Artist uses Chelsea Manning’s DNA to create 3D masks – New York Post

NEW YORK - Around thirty three-dimensional portraits of Chelsea Manning, created using the DNA of the transgender US Army soldier imprisoned for leaking classified data, will greet visitors at eye-level at an exhibition opening in New York City next month.

Artist Heather Dewey-Hagborg based the portraits on a range of possible facial variations generated by software that analyzed DNA samples sent to her by the former intelligence analyst when she was behind bars.

Manning, 29, was released in May from a US military prison in Kansas where she had been serving time for passing secrets to the WikiLeaks website in the biggest breach of classified data in the history of the United States.

Other than one mugshot, photos of Manning were prohibited while she was in custody.

The exhibition by Dewey-Hagborg and Manning at the Fridman Gallery in Manhattan, titled "A Becoming Resemblance," shows portraits of her with different color eyes or skin tone. Manning seems more masculine in some of the depictions and more feminine in others.

"I'm hoping people will walk in and see a portrait that resonates with them and feel kind of that connection with her," Dewey-Hagborg said at the gallery, where the exhibit opens on Aug. 2. "We are all Chelsea Manning and we all stand there with her."

Dewey-Hagborg, who has previously created art pieces produced using DNA samples, worked with Manning for more than two years on the project. It began when a magazine contacted the artist to ask whether she could create an image to accompany a feature profile of Manning.

Dewey-Hagborg said she found the former soldier to be optimistic and incredibly brave during all of their interactions.

Manning said she trusted the artist and gave her free rein to produce the images, according to Dewey-Hagborg, asking only that the artist did not make her appear too masculine.

"Prisons try very hard to make us inhuman and unreal by denying our image and thus our existence, to the rest of the world," Manning said in a statement on the gallery's website.

Dewey-Hagborg said the exhibition was meant to show that DNA does not necessarily tell you what gender a person is. She also hoped that showing 30 different DNA-generated versions of Manning's face would draw attention to the fact that DNA-based imaging is not completely accurate.

"It's growing and developing but it's not ready for that kind of use yet," Dewey-Hagborg said of the imaging technology.


Asylum seekers who housed Snowden suing Canada over refugee claims – RT

Asylum seekers who housed NSA whistleblower Edward Snowden in Hong Kong are set to sue the Canadian government for failing to expedite their refugee claims. They say their role in Snowden's escape to Russia has led authorities to repeatedly question them.

Before escaping to Russia, Snowden hid with families from Sri Lanka and the Philippines who sought asylum in Hong Kong. They hosted Snowden for short periods having been introduced to him by their mutual lawyer, Robert Tibbo.


They said they willingly helped Snowden who, like themselves, was seeking safety as a refugee. A US demand for his arrest in Hong Kong was not recognized and disclosed until after he had lawfully left the territory.

Once their connection with Snowden became known, the asylum seekers say Hong Kong authorities repeatedly questioned them to find out what they knew about Snowden, and denied them benefits for their basic living needs when they referred such questions to their lawyer.

The group includes four adults and three stateless children born in Hong Kong.

The Hong Kong government has sent the adult asylum seekers detention notices, indicating that they could soon be deported to their home countries where they say they'd face a credible risk of persecution and abuse.

The young children face separation from their parents if the adults are detained and deported.

According to a report in the South China Morning Post, the asylum seekers' legal team in Canada is preparing to file an order of mandamus, an injunction in which they will ask the federal court to order the government to expedite their claims, based on the fact that the seven are in an extremely vulnerable situation in Hong Kong.

A lawyer for the group, Marc-André Séguin, said the average processing time of claims at the Canadian consulate in Hong Kong is more than four years. He argues that they need the claim processed much quicker than that because they're very vulnerable to being deported.

"We repeatedly tried to convey the urgent needs of our clients. There is no time, given that they are particularly vulnerable at the moment. We have to get them before they are deported," Séguin said.

