[Linux-aus] Encryption bill and open source

Russell Stuart russell-linuxaus at stuart.id.au
Fri Dec 7 11:15:32 AEDT 2018 

On Fri, 2018-12-07 at 08:19 +1000, Paul Gear via linux-aus wrote:
> Is there still time to call our MPs?  (Not being a mainstream news
> watcher/reader, I don't know the best source to find this out.)

The bill has been passed by both houses without Labor's promised
amendments, so for example there is no definition of what a systemic
weakness might be.  It is now effectively law.  Any efforts you make
will be to get the law changed.

> The measures will be ineffective, because the terrorists and
> paedophiles will switch to technologies not covered by Australian
> law.

This is harder than you might expect.  The issue is software comes in
stacks, and generally bits lower down in the stack have access to
everything above them.

For example, you might decide to use Signal instead of Google Hangouts
because while Google has a presence in Australia and will almost
certainly comply with any legal request, Signal is open source, not
based in Australia, and Moxie Marlinspike seems a man of some
conviction.

The problem is Signal runs in Android's JVM, and so uses java libraries
provided by Google to read the keyboard and display the messages.  OK,
so we will re-write Signal to use its own libraries.  But you are still
running in the JVM, so all data will be visible to that.  OK, so you
re-write it in C.  In that case you will be using the C POSIX library
(as was the JVM and the Java Libraries), and it has access to
everything.  So bugger it, my new Signal application won't use a
library - it will talk directly to the kernel.  Well, Google controls
the kernel.

So I will build my own kernel.  I'm not sure what happens in ARM land,
but in Intel land the CPU runs it's own kernel in the Management
Engine. (ARM provides similar kernels running in what they call a Trust
Zone, but I'm not familiar with them.)  The whole point of this
Management Engine is to allow the sysadmin to take over the machine
when the OS fails.  It's sees the screen, keyboard, allows you to load
firmware and modify disks.

This stuff is _very_ hard to escape.  But lets say you put in a guts
effort and create your own secure world with a dumb TV, driving a VW
Beetle without a radio, and of course no internet connection because
you can't trust the modem in whatever NTU you have to use.  The
problems remains that you have to interact with others, and when you
talk to them their devices can record you say, when you see them they
can video you, when you email them their can read your emails, when you
travel with them their GPS will know the position of your phone MAC
address and bluetooth.  The root cause is communication of this has two
endpoints, and you can only secure yours.  We sink or swim together on
this one.

> The measures put IT companies based in Australia at a competitive
> disadvantage.

This is a serious issue.  The senate committee heard testimony from Mr
Andrew Wilson, Chief Executive Officer of Senetas.  It was his
testimony I posted a link to earlier.  Senetas makes encryption
equipment that is exported around the world.  It is used by the Israeli
parliament, for example.

The one thing a company that exports equipment to people like the
Israeli's is the possibly of a foreign government controlled back door
inserted into their equipment. One of the suppliers to Senetas wrote a
submission effectively saying "hey, you could send these guys broke,
and that would break me too".

The committee didn't sound particularly sympathetic, and given the bill
was passed without amendments I guess they weren't.  I presume the
attitude is "maybe it's true, maybe not, but its not a big deal.  If we
end up sending a few firms broke we can always patch the bill".

That's an attitude you should share.  The law is not something set in
stone.  In particular politicians are the people who change the laws -
it's their day job.  To them it's not so much stone as putty that can
be moulded, sculptured and refined.  The first attempt is never the
final attempt.

Finally, here is are of some of people who took the time out of their
day to appear before an Australian Senate committee and be grilled.  I
don't know what they said (the video of their testimony is available
online if you are interested), but my guess is they were all ignored:

    
- Mr Matthew Carling, Cisco, Security Architect
- Mr Daniel J. Weitzner, Founding Director – MIT Internet Policy Research Initiative
- Mr Martin Thomson, Member, Internet Architecture Board
- Dr Elizabeth Coombs, University of Malta, UN Rapporteur on privacy

More information about the linux-aus mailing list