[00:00:11] Welcome back, everyone. This afternoon we've got Geoffrey Huntley with what is clearly quite a topical subject, considering how full the room is. Geoff is a software engineer who lives a minimalist lifestyle in a van that's slowly working its way around Australia. Today Geoffrey's going to talk about COVIDSafe, which is the Australian government's phone app that was designed to help with the pandemic. He's going to cover the technical reasons that the app failed to help and the security problems that it caused. Please welcome Geoffrey.

[00:00:49] Hello everyone, thanks for coming here today. My acknowledgements go to everyone here in attendance and the original owners of the land, and also to linux.conf.au for actually making it possible for me to be in attendance. Throughout the talk there's going to be a whole bunch of QR codes. There were so many things that went wrong with this application, and as I go through it I would encourage you to actually have a look at the things that are cited.

[00:01:17] So first, this is kind of personal, right?
[00:01:20] If you remember what it was like back in 2012, so, what it was like back in 2020. This is my story. I was coming out of a long relationship and I had just figured out it wasn't working. So it was also the start of the pandemic; that's another reason why, to me, it was a huge point. So early February I was camping with a whole bunch of hippies down in Tasmania, and if you ever wanted to learn about the ethos of open source I encourage you to go back to the origins and understand the gift-based economy. This is really cool. So here I was camping in early 2020, like in January, and word was starting to get out that over in Babylon the world was changing. Like, love was free, everyone was hugging, and there was no social distancing. It was strange: love and hugs were free and plentiful everywhere. And every day I would go out, check in with my parents, let them know that I'm safe, and the call was made, like, well it's getting a little bit
hectic, so I got on a plane from Scottsdale. Scottsdale has more than potatoes, by the way. And that's what it's like back in January.

[00:02:49] January, like, society was starting to fall apart. All the flights had been cancelled, there were signs everywhere that the cafes were shut down, social distancing, and society kind of entered into a point where time had no meaning. If you remember back then, when the pandemic was first rolling through, everyone was just kind of sitting at home and time was bleeding into each other. Myself, I started building a van with my father, and that was quite great.

[00:03:22] But there was a problem. I'd recently separated, and my kids were in New South Wales; I'm in Queensland. This is why it's personal. So the borders were shut and I was separated by two governments who just really couldn't get their act into gear at all. I went into this in my blog post, and how much this personally affected me. Everyone has their story, but it was 13
weeks since I last saw my children because of these lockdowns. I missed both of their birthdays and the school holiday period. This is really personal. And I was separated by two governments. I never really thought much about state and federal until COVID; COVID really showed the differences of how the Australian government is constructed. And every time I went across that border it was five thousand dollars, every time I entered back into Queensland. So if I was to venture down quickly to see my children, that's five thousand dollars and 14 days hotel isolation. It was pretty grim times. Everyone has a story; this is mine.

[00:04:38] So the government launched this COVIDSafe application. I'm sitting at home and I'm faced with that: I want to see my kids. So they launched this application with grand affair. It was essentially the idea that a mobile technology could fix all our problems, that some application could open back up society. And
well, sitting there with nothing else to do, I jumped straight at it, right? I just want to get back and see my kids. And the government spent 21 million dollars on this application, by the way. 21 million dollars. Only a fraction was spent on the software development, and it's not even worth mentioning how much was spent on the security assessment. That was all spent on advertising and marketing. Ludicrous.

[00:05:33] So the application itself was based upon the Singapore application. Now the Australian government publicly said many times that the Australian application was based off the Singapore application, BlueTrace, and it would fix all the problems that BlueTrace had. And we're like, how's that possible? Because the problem that Singapore is having is, like, it's a userland application; if it goes into the background it doesn't work. That's how the application lifecycle works on iPhone. How could they fix that? It was so strange. So the Australian government got a drop of source code from the
Singapore government, and many weeks went by, and the Singapore government is updating its source code, they're fixing problems in the source code. And it turns out what had actually happened in the procurement: the Australian government had been given essentially a tarball, and it had just been emailed around various agencies. Meanwhile the Singapore government is releasing their stuff open source, and it's possible to contact and work with the engineers, and we're working off an old tarball. And we've actually started looking at this source code, I'll get into that, and there were fixes in the Singapore source code that we just didn't have. So some of these claims just didn't make sense.

[00:06:57] And to make matters worse, we started to get corporate entities pushing "have you installed the application?" We had Foxtel saying you should install the application. We had fast food stores sending push notifications from the Macca's app saying have you installed the app,
install the app, we want to get back into business. And even though it was a complete breach of legislation, we started to get real estate agents saying you must have the application installed to be able to do a property inspection. So strange. The legislation specifically said you cannot require someone to install the application, yet we started entering into that territory.

[00:07:41] And if you're wondering how we got to this place, I think one of the things we can start with was that this application was launched with no technologists. Right? It was a medical tool. With all due respect to people in health, they had a need, they've gone to the market, the market is the Digital Transformation Agency, and said we need an app built. And they did this big launch, and in the launch they're talking about the health benefits, but there was no one there that was actually technical at all. And that's wrong,
because what happened was we got some absolute numpty step up. In the absence of a technologist being provided at these press conferences who could explain how it worked, we got people who should have known better; they just signed a petition without even looking at how the application worked. Sure, at this time the source code wasn't available, but you can decompile an application, you can see how it worked. People started blindly advocating to install the application without any technical due diligence. We had people who, when we decompiled the application, just outright blocked us, like, we're explaining how it worked. Just absolute numpties.

[00:09:10] And meanwhile we had ministers talking about this application and they're putting all their blame on Apple and Google. Now COVIDSafe worked as a userland application on mobile phones, particularly iPhone. What happens is a userland application, when it goes into the background, terminates after 10 minutes. It's actually
worse than that: when it terminates it takes a screenshot of the application. So what happened was the end user, the general public, where they actually thought the application's running, it was just a screenshot. So all this blame was being put onto Apple and Google; meanwhile they weren't using the devices as they're intended. Like, the lifecycle was wrong.

[00:09:56] So with a little bit of coaxing from Paul Fenwick, he was saying there's a few people talking about the application, and I'm like, hey, I'm going to start pulling it apart, decompile the application. And with reckless abandon I decompiled the application and dumped it on GitHub. Licensing, whatever, just dumped it there. Because source code is truth, right? We've got all these people talking about this application, we've got these companies saying download the app before you can come into the workforce and what else have you. And so I
decompiled the application and put together a report of the findings, and we held our own press conference. Right? We held our own press conference. We explained how the application worked, and we started talking primarily from fact. Now this is something anyone here in this room, or anyone watching this talk, can do. Right? If you ever see such circumstances, a lack of technical expertise: if you know something you should say something, because there's a good chance that what you know someone else might not know. And in the absence of that knowledge you get numpties, right? Absolute numpties.