In May the Immigration Department in Hong Kong rejected the seven claims. Their lawyer believes the decision was because of their link to Snowden.


The seven people are now at further risk of detention and eventual deportation to their home countries, where they claim they face violence and persecution.

Canadian Immigration Minister Ahmed Hussen has discretionary powers to speed up the screening.


In a statement on Monday Human Rights Watch called on Canada to expedite the claims.

"The compassionate act of letting Edward Snowden into their homes should never have landed these families in peril," said Dinah PoKempner, general counsel at Human Rights Watch.

"Canada should move quickly on these cases and safeguard these people from the prospect of detention and deportation," PoKempner continued.

"No one should have to risk return to torture or persecution because they opened their door to another who feared the same. Canada has a unique opportunity to provide these people and their children both safety and a future."


Report: Hackers ‘Likely’ Compromised UK Energy Control Systems – Silicon UK

A warning reportedly sent by the NCSC warns of attacks on British energy firms, following last month's hack of a US nuclear plant

The National Cyber Security Centre (NCSC), GCHQ's computer security organisation, has acknowledged it is investigating a broad wave of attacks on organisations that have reportedly targeted companies in the British energy and manufacturing sectors.

Those attacks are likely to have compromised some industrial control systems in the UK, according to a warning reportedly sent out by NCSC, which hasn't been made public.

"We are aware of reports of malicious cyber activity targeting the energy sector around the globe," the NCSC said in a statement. "We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK."

The attacks are part of a broader campaign targeting energy companies in countries including the US, Ireland and Turkey, according to computer security firm FireEye.

While authorities in the US and the UK have stopped short of identifying who they suspect to be behind the hacking activity, a report over the weekend by The Times cited unnamed sources as attributing the attacks to a group backed by Russia's GRU intelligence agency.

In its alert, the NCSC reportedly makes reference to a similar warning sent by the US government in June indicating attacks on more than a dozen energy companies, including at least one nuclear plant.

The US Department of Energy (DOE) acknowledged those attacks earlier this month but said only administrative systems, and not industrial control systems, had been targeted.

The NCSC alert says the attack infrastructure used indicates an unspecified state government.

"The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors," reads a section of the message, according to a report by Motherboard.

Unlike the DOE, the NCSC reportedly warned that industrial control systems were involved in the British attacks.

Some of those control systems, including ones that may have remote access to critical infrastructure, are likely to have been successfully compromised, the NCSC reportedly warned.

"NCSC believes that due to the use of wide-spread targeting by the attacker, a number of Industrial Control System engineering and services organisations are likely to have been compromised," the document states.

The wave of hacking activity began around 8 June and focuses on the engineering, industrial control and water sectors, in addition to energy companies, according to the NCSC document.

The attack infrastructure uses the SMB and HTTP protocols and the attacks appear to be aimed at trying to capture users' passwords.

Like the US government warning, it suggests mitigations including the use of multi-factor authentication.

Motherboard didn't indicate who provided it with the message, but said it had verified the alert's authenticity with two other sources.

The US report, issued by the FBI and the Department of Homeland Security (DHS) to US businesses, said the hackers were using targeted malicious emails to deliver Word documents infected with malware.

The hackers reportedly obtained users' credentials and attempted to map out their network drives.

FireEye analyst John Hultquist said earlier this month that the attacks on energy companies in the US, Ireland, Turkey and possibly other countries are believed to have been carried out by the same group.

The group's activities stretch back as far as 2015, with the latest campaign including watering hole attacks aimed at infecting computers used by electrical engineers and control systems operators, Hultquist said.

Security experts monitoring the wave of attacks said that although there was no indication they had created a serious risk, they were a warning of the increasing vulnerability of critical infrastructure due to the broad use of Internet-connected computer systems in the energy sector and elsewhere.

Security firm Sophos said recent incidents such as the Petya or NotPetya and WannaCry malware campaigns, both of which spread using an exploit called EternalBlue allegedly developed by the NSA, show how damaging infrastructure attacks could become.

