IP: More on -- Aussies Lead in Legitimizing LEA Hacking

[Dave Farber <farber@cis.upenn.edu>]

>To: farber@cis.upenn.edu
>From: Vin McLellan <vin@shore.net>
>
>Hi Dave:
>
>        Fyi. Might this be of interest to IP?
>
>        Regards,
>                        _Vin
>
>--- ---- ---- ---- --- --- ----
>
>To: cryptography@c2.net
>From: Vin McLellan <vin@shore.net>
>Subject: Aussies Lead in Legitimizing LEA Hacking
>Date: Fri, 26 Mar 1999 18:28:07 -0500
>
>        The report below -- announcing changes in Australian law to permit
>the lead Australian LEA to hack into targeted computers with a Ministerial
>warrant -- may mark an important event. I suspect it is a precursor of
>things to come in the US and elsehwere as LEAs and intelligence agencies
>come to terms with the widespread availability and use of strong cryptography.  
>
>        While crypto effectively protects data in transit and (to a lesser
>extent) operationally stored data, the relative vulnerability of the common
>Wintel PC and other computers -- the end points of a crypto link -- make
>them an obvious target for eavesdroppers foiled by cryptography.  
>
>        This is not a new insight. The Australians (and the famous Aussie
>Walsh Report on AU Crypto Policy) are only more public than other nations in
>their shift to focus on the end-point computers as the primary vulnerability
>of encrypted communicaton links. 
>
>        One approach is to develop specialized black bag techniques, where a
>burglar "under color of law" -- or with minimal or no concern for local Law,
>in "intelligence" ops -- slips into a target's home or office to steal
>disk-stored crypto keys, or to replace a target's crypto apps (SSL, SSH,
>S/MIME, PGP, RSA SecurPC, etc.) with a corrupted or backdoored versions.  
>
>        (I recall that a CIA operative arrested in the US on espionage
>charges last year was described as a specialist in this. I think everyone
>can take it for granted that such skills (both burglary and subversive
>programming) are in great demand throughout the international intelligence
>community, and will soon figure prominently in warranted LEA surveillance. 
>        In Australia now; elsewhere soon. Perhaps everywhere eventually. 
>
>        A burglar or a penetration agent who can switch copy crypto keys,
>switch smartcards or a smartcard reader, load keyboard sniffers, or install
>"dual purpose" crypto packages on a target's computer will probably always
>be the most effective way of attacking an end-point computer --- but there
>is also a huge universe of active network attacks (viruses, worms, ActiveX
>modules, and more) that can also be used against networked computers. 
>
>        This is a range of vulnerabilities, particularly for PCs, that
>should be much more widely discussed and categorized. The elite Bugtraq and
>NTBugtraq readers, black hat and white, may be on top of this stuff, but the
>typical sysadmin just waits for his OS vendor to send him a patch, and the
>typical user ignores it all in blissful ignorance.  
>
>        And it isn't as if the vendors can just change their priorities and
>make the world a better place. As W.H. Murray keeps pointing out, we install
>more flawed new computers daily than the number which are, daily, being
>fixed, patched, or upgraded. More to the point, some reports suggest that no
>more than one percent of Unix sysadmin have actually installed all the
>security patches that have been made available to them.  <sigh>)
>
>        The NSA is still largely dependent upon passive intercept, according
>to Agency lore, but it is also well-known in the intelligence community that
>former CIA Director John Deutch in 1996 ordered a major redirection in NSA
>budget priorities to foster more research into active attacks on target
>computer and communication systems.
>
>        Of course, hackers, vandals, and cyber-savvy crooks are probably
>also far more likely to exploit host vulnerabilities over the Internet than
>they are to burglarize corporate offices. 
>
>        Suerte,
>                _Vin 
>
>
>-----------------------------
>
>The Sidney Morning Herald (Au)
>"ASIO cleared to hack into computers"
>
>Friday, March 26, 1999
>http://www.smh.com.au/news/9903/26/pageone/pageone3.html
>By BERNARD LAGAN and BEN POWER 
>
>Australia's domestic spy agency, ASIO, will be given sweeping powers to
>hack into computers and place tracking devices on people and cars. 
>
>In the most far-reaching upgrade in a decade to ASIO's powers, the agency
>will also be permitted to collect foreign intelligence in Australia and
>pass the information to the Australian Secret Intelligence Service (ASIS),
>the foreign spy agency. 
>
>The Federal Government is acting on the recommendations of a secret report
>by ASIO's former deputy director, Mr Gerard Walsh, which was mistakenly
>sent to public libraries and published on the Internet late last year. 
>
>His report - copies of which were later recalled by the Attorney-General's
>Department - urged that ASIO be given the power to "hack" a nominated
>computer system to "secure access to that system or evidence of an
>electronic attack on a computer system". 
>
>The Attorney-General, Mr Williams, told Parliament yesterday the agency
>would be able to access data stored on computers "through other means
>which cannot presently be used". 
>
>The changes will allow ASIO officers, with ministerial approval, to gain
>access to data stored in computers by "remote access" - commonly referred
>to as hacking. 
>
>The change appears to give ASIO very broad powers to hack into any
>computer system. 
>
>An explanatory memorandum issued by the Government about the changes says:
>"The effect is to provide the minister with the power to authorise ASIO to
>access and copy computer data where unauthorised access is otherwise
>prohibited by Commonwealth or State or Territory law." 
>
>For the first time ASIO will have the powers to install tracking devices
>on vehicles or even people - the devices are small beacons which transmit
>signals to other locations. 
>
>Mr Williams told Parliament the devices were necessary for the more
>efficient use of ASIO's resources. 
>
>The Walsh report had strongly urged that ASIO be allowed to use tracking
>devices, saying "the absence of this investigative tool is a privation for
>the Australian Federal Police, the National Crime Authority and ASIO". 
>
>Other changes will allow ASIO to expand its foreign intelligence gathering
>within Australia by dispensing with the present need for it to obtain a
>special warrant for each case. 
>
>According to the Government the change will allow ASIO to supplement
>foreign intelligence gathered by other agencies, such as ASIS. 
>
>ASIO will be able to use information from the Australian Transaction
>Reports and Analysis Centre (AUSTRAC) to follow money trails. 
>
>The changes also mean ASIO will be permitted to carry out security
>assessments during the Olympics. 
>
>-----------------------------
>  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
>for good and ill... yet basically an intellectual construct, an idea,
>which by its nature will resist efforts to restrict it to bureaucrats
>and others who deem only themselves worthy of such Privilege."  
>  _A Thinking Man's Creed for Crypto  _vbm.
>
> *     Vin McLellan + The Privacy Guild + <vin@shore.net>    *
>      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548