
Commandeering Australian citizens to become spies - alfiedotwtf
https://twitter.com/alfiedotwtf/status/1070047303275175936
======
stephen_g
If you're wondering why this kind of thing happens all the time in Australia,
the late Donald Horne summed it up beautifully in the 1960s:

"Australia is a lucky country run mainly by second rate people who share its
luck" [1]

Australia has many intelligent, brilliant people. For some reason, the design
of our political system results in almost none of them getting into
Government. This awful, fundamentally flawed law (literally only passed into
law because our opposition was terrified of being called "soft on crime" in
the media over Christmas) is just one in a long line of disappointments.

[1] [https://en.wikipedia.org/wiki/The_Lucky_Country](https://en.wikipedia.org/wiki/The_Lucky_Country)

~~~
kodablah
From a selfish American-centric perspective, sometimes it feels like different
west-aligned countries/regions use these attempts as test beds to gauge
acceptableness in other countries/regions.

~~~
majormajor
I worry "grand conspiracy" views distract from the problem of public opinion
often being in _favor_ of the bad ideas.

After Snowden I had a couple people I barely knew comment to me something like
I should "stop there from being more Snowdens" as a software developer, since
they saw it in very simplistic terms as "my country = good, this guy =
sabotaging my country" but I didn't run into anyone offline who shared the
privacy-conscious reaction with me.

I think that explains why these things pop up everywhere much more simply. And
without changing that perception, the other battles seem like losing fights.

~~~
kodablah
> I worry "grand conspiracy" views distract from the problem of public opinion
> often being in favor of the bad ideas.

The cynic in me is not concerned because I feel public opinion can be swayed
and/or the issue is not the biggest/most-important issue in representative
democracies. I admit being overly cynical on the importance of public opinion
and therefore my disagreement efforts manifest more in counteracting
technologies than politicking (and even then, the efforts are little and of
limited consequence).

------
BLKNSLVR
Something interesting about this is that proper code management practices
would mean there would have to be a chain-of-command having knowledge of the
need for a specific code commit that targets a single user with a surveillance
backdoor.

Could an approached employee say "I have to run this past software engineer X"
before it will even be allowed to commit, so software engineer X is read-in,
but he has to get auth from Middle Manager Y, and so on. The more people who
are read-in, the more chance there is of a leak or someone overhearing a
conversation or people questioning a stream of progressively higher-tiered
employees being brought into a meeting with strange men wearing sunglasses,
fedoras, with knife-sharp pleats in their slacks, and using company meeting
rooms like they own the place.

This is making assumptions about the quality of company Z's code publishing
process, but I'd be guessing that there would be a lot more "targets" using
popular software from big vendors that have these QA processes in place.

The other interesting thing about this is that it may spur far more interest
in both using and regularly auditing open source software. Proprietary
software is far more at risk of losing reputation in this situation simply
because of its opacity.

P.S.

[https://blog.cryptoaustralia.org.au/2017/03/21/run-your-end-...](https://blog.cryptoaustralia.org.au/2017/03/21/run-your-end-to-end-encrypted-chat-server-matrix-riot/)

~~~
phoe-krk
Also, what exactly happens if the code is worked on in teams and/or available
to any people in the company (and it sure is), and if another developer
questions the committed code or attempts to change or remove it? Does such
code get explicitly painted "don't remove, don't edit, don't ask any
questions"? Suddenly we get code in our product that nobody can talk about,
nobody should understand, and nobody can fix if it introduces any other bugs
into the product.

It's a complete disaster.

~~~
BLKNSLVR
_"Does such code get explicitly painted "don't remove, don't edit, don't ask
any questions"?"_

This would flag the code as 'interesting' to any other members of the
development team, and it would likely make it obvious which account is being
specifically targeted, which works against the secrecy required of the whole
thing.

------
vermilingua
This is based on a false premise, that the Govt will ask _developers_ , and
that they would care if it is difficult/infeasible/impossible to actually
complete.

In reality, they issue a notice to the company, give them a timeframe, and
expect it to be done. They don’t care about the intricacies of git.

~~~
cyphar
The law explicitly allows them to target individuals. I don't believe that
they gave themselves this power for no reason -- it's much easier to coerce an
individual developer (who doesn't have fancy legal counsel) than force a
company to do something. I'm sure they'll do it both ways of course, but I
disagree that they'll only target companies.

~~~
3pt14159
That's a mischaracterization. _Any type of entity_ can be targeted, but not
_any agent_. That's an important distinction to stop people acting as private
individuals on their own time from being exempt from the law.

Not that I think this will work—it won't in the long run—but I'd rather argue
against the strongest case of an argument.

~~~
cyphar
According to Sect 317C, a "designated communications provider" includes:

    A person is a designated communications provider if ...

    6. the person develops, supplies or updates software used, for use, or likely to be used, in connection with:

      (a) a listed carriage service; or
      (b) an electronic service that has one or more end-users in Australia

    ... and the eligible activities of the person are ...

      (a) the development by the person of any such software; or
      (b) the supply by the person of any such software; or
      (c) the updating by the person of any such software

So individuals can definitely be targeted -- it's specifically in the bill. In
your parlance, all individuals that "develop, supply, or update software that
is likely to be used by an electronic service that has one or more end-users
in Australia" are _entities_ and not _agents_. They are defined to be a
"designated communications provider" and the same rules apply to them as any
other "designated communications provider".

~~~
marcus_holmes
The difference between can and will is huge.

Look at it from their point of view... they approach some developer and it's
amateur hour. The dev might get stroppy, there's all sorts of infrastructure
problems, they might not do it right... it's a mess.

But if they approach the CEO, it gets done right. The CEO brings in Legal, who
promptly shit themselves. They bring in the CTO, who is told to shut up, sign
this NDA, and work out how to make this happen as fast and painlessly as
possible. No problems, the bad things get done, no-one gets told anything, all
good. Shit continues to roll downhill...

~~~
celticninja
But now you have a dozen or more people who know what's happening and we all
know, three people can keep a secret if two of them are dead.

~~~
marcus_holmes
I'm not sure the point is actually to keep it secret, but (as with all
government "services") to cover the arse.

Also, if you were an employee in a company in this situation, and you'd been
told that the security of the nation depended on your silence, and more to the
point, you'd be locked up and your career ruined if you went public, what
would you do? Whistleblowers are pretty rare, because the consequences of
doing that are huge.

~~~
alfiedotwtf
It also applies to _former_ employees. Yes, you can be asked to hack into a
previous job's systems.

------
nicwilson
See also
[https://old.reddit.com/r/programming/comments/a3kk7u/austral...](https://old.reddit.com/r/programming/comments/a3kk7u/australian_programmers_could_be_fired_by_their/)

[https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...](https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195)

and for a laugh at the sad state of affairs
[https://www.youtube.com/watch?v=eW-OMR-iWOE](https://www.youtube.com/watch?v=eW-OMR-iWOE)

~~~
jjgreen
Interesting comment on that thread. Since all Australian SSL certs are now
compromised (we must assume that), shouldn't all Australian certifying
authorities be de-trusted?

~~~
g45y45
There are none. [https://ccadb-public.secure.force.com/mozilla/IncludedCACert...](https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport)

~~~
yarosv
Now the question is who with an Australian passport works there and has access
to keys.

------
jaketay
This legislation has support from both major parties, it's set to pass either
this week or next. I don't know why Google, Facebook, Tesla, Microsoft,
Atlassian and other big tech companies with investments in Australia don't
push back. Nothing pressures Australian politicians more than an advertising
campaign. The mineral resources industry spent just $8m on advertising to
prevent a new mining tax that would have cost them several billion dollars.
Better yet, as the Government is currently being held together by a few
minority seats just spend a few hundred thousand in the most at risk seats.
That alone would be enough to completely abandon or water down this
legislation.

~~~
hannasanarion
It passed earlier today, it's law now.

~~~
cyphar
It's not law until it gets Royal Assent, but yes it's passed both houses and
will be law very shortly.

------
fryry
As an Australian Dev living in the U.K. this is absolutely terrifying. I'm
compelled to somehow deploy a backdoor at whatever company I'm working for if
they have a single Australian user on threat of jail time???

~~~
g45y45
You are not bound to the laws of Australia in the UK. Foreign nationals in
Australia are. That being said, this is coming to the UK too.

~~~
marak830
Yes he is, and at risk of a felony charge waiting for him if he returns to
Aus. Not sure about extradition but I assume that could be on the table too.

------
decentralised
So in short, don't hire Australian employees because they may be compelled to
spy on my business by their government.

------
TACIXAT
Isn't this the exact thing that China has in law, the thing that is causing
everyone to dump Huawei?

~~~
peterkelly
This is probably the _reason_ they want to dump Huawei.

Much easier to subvert technology produced locally or in allied countries (and
the other Five Eyes members will undoubtedly adopt similar laws soon, if they
haven't already).

~~~
nineteen999
> other Five Eyes members will undoubtedly adopt similar laws soon, if they
> haven't already

Exactly. For those getting wound up over this in other western countries -
Australia is often used as a testing ground for this kind of legislation. It
will be your country next.

~~~
ByThyGrace
> Australia is often used as a testing ground for this kind of legislation.

I didn't know that. Can you mention any notable examples?

~~~
nineteen999
[https://en.wikipedia.org/wiki/Internet_censorship_in_Austral...](https://en.wikipedia.org/wiki/Internet_censorship_in_Australia#Proposed_mandatory_filtering_legislation)

------
dreamcompiler
Atlassian's an AUS company. Let's say I store code on Bitbucket, or I use
Atlassian's hosted Confluence service. Does this mean Atlassian might have to
notify the AUS government when I change my code, or add something to my
Confluence pages? Or that they might have to secretly change _my_ code (which
means I'd have to carefully check it all the time for changes)? What if I
self-host Confluence? Could a software upgrade contain a backdoor that sends
my Confluence data to the AUS gov?

Not that I give a damn if the AUS gov looks at my stuff, but that's completely
beside the point. These appear to be real possibilities with this law, and I
hope Atlassian and other AUS companies address them.

~~~
anjsimmo
Yep, Atlassian headquarters are in Sydney, so they could be issued a Technical
Assistance Request to covertly undermine any repo they host (or have indirect
control over via pushing out software updates).

While they could potentially be asked to change your code stored in Bitbucket,
Git will refuse to pull if the commit hashes in Bitbucket don't match your
local copy, so I don't think intelligence agencies are likely to request this
as it is too easily detected.

I predict altering the binaries would be a better way for intelligence
agencies to covertly inject a "capability" into your software. E.g. they could
ask Atlassian to introduce a hidden code injection step as part of Bitbucket
Pipelines, which would be very difficult to detect unless you have
deterministic builds and manually verify the output.

Aside from your code, I expect intelligence agencies would be very interested
to read your product's issue tracking database (all those "minor" security
vulnerabilities that your team knows they should fix someday but don't have
time for right now).
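As an added illustration of the two checks raised in this comment (it is not code from the thread), the Python below models Git's content addressing, so that a server-side rewrite of an existing commit changes its id and the local clone can no longer fast-forward, and the plain hash comparison that a deterministic build makes possible against a pipeline-produced artifact. The blob, tree and commit encodings follow Git's loose-object format; the file contents, history and author line are constructed.

```python
import hashlib
from typing import Dict, Optional, Tuple

def git_object_id(obj_type: str, payload: bytes) -> str:
    """SHA-1 over '<type> <size>\\0<content>', the way Git names blobs, trees and commits."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def tree_id(entries: Dict[str, Tuple[str, str]]) -> str:
    """Single-level tree object: file name -> (mode, blob id), entries sorted by name."""
    body = b""
    for name in sorted(entries):
        mode, blob_oid = entries[name]
        body += f"{mode} {name}\0".encode() + bytes.fromhex(blob_oid)
    return git_object_id("tree", body)

def commit_id(tree_oid: str, parent: Optional[str], ident: str, msg: str) -> str:
    """Commit object: tree, optional parent, author/committer, blank line, message."""
    lines = [f"tree {tree_oid}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {ident}", f"committer {ident}", "", msg]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def is_fast_forward(local_head: str, remote_tip: str,
                    remote_parents: Dict[str, Optional[str]]) -> bool:
    """A pull fast-forwards only if local HEAD is the remote tip or one of its ancestors."""
    cur: Optional[str] = remote_tip
    while cur is not None:
        if cur == local_head:
            return True
        cur = remote_parents.get(cur)
    return False

def artifact_matches(reproduced_build: bytes, downloaded_build: bytes) -> bool:
    """Deterministic-build check: the locally reproduced binary must hash identically."""
    return hashlib.sha256(reproduced_build).digest() == hashlib.sha256(downloaded_build).digest()

IDENT = "Dev <dev@example.invalid> 1544000000 +1100"  # constructed author/committer line

def rewritten_history_scenario() -> Dict[str, object]:
    """Constructed history: the host rewrites the file in commit 1, then a normal commit 2 follows."""
    original = git_object_id("blob", b"print('hello')\n")
    c1 = commit_id(tree_id({"app.py": ("100644", original)}), None, IDENT, "initial")
    altered = git_object_id("blob", b"print('hello')\nprint('extra')\n")  # same commit, changed content
    c1_alt = commit_id(tree_id({"app.py": ("100644", altered)}), None, IDENT, "initial")
    c2 = commit_id(tree_id({"app.py": ("100644", altered)}), c1_alt, IDENT, "bump version")
    remote_parents = {c1_alt: None, c2: c1_alt}
    return {"local_head": c1, "remote_tip": c2,
            "commit_id_changed": c1 != c1_alt,
            "fast_forward": is_fast_forward(c1, c2, remote_parents)}
```

The rewritten commit gets a different id, so the local HEAD is no longer an ancestor of the remote tip and a fast-forward pull is refused; a swapped pipeline binary, by contrast, only shows up when a reproduced build is hashed against it.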

------
alfiedotwtf
And for more clarity on the commandeering bit:

[https://twitter.com/alfiedotwtf/status/1070658693409079296](https://twitter.com/alfiedotwtf/status/1070658693409079296)

------
mostlyjason
Could this be a threat to open source software? If they require developers to
insert backdoors to decrypt data, and the company uses open source software
for security, how do we know they won’t attempt to weaken it? Most open source
projects don’t have the resources or manpower to review every commit,
especially when the person submitting is prevented from disclosing their true
purpose and under threat from their government. This could be a threat to
companies all around the world that use OSS.

~~~
phoe-krk
This threat to free and open source software isn't new. Governments have been
trying to sneak in vulnerabilities for a long time now.

What is new is an army of people who will now be forced to make a choice
between making and submitting destructive patches and facing penalties and
jail.

Incidentally, all of these people are the ones who are subject to Australian
law. I feel sorry for them, but I expect that, as an effect of this
legislation, many people will stop accepting submissions from these people to
keep their software secure - be it proprietary programs or free software.

------
zimbatm
Has anyone worked at a company where Change Management was so good that there
was no possible backdoor? Every system change would have to be approved by at
least one other engineer and there is no ssh/sudo access on production
systems?

So far my impression is that all that is required is to gain access to Jenkins
one way or another and you have the keys of the whole infrastructure.

~~~
knorker
There's never no _possible_ backdoor, but yes I think in order to effectively
do this and not involve my whole company like the article described you may
have to involve Intel (and AMD is coming back, so them too) to go all
"trusting trust" on this problem. And even then people may notice that their
FDO profiles seem to be broken, and other "huh, that's funny".

Also other shops that actually obey SOX, and actually care about two-key
systems (or multi-key) will not be able to keep this a secret.

The same protections that work for SOX and "sysadmins kid was kidnapped and
they demand a backdoor be inserted" will work for this.

Sure, companies that protect against none of these will fail. But if you
actually have systems in place to protect against "rogue employee" then this
kind of order requires breaking ALL of these systems. I expect most companies
to have no such systems, but the important ones do.

------
aljungberg
It seems like a work-around for an Australian company would be to always have
a non-Australian employee have final say in what's deployed to production.

Now you have to fire him to deploy the backdoor. I expect the law doesn't
require you to fire people. Even if it does, he or she is not bound by the gag
order and could be a canary to the rest of the world.

------
SideburnsOfDoom
> Now to time management. When do these taps actually get done? In today’s
> micromanaged Agile-Scrum-Kanban environment, every minute is tracked, and
> tracked to JIRA tickets.

Whatever happened to Agile as "we have come to value: Individuals and
interactions over processes and tools" ??

[https://agilemanifesto.org/](https://agilemanifesto.org/)