"As with Petya and WannaCry, the private worry about Nuclear 17 is that the unfolding EternalBlue leak of alleged NSA spying tools and vulnerabilities might be feeding attacks that are starting to manifest in all sorts of sectors," Sophos said in an advisory.

Nuclear 17 is the code name given to last month's attempted intrusion at the Wolf Creek nuclear plant in Kansas.

One of the most serious infrastructure attacks to date occurred in December 2015 when an incident at a Ukraine power company left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power.

Security experts later said that a sophisticated Trojan horse called Black Energy was used in the hack, with the Ukraine blaming the incident on Russia. Security firms have as yet made no direct link between that attack and the more recent hacking campaign.



Encryption: In the battle between maths and politics there is only one winner – ZDNet


Here we go again: the Australian government is the latest to plan new laws that will require companies to be able to unscramble encrypted communications.

In particular, the government wants tech companies to be able to hand over communications currently protected by end-to-end encryption, which scrambles messages so they can only be read by the sender and the recipient, and not by the tech company itself.

"The laws of Australia prevail in Australia, I can assure you of that," Australian Prime Minister Malcolm Turnbull told reporters. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

The Australian stance is modelled on the one taken by the UK government, which last year passed the Investigatory Powers Act that aims to do something similar. At the time it was making its way through Parliament there were warnings that the law, known either as the 'Snoopers' Charter' or "the most extreme surveillance in the history of western democracy", would spark copycat legislation elsewhere, and this was clearly correct.

The argument that criminals should not be allowed to plot in secret is a legitimate one. When the UK law was being debated, the government said that intercepted communications form between 15 and 20 percent of the intelligence picture in counter-terrorism investigations.

Here's the problem. It's not realistic to legislate encryption out of existence. You can't outlaw the application of maths. Even 20 years ago, when it was relatively rare and harder to use, governments accepted that the benefits of encryption -- like privacy and security -- vastly outweighed the genuine concerns that encryption could help bad people to do evil in secret.

And it's worth remembering that many companies started to use end-to-end encryption recently to protect their customers' data precisely because intelligence agencies around the world have been shown to have a tendency to scoop up as much data as they can, whenever they can.

The new UK law demonstrates these difficulties, and it's worth looking at how it has played out. This law requires UK internet companies to be able to remove any encryption they apply to messages. That makes it hard for any UK company to offer an end-to-end encrypted service themselves, but there's at least one major issue with this: UK law only extends so far, and the tech industry is a global one.

Few of the companies that offer the secure (end-to-end encrypted) services that worry the government are actually based in the UK.

Persuading companies to change the way they run their business just for the UK market is unlikely to succeed. And, even if the biggest companies could be forced to change their policies, which is deeply unlikely, then criminals could easily find another company, somewhere in the world, that will offer them an encrypted service. Or they could even build one themselves.

Banning end-to-end encryption would make it easier to snoop on some conversations, for sure. But it's likely to have a bigger effect on disorganised crime -- crooks that don't know how to or care about covering their tracks.

There is a benefit in being able to tackle any crime, of course, but it's worth being at least aware that any local -- that is, national -- ban on encryption is likely to have an extremely limited impact on organised criminals.

But what a ban will certainly do is weaken security for tens of millions of people.

We already know far too well that both cyber-crooks out for cash and hackers backed by governments are trying to snoop on and steal data from political parties, businesses, and individuals on a daily basis. Weakening the security that protects those communications will make it much easier.

The tech companies that hold those 'golden keys' that can decode all the messages that flow over their networks will be a huge target for hackers and history has shown us that few organisations are capable of protecting themselves forever.

There is perhaps an outside chance that there will be a domino effect: that as successive governments start passing legislation like this, we could eventually end up in a position where end-to-end encryption is effectively outlawed worldwide. But that is extremely, extremely unlikely. Realistically, without the same legislation in the US (which has up to now rejected such a move) the impact of any other nations' laws will be limited.

