Slashdot Mirror


Australia To Compel Technology Firms To Provide Access To Encrypted Missives (reuters.com)

Australia on Friday proposed new laws to compel companies such as U.S. social media giant Facebook and device manufacturer Apple to provide security agencies access to encrypted messages. From a report: The measures will be the first in an expected wave of global legislation as pressure mounts on technology companies to provide such access after several terror suspects used encrypted applications ahead of attacks. Australia, a staunch U.S. ally, is on heightened alert for attacks by home-grown radicals since 2014 and authorities have said they have thwarted several plots, although Prime Minister Malcolm Turnbull said law enforcement needed more help. "We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Turnbull told reporters in Sydney. "The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm."

3 of 230 comments

  1. Funny this is from Australia... by rkhalloran · Score: 3, Interesting

    IIRC, the Bouncy Castle crypto package, developed to get around the 90's US export controls on strong ciphers, originates from Down Under. Funny their govt is now expecting developers to install Magic Good-Guys-Only Backdoors into their software so the Five-Eyes Panopticon can snoop as wanted.

  2. Re: Obvious response of technology firms by swillden · Score: 3, Interesting

    Apple does that already. It was an engineering solution to a legal problem.

    It's the obvious and predictable response of a security engineer.

    However, I don't think Apple has actually fixed that "hole" yet. What the FBI was asking them to do was to provide an updated version of the firmware which bypassed the brute force mitigations on password checks. There was much discussion back then about which iPhone versions have the "secure enclave" and which don't, but the secure enclave also has updatable firmware.

    However, there are ways to fix this, and I suspect that Apple is working on one for the iPhone8. I think the best solution (and I should note that my day job is Android crypto security, so I've given it more than a passing thought) is to make the firmware update process require that the user first unlock the device. There are a variety of ways to do that, and make the requirement cryptographically strong.

    It should be noted that this is a general-purpose security feature, not one specifically targeted at securing against law enforcement. Without it, the security of user data can never be stronger than the internal access controls around the firmware signing key. Any employee or group of employees who have access to that key (or anyone who can bribe, extort or otherwise coerce said employees) can sign new firmware that can erode the security. The fact that it was a government attempt to coerce them to do it doesn't mean the government is the only entity who could. It's much better for user security if no one can.

    Really, if Apple had a backdoor, or was forced to make one for the Gov, I guarantee that Apple would be forced to build an entire building that holds nothing but staff to respond to these requests 24/7.

    Not true. If Apple (or any other company) were forced to build a government backdoor, most likely it would be the government that holds the keys, so Apple would never be involved in any of the government accesses.

    Honestly, if you had a government agency that you could trust enough, such as the courts themselves, maybe, this might not be such a bad approach. That's a really, really big "if", though. The technical challenges in securing such high-value keys are not insurmountable, but they're very high, and if the keys leak, the damage to the companies who make the affected devices would be huge. Further, at least in the US the organization we would most trust to get the technical design and implementation right, the NSA, is the organization we'd want to keep furthest from the whole thing. And even if all of the technical infrastructure was perfect, then the agency would also have to make sure that its processes for approving access are airtight and have adequate oversight to prevent abuse.

    Yeah... let's just not go there. Police work is only easy in a police state, and we don't want a police state.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
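
The update gate described in the comment above, sketched as an added example (not code from the commenter, Apple or Android): a toy secure element installs firmware only when the image is vendor-signed and the user has unlocked, and passcode guesses made through the update path count against the same retry limit. The class, the constants and the HMAC stand-in for an asymmetric vendor signature are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the vendor signing key. A real device verifies an
# asymmetric signature; HMAC keeps this sketch standard-library only.
VENDOR_KEY = b"constructed-vendor-signing-key"
MAX_ATTEMPTS = 5  # hypothetical brute-force limit


def vendor_sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


class SecureElement:
    """Toy model: firmware changes only with vendor signature AND user unlock."""

    def __init__(self, passcode: str, firmware: bytes):
        self._salt = os.urandom(16)
        self._verifier = self._stretch(passcode)
        self._failed = 0
        self.firmware = firmware

    def _stretch(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def _user_unlocked(self, passcode: str) -> bool:
        # Guesses made through the update path count against the same limit.
        if self._failed >= MAX_ATTEMPTS:
            return False
        ok = hmac.compare_digest(self._stretch(passcode), self._verifier)
        self._failed = 0 if ok else self._failed + 1
        return ok

    def update(self, image: bytes, signature: bytes, passcode=None) -> str:
        if not hmac.compare_digest(vendor_sign(image), signature):
            return "rejected: bad signature"
        if passcode is None or not self._user_unlocked(passcode):
            return "rejected: user unlock required"
        self.firmware = image
        return "installed"


def demo() -> list:
    se = SecureElement("2580", b"fw-1.0")
    unwanted = b"fw-no-retry-limit"  # constructed: validly signed, not user-approved
    return [
        se.update(unwanted, vendor_sign(unwanted)),            # signing key alone
        se.update(b"fw-1.1", b"\x00" * 32, "2580"),            # unlock alone
        se.update(b"fw-1.1", vendor_sign(b"fw-1.1"), "2580"),  # both present
        se.firmware,
    ]
```
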

  3. Re:Here's a thought.... by GameboyRMH · Score: 3, Interesting

    I'm aware that Ward Churchill has fraudulently claimed that the 1837 outbreak was caused by an attempt at genocide by the US military using plague blankets. However, that was not the only incident. In fact there is hard evidence of intentional genocide using plague blankets as bioweapons against the native Americans by the British military.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel