«
»

Lies, Damned Lies and National Security

Posted by Jacques Chester on Tuesday, April 15, 2008

So yesterday I lost my temper at a monumentally silly bit of policy making on-the-run by the new ALP government. After that tantrum I learnt that there was both more — and less — than met the eye.

To start with, let’s review what Julia Gillard said yesterday to start the whole shitstorm:

“We want to make sure that they are safe from terrorist attack,” Gillard said. “Part of doing that is making sure we’ve got the right powers to ensure that we can tell if there’s something unusual going on in the system.”

Any changes to the Telecommunications Act would be based on national security and not “an unseemly interest in people’s private emails”.

As I and others pointed out yesterday, companies already have this power. They own the equipment and generally, control of email and web access is a contractual rider. It couldn’t make a difference to detecting terrorism (or indeed any other criminal activity) over what already exists.

I was angry about the proposal, mostly because of the tragic ignorance it highlighted. So I decided to ring my local member’s office. They told me to ring Julia Gillard’s office. Her office told me to ring the Attorney-General’s office. And there I found out what the proposal actually was.

What is Actually Going On

Let’s take a slight detour into the Telecommunications (Interceptions and Access) Act 1979. This Act makes it illegal for an unauthorised person to intercept or listen into stuff being carried over a telecommunications system:

6 Interception of a communication
(1) For the purposes of this Act, but subject to this section, interception of a communication passing over a telecommunications system consists of listening to or recording, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication.

7 Telecommunications not to be intercepted
(1) A person shall not:
(a) intercept;
(b) authorize, suffer or permit another person to intercept; or
(c) do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system.

As you might expect, there’s pages of exceptions. Telco workers testing the line at the local phone node, for example, are exempted; so too coppers clutching a fistful of warrants. But not included are companies watching email passing in and out of their systems.

You see, most companies have a setup like this one:

See that bit in the middle? The filtering-and-maybe-storing bit? The legal question at hand is whether that’s an interception under the terms of the Act. If it is and an employee has somehow evaded signing the standard forms for IT access, then the company is in direct contravention of a fairly serious bit of Federal legislation. If not, no worries.

Instead of letting this come up in some future court case, the government decided simply to legislate the problem away by expanding the exempted class to include companies who scan emails and web traffic. That’s it, that’s the whole damn thing.

Except that …

ZOMG TERRORISTS!!1!

Julia Gillard, or Robert McClelland, decided to turn this into being tough on terrorism. In technical terms their argument is apparently that without email scanning, companies will be compromised. Some of those companies might be important institutions. Then, terrorists! Also, Estonia!

Here’s the problem: either these two Ministers of the Crown don’t understand what they’re talking about, or they’re doing a hyped beatup which backfired, or both. Because by drawing the long bow they looked like idiots, rather than people closing a boring loophole to save a bit of lawsuit angst.

But just to sink the slipper a bit more, it should be pointed out that most infrastructural IT is not connected to the Internet. Rail has its own fibre, power plants have closed LANs, banks rent ISDNs and dark fibre for their needs and so on. What’s really at stake here is the possibility of end-user PCs being turned into zombies; machines which can be controlled remotely by persons with nefarious purposes. This is possible mainly because Windows has a promiscuous, insecure-by-default model of security — though don’t tell Gillard that or she’ll announce Microsoft will be investigated by the AFP for aiding and abetting terrorists.

Editorial Incompetence

Now it took me about 15 minutes to find out what this was about. I noticed absolutely no such checking by the journalists. Actually, they didn’t cover themselves with glory at any point. None of them asked pertinent questions that every nerd was screaming at the top of his or her lungs. Probably because they know about as much as the Ministers do. So they took their half-baked conception of a half-baked spin exercise to the smart people who were, when given sour biscuits, justifiably angry and inclined to spit.

This story did not break late in the afternoon. It broke in the morning, at the very start of the news cycle. Journalists had all day to double check what the policy was about. I reckon “Minister Full of Shit And We Prove It” would have made a great evening news followup, compared to “Minister Doesn’t Understand Shit And Neither Do We”.

Not that this is any great shock. Any specialist in any field is used to journalists routinely botching, over-simplifying or flat out fibbing about the meaning of a news story in their world. Doctors are inundated by parents every time some quack remedy is promoted or a new miracle cure pronounced based on preliminary small-group trials. Lawyers see the legal process and legal arguments misrepresented by ignoramuses with dozens of lawyer friends from their uni days. Computer scientists, sysadmins, software engineers and allied nerds are sick of every. damn. story. about computer problems including the cliched fingers-on-keyboard-in-darkened-room shot, with a voice over comprehensively butchering any semblance of correctness.

Journalists really do take themselves seriously, and like Arts Council grantees, wonder why nobody else will join in the acclaim. Here’s a clue, ladies and gents, it’s because you’re jokers.

So Now What?

It might have helped if Julia Gillard had any sort of technical background. But she was a lawyer and union hack. It would have helped if Robert McClelland had some sort of technical background, but he was a lawyer and union hack too.

In actual fact, the Parliament is stuffed to the rafters with lawyers. There are a smattering of other professions (including, you may not have heard this two dozen times already, a doctor!) present but the lawyers tend to wind up in ministries and positions of influence.

Politics suits lawyers. The lawyerly skills of argumentation, forensic disputation and the ability to believe in nothing but prosecute a case for anyone are all useful to the professional politician. Meanwhile the stereotypical engineer, programmer, physicist, chemist, biologist, architect etc are not argumentative, confrontational, glib or able to adopt whatever argument is facing most into the wind. Reality is a hard taskmaster.

I think we need more nerds in Parliament. Programmers, scientists, engineers: anyone of a technical or scientific background is desperately needed in organs of law making and policy. Because it’s pretty damn clear that the lawyers and hacks don’t understand them when time comes to announce policy.



 This entry was posted on Tuesday, April 15th, 2008 at 11:56 AM and filed under Geeky Musings, IT and Internet, Journalism, Politics - national. Follow comments here with the RSS 2.0 feed. Apologies. Comments and trackbacks are both currently closed.

33 Responses to “Lies, Damned Lies and National Security”

  1. Laura said:

    Microsoft will be investigated by the AFP for aiding and abetting terrorists.

    Could be good actually. The incompetent investigating the insane.

    Posted on 15-Apr-08 at 12:15 pm | Permalink
  2. Gummo Trotsky said:

    Neither Fairfax nor News Ltd covered themselves with glory on this story, but I’d give the prize for alarmist hyperbole to this guy (I found the piece by Googling “Julia Gillard”).

    Now all we need is an Australian Nerd Party logo and we’re in business!

    Posted on 15-Apr-08 at 12:25 pm | Permalink
  3. Jacques Chester said:

    Gummo;

    In the NT there was a multi-party group for promoting women getting into politics. They ran seminars on speaking to the media, how to campaign etc. It’s been very successful in making the NT Parliament one of the best in the country for gender balance.

    I think a program like that is needed. Something non-partisan, perhaps a joint program of Engineering Australia, the ACS and others. I’ll be yakking to my uncle who used to run the Engineers Aust. branch here a few years back.

    Posted on 15-Apr-08 at 12:32 pm | Permalink
  4. Chris said:

    Great post!

    I haven’t been very impressed with Labor’s IT policies so far – this and the intent to try to censor the internet don’t encourage much confidence in their technical understandings of the issues.

    Will see how they go on the issue of encouraging the use of open source and open standards based software as previously they seem to have been quite supportive.

    Posted on 15-Apr-08 at 1:08 pm | Permalink
  5. Chade said:

    Good to see there’s someone following up a story like this… :-/

    Gummo: something like this? :p

    Posted on 15-Apr-08 at 1:19 pm | Permalink
  6. Ken Lovell said:

    I suspect Jacques that amongst other things, most politicians are incapable of answering a question “I don’t know”. Including, apparently, Julia Gillard. Prime ministers and deputy prime ministers are expected to know everything about everything and they encourage that mentality by blathering on instead of giving a truthful answer that it’s being handled by the appropriate minister and they’re too bloody busy to be across everything.

    I’ll suspend judgement on McClelland until I know what he, as opposed to a spokesperson, actually said.

    Posted on 15-Apr-08 at 1:42 pm | Permalink
  7. Fyodor said:

    Nice work, Chester.

    I was beginning to sweat over the apparent inadequacies of ECHELON until the truth came out yesterday arvo. WTFF? The government is recruiting companies to read employees’ email? What Le Feuck is going on at DSD and ASIO? Who’s running this Michael F. Mouse operation? Und so weite.

    Pissing away tax dollars on secretive sigint networks is fine, particularly when they piss off the frogs; pissing away tax dollars on secretive sigint networks that can’t find their arse with both hands? Not so much.

    Posted on 15-Apr-08 at 1:50 pm | Permalink
  8. Jacques Chester said:

    Ken;

    At least Kevin Rudd has the sense to say “I’ll get back to you on that”.

    Posted on 15-Apr-08 at 2:05 pm | Permalink
  9. Amanda said:

    Julia Gillard was a “union hack”? How so? Robert McClelland was a “union hack”? How so?

    Posted on 15-Apr-08 at 2:10 pm | Permalink
  10. Amanda said:

    The comments from JG seem to have come from her Today Show interview. It would be interesting to see the whole context of them. I will try and chase that up.

    I do cringe everytime the Fed Govt mentions IT based on the wackiness so far, before this.

    Posted on 15-Apr-08 at 2:13 pm | Permalink
  11. Jacques Chester said:

    Amanda;

    Gillard worked for Slater & Gordon. That’s union hackery as far as I’m concerned. But I was wrong about McClelland.

    I’ve struck out the ‘union hack’ from both because it detracts from my point about lawyers.

    Posted on 15-Apr-08 at 2:14 pm | Permalink
  12. Ken Parish said:

    Excellent work Jacques. AFAIK the MSM still haven’t corrected/clarified their original story.

    However, even if Gillard etc were spinning for all they were worth to introduce a terrorism element, and even if there actually isn’t one, it still doesn’t remove the proposal from being a very real infringement of privacy concern. We still need to know whether the legislation will merely authorise transient storage of emails for virus and spam auto-scanning (which I have no problem with) or whether it will authorise employers to actually read employee emails without their employees’ express consent or knowledge. Even though quite a few employers (though by no means all) require employeees to contractually sign away this privacy right as a term of employment, it’s a significant step to legislate to remove it irrespective of knowledge or consent. Whether there’s a genuine terrorism aspect is really irrelevant to the fundamental privacy issue. I have certainly never signed a document authorising my employer CDU to physically read my emails (as opposed to auto-scanning them for spam and viruses), and I would hope that the academics’ trade union would object strenuously if universities began demanding that academics agree to such surveillance.

    Posted on 15-Apr-08 at 3:04 pm | Permalink
  13. Jacques Chester said:

    AFAIK the MSM still havent corrected/clarified their original story.

    They won’t. They only report “the current story”, and by mysterious coincidence, “media too lazy to make phone call” is never a current story.

    Or, if they do, they’ll pick up my own mislabelling of McClelland as a union hack. They’ll snigger a bit about my own mistake and consider it to be a brutal rebuttal.

    Posted on 15-Apr-08 at 4:44 pm | Permalink
  14. saint said:

    Nice work JC. Amanda may yet prove me incorrect, but I suspect Julia was in full scale spin mode and really should have been taken to task by the MSM (but I guess too many journos have believed their own spin on how smart and sexy she is or something. Bleh.) Then again, the Opposition seemed to have swallowed the line as well given their response.

    KP – anyone who wants to read my work email line by line is welcome to. I delete a good half to a third without opening it; don’t want to think of the time it would take some schmuck to read it all. And then, who would read their email?

    Posted on 15-Apr-08 at 4:51 pm | Permalink
  15. Jacques Chester said:

    As for your second concern, Ken, therein lies a tale. Employers can already read your email. As I noted in my first rant, you need a Mandatory Access Control scheme — at the least — to prevent privacy infringements in a technical fashion. Neither Windows nor Mac OS X can provide that level of security. You need something like SELinux or Trusted Solaris to do the job.

    You can of course introduce offences in this area, or simply be narrow in the expansion of the Act to only cover automatic screening, but there is no technical solution which is widely available at the company level to balance both concerns.

    There is a technical solution that works at a personal level: encryption. If you and your correspondent use PGP or similar with a suitably large key, no third party can read the contents of the communications. Ditto web browsing and IM over SSL (ie any site with https:// in the URL). The communications can be stored and traffic analysis used, but the content itself is rendered opaque.

    Posted on 15-Apr-08 at 4:54 pm | Permalink
  16. banana said:

    Amanda;

    Gillard worked for Slater & Gordon. Thats union hackery as far as Im concerned. But I was wrong about McClelland.

    Ive struck out the union hack from both because it detracts from my point about lawyers.

    struck out hmm yes I see so uh still there but with a line through it
    working for a law firm as a lawyer; unionism definitely definitely

    *complains about bad journalism*
    *deliberately lies in blog*

    Posted on 15-Apr-08 at 5:15 pm | Permalink
  17. Jacques Chester said:

    banana;

    Slater & Gordon is a firm which frequently represents unions in lawsuits and there’s a lot of ex-partners in high places in the Labor movement and unions in particular.

    It was a mistake on my part, but please, feel free to contrast my honest mistake (and willingness to admit it) with total spinning bullshit.

    Posted on 15-Apr-08 at 5:25 pm | Permalink
  18. Jacques Chester said:

    struck out hmm yes I see so uh still there but with a line through it

    Incidentally, that’s what “struck out” means. Still there with a line through it. When you cockup on a blog it’s considered good form to admit it but not remove the original offending words for honesty’s sake.

    If you’re a journo, you get away with shrugging and ignoring angry letters.

    Posted on 15-Apr-08 at 5:27 pm | Permalink
  19. banana said:

    free to contrast my honest mistake (and willingness to admit it) with total spinning bullshit

    OK, always happy to give someone the benefit of the doubt :)
    I’m sure it’s not really at all like making a statement on something without bothering to research that thing.

    Posted on 15-Apr-08 at 5:32 pm | Permalink
  20. Jacques Chester said:

    banana;

    You’re entitled to your opinion that two wrongs make a right.

    Posted on 15-Apr-08 at 5:59 pm | Permalink
  21. Chris said:

    Even though quite a few employers (though by no means all) require employeees to contractually sign away this privacy right as a term of employment, its a significant step to legislate to remove it irrespective of knowledge or consent

    I think its a good idea to notify (just like video surveillance for example), though I don’t think consent should be required. Too many people out there who believe that email they send is confidential, whereas in reality anybody sitting on the network between you and the receiver can easily intercept it (its a *lot* easier than intercepting a phone call for example).

    The best rule of thumb I’ve heard is that you shouldn’t write anything in an email (unencrypted) that you wouldn’t write on the back of a postcard.

    KP – anyone who wants to read my work email line by line is welcome to. I delete a good half to a third without opening it; dont want to think of the time it would take some schmuck to read it all. And then, who would read their email?

    I’d encourage people to read my email if the promised to remove the spam :-)

    Posted on 15-Apr-08 at 6:14 pm | Permalink
  22. wpd said:

    Congratulations on a job well done.

    Posted on 15-Apr-08 at 6:31 pm | Permalink
  23. SJ said:

    Ken Says:

    We still need to know whether the legislation will merely authorise transient storage of emails for virus and spam auto-scanning (which I have no problem with) or whether it will authorise employers to actually read employee emails without their employees express consent or knowledge.

    Settle down, Ken. The existing situation in NSW is as follows:

    Privacy and your private mail, email, lockers, drawers

    All workplaces would benefit from a clear understanding of the degree of privacy which employees can expect at work in relation to issues like personal mail, email, desk and locker searches.

    There is no automatic legal right to privacy for personal mail delivered to a work address. Many employers reserve the right to open and inspect all mail received at work, to properly receipt cheques and remittances, as a precaution against fraud or to limit employees running their own businesses during work time.

    At the same time many businesses and public agencies ask employees to provide a work address or phone number and it is not unusual for them to contact people at work. Most employers allow employees to receive private mail and phone calls as long as they do not interfere with their work.

    Some people complain that letters addressed to them at work and marked personal or confidential have been opened. It is recommended that when an employer who has a policy of opening all mail receives letters marked personal or confidential, they are opened in the presence of the addressee or by the addressee in the presence of the person responsible for receipting mail. This allows the employer to be satisfied that it is genuine personal mail and gives the addressee some assurance that it is not being read or copied.

    Even where confidentially addressed mail is opened and read by another person, it does not necessarily lose its status as confidential. You could have a basis for a complaint or , in extreme cases, possible legal action if the letter is copied or the information contained in the letter is used inappropriately.

    A debt collecting agency which deliberately contacts you at work and discloses their reasons for calling to other employees or your employer may be breaching licensing legislation.

    Electronic Mail

    Unlike items of personal property that you keep in a desk drawer or locker, electronic messages you send or receive at work are not legally considered to be your personal property. Therefore an employer who owns the server or personal computer on which your email is stored is entitled to look at or copy it. Many employers reserve the right to check e-mail as a precaution against fraud, workplace harassment or breaches of confidence by employees.

    However employees also have legitimate expectations of privacy in relation to their e-mail communications. A failure to acknowledge these expectations can affect the overall usefulness of providing e-mail facilities. It is strongly recommended that employers adopt clear policy statements on what rights employees can and cannot expect in relation to their electronic messages which reflect the specific needs of their organisations. All employees should be made aware of the policy.

    Policies should cover:

    * the requirements for storing e-mail where it relates to core business of the firm;
    * whether back-up copies are stored on the server and who has access to them;
    * the level of privacy employees can generally expect for their e-mail;
    * the circumstances in which management reserves a right to read and take action on employee email;
    * the fact that e-mail can be subject to production in litigation or other investigations;
    * that it is unacceptable to use e-mail to abuse or harass other employees.

    New South Wales public sector agencies should also follow the Premier’s Department Policy and Guidelines on Employer Communications Devices published in January 1999 and Protocol for the Acceptable Use of the Internet and Electronic Mail, issued in March 1999.

    I think that what the Privacy Commissioner says might be incomplete, because I recall some measure introduced a few years ago where employees had to be notified, but I could be wrong if that requirement has subsequently been removed, or was only being discussed and never actually became law.

    Posted on 15-Apr-08 at 6:38 pm | Permalink
  24. clarencegirl said:

    Second reading speech for Telecommunications (Interception and Access) Amendment Bill 2008.
    Robert McClelland:
    The need for effective protection of corporate networks was also recognised in the Report of the review of the regulation of access to communications conducted by Mr Anthony Blunn AO. That report was tabled in parliament in September 2005. The Blunn report, as it has become known, recommended that access be allowed to the content of communications, outside of the warrant regime, for the protection of corporate communication systems. Recent media reports highlight the importance of private companies also protecting their networks.
    Sounds as if more than a technical amendment is about to take place.

    Posted on 16-Apr-08 at 3:38 am | Permalink
  25. Ken Parish said:

    The bills digest on this legislation deals with precisely the issue I canvassed in my previous comment (quote is from A-Gs consultant Anthony Blunn, whose report led to this legislation and eerlier amendments):

    Given the rights of owners to protect their system, the potential consequences of not doing so, the universality of the need and the time-critical nature of the required response, it is not in my opinion possible to meet the reasonable needs to protect systems by amending the Interception Act to provide specific exemptions.

