The Weekly Cybers #36
Australian cops and their global colleagues take down the Ghost encrypted messaging network, a robodebt ringleader has a great big sook, and much more.
Welcome
The big story this week is the global infiltration and takedown of the Ghost encrypted messaging network — and it was Australian! (Allegedly.)
I’d love to do a so-called “deep dive” into this one — commissioning editors please note! — but for now you’ve got my initial summary.
There’s also some unimpressive whining from one of the architects of the robodebt misery machine, a bunch of inquiries into new legislation, and the usual mixed bag of smaller items.
How’s my selection this week? Please let me know by replying to this email.
Cops take down Ghost, but was it legal?
It’s a fantastic true crime story. Australian police and their international colleagues infiltrated the Ghost encrypted communications network, leading to dozens of arrests in this country and many more globally.
The app’s alleged administrator, Jay Je Yoon Jung, 32, appeared in a Sydney court Wednesday on charges including supporting a criminal organisation and benefitting from proceeds of crime.
The Australian Federal Police (AFP) issued a flurry of press releases about this operation, named Operation Kraken, and related wins, and there’s been a tsunami of stories globally — and it checks off so many cliches.
Jung is from Narwee in Sydney’s south, lives with his parents, and has no criminal record. As Guardian Australia describes it, he was hit with a raid at 4am.
[AFP] said it was important for officers to gain quick entry to the house. “Our tactical teams were able to secure him and [some] devices in under 30 seconds,” the AFP assistant commissioner Kirsty Schofield said.
The allegations are that Jung sold modified iPhones for AUD 2,350 (about USD 1,600) with a 6-month subscription and tech support. There were 376 active devices in Australia, with “more than 7,200 devices provisioned globally over the life of the platform”.
Again from Guardian Australia:
The AFP alleges hundreds of criminals — including motorcycle gang members and Italian, Middle Eastern, and Korean organised crime members — have used Ghost in Australia and overseas to “import illicit drugs and other crimes”.
AFP also says they engineered a “technological solution” to access the platform and de-encrypt devices. It appears they could intercept the app’s software updates and substitute their own.
I’ll admit I haven’t had time to read everything related to this. Despite the story breaking mid-week, this is very much a first reaction.
However I did see, and now can’t find, a story about how prosecutors now need to establish that the messages they’ve gathered from people who used Ghost can be used in evidence.
Which is to say, was this evidence gathered legally?
Disrupting criminal networks is a win for the cops, sure, and at one level that’s certainly Mission Accomplished.
But successful prosecutions are a tougher ask, especially when we move beyond Jung’s alleged geekery.
Indeed, AFP deputy commissioner Ian McCartney said: “Will we face challenges in court? I think we will, but I think that’s the nature of the business.”
In this context, it’s worth noting that earlier this year there was a challenge to the legality of evidence gathered during AFP’s infiltration of the AN0M encrypted network.
That was different, however, in that AFP and the FBI were themselves by then running AN0M as a sting operation. But we still don’t know the answer. Maybe next year. Maybe after a High Court challenge.
CORRECTION: South Australia’s Court of Appeal ruled that the AN0M evidence was admissible back in June.
And speaking of maybes, maybe I’ll be persuaded to do some deeper analysis and commentary on this, because there are so many angles. Stay tuned.
Finally, I guess this also highlights that you don’t need to be able to decrypt messages in transit if you can “just” infiltrate the network — although that’s going to be more difficult in certain kinds of networks.
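The weak point in the story above is a device that accepts whatever software update arrives. As an added illustration, and not code from this newsletter nor a description of how Ghost or the AFP actually worked, here is a hypothetical, simplified update verifier in Go: the device installs a package only if its signature verifies under a vendor key pinned at install time and its version number moves forward. The Update type and the SignUpdate/VerifyUpdate functions are names assumed for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Update is a hypothetical, simplified update package: version, payload, vendor signature.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// GenerateVendorKey stands in for the vendor's release key (public half pinned on devices).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	return pub, priv
}

// signedMessage binds version and payload into one signed byte string so
// neither can be swapped independently of the other.
func signedMessage(version uint32, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("v%d:", version)), payload...)
}

// SignUpdate is the vendor-side step: sign the bound version and payload.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return Update{Version: version, Payload: payload, Sig: sig}
}

// VerifyUpdate is the device-side check: install only if the signature
// verifies under the pinned key and the version moves forward, so a
// substituted, tampered or replayed-but-genuine package is rejected.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Sig) {
		return errors.New("signature does not verify under the pinned vendor key")
	}
	if u.Version <= installed {
		return errors.New("version is not newer than the installed version")
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, SignUpdate(priv, 2, []byte("build 2"))))
}
```

An update signed by any key other than the pinned one, a payload altered after signing, or an older genuine package replayed against a newer install all fail the check.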
Kathryn Campbell’s unedifying robodebt sookage
The former secretary of the Department of Human Services, Kathryn Campbell, whined in The Australian on the weekend that she’d been scapegoated over robodebt ($), the petal.
Minister Bill Shorten is furious, as well he might be.
“Robodebt was a shocking betrayal and failure of empathy towards vulnerable people who needed support from the government,” Shorten said on Saturday. “And today and yesterday, we’ve seen one of the key central actors in the tragedy of robodebt yet again, in my opinion, (has) failed to show empathy to the victims.”
At The Mandarin, the redoubtable Julian Bajkowski is well unimpressed.
“It’s a deeply unedifying look for the Australian Public Service, which has now proven that as an institution, it can outwait and outwit those seeking to create material disincentives and accountability for inadequate performance, substandard delivery and even maladministration.”
Indeed.
Your writer is very much of the opinion that with the wet-lettuce response rather than actual punishment, the National Anti-Corruption Commission (NACC) choosing not to investigate, and Campbell’s woe-is-me reaction after moving on to another sweet job at AUKUS — she has since resigned — everyone involved is failing to read the room.
FINDING THIS NEWSLETTER USEFUL? It’s currently an unfunded time-consuming side project, so do please consider throwing in a tip.
Also in the news
- The government continues to hint at what might be in a new Cyber Security Bill due later this year. This week home affairs and cybersecurity Minister Tony Burke said businesses would get “safe harbour” protections, meaning they could let the cyberspooks into their networks to help defend them “without the fear of that information being used in regulatory action against them”.
- Meta says it’s putting under-18 Instagram users into new “teen accounts” to allow parents greater control over their activities. Australia’s social media age restrictions will still go ahead, however. This story also reminded me that Meta’s president of global affairs is Nick Clegg, former deputy prime minister of the UK and leader of the Liberal Democrats there.
- Government agencies have reported 44 data breaches in the first six months of 2024. The latest report (PDF) from the Office of the Australian Information Commissioner (OAIC) says that’s up 65% on the previous period, making the government sector the second most-breached after health services.
- Overall there’s been a record number of data breach notifications in the past three and a half years, although to be fair organisations may just be paying more attention.
- “Misinformation reports produced by digital platform providers like Meta, Google, and TikTok are plagued with data integrity issues for the fourth year running,” reports InnovationAus. The Australian Communications and Media Authority (ACMA) is not happy, and may step in.
- New from Treasury and the Reserve Bank: Central bank digital currency [CBDC] and the future of digital money in Australia. The conclusion is clear: “There is no strong case for a retail CBDC in Australia at this time. Australia’s current payment system is working well and meets people’s needs.”
- Defence is looking to use Starlink satellite internet on navy vessels as a “quality of life” improvement for sailors.
- I missed this one last week. The Australian Taxation Office (ATO) is looking to invest in “unattributable exploration” of social media and the internet as part of their open-source intelligence (OSINT) program for enforcement. Check the tender documents.
- If you are so inclined, you might enjoy the latest Australian Government Crisis Management Framework (AGCMF).
Elsewhere
- Just like Meta, LinkedIn started harvesting user-generated content to train its AI without asking for permission. Their privacy policy was only updated after the fact.
- Cyber Daily is reporting cybernaughty activity hitting Total Tools and Compass Group.
- The Australian Strategic Policy Institute (ASPI) has an interesting piece on protecting our software supply chains. Maybe the crew at Ghost should’ve read it.
- At The Conversation, Monash Uni’s Professor Stephen King argues that The best way to regulate AI might be not to specifically regulate AI. “Most of the potential uses of AI are already covered by existing rules and regulations designed to do things such as protect consumers, protect privacy, and outlaw discrimination,” he writes.
- A survey published in the journal BMJ Health and Care Informatics reports that one in five UK GPs already use AI such as ChatGPT for daily tasks.
Inquiries of note
With all the new legislation introduced last week, we now have all the committee reviews kicking off.
- There’s the inquiry into the Privacy and Other Legislation Amendment Bill 2024. Submissions close 11 October.
- The inquiry into the Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024. No stated deadline for submissions yet, so just get on with it.
- The inquiry into the Criminal Code Amendment (Hate Crimes) Bill 2024. Submissions close 7 November.
What’s next?
Parliament is now on a break until Tuesday 8 October.
The Senate Select Committee on Adopting AI was due to report this week, but that’s been pushed back to 26 November.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.