What is better is for governments to accept the existence of end-to-end encryption as something that is, for the most part, a beneficial part of the landscape.

And there are ways to get round it. For example, many PCs and smartphones are inherently insecure and relatively easy to hack into; in the UK police and intelligence agencies now have the powers to hack individual devices should they need to. That means investigators can get access to most communications but can't routinely access everything.

This seems to me to be a much better, targeted use of powers rather than making us all insecure. It's the equivalent of giving the police a battering ram versus requiring everyone to hand in a copy of their front door key. In addition, investigators already have access to huge amounts of metadata -- information about the communications if not the actual contents. The problem in many cases is not too little information, but too much.

In reality it is unlikely to be possible to prevent the use of end-to-end encryption, and even if it were, the side-effects of doing so could be very significant for modern, connected, societies.

In a fight between maths and politics it's unlikely the politicians are going to emerge the winners: they should instead think of better ways to get access to communications to keep us all safer.


Quantum Computing Could Make Today’s Encryption Obsolete – Data Center Knowledge

This is the first post in our new regular series on data center security. Scroll to the bottom of the article to learn more about the column and its author.

Researchers at top university and corporate labs around the world are in a furious race to create the first practical, usable quantum computer. Quantum computers, which use quantum bits, or qubits, are capable of running computations impossible for existing technology. They promise to open up new possibilities in areas like medical research, artificial intelligence, and security.

Oh, and they would also easily crack current encryption algorithms.

How close are quantum computers to becoming reality? The point at which quantum computers would surpass our current computers in capability is at about 50 qubits.

In March, IBM announced that it had a 20-qubit quantum computer, and that outside researchers and developers could already start running simulations on the IBM Quantum Experience.

In June, Google raised the ante. Alan Ho, an engineer from Google's quantum AI lab, told a conference in Germany that Google already had a 20-qubit system, and was planning to build a 49-qubit computer by the end of the year.


"Quantum computers are now commercially available if you have a lot of money," said Mike Stute, chief scientist at Masergy, a networking, security and cloud communications technology company headquartered in Plano, Texas.

The problem is that dealing with qubits requires some tricky engineering involving quantum physics. Plus, quantum computers require built-in error correction to deal with the fact that qubits are not as well-behaved as the traditional zero-or-one bits of classical computing. These two challenges combine to make the development of larger quantum computers a difficult task.

Meanwhile, it's not enough to just surpass current computers. In order to crack today's encryption, quantum computers have to be a lot better than what we have today.

"That will take between 500 and 2,000 qubits," said Kevin Curran, a senior member at IEEE and cybersecurity professor at Ulster University.


So, run-of-the-mill hackers won't be breaking into banking systems right away. Government agencies, however, may have quantum computing technology a generation or two ahead of what's commercially available, said Masergy's Stute.

That means companies protecting data of interest to China, Russia, or the NSA might need to be particularly careful.

Current encryption is based on the idea that there are some mathematical problems that are really hard for computers to solve.

For example, public-key encryption, where one key is used to encrypt the data and a different key to unlock it, typically relies on just those kinds of problems.

"When quantum computing becomes a reality, then many public-key algorithms will be obsolete," said Curran.

Symmetric encryption, where the same key is used to both encrypt and decrypt the data, is more robust and will last longer.

Companies that have data they want to protect may want to start planning ahead to make more use of symmetric encryption, as well as switch to longer keys.

In addition, researchers are already working on new, quantum-proof encryption methods and will start testing them as soon as quantum computers become more widely available.

For companies that depend on having good encryption in place, the most important thing is not to hard-wire encryption systems into their applications.

Instead, they need to adopt a modular approach, so that they can easily replace old, obsolete algorithms with new, effective ones. With some advanced planning, that's not hard to do.

