Concerns about Data Retention, Surveillance and Privacy

Discussion in 'Networking, Telephony & Internet' started by Agg, Jul 18, 2012.

  1. jarryd98

    jarryd98 Member

    Joined:
    Apr 4, 2005
    Messages:
    1,936
    Location:
    Brisbane
    It's possible - just more difficult (and expensive). On that basis, there's need for consideration of cost:benefit.

    For the (as yet unspecified) outlay, can this scheme genuinely prove more successful (to an extent that justifies associated expense) than existing legislative process?
    I tend to think not. There's no provision or metric within the proposal for measuring success in comparison to the current legislative scenario - seems pretty likely this is intentional.
     
    Last edited: Jul 20, 2012
  2. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    I certainly can. I just don't want to because you CBF learning for yourself.
     
  3. orcone

    orcone (Banned or Deleted)

    Joined:
    Aug 11, 2009
    Messages:
    334
    Please stop ruining this thread with your drivel.
     
  4. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    That old chestnut... you're asking me to google something, that you incorrectly think is a counter to a legal proposal you haven't read, and I have drivel? ;)


    Fine:
    Tor and VPN is not some magic ticket you portray it to be. Tor is constantly being thwarted/impacted by randoms, and the Chinese, and other nation states, it's a fact of the internet.
    Either broken (functionality) or broken via JS tracking, or exit node snooping.

    Keep in mind that JUST exit node trickery is enough to compromise your PC completely, anything else on top of that is simply yet another attack vector, and any 'baddy' can run a HUGE number of exit nodes, and they don't need access to your sessions very long to bear fruit.

    That is not to say that Australia is going to be doing any of this stuff, certainly not at the scale of Iran/China (one sure hopes not), but it is technically easy for 'them' to target specific people.

    https://blog.torproject.org/blog/knock-knock-knockin-bridges-doors
    https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372
    https://blog.torproject.org/blog/update-censorship-ethiopia

    VPN (Specifically SSLVPN which is what 90% of randoms on the net use) is also similarly broken, SSL/TLS MITM is commonplace today, the vast majority of web content filtering companies provide this as part of their standard feature set.
    As part of standard security testing, most security providers will MITM the SSL sessions to read/manipulate the data to compromise the communication. This is not advanced, or uncommon.
    It is standard run of the mill public level attacks, that is discounting targeted attacks, and sponsored issue motivated groups.

    Here is a nice little simple video from 3 years ago, made by a bunch of regular nerds:
    http://revision3.com/hak5/mitm

    The reason I CBF googling this for you, is you present this as some defense against the proposed legal changes, if you read those changes you would realise that it is not a defense, because technically they are easy to break, and legally, they can force you to provide your encryption keys anyway.

    In addition to direct attacks on 'VPN and Tor' they would have the legal right to manipulate content on your computer, and thus the use of any VPN or transport level encryption is void anyway.

    The fact I need to explain this to you means a few things.

    You haven't read the document (kinda key because that's the point right?).
    You don't understand existing laws
    You don't understand the proposed laws (probably because you haven't read it)
    You don't understand current technology
    You don't understand current attack vectors and vulnerabilities.

    As I have said all along, come up with VALID reasons this proposed change is poorly thought out, wrong, overreaching etc, and argue those points. Arguing the garbage you are spouting won't get ANYTHING changed, and will make you look stoopider in the meantime.
     
  5. orcone

    orcone (Banned or Deleted)

    Joined:
    Aug 11, 2009
    Messages:
    334
    Man in the middle is not a vulnerability of a compromised ssl tunnel, nor is snooping clearnet activity from a tor exit node. Nor has your "compromised pc" scenario got anything to do with these technologies (a live bootdisc will thwart that).

    This has everything to do with this proposal because it's evident, even by their own admission in the paper which I doubt you've read, that those targeted are sophisticated and will not fall victim to the proposed changes. So it's useless and needless in scope and will just create a honeypot of data of innocent people.
     
  6. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    You orcone:

    I said "ahahaha, that won't work" (paraphrased)


    I said "ahahaha, that won't work" (paraphrased)

    I answered it, as per post above. But you still don't understand, hence why I didn't want to bother in the first place, but then you had a hissy fit. :(


    MITM is most certainly a vulnerability with SSL. But more importantly it shows that your stupid sweeping statement that you can't be monitored through VPN/Tor is laughable.

    However it is done, (direct SSL attack, exit node, JS tracking, client compromise) the end result is the same. People see what you are looking at.

    All of the SSL VPN/Tor arguments you put forward due to the requirement to provide access to encrypted information, so even if you were right and that VPN/SSL/Tor is some magic protection (which I have shown it is not), they will just jail you for not providing your private key anyway... so really, your argument is totally broken. It is for this reason I assume you didn't read it, because the technology is irrelevant, they win legally regardless.

    I do wish you would try harder with your arguments, this is pretty boring. And you are REALLY not helping make positive changes to the proposal.
     
    Last edited: Jul 20, 2012
  7. fredhoon

    fredhoon Member

    Joined:
    Jun 27, 2003
    Messages:
    2,643
    Location:
    Brisbane
    IAC, from your educated standpoint, do you have any criticisms or propose any changes to the current legislation? I am genuinely interested (not trying to be a dick) as I fall under the category of not fully understanding current legislation and therefore not understanding the changes / impact of this proposed legislation.


    I'm also interested in your opinion as to whether this legislation should be coupled with increased electronic privacy legislation (as discussed on and off in previous luz CC data release threads).