[00:11:19] So, would you believe, in the year 2000 we launched a national product to all the consumers of Australia and there was no monitoring on social media. None. Like, we've got this thing you must download and install the application, but there's no one monitoring social media. So it was myself and a bunch of other people, we started collecting some of the
problems that people are having. And sure, Twitter is a little subsection, but it was really weird times. For example, you couldn't install the application if you were travelling from the UK. The app wasn't available in the international App Store; it was only available in the Australian App Store. Strange. Okay, that's simple, just switch your App Store location. But you can't: you would have to cancel all your subscriptions with that account to be able to switch. And we just started collecting these faults, right? We started just collecting these faults.

[00:12:27] And the application itself, there were sections on launch that, if you tapped in the wrong area, actually said "you have COVID". It was literally a button that said "you have COVID". And on launch we started communicating publicly and collating, working the press, because there was no real way to engage with government agencies, and we said, look, this is going to cause hysteria, and
what do you know, a week later, Nine News: some person in Frankston, here in Melbourne, went into complete lockdown because she thought that the app had diagnosed her with COVID. Anyway.

[00:13:10] Yeah, so, up there you'll see everything. We've been reading through bad reviews on the App Store. That's how the general public of Australia was working: they were doing tech support on App Store reviews. There was just a support@ inbox, no customer... no social media support. Politicians gathering every day, we're in a pandemic, and the Australian public is left doing App Store support reviews. And one of the things we found was, well, you could only register the application if you were on 4G. What? So everyone's trapped at home and they can't register for COVIDSafe because they're on the Wi-Fi. It turned out that there were firewall rules on the back end that blocked connectivity if it was not an Australian IP address. So if anyone does anything with block lists with
IP ranges, you know that they're notoriously bad. So we've got people sitting at home unable to register the application, and the government's saying please download the app to be able to resume society. And that wasn't it. It wasn't just Wi-Fi. What about people from Norfolk Island? Norfolk Island starts with a +64 phone number, right? So it mandated that you needed a +61 phone number. So Australia is made up of many different areas, and it's not just Norfolk Island. It's like, what about all the backpackers, all the fruit pickers? The borders are shut, the borders are shut, and people can't register this application.

[00:14:46] And time's going by and we're becoming even more vocal on social media and actually contacting the agencies. This is a classic, I can't believe this one: the support contacts to direct people how to fix their problems were only displayed if you could register. Yeah. So people couldn't register the application because they had a non-+61 phone number, they're sitting
on a Wi-Fi because they're at home and under isolation. And even worse is, we're finding all these problems and security@ is an alias of support@. So there's no real way to really engage. Like, we found problems with the actual application but there's no way to engage with them, because we're stuck there with all the people who are trying to configure that application. It's not properly triaged, no real way to engage with the government.

[00:15:47] And from studying the source code it was determined that the application was in breach of the legislation and also the privacy policy. Like, identifiers that were meant to be private, that were meant to rotate, were constant. So that meant that it was possible to identify who someone was and your proximity to that person. Ouch. Some safety issues there.

[00:16:20] So we started emailing ministers, we started emailing media contacts, got on the phone and called. I was like, hey, I'm doing an interview
shortly about our findings. They have awareness of us. And nothing. Absolutely nothing, from ministers to media contacts to privacy. Like, we even contacted a law firm that was named on the privacy policy. Absolutely nothing. What is the point of a privacy policy if the people who offered it, ordered it and implemented it are uncontactable and unaccountable? Right? All the players were completely mad.

[00:17:05] We found an implementation error in the Singapore application. Think of that: the engineer fixed it same day. We can link to the GitHub commit where they fixed that. And because we're based off that source code... nothing.

[00:17:25] So this is the part where it gets very interesting. The application was in serious breach of the privacy policy and legislation, people can't register for the application, and the various media contacts, because in journalism you ask for a right of reply and a quote, it's like, oh, we're
following agile. We're following agile. They said we will fix it. So meanwhile myself and a bunch of researchers, we were decompiling the application, we actually automated decompiling the application, and we're looking at the source code. And they shipped their first iteration. They're in complete awareness that this application, like, people having issues being diagnosed with COVID when they tap the wrong location, and they shipped a new coat of paint. The first release of the application was a brand new logo and a brand new look, a fresh look. They didn't fix the privacy policy issues, the thing that actually even made it possible to exist, or in breach of legislation. New coat of paint. They're doing Agile with a capital A.

[00:18:32] So we took our findings, took it to the ABC, 7:30 a.m. slot, Radio National. We expressed our concerns that critical faults are not being resolved, we've got no way to engage with the government, our only choice is essentially drag the government through the
media. That's not really great. That's not great at all.

[00:18:58] So this is probably the best summary I can give of the attitude of the Australian government. It's really unfortunate if you contrast it with, say, the New Zealand government or other governments. Through appearing on Radio National I got some backdoor contacts to the federal PMO, and essentially this was the attitude: because you're speaking with the media first, you can go f off. Like, if I had spoken with them directly and gone to them before speaking with the media, they probably would have accepted our help, but because we spoke with the media... but we wouldn't have had these contacts unless we spoke to the media. Get lost.

