141 points by alfiedotwtf 5 days ago
If you're wondering why this kind of thing happens all the time in Australia, the late Donald Horne summed it up beautifully in the 1960s:
"Australia is a lucky country run mainly by second rate people who share its luck" 
Australia has many intelligent, brilliant people. For some reason, the design of our political system results in almost none of them getting into Government. This awful, fundamentally flawed law (literally only passed into law because our opposition was terrified of being called "soft on crime" in the media over Christmas) is just one in a long line of disappointments.
Don't worry, that pretty much describes all of western government. If they aren't trying to spy on their own people, they're getting into slapfights over social media corporations or invading random third world countries
"Democracy is the worst form of government, except for all the others"
From a selfish American-centric perspective, sometimes it feels like different west-aligned countries/regions use these attempts as test beds to gauge acceptableness in other countries/regions.
I worry "grand conspiracy" views distract from the problem of public opinion often being in favor of the bad ideas.
After Snowden I had a couple people I barely knew comment to me something like I should "stop there from being more Snowdens" as a software developer, since they saw it in very simplistic terms as "my country = good, this guy = sabotaging my country" but I didn't run into anyone offline who shared the privacy-conscious reaction with me.
I think that explains why these things pop up everywhere much more simply. And without changing that perception, the other battles seem like losing fights.
> I worry "grand conspiracy" views distract from the problem of public opinion often being in favor of the bad ideas.
The cynic in me is not concerned because I feel public opinion can be swayed and/or the issue is not the biggest/most-important issue in representative democracies. I admit being overly cynical on the importance of public opinion and therefore my disagreement efforts manifest more in counteracting technologies than politicking (and even then, the efforts are little and of limited consequence).
Isn't that exactly what has happened here? IIRC there was a Five Eyes get together not too long ago where they all decided this was the direction they should follow and Australia would take the lead.
See also https://independentaustralia.net/life/life-display/queenslan...
I'm from Italy originally, and visited Australia several times.
Your comment could be applied to Italy verbatim :(
Maybe. But I really-really wish we had Australia’s STV system here in the USA.
What is Australia's STV system? I went Googling a bit, and the only quick hit was https://en.wikipedia.org/wiki/STV_(TV_station) , which seems unlikely to be what you meant.
erentz was probably referring to the single transferable vote system (https://en.wikipedia.org/wiki/Single_transferable_vote), which uses a ranked ballot in elections and results in relatively proportional representation. CGP grey explains it pretty well: https://www.youtube.com/watch?v=l8XOZJkozfI
Thanks! That makes much more sense than a TV station.
Something interesting about this is that proper code management practices would mean there would have to be a chain-of-command having knowledge of the need for a specific code commit that targets a single user with a surveillance backdoor.
Could an approached employee say "I have to run this past software engineer X" before it will even be allowed to commit, so software engineer X is read-in, but he has to get auth from Middle Manager Y, and so on. The more people who are read-in, the more chance there is of a leak or someone overhearing a conversation or people questioning a stream of progressively higher-tiered employees being brought into a meeting with strange men wearing sunglasses, fedoras, with knife-sharp pleats in their slacks, and using company meeting rooms like they own the place.
This is making assumptions about the quality of company Z's code publishing process, but I'd be guessing that there would be a lot more "targets" using popular software from big vendors that have these QA processes in place.
The other interesting thing about this is that it may spur far more interest in both using and regularly auditing open source software. Proprietary software is far more at risk of losing reputation in this situation simply because of its opacity.
Also, what exactly happens if the code is worked on in teams and/or available for any people in the company (and it sure is), and if another developer questions the committed code or attempts to change or remove it? Does such code gets explicitly painted "don't remove, don't edit, don't ask any questions"? Suddenly we get code in our product that nobody cannot talk about, nobody should understand, and nobody can fix if it introduces any other bugs into the product.
It's a complete disaster.
