World’s Leading Physicist Says Quantum Computers Are Tools of Destruction, Not Creation – Futurism

Weapon of Mass Disruption

Quantum computers are heralded as the next step in the evolution of data processing. The future of this technology promises us a tool that can outperform any conventional system, handling more data and at faster speeds than even the most powerful of today's supercomputers.

However, at the present juncture, much of the science dedicated to this field is still focused on the technology's ultimate utilization. We know that quantum computers could manage data at a rate that is remarkable, but exactly what kind of data processing will they be good for?

This uncertainty raises some interesting questions about the potential impact of such a theoretically powerful tool.

Last month, some of the leading names in quantum technologies gathered at the semi-annual International Conference on Quantum Technologies in Moscow. Futurism was in attendance and was able to sit and talk with some of these scientists about how their work is moving us closer to practical quantum computers, and what impact such developments will have on society.

One of the most interesting topics of discussion was initiated by Alexander Lvovsky, Quantum Optics group leader at the Russian Quantum Center and Professor of Physics at the University of Calgary in Canada. Speaking at a dinner engagement, Lvovsky stated that quantum computers are a tool of destruction, not creation.

What is it about quantum computers that would incite such a claim? In the end, it comes down to one thing, which happens to be one of the most talked about potential applications for the technology: breaking modern cryptography.

Today, all sensitive digital information sent over the internet is encrypted in order to protect the privacy of the parties involved. Already, we have seen instances where hackers were able to seize this information by breaking the encryption. According to Lvovsky, the advent of the quantum computer will only make that process easier and faster.

In fact, he asserts that no encryption existing today would be able to hide from the processing power of a functioning quantum computer. Medical records, financial information, even the secrets of governments and military organizations would be free for the taking, meaning that the entire world order could be threatened by this technology.

The consensus among other experts is, essentially, that Lvovsky isn't wrong. "In a sense, he's right," Wenjamin Rosenfeld, a physics professor at the Ludwig Maximilian University of Munich, stated in an interview. He continued, "taking a quantum computer as a computer, there's basically not much you can do with this at the moment"; however, he went on to explain that this may soon be changing.

To break this down, there are only two quantum algorithms at the moment, one to allow a quantum computer to search a database, and the other, Shor's algorithm, which can be used by a quantum computer to break encryption.

Notably, during the conference, Mikhail Lukin, a co-founder of the Russian Quantum Center and head of the Lukin Group of the Quantum Optics Laboratory at Harvard University, announced that he had successfully built and tested a 51-qubit quantum computer, and he's going to use that computer to launch Shor's algorithm.

Vladimir Shalaev, who sits on the International Advisory Board of the Russian Quantum Center and is a professor of Electrical and Computer Engineering at Purdue University, takes a more nuanced approach to this question, saying it is neither a tool of destruction nor creation; it is both: "I would disagree with him. I think I would say that any new breakthrough breeds both evil and good things."

He evoked the development of laser technology as an example, saying, "Lasers changed our lives with communications, surgery, their use in machinery, but they are also used in missiles to destroy buildings. But I think this is life. Nothing comes with only good, there is always bad as well. So I don't think it is just a destructive technology, it could also be a constructive one."

There is a great deal of truth to Shalaev's assessment. Nuclear technology was primarily developed as a destructive tool. After the war, many more positive applications were found, impacting energy, medicine, and agriculture, among many other fields. Quantum computers may not be capable of the physical destruction of a nuclear bomb, but their potential application in relation to encryption is the digital equivalent, making this topic worthy of reflection in these early stages.

So, if quantum computers do have such dangerous potential, why are we pursuing them? As Lukin expounds, there are other potential applications outside of encryption breaking, applications that many experts are excited about.

For example, Lukin sees enormous potential in quantum sensors. "It has the potential to change the field of medical diagnostics, where some of the tasks which require huge labs can be performed on the scale of an iPhone. Imagine the implications for third world countries in parts of the world like Africa. It can really allow to diagnose and treat patients. I think there's actually a huge impact on society," he explained.

Also, the processing power of quantum computers could push research in artificial intelligence (AI) forward by leaps and bounds. Indeed, it could assist this field to such a degree that AI could be a part of the answer to the problem proposed by Lvovsky. To that end, Lukin asserts, "I'm fairly convinced that, before quantum computers start breaking encryption, we will have new classical encryption, we will have new schemes based on quantum computers, based on quantum cryptography, which will be operational."

Much like lasers or nuclear weapons, the scientists involved in creating quantum computers are unable to predict the total utility of this technology. There very well could be a host of world-changing applications for quantum computers. Still, even with just considering the encryption-busting potential of the technology, we must remain cognizant of the power we are unleashing.

The Best Encryption Apps For Your Phone – Gears Of Biz

In light of Wikileaks' latest Vault 7 release, we figured it'd be prudent to take a look at the different levels of encryption used on popular messaging apps, as not all encryption is created equally.

However, if Wikileaks' latest release is to be believed, none of it matters anyway, as the CIA can get around it all.

Still, it does pay to be mindful about security as the CIA is one thing but hackers are something else completely.