[00:19:39] So a couple of good things came from ABC Radio National. We created this thing called AusOpenTech, and AusOpenTech is a collective of engineers. So one of the engineers is here in the room today, Jim, hopefully, and Vanessa, Richard and myself. And basically
we started pulling apart 516 00:20:04,380 --> 00:20:09,299 the application a lot more and we 517 00:20:06,960 --> 00:20:12,480 started looking at various other aspects 518 00:20:09,299 --> 00:20:15,059 so like Jim is a Bluetooth engineer 519 00:20:12,480 --> 00:20:17,640 right and this is uh application that's 520 00:20:15,059 --> 00:20:19,860 meant to be off Bluetooth not a single 521 00:20:17,640 --> 00:20:23,280 like Bluetooth engineer was consulted 522 00:20:19,860 --> 00:20:25,380 about its usage of radios not so ever so 523 00:20:23,280 --> 00:20:27,299 Jim started pulling it apart and we 524 00:20:25,380 --> 00:20:30,480 started really just publishing research 525 00:20:27,299 --> 00:20:32,940 so Aus open Tech is inspired by the 526 00:20:30,480 --> 00:20:35,880 sunflower movement we're just a bunch of 527 00:20:32,940 --> 00:20:38,160 Aussies pushing the status quo and just 528 00:20:35,880 --> 00:20:40,620 think that better technology should 529 00:20:38,160 --> 00:20:42,960 exist in the public sector 530 00:20:40,620 --> 00:20:45,299 you'll find us over here in GitHub so 531 00:20:42,960 --> 00:20:48,000 github.com ozopentech 532 00:20:45,299 --> 00:20:50,100 and right now we're a little bit dormant 533 00:20:48,000 --> 00:20:53,760 but the point being is if something pops 534 00:20:50,100 --> 00:20:55,500 up like the for example each of the each 535 00:20:53,760 --> 00:20:58,380 of the different governments started 536 00:20:55,500 --> 00:20:59,880 pushing these QR code apps and they 537 00:20:58,380 --> 00:21:01,799 started saying that Holograms are 538 00:20:59,880 --> 00:21:05,340 security and like a hologram was an 539 00:21:01,799 --> 00:21:07,320 animated gif right like 540 00:21:05,340 --> 00:21:09,059 so we started pulling that apart so 541 00:21:07,320 --> 00:21:10,980 anytime you see the Australian 542 00:21:09,059 --> 00:21:13,500 government doing something and you're 543 00:21:10,980 --> 00:21:15,900 wondering like this doesn't smell right 
544 00:21:13,500 --> 00:21:18,840 come join us we're probably already 545 00:21:15,900 --> 00:21:20,880 picking it apart or it's very easy to 546 00:21:18,840 --> 00:21:22,559 call or call a rally to come pick it 547 00:21:20,880 --> 00:21:23,700 apart 548 00:21:22,559 --> 00:21:25,860 so 549 00:21:23,700 --> 00:21:29,520 we published our own report 550 00:21:25,860 --> 00:21:31,140 with no way to actually work with the 551 00:21:29,520 --> 00:21:33,299 government we just had to keep working 552 00:21:31,140 --> 00:21:35,700 within the media and that's not great 553 00:21:33,299 --> 00:21:38,520 for confidence in the application 554 00:21:35,700 --> 00:21:41,039 so this is our report I won't have 555 00:21:38,520 --> 00:21:44,159 enough time to get into the inner 556 00:21:41,039 --> 00:21:46,919 details of all our findings but I really 557 00:21:44,159 --> 00:21:48,860 recommend reading that that goes all the 558 00:21:46,919 --> 00:21:51,299 way into the privacy policy 559 00:21:48,860 --> 00:21:54,480 violations some of the problems are 560 00:21:51,299 --> 00:21:58,220 Bluetooth the engagement model 561 00:21:54,480 --> 00:22:01,080 and also I recommend 562 00:21:58,220 --> 00:22:03,600 this series by Royce 563 00:22:01,080 --> 00:22:05,640 Royce looks into the procurement of the 564 00:22:03,600 --> 00:22:07,320 application you can't just look at 565 00:22:05,640 --> 00:22:08,940 technology and isolation of its 566 00:22:07,320 --> 00:22:10,980 implementation its flaws you have to 567 00:22:08,940 --> 00:22:12,840 understand where it came from what were 568 00:22:10,980 --> 00:22:16,500 the circumstances 569 00:22:12,840 --> 00:22:20,400 like a lot of this a lot of this was 570 00:22:16,500 --> 00:22:22,500 created by contracts subbed out by 571 00:22:20,400 --> 00:22:24,240 digital transformation agency 572 00:22:22,500 --> 00:22:26,100 now these contracts are all commercial 573 00:22:24,240 --> 00:22:28,020 and confidence 574 00:22:26,100 --> 00:22:31,140 
now commercial and confidence is a 575 00:22:28,020 --> 00:22:33,900 fantastic way to hinder Freedom of 576 00:22:31,140 --> 00:22:37,080 Information requests 577 00:22:33,900 --> 00:22:39,919 so you probably guess why they quite 578 00:22:37,080 --> 00:22:39,919 like this approach 579 00:22:40,440 --> 00:22:45,720 caught up with Jim the other day and he 580 00:22:42,720 --> 00:22:47,520 said the stakes of in Bluetooth for 581 00:22:45,720 --> 00:22:49,620 covert safe were 582 00:22:47,520 --> 00:22:51,539 obvious and predictable 583 00:22:49,620 --> 00:22:53,280 obviously predictable 584 00:22:51,539 --> 00:22:56,700 while pen tests were done on really 585 00:22:53,280 --> 00:22:58,980 basic things such as checking SSL so 586 00:22:56,700 --> 00:23:01,440 it's append 587 00:22:58,980 --> 00:23:03,240 a technology that hinged upon the usage 588 00:23:01,440 --> 00:23:05,760 of radio no one actually really looked 589 00:23:03,240 --> 00:23:07,860 Weber radio could actually do what it 590 00:23:05,760 --> 00:23:10,440 was said to do 591 00:23:07,860 --> 00:23:11,940 now the way covered safe Works in 592 00:23:10,440 --> 00:23:15,240 general is you have a mobile mobile 593 00:23:11,940 --> 00:23:17,520 operating system iPhone or Android and 594 00:23:15,240 --> 00:23:21,539 the application runs in userland 595 00:23:17,520 --> 00:23:24,780 and what happens is the application is 596 00:23:21,539 --> 00:23:27,600 divided two parts client and server 597 00:23:24,780 --> 00:23:28,799 and the server advertises hey I'm 598 00:23:27,600 --> 00:23:30,900 covered safe 599 00:23:28,799 --> 00:23:32,940 and then the client goes hey are you 600 00:23:30,900 --> 00:23:36,480 covered safe 601 00:23:32,940 --> 00:23:38,640 and if there's an agreeance because it 602 00:23:36,480 --> 00:23:40,740 you trust what the client says right 603 00:23:38,640 --> 00:23:43,760 this client the server says it does a 604 00:23:40,740 --> 00:23:43,760 Bluetooth pairing 605 00:23:45,120 --> 
00:23:50,059 yeah 606 00:23:47,700 --> 00:23:52,860 so this was meant to be the application 607 00:23:50,059 --> 00:23:54,900 that we were told download the app and 608 00:23:52,860 --> 00:23:57,539 you can go to the footy 609 00:23:54,900 --> 00:23:59,820 when I said that no real 610 00:23:57,539 --> 00:24:03,240 fundamentals from a radio perspective 611 00:23:59,820 --> 00:24:05,640 were done or looking at from if from a 612 00:24:03,240 --> 00:24:08,100 time and space complexity this is 613 00:24:05,640 --> 00:24:12,740 essentially the N handshake problem 614 00:24:08,100 --> 00:24:16,080 right it's a stateful based protocol 615 00:24:12,740 --> 00:24:18,539 where it's going around and it's doing 616 00:24:16,080 --> 00:24:20,820 Bluetooth pairing with all the different 617 00:24:18,539 --> 00:24:22,620 devices in the stadium it's a no end 618 00:24:20,820 --> 00:24:25,020 problem right the more people you're 619 00:24:22,620 --> 00:24:26,760 around the worse it performs which is a 620 00:24:25,020 --> 00:24:29,640 complete opposite of what we actually 621 00:24:26,760 --> 00:24:32,159 needed what we needed was a stateless 622 00:24:29,640 --> 00:24:33,900 broadcast protocol so the more people 623 00:24:32,159 --> 00:24:35,880 around the better performed we're 624 00:24:33,900 --> 00:24:38,400 covered safe as it was 625 00:24:35,880 --> 00:24:42,179 just on a time and space basis is on 626 00:24:38,400 --> 00:24:45,120 right doesn't make sense now 627 00:24:42,179 --> 00:24:48,919 you probably caught something 628 00:24:45,120 --> 00:24:48,919 remember I said are you covered safe 629 00:24:49,440 --> 00:24:54,240 you should never trust the client ever 630 00:24:52,080 --> 00:24:56,580 and you never should the client should 631 00:24:54,240 --> 00:24:58,140 never trust the cert so the server 632 00:24:56,580 --> 00:25:00,900 should never trust the client and server 633 00:24:58,140 --> 00:25:03,780 should earns vice versa 634 00:25:00,900 --> 00:25:06,059 so it 