    However from a privacy point of view uncontrolled access is simply not satisfactory. An access regime should be established which provides appropriate protections and prevents back-door use and access to obtain content. Those protections should in my view restrict access to that required for the identified purpose i.e. the protection of the system. There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs are required to protect data accessed in the course of their employment.

    However, as the bills digest goes on to note, this legislation does not in fact contain the privacy protections recommended by its own consultant Anthony Blunn:

    The proposed 18-month extension of the sunset clause in the current Bill is to allow the drafting of a permanent legislative solution to implement the Blunn Report recommendation. In his second reading speech for the bill the Attorney-General stated:

    The proposed 18-month extension of the existing network protection provisions will ensure law enforcement and security agencies can continue to protect their networks while a comprehensive long-term solution is developed. My department has already undertaken extensive work on legislative changes that would implement the Blunn report recommendation. As mentioned, these measures will have implications across government, corporate and private networks. They must also address complex issues associated with privacy, and state and territory laws. It is important not to rush those changes, and there must be enough time to consult widely on their impact. An 18-month extension will enable full consideration of a more complete solution across all networks.

    Comment

    The proposed extension of the network protection provisions sunset clauses by another 18 months means that over 20 Commonwealth and state/territory law enforcement and security agencies will be given access exemptions until the end of 2009. Blunn noted that unrestricted access is unsatisfactory and recommended an authorisation process including a requirement that the access is strictly for the purpose of maintaining network security, and that the people who are given authorisation are clearly identified. While the Minister states that resolving the Blunn recommendation is complex and requires separate legislation, it could be possible to insert such authorisation processes into the interim legislation.

    Posted on 16-Apr-08 at 7:14 am | Permalink
  26. SJ said:

    The relevant passage of the Blunn Report follows:

    7. Protective Access
    7.1 Both the Telco Act and the Interception Act presently recognise that some
    functions related to the provision or operation and maintenance of services need to be exempted from the strict application of the general prohibitions against
    interception, access and disclosure e.g. acts done by an employee of a carrier in the course of installing equipment or by a person providing an emergency service.
    7.2 Understandably and properly those exceptions are tightly drawn and tightly
    controlled.
    7.3 During the review it became obvious that there are circumstances which are not appropriately catered for by the existing exemptions but which, although different, warrant special consideration.
    7.4 In the main, those circumstances were related to the need to protect enterprise systems against damage whether deliberate or accidental. An example is the need to protect computer systems against unauthorised entry (hacking) or damage from viruses or worms. Whilst much of this can be achieved through systems applications there is often a need for human intervention which it is argued can involve interception or access in contravention of the relevant legislation.
    7.5 There are two critical elements to interception: the first is the concept of the communication passing over the system and the second is the system that it is passing over. The concept of passing over has received a lot of attention and I think is effectively resolved by acceptance of the idea of the communication being automatically processed as electromagnetic energy up to the point at which it can be directly accessed by the intended recipient. However the issue of direct access does itself raise some issues about whether a communication is still passing over the system and therefore subject to the Interception Act when it has been downloaded but which, on its way to the recipient, is processed by equipment say a firewall installed by the recipient or more contentiously, an employer to protect their equipment, and as a consequence is viewed by an authorised person as part of that process.
    7.6 It is at least arguable that once such communications reach the equipment
    installed by the owner to protect their equipment they are no longer passing
    over the system or even within the system. If that were so they would no longer
    be subject to either the Telco Act or the Interception Act.
    7.7 If however such communications are still passing over the system access would require an interception warrant. If they are not passing over the system but are still within the system they would be treated as stored data. At the moment as stored data access would be in accordance with the Telco Act.
    7.8 The submissions were overwhelmingly opposed to access to such communications being governed by the Interception Act. I agree. Even as stored communications the requirements of the Telco Act would appear to effectively preclude access for the intended purpose, i.e. the protection of the system.
    7.9 The implications for the effective protection of systems if access is denied are serious including for very large users such as the States and the Commonwealth. The Department of Defence advises that without speedy access to the data major systems will be at risk with implications for essential functions and for costs. The current exclusion of stored data from the Interception Act is seen as enabling that speedy access.
    7.10 Given the rights of owners to protect their system, the potential consequences of not doing so, the universality of the need and the time-critical nature of the required response, it is not in my opinion possible to meet the reasonable needs to protect systems by amending the Interception Act to provide specific exemptions.
    7.11 However from a privacy point of view uncontrolled access is simply not
    satisfactory. An access regime should be established which provides appropriate
    protections and prevents back-door use and access to obtain content. Those
    protections should in my view restrict access to that required for the identified purpose i.e. the protection of the system. There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs are required to protect data accessed in the course of their employment. The vexed question is what should happen where such access discloses evidence of criminal behaviour. This is similar to the situation previously discussed in relation to section 282. In my view in both situations the content of the communication should be protected but the person with access may report their view that there may be evidence of criminality etc. The data, presumably other than voice data, could then be accessed as if it were a stored communication i.e. by search warrant. The question of the use of the content of voice data raises significant evidentiary and other problems and should be separately considered.

