“I’m from the government and you’re here to help” — The Assistance and Access Act is a hacker’s dream

By Ben Longstaff

I’m going to preface this by saying this is purely a thought experiment and that you should NOT try this at home. It is illegal to impersonate a law enforcement officer.

Hackers don’t care about that, so here we go.

Ronald Reagan once said

“The nine most terrifying words in the English language are: I’m from the government and I’m here to help” — Ronald Reagan.

But he didn’t have today’s technology to deal with.

Imagine this: you work in a Minister’s Office in Australia. It’s a typical Tuesday afternoon and you are on a tight deadline to get your work done. Suddenly your phone rings; it’s an anonymous number.

“Hi Ben, it’s Joe. I work for the Australian Security Intelligence Organisation. I am investigating case number S11341230. Your colleague Stephen is suspected of communicating with a known terrorist group. This is a matter of national security. Under the Telecommunications and Other Legislation Amendment, also known as the Assistance and Access Act, Part IIIBB, Section 29, paragraph 3(aaaa)(ii) we require your help to access Stephen’s data.”

Now if you’re scam-conscious like me you might reply

“Sure thing, I just need to check with the legal team.”

To which Joe replies

“Unfortunately you cannot disclose your assistance to anyone including your lawyer. Failure to comply will result in a $50,000 fine and up to 10 years in prison.”

So you reply

“Ok well can I call you back from a number that I can confirm belongs to ASIO?”

To which Joe replies

“The identity of ASIO officers, apart from the Director-General, is an official secret. There is no way for you to reach me through the publicly accessible phone numbers as I cannot disclose my full name. This is a time sensitive matter of national security. One of our lawyers can serve you with an obstruction order. It would be better for you to comply.”

Working in a Minister’s office you have been following the Assistance and Access Act. Everything Joe has told you sounds familiar; you can’t afford a $50,000 fine, and people like you don’t do well in jail.

“All you have to do is open a website from Stephen’s computer and you will have done a great service for your country.”

So you now have a really hard choice to make. Do you roll the dice and infect Stephen’s computer, or do you do nothing, roll the dice, and hope that Joe is in fact a bad guy?

If you believe Joe then you have to make this decision on your own.

Or at least that’s how it seems.

So which dice would you roll?

Don’t just believe Joe: trust but verify … and check out the Act. The one thing Joe left out is that the Act itself lets you talk to a lawyer.

Division 6 — Unauthorised disclosure of information etc.
317ZF Unauthorised disclosure of information
Authorised disclosures — general (3)(e)
“for the purpose of obtaining legal advice in relation to this Part; or”