works by going are you covered 635 00:25:03,780 --> 00:25:09,020 safe 636 00:25:06,059 --> 00:25:09,020 you see the problem 637 00:25:09,059 --> 00:25:14,820 yeah 638 00:25:11,460 --> 00:25:16,919 so this is one of the research findings 639 00:25:14,820 --> 00:25:19,799 by Jim 640 00:25:16,919 --> 00:25:23,220 it's a 9.8 CV 641 00:25:19,799 --> 00:25:25,500 and what happens is if 642 00:25:23,220 --> 00:25:27,539 someone says that they're covered safe 643 00:25:25,500 --> 00:25:29,760 the phone if it's running covered safe 644 00:25:27,539 --> 00:25:32,400 would certainly pair 645 00:25:29,760 --> 00:25:35,100 do a Bluetooth pairing 646 00:25:32,400 --> 00:25:37,980 with that device 647 00:25:35,100 --> 00:25:40,320 so anyone could just walk around and say 648 00:25:37,980 --> 00:25:41,760 I am covered safe and your phone would 649 00:25:40,320 --> 00:25:43,559 pair to it 650 00:25:41,760 --> 00:25:46,740 now the thing about how Bluetooth works 651 00:25:43,559 --> 00:25:48,120 is Bluetooth has profiles 652 00:25:46,740 --> 00:25:50,600 and a different type of profiles 653 00:25:48,120 --> 00:25:52,520 headphones 654 00:25:50,600 --> 00:25:55,140 mice 655 00:25:52,520 --> 00:25:56,760 keyboards network adapters you name it 656 00:25:55,140 --> 00:25:58,200 all the capabilities so once you've done 657 00:25:56,760 --> 00:25:59,640 a Bluetooth pairing you switch the 658 00:25:58,200 --> 00:26:02,640 profile 659 00:25:59,640 --> 00:26:06,779 so in the midst of a map it emits of a 660 00:26:02,640 --> 00:26:08,400 like a mass cyber scare about telerate 661 00:26:06,779 --> 00:26:10,440 controls and all the rest of you 662 00:26:08,400 --> 00:26:11,580 remember back then 663 00:26:10,440 --> 00:26:13,500 we had the Australian government 664 00:26:11,580 --> 00:26:15,299 advocating everyone to download the app 665 00:26:13,500 --> 00:26:18,360 install the app and it just allowed 666 00:26:15,299 --> 00:26:20,000 anyone to just silently pair with you 667 00:26:18,360 --> 
00:26:22,500 and then switch the Bluetooth profile 668 00:26:20,000 --> 00:26:24,720 wild now 669 00:26:22,500 --> 00:26:26,279 there was a talk a couple of days ago 670 00:26:24,720 --> 00:26:29,220 they were talking about I think it was 671 00:26:26,279 --> 00:26:30,179 on terminals and people implement the 672 00:26:29,220 --> 00:26:34,200 spec 673 00:26:30,179 --> 00:26:36,480 and they they aren't aware of cves that 674 00:26:34,200 --> 00:26:40,679 reflect that spec this is something here 675 00:26:36,480 --> 00:26:43,440 this is not just covered safe I see uh 676 00:26:40,679 --> 00:26:44,700 there's uh someone working in the active 677 00:26:43,440 --> 00:26:48,960 business space they want to do a 678 00:26:44,700 --> 00:26:51,240 mesh-based SMS type being well this type 679 00:26:48,960 --> 00:26:53,760 of CB still exists if you use Bluetooth 680 00:26:51,240 --> 00:26:56,820 to randomly pair with random people 681 00:26:53,760 --> 00:26:59,340 you're going to have this cve keep it in 682 00:26:56,820 --> 00:27:00,779 mind anytime someone says Bluetooth and 683 00:26:59,340 --> 00:27:03,059 they're starting using Bluetooth in this 684 00:27:00,779 --> 00:27:04,200 manner you're going to run against this 685 00:27:03,059 --> 00:27:05,760 the same problem the Australian 686 00:27:04,200 --> 00:27:07,740 government had 687 00:27:05,760 --> 00:27:09,059 and 688 00:27:07,740 --> 00:27:11,039 essentially 689 00:27:09,059 --> 00:27:13,020 one of the things that's really sad is 690 00:27:11,039 --> 00:27:15,200 the Australian government focused on 691 00:27:13,020 --> 00:27:18,059 kind of like an All or Nothing approach 692 00:27:15,200 --> 00:27:20,580 they they focused on that the 693 00:27:18,059 --> 00:27:22,500 application should be centralized 694 00:27:20,580 --> 00:27:25,260 right it must be centralized because 695 00:27:22,500 --> 00:27:28,080 because the health professionals need a 696 00:27:25,260 --> 00:27:31,200 centralized system but that focus on a 
697 00:27:28,080 --> 00:27:35,820 centralized system lost trust in the 698 00:27:31,200 --> 00:27:38,279 community it spawned media Cycles 699 00:27:35,820 --> 00:27:40,980 about whether like where is the data 700 00:27:38,279 --> 00:27:42,960 stored it's stored in AWS Etc that 701 00:27:40,980 --> 00:27:45,299 entire thing that eroded public 702 00:27:42,960 --> 00:27:47,100 confidence could have been avoided with 703 00:27:45,299 --> 00:27:50,220 a decentralized system 704 00:27:47,100 --> 00:27:52,140 and by focusing on centralization 705 00:27:50,220 --> 00:27:54,659 that constrained what they could 706 00:27:52,140 --> 00:27:57,179 actually do to be essentially running as 707 00:27:54,659 --> 00:27:59,700 a user-led application Google and apple 708 00:27:57,179 --> 00:28:02,279 came across came with an alternative 709 00:27:59,700 --> 00:28:04,919 approach which was broadcast based and 710 00:28:02,279 --> 00:28:08,100 other countries deployed this system and 711 00:28:04,919 --> 00:28:09,539 it allowed for the ability for people to 712 00:28:08,100 --> 00:28:12,539 actually opt in and communicate with 713 00:28:09,539 --> 00:28:15,299 health professionals but by focusing all 714 00:28:12,539 --> 00:28:17,220 on centralized they lost the trust of 715 00:28:15,299 --> 00:28:20,360 the Australian public 716 00:28:17,220 --> 00:28:20,360 and they got nothing 717 00:28:20,880 --> 00:28:25,400 and it was just really just a missed 718 00:28:22,919 --> 00:28:25,400 opportunity 719 00:28:25,500 --> 00:28:29,100 because 720 00:28:27,179 --> 00:28:31,320 we started to see the individual State 721 00:28:29,100 --> 00:28:32,580 departments the state departments don't 722 00:28:31,320 --> 00:28:35,159 develop their own individual 723 00:28:32,580 --> 00:28:36,840 applications and they started saying you 724 00:28:35,159 --> 00:28:39,000 need to register for this application 725 00:28:36,840 --> 00:28:40,620 you need to scan the QR code if you 726 00:28:39,000 --> 