    Posted on 16-Apr-08 at 7:24 am | Permalink
  27. SJ said:

    Was responding to clarencegirl, not Ken.

    Posted on 16-Apr-08 at 7:25 am | Permalink
  28. Chui said:

    What’s there to stop would-be terrorists from going to uni, becoming a Microsoft Certified Systems Engineer, joining the (**name your target here**) as a I.T. engineer, and filtering emails to find out the password of the critical system and hitting the Big Red Button? :)

    Posted on 16-Apr-08 at 9:23 am | Permalink
  29. Dave Bath said:

    Apart from the incompetence of managers being the main threat to critical infrastructure and organizations (primarily because of a lack of understanding of risk management issues and appropriate standards), almost every discussion of privacy in Australian electronic communications systems misses the fact of Echelon, which goes through everything, voice included.

    Any right to private electronic communications disappeared years ago.

    Echelon Pact countries (including Oz and the US) have been abusing privacy this way for years.

    Have a look at the 2001 European Parliament Report on Echelon. Some of the rapporteurs even suggest that the UK should be kicked out of the EU if the UK continues doing this.

    This raises a very real issue for Australia: participation in Echelon makes us a primary target for any group (terrorist or national) that wants to hit US SIGINT and military capabilities. It’s likely to be one major reason why Oz agencies got hit in May 2001 by what seemed like a “dry run” electronic warfare attack – one quietly acknowledged by a CIA director as a “horror month”.

    And in the preamble to the Europarl report was the apt Juvenal quote: Sed quis custodiet ipsos custodes.

    Posted on 16-Apr-08 at 11:04 am | Permalink
  30. Dave Bath said:

    Oh, on a related note, http://www.privacy.gov.au/publications/breach_0408.html is a new consultation by the privacy commissioner on a code for notifying people of privacy breaches. Unfortunately, “Voluntary” is in the title. Submissions due mid June.

    Posted on 16-Apr-08 at 12:20 pm | Permalink
  31. Privacy Commissioner Consultation « Balneus said:

    [...] — Dave Bath For those following Jacques Chester’s recent Club Troppo posts (here and here) on our Federal Government’s cluelessness on IT security and privacy issues, [...]

    Posted on 16-Apr-08 at 12:27 pm | Permalink
  32. Stephen Bounds said:

    Chui: In theory, personnel security checks filter out the terrorists.

    Any organisation that routinely deals with sensitive information should have a security clearance requirement for IT Systems Administrators. Typically this is one level above the material being handled.

    So for Restricted material, sysadmins need Secret clearance, for systems that handle Protected material, they need Highly Protected clearance, and so on.

    Posted on 16-Apr-08 at 9:27 pm | Permalink
  33. KRudd becomes Big Brother « Balneus said:

    [...] Club Troppo posts by Jacques Chester are worth reading: "Lies, damned lies, and national security" (2008-04-15) and "And then a stupidity occurs" [...]

    Posted on 18-May-08 at 4:29 pm | Permalink