"Does such code gets explicitly painted "don't remove, don't edit, don't ask any questions"
This would flag the code as 'interesting' to any other members of the development team, and it would likely make it obvious which account is being specifically targeted, which works against the secrecy required of the whole thing.
This is based on a false premise, that the Govt will ask developers, and that they would care if it is difficult/infeasible/impossible to actually complete.
In reality, they issue a notice to the company, give them a timeframe, and expect it to be done. They don’t care about the intricacies of git.
The law explicitly allows them to target individuals. I don't believe that they gave themselves this power for no reason -- it's much easier to coerce an individual developer (who doesn't have fancy legal council) than force a company to do something. I'm sure they'll do it both ways of course, but I disagree that they'll only target companies.
I also think they would normally approach this top-down. The provision to target individuals might have been added just for the odd case were the normal approach is not feasible.
I still wonder how this law doesn't go against individual rights provided by the Constitution or other fundamental laws.
Either way this law is hilariously clueless and extremely worrying at the same time.
That's a mischaracterization. Any type of entity can be targeted, but not any agent. That's an important distinction to stop people acting as private individuals on their own time from being exempt from the law.
Not that I think this will work—it wont in the long run—but I'd rather argue against the strongest case of an argument.
According to Sect 317C, a "designated communications provider" includes:
A person is a designated communications provider if ...
6. the person develops, supplies or updates software used, for use, or likely to be used, in connection with:
(a) a listed carriage service; or
(b) an electronic service that has one or more end-users in Australia
... and the eligible activities of the person are ...
(a) the development by the person of any such software; or
(b) the supply by the person of any such software; or
(c) the updating by the person of any such software
The difference between can and will be is huge.
Look at it from their point of view... they approach some developer and it's amateur hour. The dev might get stroppy, there's all sorts of infrastructure problems, they might not do it right... it's a mess.
But if they approach the CEO, it gets done right. The CEO brings in Legal, who promptly shit themselves. They bring in the CTO, who is told to shut up, sign this NDA, and work out how to make this happen as fast and painlessly as possible. No problems, the bad things get done, no-one gets told anything, all good. Shit continues to roll downhill...
But now you have a dozen or more people who know what's happening and we all know, three people can keep a secret if two of them are dead.
I'm not sure the point is actually to keep it secret, but (as with all government "services") to cover the arse.
Also, if you were an employee in a company in this situation, and you'd been told that the security of the nation depended on your silence, and more to the point, you'd be locked up and your career ruined if you went public, what would you do? Whistleblowers are pretty rare, because the consequences of doing that are huge.
It also applies to former employees. Yes, you can be asked to hack into previous job's systems
Wait... would this also apply to foreign developers who travel to Australia for their vacation?
Like any law, it applies to those that Australia has jurisdiction over. Visitors to Australia are under the jurisdiction of Australian law.
Which means that the developer will be asked to stick a USB stick on a server, or pick a certain RNG; not submit a PR on a dumb backdoor such as described in this ... rant I guess.
Companies, of course, are already cooperating. For petes sake, all you need to do is talk to a couple of admins in the Bay Area to know what alphabet soup are visiting what companies (pro tip: basically all of them).
The most likely thing is going to be that Apple is going to be asked to allow police devices to be added to a user's iMessage account without alerting the user (but giving them access to their messages).
The real problem is that the law allows them to ask an individual to become a saboteur and it's unclear if you had a system that was explicitly resilient to such attacks (signed GPLv3 code with a threshold signing scheme with each key owned by people under different jurisdictions) whether you would be forced to dismantle such a system.
I think we'll need to start rethinking threat models.
You're "reality" doesn't match the historical record how FVEY agencies work. Programs like the NSA's BULLRUN or GCHQ's EDGEHILL are well funded ($B/yr) target individuals, companies, standards committees, and anything else that serves the purpose of preventing or compromising encryption.
One well documented example where individuals were "tasked" (spy on) directly is the compromise of satellite ISP Stellar:
> The document lists "key staff" at the company. The document states they should be identified and "tasked." "Tasking" somebody in signals intelligence jargon means that they are to be targeted for surveillance. In addition to CEO Christian Steffen, nine other employees are named in the document.