00:28:43,200 wanted to go to the cafe 727 00:28:40,620 --> 00:28:45,120 and the missed opportunity is well I'm 728 00:28:43,200 --> 00:28:47,460 traveling around Australia in a van and 729 00:28:45,120 --> 00:28:48,779 let me tell you I had to install all 730 00:28:47,460 --> 00:28:51,000 these apps 731 00:28:48,779 --> 00:28:52,440 and the registration flow for each one 732 00:28:51,000 --> 00:28:53,840 of these apps was all completely 733 00:28:52,440 --> 00:28:56,520 different 734 00:28:53,840 --> 00:28:57,900 and I'm technically literate like they 735 00:28:56,520 --> 00:28:59,760 they were 736 00:28:57,900 --> 00:29:02,340 on the borders with New South Wales in 737 00:28:59,760 --> 00:29:04,740 Victoria there was gray Nomads like 738 00:29:02,340 --> 00:29:06,179 creating little Villages either side and 739 00:29:04,740 --> 00:29:07,860 they're trying to get the apps installed 740 00:29:06,179 --> 00:29:09,419 they couldn't get it installed 741 00:29:07,860 --> 00:29:11,820 and this could have been a federal 742 00:29:09,419 --> 00:29:13,080 system this could have been the QR codes 743 00:29:11,820 --> 00:29:15,659 could have been in the federal 744 00:29:13,080 --> 00:29:18,480 application 745 00:29:15,659 --> 00:29:20,580 New Zealand did this that one app that 746 00:29:18,480 --> 00:29:22,919 worked everywhere in Australia we had 747 00:29:20,580 --> 00:29:25,440 each individual each individual state 748 00:29:22,919 --> 00:29:27,539 had their own individual implementation 749 00:29:25,440 --> 00:29:30,179 and the implementations weren't 750 00:29:27,539 --> 00:29:32,340 protected by by strong privacy and 751 00:29:30,179 --> 00:29:34,740 legislation so for example Western 752 00:29:32,340 --> 00:29:36,360 Australia the police started using the 753 00:29:34,740 --> 00:29:37,559 collection centralized collection of 754 00:29:36,360 --> 00:29:39,659 data 755 00:29:37,559 --> 00:29:42,179 to go after criminals which further 756 00:29:39,659 --> 00:29:43,200 
eroded trust in the application this 757 00:29:42,179 --> 00:29:45,299 could have been a centralized 758 00:29:43,200 --> 00:29:47,100 application 759 00:29:45,299 --> 00:29:49,120 and what we got was 760 00:29:47,100 --> 00:29:50,399 an addiction to press conferences 761 00:29:49,120 --> 00:29:51,659 [Music] 762 00:29:50,399 --> 00:29:55,760 right 763 00:29:51,659 --> 00:29:58,620 like we're in Melbourne this says enough 764 00:29:55,760 --> 00:30:00,960 this says enough 765 00:29:58,620 --> 00:30:03,080 right wow 766 00:30:00,960 --> 00:30:05,399 and it wasn't just Melbourne it was 767 00:30:03,080 --> 00:30:06,600 every state 768 00:30:05,399 --> 00:30:10,200 now 769 00:30:06,600 --> 00:30:11,760 it's now 2023. entire generations of 770 00:30:10,200 --> 00:30:14,039 people have been raised without 771 00:30:11,760 --> 00:30:15,840 television they don't know who Molly 772 00:30:14,039 --> 00:30:17,820 Meldrum is they don't watch the Oscars 773 00:30:15,840 --> 00:30:18,960 they don't know anything but for some 774 00:30:17,820 --> 00:30:21,360 reason 775 00:30:18,960 --> 00:30:23,220 for this particular thing they need to 776 00:30:21,360 --> 00:30:25,320 turn on this TV and they'd find the coax 777 00:30:23,220 --> 00:30:26,279 cable and plug in their TV or find some 778 00:30:25,320 --> 00:30:27,779 way to connect 779 00:30:26,279 --> 00:30:30,840 and it's such a missed opportunity 780 00:30:27,779 --> 00:30:31,740 because everyone had an app on their 781 00:30:30,840 --> 00:30:33,539 phone 782 00:30:31,740 --> 00:30:35,279 the app on their phone could have been 783 00:30:33,539 --> 00:30:37,080 like a weather report it could have 784 00:30:35,279 --> 00:30:40,380 shown all the information of relevance 785 00:30:37,080 --> 00:30:42,240 and need to allow them to convey the 786 00:30:40,380 --> 00:30:43,500 information instead they do press 787 00:30:42,240 --> 00:30:45,899 conferences 788 00:30:43,500 --> 00:30:47,760 and from then it turned into Chinese 789 
00:30:45,899 --> 00:30:50,640 Whispers people would 790 00:30:47,760 --> 00:30:52,260 like report upon what was said they had 791 00:30:50,640 --> 00:30:53,580 the power of distribution it was on 792 00:30:52,260 --> 00:30:56,340 everyone's phones 793 00:30:53,580 --> 00:30:57,600 but press conferences that makes no 794 00:30:56,340 --> 00:30:59,760 sense 795 00:30:57,600 --> 00:31:01,940 like we just got a bunch of Bin chickens 796 00:30:59,760 --> 00:31:04,919 on television 797 00:31:01,940 --> 00:31:07,679 and it's just so sad because the 798 00:31:04,919 --> 00:31:11,100 underlying problems that affected covert 799 00:31:07,679 --> 00:31:12,899 and covert safe are still here today 800 00:31:11,100 --> 00:31:14,580 like I can talk about the technology 801 00:31:12,899 --> 00:31:16,380 problems and all the implementations 802 00:31:14,580 --> 00:31:19,020 launches never go right 803 00:31:16,380 --> 00:31:21,360 but the underlying problems have not 804 00:31:19,020 --> 00:31:23,580 been resolved 805 00:31:21,360 --> 00:31:25,440 for one 806 00:31:23,580 --> 00:31:26,700 the Australian government is still not a 807 00:31:25,440 --> 00:31:29,880 CNA 808 00:31:26,700 --> 00:31:33,179 now the CNA is responsible for the 809 00:31:29,880 --> 00:31:35,820 numbering when you raise a cve if you 810 00:31:33,179 --> 00:31:37,860 have a product 811 00:31:35,820 --> 00:31:40,140 your and you want to be involved in the 812 00:31:37,860 --> 00:31:41,640 process and someone raising a security 813 00:31:40,140 --> 00:31:44,279 defect 814 00:31:41,640 --> 00:31:47,700 then you should be a CNA 815 00:31:44,279 --> 00:31:49,500 in this case we raised the cve there was 816 00:31:47,700 --> 00:31:51,299 a 9.8 and the Australian government 817 00:31:49,500 --> 00:31:54,059 tried to actually get it downgraded 818 00:31:51,299 --> 00:31:55,500 because it didn't look politically great 819 00:31:54,059 --> 00:31:57,179 so 820 00:31:55,500 --> 00:32:00,200 you're still not a CNA 821 
00:31:57,179 --> 00:32:00,200 we should be a senior 822 00:32:00,299 --> 00:32:04,140 we still don't have a vulnerability 823 00:32:01,740 --> 00:32:05,399 disclosure program 824 00:32:04,140 --> 00:32:08,159 right 825 00:32:05,399 --> 00:32:11,100 the uh the ASD 826 00:32:08,159 --> 00:32:12,179 so 1300 cyber one you try calling and 827 00:32:11,100 --> 00:32:14,700 they're like oh yeah thanks for your 828 00:32:12,179 --> 00:32:16,080 report and goodbye I don't even know if 829 00:32:14,700 --> 00:32:19,320 like some of the stuff we were working 830 00:32:16,080 --> 00:32:22,080 on like it was it was strange like that 831 00:32:19,320 --> 00:32:24,000 that vulnerability Jim was like on 832 00:32:22,080 --> 00:32:25,740 LinkedIn sending messages to governments 833 00:32:24,000 --> 00:32:28,080 in Morocco and all these other company 834 00:32:25,740 --> 00:32:29,640 countries that use this application 835 00:32:28,080 --> 00:32:30,659 we've got no security clearances and 836 00:32:29,640 --> 00:32:33,779 we're just randomly connecting with 837 00:32:30,659 --> 00:32:35,580 different countries like we're in murky 838 00:32:33,779 --> 00:32:37,980 Waters right we've got no security 839 00:32:35,580 --> 00:32:40,020 clearances we don't even know if it's 840 00:32:37,980 --> 00:32:42,000 safe what we're doing we just want to 841 00:32:40,020 --> 00:32:43,320 help the general public and what we 842 00:32:42,000 --> 00:32:44,820 found in Australia affected other 843 00:32:43,320 --> 00:32:46,380 countries as well 844 00:32:44,820 --> 00:32:48,659 we sort of have a vulnerability 845 00:32:46,380 --> 00:32:51,240 disclosure program some people focus on 846 00:32:48,659 --> 00:32:53,820 the bug Bounty which is the idea of 847 00:32:51,240 --> 00:32:56,520 payout payouts Etc but Bounty is not it 848 00:32:53,820 --> 00:32:58,140 it's actually about a process to engage 849 00:32:56,520 --> 00:33:00,480 the government and to coordinate 850 00:32:58,140 --> 00:33:02,220 