Cyberattacks with wide-reaching consequences are now commonplace. Last month's attack on FedEx's TNT Express will hurt its quarterly results. The same month, thousands of members of the British Parliament and their staff lost access to email as a precautionary measure taken to limit the damage from a massive cyberattack on the legislative body. If your job has anything to do with your organization's data centers, cybersecurity is becoming a bigger and bigger part of it, which is why we're introducing a new column focused exclusively on data center security.

It's a great pleasure to introduce Maria Korolov, who will author the column. She is a Massachusetts-based technology journalist who writes about cybersecurity and virtual reality.

During her 20 years of experience covering financial technology and cybersecurity she wrote for Computerworld, was a columnist for Securities Industry News, ran a business news bureau in China, and founded a publication covering virtual reality. She has reported for the Chicago Tribune, Reuters, UPI, and the Associated Press.

Before switching to business and technology journalism, she was a war correspondent in the republics of the former Soviet Union and has reported from Chechnya, Afghanistan, and other war zones.


Australia’s Attorney General Thinks He can Convince Apple Encryption Back Doors are Good – The Mac Observer

Australia is proposing laws that would require companies like Apple and Facebook to give the government access to our personal encrypted data, and now the country's attorney general thinks he can convince Apple that's a good idea. Australia Attorney General George Brandis is meeting with Apple this week in an effort to coax the iPhone maker into voluntarily building back doors into its encryption.

Australia wants access to our encrypted data

His argument for access into encrypted data is in line with the ongoing government fight in the United States for the same: criminals, terrorists, and pedophiles can cover their trails and act with impunity. Brandis says he'd like to see tech companies voluntarily cooperate, but wants legislation to force compliance, too.

Australia's stance isn't new or even innovative. It's the same position the U.S. and U.K. have taken on encryption, and like the U.S., Australia is saying it doesn't want a back door. Instead, it wants a way to bypass security protections that prohibit anyone from decrypting data without a passcode.

The government is also saying it isn't seeking to weaken encryption, but instead simply wants the access to user data.

Apple argued that's the same thing as a back door into our data and it weakens security for everyone. That was part of Apple's stance during the very public fight with the FBI over a 2015 mass shooting in San Bernardino, California.

In that case, the FBI sought a court order forcing Apple to create a special version of iOS the agency could hack so it could see what was on the shooter's iPhone. Apple argued that doing so would expose millions of iPhones to attack, and that even though the FBI promised it wouldn't be used on other phones or ever released, the hack would eventually leak.

The FBI dropped that fight only hours before a scheduled court hearing after paying US$900,000 to a company for a hack into the suspect's iPhone. Ultimately there wasn't anything of value on the phone, something the San Bernardino police chief suspected from the beginning.

Now Senator Dianne Feinstein has a bill she hopes will pass that gives the U.S. government authority to force companies to make their encryption unlockable by law enforcement agencies.

Like the U.S., Australia is pushing its stance that creating a way for governments to access our encrypted data isn't the same as a back door. That doesn't make it any less of a back door, or less of a security threat, no matter how much Brandis argues.

His hope that Apple will voluntarily erode the privacy and security measures we see on the iPhone and Mac will only lead to disappointment, something the FBI learned very publicly last year.

[Thanks to Sky News for the heads up]


Why Australia might be on the right encryption-cracking track – The Interpreter

Much of the reaction to Malcolm Turnbull's press conference last Friday has cast his comments as the latest, and possibly worst, example of political technological illiteracy. And just another instance of anti-technology bluster and rhetoric without any firm policy foundation.

Based on the level of detail and technical understanding the Australian Government has revealed so far, this is an understandable assessment. But reading between the (admittedly very blurred) lines, I would suggest that an eventual policy destination is slowly emerging.

Before assessing this policy proposal, there are three broad questions that need to be answered: What problem is the current policy approach not solving? Is what is being suggested feasible? And if so, will it address the problem?

The status quo

Firstly then, why all the rhetoric? Because, despite significant investment and a series of legislative changes, Australian law enforcement agencies are unable to access communications content, and increasingly, communications metadata in a timely manner.

