[lokopodium]

Australia requires companies to provide backdoors. It does not (and can't) require that non-companies do the same. This means every Jihadi with half a brain will be using XMPP with OTR or something like that.

At the same time, it provides a requirement for EMPLOYEES to make backdoors when asked without letting their employers know.

[gregmac]

> it provides a requirement for EMPLOYEES to make backdoors when asked without letting their employers know.

I'm very curious about how this will actually work, in practice, anywhere that uses any form of source control and even a modicum of process.

I mean, do you sneak this into an unrelated pull request and hope everyone reviewing it doesn't catch it? Do these changes by committing directly to master (assuming you even can do that), and just hope no one notices? What commit message do you use?

Even if you don't put this in source control, how do you get it deployed? Do you just tell your ops team "uh, don't use the automated deployment or the artifacts the build server produced, instead install from this zip file I made on my machine"? What happens if they are deploying a new version on a day you happen to not be there?

Even assuming you manage to do all this, what happens when you're eventually caught? For example, someone finds a remote exploit bug in the code, does a blame, sees your name next to an innocent-sounding-but-clearly-misleading commit message and injection of an apparent deliberate exploit... are you allowed to explain? I would assume, especially if you can't/won't explain, that the employer could fire you on the spot, so do you just have to go along with that?

[justinclift]

> I'm very curious about how this will actually work, in practice, anywhere that uses any form of source control and even a modicum of process.

A capable ;) agency wouldn't target the developers. They'd target the SysAdmin's who look after the build servers.

With agency backed er... malware added to the build servers, they'd be capable of adding on-the-fly exploit code to the shipped binaries.

Things like reproducible builds - gaining popularity among some OSS Communities for few years now - help to at least detect this.

Could be very difficult to detect for lots of situations. eg side loaded mobile apps, proprietary desktop apps, likely others too

[baroffoos]

>This means every Jihadi with half a brain will be using XMPP with OTR or something like that.

Or they could just use SMS and still be fine because the government has no idea how to actually identify problem data in the sea of data they have.

[lokopodium]

In this case it doesn't appear that the government intends to mass-decrypt data, but rather only tap into targeted individuals' communications.

[acct1771]

Today.

[toufiqbarhamov]

As I said, I don’t agree with either their methods or their goals. It’s because I don’t want these kinds of laws in the world that I want to see shallow dismissals of them replaced by effective arguments. No one here needs convincing, what they need is to improve their ability to communicate beyond the tech bubble.