The Victorian government has backtracked on claims it would directly brief the new phone bugging and surveillance watchdog.
The minister responsible for the establishment of an anti-corruption commission, Andrew McIntosh, introduced a bill into parliament on Thursday to establish a body called the Public Interest Monitor (PIM).
The PIM will be made up of lawyers registered to appear in courts and tribunals to test the merits of applications from Victoria Police, the Office of Police Integrity (OPI) and the yet-to-be-established Independent Broadbased Anti-Corruption Commission for permission to use phone bugging and surveillance devices during investigations.
Mr McIntosh told reporters it would be the state government, probably himself, who would brief the PIMs.
“It will probably be, no doubt, the minister responsible for the establishment of the anti-corruption commission or it may be the department,” he told reporters.
“But the reality is, you know, it will be the government that will do the briefing of the person to appear on behalf of the public interest.”
Later, after the opposition accused him of politicising the new body, Mr McIntosh told parliament he had made a mistake during the heated press conference.
“The Public Interest Monitor will be completely independent of government,” he said.
“The fact is there will be no briefing … there will be absolutely no input from the government agency, minister or department whatsoever.”
Opposition anti-corruption commission spokeswoman Jill Hennessy seized on Mr McIntosh’s gaffe.
“We have to remember so-called independent bodies may indeed have to investigate their masters, that is the government,” she told reporters.
“It’s quite extraordinary for a minister to suggest that it would be he who would be issuing the instructions to a so-called independent body.”
A spokesman for Mr McIntosh said PIMs would have access to documents presented to the court or tribunal by the police or integrity body in their application.
They will be bound by confidentiality rules and could be jailed for a year for breaching those obligations.
Mr McIntosh rejected suggestions the government did not trust judges to properly take into account the public interest when deciding whether or not to grant phone tap and surveillance device warrant applications.
But he said none of the 424 applications made by Victoria Police and the OPI for telephone intercept warrants were rejected in 2009-10, and only two of 141 applications for surveillance device warrants were knocked back.
Mr McIntosh continued to refuse to reveal when he expected the IBAC would be operational, only saying the legislation would be introduced into parliament before Christmas.
Before winning office, the Baillieu government promised the IBAC would be operational by July this year.
A wireless network offers lots of advantages over being tethered to your desk. But “no wires” doesn’t mean you can forgo security. These are the six most common Wi-Fi security mistakes people make when setting up a wireless network. Avoid them, and you can rest easier knowing that both your network and your data are safer.
Civil liberties groups are asking a judge to force the New York Police Department to turn over documents about its efforts to spy on and infiltrate the Muslim community.
The documents filed in federal court in Manhattan are based largely on reporting from The Associated Press that showed police monitoring all aspects of daily life in Muslim neighborhoods. Documents showed that plainclothes officers were being dispatched to eavesdrop inside businesses. Hundreds of mosques were investigated. Dozens were infiltrated. And police maintained a list of 28 countries that, along with “American Black Muslim,” were labeled “ancestries of interest.”
Lawyers said that could violate a longstanding court order prohibiting the NYPD from maintaining information on people not involved with criminal activity. The NYPD didn’t immediately respond to a message for comment.
This screenshot shows the researchers’ demo in action on a PayPal account. (Credit: Juliano Rizzo and Thai Duong)
Browser makers are devising ways to protect people from a security protocol weakness that could let an attacker eavesdrop on or hijack protected Internet sessions. Potential solutions include a Mozilla option to disable Java in Firefox.
The problem–considered theoretical until a demonstration by researchers Juliano Rizzo and Thai Duong at a security conference in Argentina last week–is a vulnerability in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0, encryption protocols used to secure Web sites that are accessed using HTTPS (Secure Hypertext Transfer Protocol).
The researchers created software called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a “man-in-the-middle” (MITM) type of attack. BEAST uses JavaScript running in the browser and can let an attacker snoop on traffic, as well as impersonate a Web surfer by compromising session cookie data used to authenticate a Web surfer with a site. More details and a video of the demo are on Duong’s blog.
Here are responses from representatives of the major browsers:
Firefox
“We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so,” a Mozilla Security blog post says. “Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow. The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution.”
Internet Explorer
“We consider this to be a low risk issue for customers, but we released Security Advisory (2588513) to provide guidance and protection for customers with concerns,” Jerry Bryant, group manager of Response Communications at Microsoft Trustworthy Computing, said in an e-mail. “To be clear, Internet Explorer depends on the Windows implementation of these protocols, so our mitigations and workarounds apply to the operating system and not the browser. We are looking at other ways to address the issue both in our products and within the industry and will update our guidance as it becomes available.”
Chrome
A Google representative referred CNET to a blog post from late last week written by Adam Langley, a member of the Chrome team, that said the company was preparing and testing a workaround. “The attack is still a difficult one; the attacker has to have high-bandwidth MITM access to the victim. This is typically achieved by being on the same wireless network as the victim,” the post says. “Nonetheless, it’s a much less serious issue than a problem which can be exploited by having the victim merely visit a Web page. (Incidentally, we pushed out a fix to all Chrome users for such a Flash bug only a few days ago.)”
Opera
Opera developed a fix and tried shipping it in Opera 11.51 but found that changes made to how the browser connects to servers were “incomprehensible to thousands of servers around the world,” Opera’s Sigbjorn Vik wrote in a blog post. “This issue will have to be solved in close cooperation between browser vendors and Webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward. We have test systems in place which can connect to millions of secure sites around the world and detect how these sites will react to changes to the protocol. We will be sharing our results from these test runs with other browser vendors and affected parties, to give us a good basis for finding the best solution to the issue.”
Safari
Apple representatives did not respond to e-mail or telephone requests for comment about the Safari browser.
Just upgrading to TLS 1.1, which is not vulnerable to the threat, won’t work because nearly all SSL connections use TLS 1.0, according to a Qualys study reported on by Dan Goodin at The Register, which broke the BEAST story. In addition, “upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies,” he wrote.