The former challenge, particularly in relation to encryption, is not new. What is new is the combination of ubiquitous end-to-end encryption, and easy to use, free communication apps, that are typically hosted and headquartered outside of the reach of domestic law enforcement agencies.

As Turnbull himself noted prior to the introduction of mandatory metadata retention laws in 2015, using WhatsApp or Wickr is enough to ensure that your communications are encrypted, and that the metadata is stored outside of Australia.

For law enforcement, this means that they can no longer rely on access to the low hanging fruit, those within a conspiracy unable or unwilling to use secure communications methods. Or indeed, quickly conduct network metadata analysis to prioritise investigative leads.

Clearly, there are already ways around these limitations, particularly where an individual or group has been identified as a high priority. Most obviously, given the variety and number of apps most people use, why try to defeat (or indeed backdoor) a series of encrypted apps if instead, you can get access to the device they're used on?

The UK's Investigatory Powers Act spelled out the extent of hacking powers currently available to UK intelligence agencies. And within law enforcement, we've learned about hacking in the US, but also by private sector contractors on an international level.

Recent global events might have suggested that hacking is easy; in reality, doing so within a government framework against a handful of individuals requires significant time and resources. And as the big technology companies make welcome progress at fixing vulnerabilities, this is only getting harder.

The policy solution

Up until now, the often baffling language used by government ministers across the Five Eyes alliance has made the feasibility of any potential solution too difficult to assess. But perhaps the clearest indication yet came last week in a revealing interview with Robert Hannigan, a former director of Britain's Government Communications Headquarters (GCHQ). Hannigan largely echoed the views of the global infosec community - he refused to advocate building backdoors into encryption, which he described as overwhelmingly a good thing, and concluded that weakening security for everybody in order to tackle a minority was 'a bad idea'.

What was largely overlooked however, was Hannigan's suggestion that authorities should instead 'go after the smartphone or laptops' of people abusing the system. And importantly, do so in cooperation with tech companies.

The specifics of how this cooperation might work remain unclear. But Hannigan's comments point towards a solution that might satisfy some of the concerns of privacy and cyber security advocates, while also delivering a workable solution that delivers real value for law enforcement agencies - private sector-assisted hacking.

Cooperation would be compelled via a warrant, with all the accompanying oversight that this should imply. Its target would either be an app provider (such as WhatsApp) or perhaps more realistically, the operating system provider (largely Apple or Google). On receipt of a warrant, the provider could push a unique, tailored update to a target's device, containing device-specific malware that delivered ongoing law enforcement access to the device, and hence, the associated content and metadata.

Will it address the problem?

In a very obvious sense then, this proposal would help deliver access to the intelligence that law enforcement agencies need, increasing the scalability and success of law enforcement hacking operations but reducing their associated resource impact. And unlike an encryption backdoor, it might pass the technological feasibility test. Instead of weakening encryption, it would simply bypass it.

From a cyber security perspective, as Patrick Gray has pointed out, sufficient safeguards could be placed around these updates to ensure that they couldn't be reverse engineered - they wouldn't need to be a backdoor, open to abuse. And by focusing on a device rather than a specific app, the displacement effect, so obvious in focusing government efforts on just WhatsApp or Telegram, would not apply.

In theory then, this model appears promising. How closely it aligns with the legislation promised by Turnbull and George Brandis last week remains to be seen. But whichever legislative model Australia pursues, its progress will be watched closely by governments across the world. And of course, by a whole host of technology and communications companies.

Recent developments suggest that underneath the techno-babble, political point scoring and counter-terrorism blame game, governments the world over are faced by a very real policy problem. Australia may prove to be the test case for a policy solution that has far reaching consequences for privacy, technological development and the future of law enforcement operations.

David Wells


Why Performance is Important to Cloud Security and Lower Encryption Tax Rate – Read IT Quik

Although not as high as over the last decade, security of data in the cloud remains a top concern for enterprises deploying into cloud environments, especially public. As native and third-party security solutions emerge to resolve the majority of concerns, another variable in the realm of cloud security that needs to be considered is performance.