    IE assuming ISPs are responsible for storing this data, what industry standard or enforceable legislation makes sure it is adequately protected and will there be mandatory reporting of breaches? In this scenario I am assuming that collected metadata will be stored in a format that is identifiable to a particular account holder and seamless electronic (not offline) access is available to law enforcement.
     
  8. Ninja_Harbinger

    Ninja_Harbinger Member

    Joined:
    Jun 2, 2011
    Messages:
    1,032
    Location:
    A warp pipe near you
    Is there a tl;dr post anywhere here?
     
  9. orcone

    orcone (Banned or Deleted)

    Joined:
    Aug 11, 2009
    Messages:
    334
    IAC, you're going off saying TOR is vulnerable because of things not related to TOR at all. You sound educated, so why don't you realise most common tor browser packages ship their browsers with javascript disabled and enhanced https security?

    A compromised pc is not a fault of tor or vpn
    Exit nodes cannot magically compromise a system as you've said
    Javascript is disabled by default
    Man in the middle is rendered useless if data is already encrypted with your own cipher prior to transmission, so breaking through ssl protection might as well have been for nothing.

    If you drive people to be more paranoid, suddenly they realise relying on one layer of security is nuts and will take extra precautions. Which is what these people most likely do.
     
  10. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    Lets try again:

    Regardless of if the attack is directly against Tor or SSL (basically the same thing anyway) or what have you, any side channel attacks still have the same effect of negating the protection you claim they provide.

    Let me make this simple - Using VPN or Tor will NOT protect you from a determined attacker (at all). Using VPN or Tor will NOT protect you from 'the govt.' if you are under surveillance.

    Even if they did technically, they legally would have the right to have you give up the keys regardless.

    Thus, your statements and advice on using Tor and VPN is incorrect, in all contexts.

    How many other ways do you wish for me to explain this?
     
  11. orcone

    orcone (Banned or Deleted)

    Joined:
    Aug 11, 2009
    Messages:
    334
    Just the correct way that doesn't resort to silly variables akin to "using tor won't work if they've got cameras pointing at your keyboard". You're listing failures of security that have nothing to do with tor or ssl. Stop it, put up a sensible argument.

    There are many more techniques that can be used to further obfuscate communications, these proposals quite frankly don't do shit to stop that.
     
  12. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    You said Tor/VPN will get around it. I say it won't, I have shown why it won't.

    At the moment, you are just making up unsubstantiated comments. You can't isolate technology from other attack vectors, otherwise you could claim things like telnet are secure, because you are selectively removing any attack vectors that would make it insecure. It doesn't work that way. You need to use these things (Tor/SSL included) in the real world, with real world threat models.

    You tell me to put up a sensible argument? I am refuting yours, I am not putting up any additional ideas, the argument is yours to make.
    English is my 3rd/4th language, and even I know you're doing it wrong.



    Please explain these two statements, and how they will get around the proposed changes:


    "ll be educating people on how to circumvent their snooping via vpn and T.O.R technologies"

    "There is no way to monitor these activities if it performed through secure VPN, the TOR"
     
    Last edited: Jul 22, 2012
  13. gaakor

    gaakor Member

    Joined:
    Dec 19, 2011
    Messages:
    157
    Bad news all,

    http://ten.com.au/video-player.htm?movideo_m=208501&movideo_p=41949

    7:06 in you will see the relevant question to Stephen Conroy about these proposed changes, where he says basically that he supports a review and some changes to the laws.

    He was quite vague and referred to organised crime & terrorism.

    At least he was asked the question on national TV but even I didn't catch what they were talking about until Latika Bourke mentioned on twitter that:

    https://mobile.twitter.com/#!/latikambourke/status/226949209969020928

    Oh, and a late add from #MTP this morning. Stephen Conroy accepts spy agencies request for interest data to be kept for 2 years.
    30 minutes ago

    So we're losing this one, I believe this will be buried and pushed through in a midnight sitting when parliament resumes.
     
  14. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    You think? With arguments such as those presented in this thread, of course no one is making inroads.
    [admin: any more personal abuse from you and you win a free holiday]
     
    Last edited by a moderator: Jul 22, 2012
  15. orcone

    orcone (Banned or Deleted)

    Joined:
    Aug 11, 2009
    Messages:
    334
    I wonder what can be done to rile people up to get more publicity to this sham.
     
  16. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    Maybe relating it to SOPA and other unrelated despised proposals.. doesn't matter if it's correct or not though :)
     
  17. gaakor

    gaakor Member

    Joined:
    Dec 19, 2011
    Messages:
    157
    I'm highly surprised that ISPs are not up in arms over having to store user data for 2 years.

    None of them have said a word about it publicly, maybe they are going to submit to the senate enquiry?
     
  18. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
    fucking lolz

    nice work anon:
    hacked:

    sunshinecoast.qld.gov.au
    regions.qld.gov.au
    sd.qld.gov.au
    dtrdi.qld.gov.au
    science.qld.gov.au
    createitmakeitliveit.qld.gov.au
    smartawards.qld.gov
    tourism.industry.qld.gov.au
    workliveplay.qld.gov.au
    lib.qld.gov.au

    in response to the proposal, now there is a way to get some attention
     
  19. atech

    atech Member

    Joined:
    Jul 15, 2008
    Messages:
    238
    That's a lot of QLD sites - maybe if Newman stopped firing people this could have been avoided lol
     
  20. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    759
    Location:
    ork.sg