releases we still don't have that and 851 00:33:00,480 --> 00:33:05,419 that's sad 852 00:33:02,220 --> 00:33:09,240 there Still Remains no way to build 853 00:33:05,419 --> 00:33:11,460 software openly with the government 854 00:33:09,240 --> 00:33:12,659 the example I'd like to give here is the 855 00:33:11,460 --> 00:33:14,640 Dutch government that's why we've got 856 00:33:12,659 --> 00:33:16,679 windmills 857 00:33:14,640 --> 00:33:18,419 the Dutch government 858 00:33:16,679 --> 00:33:20,399 they were stuffing up as hard as the 859 00:33:18,419 --> 00:33:22,380 Australian government 860 00:33:20,399 --> 00:33:24,240 now they decided they're going to fix 861 00:33:22,380 --> 00:33:26,960 their problems by holding a hackathon 862 00:33:24,240 --> 00:33:29,940 with pizza 863 00:33:26,960 --> 00:33:31,799 Innovation Theater now what they got was 864 00:33:29,940 --> 00:33:33,960 in that competition they held they got 865 00:33:31,799 --> 00:33:36,659 they got companies re-badging the 866 00:33:33,960 --> 00:33:38,279 Singapore application as if it was their 867 00:33:36,659 --> 00:33:39,799 own application 868 00:33:38,279 --> 00:33:42,299 they got 869 00:33:39,799 --> 00:33:45,779 so many things that just would not be 870 00:33:42,299 --> 00:33:48,419 compliant it was essentially pizzaware 871 00:33:45,779 --> 00:33:50,100 now this is the part that's wild 872 00:33:48,419 --> 00:33:53,159 the 873 00:33:50,100 --> 00:33:55,140 the intelligence organization in the 874 00:33:53,159 --> 00:33:59,299 Netherlands actually did their own 875 00:33:55,140 --> 00:33:59,299 assessment they leaked it to the Press 876 00:34:00,720 --> 00:34:05,700 that's how they managed to change their 877 00:34:02,700 --> 00:34:08,099 the the political landscape in there 878 00:34:05,700 --> 00:34:10,260 they were going in a bad place 879 00:34:08,099 --> 00:34:13,320 they were going in a bad place as a 880 00:34:10,260 --> 00:34:16,200 result of that leak a wise idea came up 881 
00:34:13,320 --> 00:34:18,720 let's build in the open like all the 882 00:34:16,200 --> 00:34:21,300 software Engineers are just sitting here 883 00:34:18,720 --> 00:34:22,980 like time is meaningless and they all 884 00:34:21,300 --> 00:34:24,899 want to help out 885 00:34:22,980 --> 00:34:27,839 so they started they opened the GitHub 886 00:34:24,899 --> 00:34:30,359 repo and the minister for health 887 00:34:27,839 --> 00:34:32,580 actually committed a git commit 888 00:34:30,359 --> 00:34:34,980 first get commit and it was essentially 889 00:34:32,580 --> 00:34:36,599 top to bottom of the application being 890 00:34:34,980 --> 00:34:38,220 open source and inviting people to come 891 00:34:36,599 --> 00:34:41,580 build it with them 892 00:34:38,220 --> 00:34:43,320 they started doing sprints where you 893 00:34:41,580 --> 00:34:45,839 could anyone in Australia I was here in 894 00:34:43,320 --> 00:34:47,280 Australia dialing into a Dutch call and 895 00:34:45,839 --> 00:34:50,159 were just sharing knowledge backwards 896 00:34:47,280 --> 00:34:53,460 and forwards it was lovely 897 00:34:50,159 --> 00:34:57,420 um the ux was designed by the engineer 898 00:34:53,460 --> 00:34:58,680 of uber here's Dutch right and all these 899 00:34:57,420 --> 00:35:00,300 people started contributing their Time 900 00:34:58,680 --> 00:35:02,880 pro bono 901 00:35:00,300 --> 00:35:04,560 there's no such thing to be able to do 902 00:35:02,880 --> 00:35:06,420 that here in Australia at this stage and 903 00:35:04,560 --> 00:35:07,800 that's really sad 904 00:35:06,420 --> 00:35:09,900 now 905 00:35:07,800 --> 00:35:11,760 something that was good that came out of 906 00:35:09,900 --> 00:35:14,880 the Dutch government was they actually 907 00:35:11,760 --> 00:35:17,220 held a symposium at the end end of it 908 00:35:14,880 --> 00:35:18,540 and they between different governments 909 00:35:17,220 --> 00:35:19,920 of different countries with the public 910 00:35:18,540 --> 00:35:22,260 
sector workers 911 00:35:19,920 --> 00:35:24,000 and they actually shared Lessons Learned 912 00:35:22,260 --> 00:35:25,920 the UK were there and a few other 913 00:35:24,000 --> 00:35:27,540 countries noticeably absent was 914 00:35:25,920 --> 00:35:29,520 Australia 915 00:35:27,540 --> 00:35:33,560 I was there 916 00:35:29,520 --> 00:35:33,560 so we need to fix that 917 00:35:34,680 --> 00:35:38,700 hmm 918 00:35:36,480 --> 00:35:41,640 because the status quo that we have now 919 00:35:38,700 --> 00:35:42,960 is essentially if you know something you 920 00:35:41,640 --> 00:35:44,220 say something you could drag the 921 00:35:42,960 --> 00:35:45,900 government for the media and that's not 922 00:35:44,220 --> 00:35:48,420 that really doesn't help 923 00:35:45,900 --> 00:35:51,240 so we were pushing very hard for source 924 00:35:48,420 --> 00:35:52,560 code to be released very hard to source 925 00:35:51,240 --> 00:35:55,140 code to get released 926 00:35:52,560 --> 00:35:58,020 and in the end they did start releasing 927 00:35:55,140 --> 00:36:00,720 source code it was nice kinda 928 00:35:58,020 --> 00:36:04,320 kinda this probably sum up the attitude 929 00:36:00,720 --> 00:36:05,520 and like skill set that we have here 930 00:36:04,320 --> 00:36:08,160 um essentially what they were doing 931 00:36:05,520 --> 00:36:09,960 every release was unzipping a tar ball 932 00:36:08,160 --> 00:36:12,599 on top of the repo and then committing 933 00:36:09,960 --> 00:36:15,300 that that repo that that was that was 934 00:36:12,599 --> 00:36:17,400 great and the software license that it 935 00:36:15,300 --> 00:36:19,020 was released under was not open source 936 00:36:17,400 --> 00:36:22,140 whatsoever 937 00:36:19,020 --> 00:36:25,859 it contained this absolute Corker 938 00:36:22,140 --> 00:36:28,440 and this was quite alarming 939 00:36:25,859 --> 00:36:30,660 buried down in a couple paragraphs it 940 00:36:28,440 --> 00:36:33,780 says by viewing this source code I am 
941 00:36:30,660 --> 00:36:36,180 responsible for any costs of third-party 942 00:36:33,780 --> 00:36:37,560 claims associated with my access to this 943 00:36:36,180 --> 00:36:40,440 source code 944 00:36:37,560 --> 00:36:43,140 and must pay those claims on request 945 00:36:40,440 --> 00:36:44,760 what 946 00:36:43,140 --> 00:36:47,280 it's right there on the repo you can go 947 00:36:44,760 --> 00:36:49,320 have a look so meanwhile this software 948 00:36:47,280 --> 00:36:51,300 is being built commercial and competence 949 00:36:49,320 --> 00:36:53,280 by all these business by all these 950 00:36:51,300 --> 00:36:54,540 corporations and we're a bunch of 951 00:36:53,280 --> 00:36:57,119 technologists talking about this 952 00:36:54,540 --> 00:37:00,300 application and the problems right 953 00:36:57,119 --> 00:37:03,720 well there's Rites of Remedy right like 954 00:37:00,300 --> 00:37:06,000 what happens are we what legal place are 955 00:37:03,720 --> 00:37:09,480 we as researchers are we causing damage 956 00:37:06,000 --> 00:37:11,579 to them and by viewing that source code 957 00:37:09,480 --> 00:37:14,220 can they come after us 958 00:37:11,579 --> 00:37:15,480 so we never looked at the source code we 959 00:37:14,220 --> 00:37:17,339 just kept looking at our decompiled 960 00:37:15,480 --> 00:37:19,140 source code because that that worked for 961 00:37:17,339 --> 00:37:21,599 us 962 00:37:19,140 --> 00:37:24,540 anyway so now the application is 963 00:37:21,599 --> 00:37:26,040 scrapped it cost us 21 million and a lot 964 00:37:24,540 --> 00:37:28,020 of the a lot of the things that cause 965 00:37:26,040 --> 00:37:30,000 the application to be a failure are 966 00:37:28,020 --> 00:37:31,980 still here because we don't have a way 967 00:37:30,000 --> 00:37:33,780 to publicly engage 968 00:37:31,980 --> 00:37:36,660 we're from the Department 969 00:37:33,780 --> 00:37:38,339 now one thing I can ask is check your 970 00:37:36,660 --> 00:37:39,839 parents 
[00:37:38] phone. Check your grandparents' phone; they've probably still got the app installed. I come across a lot of people in my travels and they still have the app installed. So help them get rid of the app. Delete the app.