Of course, the first domain of any security solution is just that: security. But other variables need to be weighed as part of the decision on which tools to utilize. These variables include integration, performance, usability, navigation, compatibility, etc. In this article, we'll discuss performance metrics and concerns that should be considered as part of your acquisition decision.

In order for security to be effective, it must be practical. Many will remember the cumbersome use of early X.509 messaging or the lag and steps required with RSA tokens. Cloud technology is purpose-built for fast, flexible, and efficient operations. Similarly, solutions used to secure the cloud must be quick, seamless, and user-friendly in order to match or exceed the performance of the services they're designed to secure. There are many cloud security solutions out there, including security information and event management (SIEM), advanced threat protection (ATP), and identity and access management (IAM) to name a few, but here we will focus on the topic of encryption and key management.

Encryption is the foundation of an effective cybersecurity strategy, especially for public cloud deployments. The majority of users view encryption as a binary function: it's on (encrypting) or off (no encryption), but encryption needs to be considered under a very detailed performance light. Encryption requires time and resources (CPU and memory) to convert data from plain text to cipher text (what I often refer to as an "encryption tax"), so you need to ensure that your tax rate is as low as possible.

Here are some factors you should consider to lower your tax rate:

Read more:
Why Performance is Important to Cloud Security and Lower Encryption Tax Rate - Read IT Quik

Black Duck Teams Up with Pivotal to Secure and Manage Open Source Cloud-Native Applications for the Enterprise – Business Wire (press release)

BURLINGTON, Mass.--(BUSINESS WIRE)--Black Duck, the global leader in automating the security and management of open source software, today announced a new technology collaboration with Pivotal and the launch of its Black Duck Hub product as an integrated service for Pivotal Cloud Foundry, one of the world's most powerful cloud-native platforms. This is the first open source-focused security management integration with Pivotal Cloud Foundry, enabling enterprise customers to embrace open source in their applications with automated visibility, intelligence, and control.

Black Duck and Pivotal have collaborated to integrate Black Duck Hub and Pivotal Cloud Foundry to deliver a Secure DevOps process and user experience for building and deploying applications to Pivotal Cloud Foundry.

Using Black Duck Hub, enterprise customers can automatically identify all the open source components; detect and analyze known security vulnerabilities, compliance issues, and code quality risks; and enable policy management to control risks and their remediation. Additionally, Hub dynamically monitors the scanned code and provides alerts on newly discovered vulnerabilities or policy violations. Enterprise customers can also use Hub to access Black Duck KnowledgeBase, the world's most comprehensive data store of open source components and risk intelligence.

"Open source comprises 80 to 90 percent of the components in a modern cloud-native application. Integration of Black Duck Hub with Pivotal Cloud Foundry provides automated visibility and control into that open source," said Black Duck CEO Lou Shipley. "This helps increase enterprises' confidence to increase their production deployment of cloud-native applications."

"Fortune 2000 companies are facing tremendous pressure to build and deliver cloud-native applications - faster, on a larger scale, and at lower cost," said Nima Badiey, Head of Business Development, Pivotal Cloud Foundry. "Combining Black Duck Hub with Pivotal Cloud Foundry helps our customers automate the security and licensing processes in their application deployment pipelines, enabling agility and innovation at cloud-native speeds."

Availability

In addition to the new integrated solution for Pivotal Cloud Foundry users, Black Duck today announced that Pivotal has become a Black Duck Hub customer for Pivotal's internal use. Pivotal uses Hub as part of its internal Pivotal Cloud Foundry development and security processes to help secure and manage open source components in the Cloud Foundry project.

About Black Duck Software

Organizations worldwide use Black Duck's industry-leading products to automate the process of securing and managing open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, Vancouver, London, Belfast, Northern Ireland, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit http://www.blackducksoftware.com.

