"Australia is a lucky country run mainly by second-rate people who share its luck"
Australia has many intelligent, brilliant people. For some reason, the design of our political system results in almost none of them getting into Government. This awful, fundamentally flawed law (literally only passed into law because our opposition was terrified of being called "soft on crime" in the media over Christmas) is just one in a long line of disappointments.
"Democracy is the worst form of government, except for all the others"
After Snowden I had a couple of people I barely knew comment to me something like I should "stop there from being more Snowdens" as a software developer, since they saw it in very simplistic terms as "my country = good, this guy = sabotaging my country", but I didn't run into anyone offline who shared the privacy-conscious reaction with me.
I think that explains why these things pop up everywhere much more simply. And without changing that perception, the other battles seem like losing fights.
The cynic in me is not concerned because I feel public opinion can be swayed and/or the issue is not the biggest/most-important issue in representative democracies. I admit being overly cynical on the importance of public opinion and therefore my disagreement efforts manifest more in counteracting technologies than politicking (and even then, the efforts are little and of limited consequence).
Your comment could be applied to Italy verbatim :(
Could an approached employee say "I have to run this past software engineer X" before it will even be allowed to commit, so software engineer X is read in, but he has to get authorisation from Middle Manager Y, and so on? The more people who are read in, the more chance there is of a leak, or of someone overhearing a conversation, or of people questioning a stream of progressively higher-tiered employees being brought into a meeting with strange men wearing sunglasses and fedoras, with knife-sharp pleats in their slacks, using company meeting rooms like they own the place.
This is making assumptions about the quality of company Z's code publishing process, but I'd be guessing that there would be a lot more "targets" using popular software from big vendors that have these QA processes in place.
The other interesting thing about this is that it may spur far more interest in both using and regularly auditing open source software. Proprietary software is far more at risk of losing reputation in this situation simply because of its opacity.
It's a complete disaster.
This would flag the code as 'interesting' to any other members of the development team, and it would likely make it obvious which account is being specifically targeted, which works against the secrecy required of the whole thing.
In reality, they issue a notice to the company, give them a timeframe, and expect it to be done. They don’t care about the intricacies of git.
I still wonder how this law doesn't go against individual rights provided by the Constitution or other fundamental laws.
Either way this law is hilariously clueless and extremely worrying at the same time.
Not that I think this will work (it won't in the long run), but I'd rather argue against the strongest case of an argument.
A person is a designated communications provider if ...
6. the person develops, supplies or updates software used, for use, or likely to be used, in connection with:
(a) a listed carriage service; or
(b) an electronic service that has one or more end-users in Australia
... and the eligible activities of the person are ...
(a) the development by the person of any such software; or
(b) the supply by the person of any such software; or
(c) the updating by the person of any such software
Look at it from their point of view... they approach some developer and it's amateur hour. The dev might get stroppy, there's all sorts of infrastructure problems, they might not do it right... it's a mess.
But if they approach the CEO, it gets done right. The CEO brings in Legal, who promptly shit themselves. They bring in the CTO, who is told to shut up, sign this NDA, and work out how to make this happen as fast and painlessly as possible. No problems, the bad things get done, no-one gets told anything, all good. Shit continues to roll downhill...
Companies, of course, are already cooperating. For Pete's sake, all you need to do is talk to a couple of admins in the Bay Area to know which alphabet soup agencies are visiting which companies (pro tip: basically all of them).
The real problem is that the law allows them to ask an individual to become a saboteur and it's unclear if you had a system that was explicitly resilient to such attacks (signed GPLv3 code with a threshold signing scheme with each key owned by people under different jurisdictions) whether you would be forced to dismantle such a system.
I think we'll need to start rethinking threat models.
One well-documented example where individuals were "tasked" (spied on) directly is the compromise of satellite ISP Stellar:
> The document lists "key staff" at the company. The document states they should be identified and "tasked." "Tasking" somebody in signals intelligence jargon means that they are to be targeted for surveillance. In addition to CEO Christian Steffen, nine other employees are named in the document.
The shock on the IT chief's face when he saw his name in an NSA document...
If the Govt strongarms a developer into implanting a backdoor, they won't care that they can't do it without breaking company policy or QA or workflow or even the law, because they cease to be primarily an employee, and become an asset of ASIO.
Sure, this strategy may work in China but Australia is a Western nation where freedom is taken seriously.
Edit later: by 'freedom taken seriously' I mean by the people, not by the government.
That’s the carefully cultivated reality distortion field at work.
It may look that way from the outside, but it’s a tightly controlled, aging and fearful society. Anyone who steps out of line is dealt with harshly and swiftly. The government may loosen the leash on those who align with their political philosophy (so figures who vilify vulnerable groups are given a bit of freedom under the current government) but the jackboot of the state isn’t far away.
Re your edit: there is compulsory voting, so the people obviously like it that way.
Oh, you sweet summer child.
and for a laugh at the sad state of affairs https://www.youtube.com/watch?v=eW-OMR-iWOE
Much easier to subvert technology produced locally or in allied countries (and the other Five Eyes members will undoubtedly adopt similar laws soon, if they haven't already).
Exactly. For those getting wound up over this in other western countries - Australia is often used as a testing ground for this kind of legislation. It will be your country next.
I didn't know that. Can you mention any notable examples?
Not that I give a damn if the AUS gov looks at my stuff, but that's completely beside the point. These appear to be real possibilities with this law, and I hope Atlassian and other AUS companies address them.
While they could potentially be asked to change your code stored in Bitbucket, Git will refuse to pull if the commit hashes in Bitbucket don't match your local copy, so I don't think intelligence agencies are likely to request this as it is too easily detected.
I predict altering the binaries would be a better way for intelligence agencies to covertly inject a "capability" into your software. E.g. they could ask Atlassian to introduce a hidden code injection step as part of Bitbucket Pipelines, which would be very difficult to detect unless you have deterministic builds and manually verify the output.
Aside from your code, I expect intelligence agencies would be very interested to read your product's issue tracking database (all those "minor" security vulnerabilities that your team knows they should fix someday but don't have time for right now).
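As an added example (not part of the thread and not Atlassian's or Git's own code), here is why the detection described above works: a commit id is a SHA-1 over the commit object, which names the tree, which names every blob, so a host cannot alter one file's contents and still serve the same commit id. This Go program reproduces Git's object hashing for a flat tree and shows a developer's locally recorded id diverging from a tampered server copy. The file names, contents, author line and timestamp are constructed for the demo.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"sort"
)

// gitObjectID reproduces Git's object naming: sha1("<type> <size>\x00<content>").
func gitObjectID(objType string, content []byte) string {
	h := sha1.New()
	fmt.Fprintf(h, "%s %d\x00", objType, len(content))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// BlobID is what `git hash-object` prints for a file's contents.
func BlobID(data []byte) string { return gitObjectID("blob", data) }

// TreeID builds a single-level tree object from filename -> contents.
// Git stores entries as "<mode> <name>\x00<20 raw id bytes>", sorted by name.
func TreeID(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var body []byte
	for _, n := range names {
		raw, _ := hex.DecodeString(BlobID(files[n]))
		body = append(body, "100644 "+n+"\x00"...)
		body = append(body, raw...)
	}
	return gitObjectID("tree", body)
}

// CommitID hashes a commit object. Author, committer and timestamp are
// constructed constants so the example is deterministic.
func CommitID(tree, parent, msg string) string {
	body := "tree " + tree + "\n"
	if parent != "" {
		body += "parent " + parent + "\n"
	}
	body += "author Dev <dev@example.invalid> 1544486400 +1000\n"
	body += "committer Dev <dev@example.invalid> 1544486400 +1000\n"
	body += "\n" + msg + "\n"
	return gitObjectID("commit", []byte(body))
}

// Tampered is the check a developer (or CI) can run: compare the commit id
// recorded locally against the id the hosting service now serves for the ref.
func Tampered(localID, remoteID string) bool { return localID != remoteID }

// Demo: the developer pushes a commit; the host is later compelled to change
// one line in auth.go while keeping message, author and timestamp identical.
// Because the commit id covers the whole tree, the id cannot be preserved.
func Demo() (localID, remoteID string) {
	original := map[string][]byte{
		"auth.go": []byte("package auth\n\nfunc Check(pw string) bool { return verify(pw) }\n"),
		"README":  []byte("constructed sample repo\n"),
	}
	localID = CommitID(TreeID(original), "", "add password check")

	backdoored := map[string][]byte{
		"auth.go": []byte("package auth\n\nfunc Check(pw string) bool { return pw == \"x\" || verify(pw) }\n"),
		"README":  original["README"],
	}
	remoteID = CommitID(TreeID(backdoored), "", "add password check")
	return localID, remoteID
}

func main() {
	local, remote := Demo()
	fmt.Println("local :", local)
	fmt.Println("remote:", remote)
	fmt.Println("tampered:", Tampered(local, remote)) // true
}
```

The check is only as strong as the source of the expected id: a clone made before the change, a signed tag, or an id recorded out of band. A developer who simply pulls whatever the host serves as a new commit on top of their history detects nothing, because a fresh commit with a plausible message is indistinguishable from a colleague's push.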
What is new is an army of people who will now be forced to make a choice between making and submitting destructive patches and facing penalties and jail.
Incidentally, all of these people are the ones who are subject to Australian law. I feel sorry for them, but I expect that, as an effect of this legislation, many people will stop accepting submissions from these people to keep their software secure - be it proprietary programs or free software.
So far my impression is that all that is required is to gain access to Jenkins one way or another, and you have the keys to the whole infrastructure.
Also other shops that actually obey SOX, and actually care about two-key systems (or multi-key) will not be able to keep this a secret.
The same protections that work for SOX and "sysadmins kid was kidnapped and they demand a backdoor be inserted" will work for this.
Sure, companies that protect against none of these will fail. But if you actually have systems in place to protect against "rogue employee" then this kind of order requires breaking ALL of these systems. I expect most companies to have no such systems, but the important ones do.
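An added example, not from the thread, of what a "multi-key" rogue-employee control looks like when it is enforced in code rather than by process, along the lines of the jurisdiction-split signing sketched earlier in the thread: a release is accepted only with at least k valid Ed25519 signatures from distinct key holders spanning at least two jurisdictions. Holder names, jurisdiction labels and the artifact bytes are constructed; keys are generated at run time. This is k-of-n independent signatures, not a cryptographic threshold signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one release-key holder. Jurisdiction is a constructed label used
// only by the policy; the keys are generated fresh each run.
type Signer struct {
	Name         string
	Jurisdiction string
	Pub          ed25519.PublicKey
}

// Signature is one holder's Ed25519 signature over the release digest.
type Signature struct {
	Signer string
	Sig    []byte
}

// Policy: a release is accepted only with at least Threshold valid signatures
// from distinct holders spanning at least MinJurisdictions jurisdictions.
type Policy struct {
	Threshold        int
	MinJurisdictions int
	Signers          []Signer
}

// ReleaseDigest is the value everyone signs: SHA-256 of the built artifact.
func ReleaseDigest(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// Accept verifies each signature against the named holder's public key and
// then applies the counting rules. Unknown holders, duplicate holders and bad
// signatures are skipped rather than fatal, so junk appended to a bundle
// cannot turn a valid bundle into a rejected one.
func (p Policy) Accept(digest []byte, sigs []Signature) bool {
	byName := make(map[string]Signer, len(p.Signers))
	for _, s := range p.Signers {
		byName[s.Name] = s
	}
	seenHolder := map[string]bool{}
	seenJur := map[string]bool{}
	for _, sg := range sigs {
		s, ok := byName[sg.Signer]
		if !ok || seenHolder[s.Name] {
			continue
		}
		if !ed25519.Verify(s.Pub, digest, sg.Sig) {
			continue
		}
		seenHolder[s.Name] = true
		seenJur[s.Jurisdiction] = true
	}
	return len(seenHolder) >= p.Threshold && len(seenJur) >= p.MinJurisdictions
}

// NewSigner generates a key pair; the private half stays with the holder.
func NewSigner(name, jurisdiction string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Jurisdiction: jurisdiction, Pub: pub}, priv
}

// Sign produces one holder's signature over the digest.
func Sign(s Signer, priv ed25519.PrivateKey, digest []byte) Signature {
	return Signature{Signer: s.Name, Sig: ed25519.Sign(priv, digest)}
}

// Demo: four holders, two of them in Australia. Policy is 2-of-4 with two
// distinct jurisdictions required. Returns three outcomes:
//   onlyAU   - both Australian holders sign (what one order could compel)
//   auPlusDE - one Australian and one German holder sign
//   swapped  - valid signatures, but the artifact was replaced after signing
func Demo() (onlyAU, auPlusDE, swapped bool) {
	alice, aliceKey := NewSigner("alice", "AU")
	bob, bobKey := NewSigner("bob", "AU")
	carol, carolKey := NewSigner("carol", "DE")
	dave, _ := NewSigner("dave", "US")
	policy := Policy{Threshold: 2, MinJurisdictions: 2, Signers: []Signer{alice, bob, carol, dave}}

	artifact := []byte("constructed release tarball bytes v1.2.3")
	digest := ReleaseDigest(artifact)

	onlyAU = policy.Accept(digest, []Signature{Sign(alice, aliceKey, digest), Sign(bob, bobKey, digest)})
	good := []Signature{Sign(alice, aliceKey, digest), Sign(carol, carolKey, digest)}
	auPlusDE = policy.Accept(digest, good)
	swapped = policy.Accept(ReleaseDigest([]byte("same version, backdoored build")), good)
	return onlyAU, auPlusDE, swapped
}

func main() {
	a, b, c := Demo()
	fmt.Println("two AU holders only:", a) // false
	fmt.Println("AU + DE holders:    ", b) // true
	fmt.Println("artifact swapped:   ", c) // false
}
```

An order served on one holder, or on every holder in one jurisdiction, cannot satisfy this policy on its own. What it does not cover is the build step: if the artifact is backdoored before anyone signs, all k signatures are over the backdoor. Closing that gap means each holder rebuilds the release reproducibly and compares the digest before signing, rather than signing a digest handed to them by CI.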
Now you have to fire him to deploy the backdoor. I expect the law doesn't require you to fire people. Even if it does, he or she is not bound by the gag order and could be a canary to the rest of the world.
Whatever happened to Agile as "we have come to value: Individuals and interactions over processes and tools" ??