The shock on the IT chief's face when he saw his name in an NSA document...
I may have phrased it badly, but my point wasn't that they would/could not target individuals, but more that they don't really care about their capacity as developers; more that these people are simply government implants in the target org, and that whether they are unable to provide the capability through ordinary channels is simply irrelevant.
If the Govt strongarms a developer into implanting a backdoor, they won't care that they can't do it without breaking company policy or QA or workflow or even the law, because they cease to be primarily an employee, and become an asset of ASIO.
This is why I'm choosing to stick to the term commandeering
Yeah you just go to the CEO or legal counsel, threaten loss of licenses, seizure of personal assets
CEO or legal counsel? They can directly compel current and former individual employees:
Former employees? So you can't even resign? WTF?
But the problem remains the same: how do you keep it a secret? How does the backdoor not get leaked immediately to the press, to the customers of the software, etc?
Sure, this strategy may work in China but Australia is a Western nation where freedom is taken seriously.
Edit later: by 'freedom taken seriously I mean by the people, not by the government.'
That’s the carefully cultivated reality distortion field at work.
It may look that way from the outside, but it’s a tightly controlled, aging and fearful society. Anyone who steps out of line is dealt with harshly and swiftly. The government may loosen the leash on those who align with their political philosophy (so figures who vilify vulnerable groups are given a bit of freedom under the current government) but the jackboot of the state isn’t far away.
Re your edit: there is compulsory voting, so the people obviously like it that way.
> where freedom is taken seriously.
>Australia is a Western nation where freedom is taken seriously.
Oh, you sweet summer child.
See also https://old.reddit.com/r/programming/comments/a3kk7u/austral...
and for a laugh at the sad state of affairs https://www.youtube.com/watch?v=eW-OMR-iWOE
Interesting comment on that thread. Since all Australian SSL certs are now compromised (we must assume that), shouldn't all Australian certifying authorities be de-trusted?
There are none. https://ccadb-public.secure.force.com/mozilla/IncludedCACert...
Not true. Symantec have offices in Australia
Now question is who with Australian passport work there and have access to keys.
This legislation has support from both major parties, it's set to pass either this week or next. I don't know why Google, Facebook, Tesla, Microsoft, Atlassian and other big tech companies with investments in Australia don't push back. Nothing pressures Australian politicians more than an advertising campaign. The mineral resources industry spent just $8m on advertising to prevent a new mining tax that would have cost them several billion dollars. Better yet, as the Government is currently being held together by a few minority seats just spend a few hundred thousand in the most at risk seats. That alone would be enough to completely abandon or water down this legislation.
The legislation has already passed both houses, and is headed for Royal Assent. They'd need to repeal it, and given that Labor unanimously voted for it, I have no doubt it's never going to be repealed.
It passed earlier today, it's law now.
It's not law until it gets Royal Assent, but yes it's passed both houses and will be law very shortly.
As an Australian Dev living in the U.K. this is absolutely terrifying. I'm compelled to somehow deploy a backdoor at whatever company I'm working for if they have a single Australian user on threat of jail time???
You are not bound to the laws of Australia in the UK. Foreign nationals in Australia are. That being said, this is coming to the UK too.
Yes he is, and at risk of a felony charge waiting for him if he returns to Aus. Not sure about extradition but I assume that could be on the table too.
So in short, don't hire Australian employees because they may be compelled to spy on my business by their government.
Isn't this the exact thing that China has in law that is causing everyone to dump Huawei over?
This is probably the reason they want to dump Huawei.
Much easier to subvert technology produced locally or in allied countries (and the other Five Eyes members will undoubtedly adopt similar laws soon, if they haven't already).
> other Five Eyes members will undoubtedly adopt similar laws soon, if they haven't already
Exactly. For those getting wound up over this in other western countries - Australia is often used as a testing ground for this kind of legislation. It will be your country next.