View original post here:
Black Duck Teams Up with Pivotal to Secure and Manage Open Source Cloud-Native Applications for the Enterprise - Business Wire (press release)

TrueNAS X10: iXsystems’ open source storage contender – TechTarget

Open-source-based server designer iXsystems Inc. today broadened its enterprise storage portfolio with an entry-level TrueNAS array.

The San Jose, Calif., vendor introduced the TrueNAS X10 hybrid array as a complement to its Z Series midrange family that launched three years ago. It also sells a line of FreeNAS appliances for small businesses and home offices.

All iXsystems arrays run the OpenZFS file system with at-rest data encryption, inline compression and deduplication, replication and delta-based snapshots. OpenZFS is the open source successor to the ZFS file system originally developed by Sun Microsystems, which Oracle acquired in 2010 for $7.4 billion.

Privately held iXsystems has been in the server business since 1996, expanding to storage in 2009. The company doesn't publicly disclose revenues, but claimed storage sales are expected to spike about 200% by 2018.

TrueNAS X10 is a 2U chassis that supports 12 hot-swappable SAS HDDs connected via 10 Gigabit Ethernet. Customers can buy a single controller with 20 TB of raw disk capacity starting at $5,500. For high availability, a dual-controller chassis is recommended that starts at $20,000 for 120 TB. Storage scales to 360 TB in 6U with two fully populated SAS expansion shelves.

The scale-up architecture nicely balances cost and performance, said Scott Sinclair, a storage analyst at Enterprise Strategy Group Inc. in Milford, Mass.

"This is not a server architecture where you need three boxes for resiliency. They built the hardware, they fitted the box and they use their open source software-defined storage to help you build a traditional array deployment. It's got a dual controller and 120 TB of storage for under $20,000, which is pretty nice," Sinclair said.

The unified storage arrays merge RAM and solid-state drives for caching with hard disk drives for storage. The system-on-a-chip hardware is based on an Intel Pentium Xeon D-1531 six-core CPU.

The storage products integrate iXsystems' FreeNAS converged software on certified server hardware. FreeNAS is available as a download and also as a bundled stack on FreeNAS-branded hardware appliances.

FreeNAS is built atop stripped-down FreeBSD code and supports the FreeBSD-licensed bhyve hypervisor. The system also is certified for Citrix XenServer and VMware ESXi.

Projected use cases for the new arrays include backup, big data storage and file sharing. It taps into a swath of underserved small and midsize business customers, said Steve Wong, the iXsystems director of storage product management.

"Until now, we have not had a TrueNAS product at the lower end of the market for customers that need continuous data availability and uptime. We have had a lot of customers that value the capabilities of our other TrueNAS arrays, but the price has precluded them from buying," Wong said.

Wong said iXsystems expects at least half of FreeNAS X10 customers to opt for the 2U high availability option.

"We see it competing with Dell EMC VNX and Unity, as well as NetApp FAS2600 Series and HPE's [Hewlett Packard Enterprise] MSA SAN products," he said. "We also expect it to compete against rackmount systems from Qnap, Drobo and Synology."

Competition also could come from software-defined storage vendors, particularly OpenStack deployments for building private cloud storage.

"The challenge for iXsystems is going up against the big-name storage vendors," Sinclair said. "Those customers tend to be a different type of buyer than those in the SMB, who might be willing to go with a lesser-known vendor. The question is whether iXsystems can sell enough boxes at that price to achieve the necessary scale that makes business sense."

Other iXsystems arrays include TrueNAS Z20 with 400 TB starting at $25,000, TrueNAS Z30 with 1.1 PB starting at $30,000, and the high-end TrueNAS Z35 array that starts at $40,000 and scales to 4.8 PB. The vendor also markets TrueRack rack-scale converged infrastructure to large data centers, combining its storage and servers with third-party networking switches.

Here is the original post:
TrueNAS X10: iXsystems' open source storage contender - TechTarget