to the device to install your
taps.  It could be a USB connection, opening it and shorting a pin, a
special NFC device.  It doesn't matter.  What matters is it requires
several people to cooperate with the venture to effect something in the
real world, something that could be noticed.  You will be able to do it
once or twice and not be noticed: but doing it enough to break an
entire country is near impossible.



[0] https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195

[1] http://parlview.aph.gov.au/mediaPlayer.php?videoID=427993 (downloadable)

[2] https://www.abc.net.au/news/7923770

[3] https://www.abc.net.au/news/9168442