[00:37:51] And I suppose one of the underlying things of why I really personally got involved, apart from trying to see what I could do to expedite seeing my kids, etc., was because this was meant to be the app that's going to open up the economy, etc. The idea is, if you had the app, maybe you could cross the border sooner. Hell yeah, I'm in. Now, medical professionals deserve tools that work, right? This is a product that was launched without any technology representation. We had absolute numpties turn up and talk about how the app worked without actually looking at how the app worked. We had media continually on the trail, speaking with us, and they're going "we know it's not working, right?", and it started creating this forceful feedback cycle back to medical practitioners saying "hey, is the app working? Can I get a comment?" It got really politicized, and it's just really sad, because if they're getting this pressure of "you must use the application", essentially what's happening is they're being forced to use a tool that doesn't work. And if you've only got eight hours a day and you've been forced to use a tool that we know is ineffective, but they're doing it anyway for political reasons, that's robbing time that could be better spent contact tracing through traditional methods. And there were other techniques that could have worked. It's just sad.

[00:39:17] Anyway, these days I'm building a little hacker pad down on Kangaroo Island. If you're ever down that area near Adelaide, please say hello. Just a nice little place where you can come hack on open source, and a little bit later I'd like to encourage you to get on the beers.

[00:39:36] Thank you so much for being here. Please have a look at these two reports. On the left is our independent report that went into all the problems, with timelines of how and when it all went down. The one on the right looks at the commercials and how all these agreements between the DTA and the rest of the organisations worked. Thank you.