> Australia is often used as a testing ground for this kind of legislation.
I didn't know that. Can you mention any notable examples?
It's the cypherpunk future I've always dreamed of.
The Chinese legislation you refer to is much more expansive in scope as it is not limited to "communications providers". Refer to  and .
Atlassian's an AUS company. Let's say I store code on Bitbucket, or I use Atlassian's hosted Confluence service.
Does this mean Atlassian might have to notify the AUS government when I change my code, or add something to my Confluence pages? Or that they might have to secretly change my code (which means I'd have to carefully check it all the time for changes)? What if I self-host Confluence? Could a software upgrade contain a backdoor that sends my Confluence data to the AUS gov?
Not that I give a damn if the AUS gov looks at my stuff, but that's completely beside the point. These appear to be real possibilities with this law, and I hope Atlassian and other AUS companies address them.
Yep, Atlassian headquarters are in Sydney, so they could be issued a Technical Assistance Request to covertly undermine any repo they host (or have indirect control over via pushing out software updates).
While they could potentially be asked to change your code stored in Bitbucket, Git will refuse to pull if the commit hashes in Bitbucket don't match your local copy, so I don't think intelligence agencies are likely to request this as it is too easily detected.
I predict altering the binaries would be a better way for intelligence agencies to covertly inject a "capability" into your software. E.g. they could ask Atlassian to introduce a hidden code injection step as part of Bitbucket Pipelines, which would be very difficult to detect unless you have deterministic builds and manually verify the output.
Aside from your code, I expect intelligence agencies would be very interested to read your product's issue tracking database (all those "minor" security vulnerabilities that your team knows they should fix someday but don't have time for right now).
And for more clarity on the commandeering bit:
Could this be a threat to open source software? If they require developers to insert backdoors to decrypt data, and the company uses open source software for security, how do we know they won’t attempt to weaken it? Most open source projects don’t have the resources or manpower to review every commit, especially when the person submitting is prevented from disclosing their true purpose and under threat from their government. This could be a threat to companies all around the world that use OSS.
This threat to free and open source software isn't new. Governments have been trying to sneak vulnerabilities for a long time now.
What is new is an army of people who will now be forced to make a choice between making and submitting destructive patches and facing penalties and jail.
Incidentally, all of these people are the ones who are subject to Australian law. I feel sorry for them, but I expect that, as an effect of this legislation, many people will stop accepting submissions from these people to keep their software secure - be it proprietary programs or free software.
Has anyone worked at a company where Change Management was so good that there was no possible backdoor? Every system change would have to be approved by at least one other engineer and there is no ssh/sudo access on production systems?
So far my impression is that all that is required is to gain access to Jenkins one way or another and you have the keys of the whole infrastructure.
There's never no possible backdoor, but yes I think in order to effectively do this and not involve my whole company like the article described you may have to have to involve Intel (and AMD is coming back, so them too) to go all "trusting trust" on this problem. And even then people may notice that their FDO profiles seem to be broken, and other "huh, that's funny".
Also other shops that actually obey SOX, and actually care about two-key systems (or multi-key) will not be able to keep this a secret.
The same protections that work for SOX and "sysadmins kid was kidnapped and they demand a backdoor be inserted" will work for this.
Sure, companies that protect against none of these will fail. But if you actually have systems in place to protect against "rogue employee" then this kind of order requires breaking ALL of these systems. I expect most companies to have no such systems, but the important ones do.
It seems like a work-around for an Australian company would be to always have a non-Australian employee have final say in what's deployed to production.
Now you have to fire him to deploy the backdoor. I expect the law doesn't require you to fire people. Even if it does, he or she is not bound by the gag order and could be a canary to the rest of the world.
> Now to time management. When do these taps actually get done? In today’s micromanaged Agile-Scrum-Kanban environment, every minute is tracked, and tracked to JIRA tickets.
Whatever happened to Agile as "we have come to value: Individuals and interactions over processes and tools" ??