[00:40:08] We've got about five minutes, so if anyone's got some questions that would be relevant to be heard in this environment, please do put your hand up. Frighten them all. You've been carrying this app around in your pocket, you must have questions.

[00:40:33] Thank you. You said that you kind of, I guess, wish the government had more of an approach to doing collaborative open source development around things like this, and that it should be a model for that, and how do we do that? I guess, having worked in the government previously, that's not normally possible. The government doesn't really know how to do that, it doesn't have trust in community to do that for them, but we have a huge wealth of talent in the country, and I guess it was perhaps a lost opportunity that people didn't come together to maybe try to build something like this at the start of the pandemic independently, and kind of deliver that solution, maybe in tandem, or, you know, as an example. And I guess I wonder how do we make sure we engage those communities, or stay in touch with those communities, to make that stuff happen? Because ultimately, to build public good, you need a community around it. That's what this conversation and all this is really about. I just wonder how do we do that? Do you have ideas?

[00:41:33] Yeah, sure. So the question is how do we essentially engage and build in public? So, I attended a peer's talk yesterday, that was lovely, she has some ideas. As for engaging community, it was such a missed opportunity. Everyone was just sitting at home, right? The Dutch government understood this eventually. The minister who was responsible for that is now the Dutch minister of innovation; he did quite well out of it. What can we do? I don't know. I honestly don't know. I can recommend joining the Oz Open Tech Discord, or if you see the government's launching something, just come start a discussion in there, because so far we've pulled apart everything from how voting machines and elections work, through Vanessa's work, to the contact tracing apps, to myself. I did a little application called jabmaker.com and it would generate a COVID vaccination certificate, because authenticity in Australia is apparently just a PDF. Yes, but the point being is we've got a whole bunch of essentially troublemakers there who are technically confident and will pull apart the application. So it's been good because it's brought together like-minded minds, but throwing crap in the press is not the best way to engage. So something I hope someone here, or someone who watches this talk, does: there needs to be change, because there are a lot of people who are technically competent, they know what you're speaking about, they're starting to organise, and the alternative is you get dragged in the media. It's just not going to work. The literacy is continually improving and people are able to see something's wrong. It was such a wasted opportunity. You look at the Zoomers and all the rest, and they've got no free-to-air TV, and yet they had to tune in to free-to-air TV. It was weird. So we need proper digital engagement techniques, and I'm not sure how or what needs to be changed, but I'm looking forward to it.

[00:43:59] I enjoyed that immensely. My question is maybe more practical. Did you ever get a response from the government or from the COVIDSafe people through their support team, or did you get any interaction at all?

[00:44:13] Yeah, so that's an interesting question. So the question was: did we ever get into contact with the government as a result? Yes. One connection to the federal PMO office that basically told us to go get effed. And the other one was we got a contact in the "Didn't Transform Anything" Department. Yeah, there's some story there. And I suppose if you're in that department, you're in that government, and credible people who are expert in their domain come up and speak, your one job if you're in that public sector is essentially to connect your agency with those knowledgeable, credible people and help work towards a good public outcome. So yeah, we got a contact there at a director level, they looked at our findings, and then they shipped a new coat of paint, at which point we were like, "no, stop this, we're just going to keep publishing our own stuff." I encourage you to catch up with Jim in the hallway track, or myself, and I can go into a little bit more, but essentially it was all falling on deaf ears. It was just a stain. Yeah, for all this, they've never actually launched an initiative direct to consumer. The agency essentially engages contracts between different departments of the government, or they work with enterprise; the idea of a brand new mobile phone release is something that they've never done before. And the fact there was no customer support or all the rest, it just wasn't even thought of. So fundamentally something needs to change in that department. So yeah, we got some contacts, but we very quickly discarded those contacts when they discarded us.

[00:46:11] Yes, please, Jim. OK, I'll just bring you a microphone.

[00:46:20] Thank you, Jeff, that was a wonderful talk, and also thank you for all the work you did at the time and subsequently. I actually did get contacted by the DTA much later in the process, and at this point the iPhone app still doesn't work, and despite all of what Jeff has just told us, they actually came to us and asked for help because they weren't able to make the iPhone app work. And I'm not an iPhone developer, and it wasn't... I was just trying to help convey the technical details and mediate that, but Richard was another person. Yeah. And what was incredible to me, and probably one of a thousand different moments that completely blew my mind, was that even in that moment, asking for help, they seemed to be unable to figure out how to engage with us properly. And because we wanted to, we helped, we wanted to make the app work, whatever built the credit that we needed to have them listen, and in that process we still couldn't seem to get across the line and get the problem fixed. And it was incredible how difficult they made it; even when they were on the back foot, they still made it hard to work with us. Yeah, and then subsequently all of the things that involved reporting security issues and things like that, and there's a lot of contacts that came a lot later, this is kind of nine months into the thing, they still were very selective about what they replied to in emails, they still were very unclear what they wanted us to do and how they wanted us to communicate.

[00:47:39] So, Jim, the problem was we're not a commercial entity, we're a collective community, and like a collective community, you can't put that in a statement of work or paper around it. And yeah, so we would have had more success if we were Oz Open Tech as an entity that could have joined some sort of legal contract, like the Liberals, etc. They just didn't know how to engage with a whole bunch of people who are subject matter experts in their own particular way. They just had no playbook at all.

[00:48:32] But it sounds like actually people would... it's your break, do you want to keep talking?

[00:48:38] So someone asked a question over there: how do we do this differently? Well, it's not a technical solution, it's a community solution. And we can, yeah.

[00:48:54] That's the wonderful thing about this community. That's why you're here. Yeah, so on behalf of the people here, it's a little gift from us, with thanks to you. And thank you, I hope you've managed to spend time with your children since then. Yep. Thank you.