Encryption was once a technology many thought was relegated to spies and security services, but the tech has actually been around for a long while in the ordinary person's everyday life. For example, when you make a bank transfer online, that data is encrypted so someone can't hack your account. But recently people have become interested in how well their less monetary communications, such as their text messages and calls with friends, are protected. That's why a bunch of apps have sprung up that offer high-level encryption and existing communication apps have begun implementing encryption.

But not all encryption is created equal, so the Electronic Frontier Foundation has put together an awesome Secure Messaging Scorecard that shows you just how well individual apps encrypt your data. Some apps offer end-to-end encryption that is almost unbreakable, but others only encrypt a message in transit. How well do your common messaging apps hold up and which are the most secure apps? Here's what the EFF, which rates each app as a pass or fail on 7 different metrics, says:

iMessage: Apple's messaging app gets a 5 out of 7. It earns points for being both encrypted in transit and encrypted so even Apple couldn't read the messages if they were ordered to, but it loses points because you can't verify contacts' identities and the code isn't open to independent review.

Facebook Chat: Facebook's chat messaging system scores a lowly 2 out of 7. Messages are only encrypted in transit, but Facebook could access them if ordered to.

Google Hangouts/Chat: As with Facebook, so with Google: Hangouts scores a lowly 2 out of 7. Messages are only encrypted in transit, but Google could access them if ordered to.

Skype: The world's most popular VOIP client scores a horrible 1 out of 7. Messages are encrypted in transfer, but Microsoft could access them on their side, past comms aren't secure if the encryption keys are stolen, and the code isn't open to independent review.

Snapchat: Snapchat scores a lowly 2 out of 7. Messages and pics are only encrypted in transit, so be sure any pic you send is something you wouldn't mind the world seeing if Snapchat gets hacked.

Viber: As with Facebook and Google, Viber scores a lowly 2 out of 7. Messages are only encrypted in transit, but the company could access them if ordered to.

WhatsApp: Recently WhatsApp has started encrypting everything you send. This earned the app a 6 out of 7 on the EFF's scorecard. The only thing WhatsApp got dinged for is that the code is not open to independent review.

As you can see, the most commonly used messaging apps (above) aren't completely secure, or, because many lack independent review, users can't know 100% that the encryption on the apps actually works. But the EFF says there are other apps that score a 7 out of 7 on their scorecard. These apps are:

Signal: The free iOS and Android app allows you to take part in completely encrypted voice calls. Signal uses your existing number, doesn't require a password, and leverages privacy-preserving contact discovery to immediately display which of your contacts are reachable with Signal. Under the hood, it uses ZRTP, a well-tested protocol for secure voice communication, the company says.

Silent Phone: The company Silent Circle makes software and hardware for businesses who are worried about secure communications. Their Silent Phone software is available on Android and iOS and allows users to call and text with complete privacy.

Telegram: Another secure messaging app that received a 7 out of 7 from the EFF. The app allows you to text and chat with other Telegram users. Best of all, not only is it available on iOS and Android, they also make a Windows Phone app as well as clients for Mac and PCs.

Text Secure: Made by Open Whisper Systems, Text Secure enables encrypted voice calls and texts. It's available for Android and iOS and among its many advocates is Edward Snowden, who has recommended those interested in secure communications should use anything by Open Whisper Systems.

Australia: Shelve Proposed Law to Weaken Encryption – Human Rights Watch (press release)

(Sydney, August 7, 2017) The Australian government should not force technology companies to weaken the security of their products or to subvert encryption, Human Rights Watch said last week in a letter to Prime Minister Malcolm Turnbull. That strategy would undermine cybersecurity for all users and would not stop determined criminals from using encryption.

On July 14, 2017, Turnbull announced new legislation to require device manufacturers and internet companies to provide appropriate assistance to intelligence and law enforcement agencies to access encrypted communications. Turnbull, along with Attorney General George Brandis and the acting commissioner of the Australian Federal Police, Michael Phelan, stated that encryption was thwarting the government's ability to monitor and investigate serious crime.

"Governments are obliged to investigate and prosecute serious crimes, but any policy response should not do more harm than good, and needs to be effective," said Elaine Pearson, Australia director at Human Rights Watch. "Unfortunately, Prime Minister Turnbull's proposal may fail on both counts and could undermine cybersecurity and human rights worldwide."

Governments have many ways to sharpen investigatory capability without undercutting the security of ordinary users, Human Rights Watch said. They could invest in modernizing investigation techniques and increasing resources and training in tools already at their disposal, consistent with human rights requirements. Any limitations encryption poses to police capabilities are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata that are not encrypted.

The Australian government previously proposed a coordinated approach to encryption at a June 26 meeting of the Five Eyes intelligence partnership, which also includes the United States, United Kingdom, Canada, and New Zealand, and the July 5 G20 summit. The prime minister provided few new details about the proposed legislation in the news conference to announce the legislation. When asked what kind of assistance companies would be required to provide, Turnbull said that he did not seek a back door into encrypted services, but nonetheless expected companies to ensure access to all data in unencrypted form.

However, for end-to-end encrypted applications like WhatsApp or iMessage or data stored on iPhones, companies cannot turn over unscrambled data nor the encryption keys, even with a court order, because they do not retain the keys. Only the sender and recipient can unscramble the information. The only way for companies to access unencrypted data is to introduce a deliberate vulnerability into their design (that is, a back door) or remove end-to-end encryption altogether.

The overwhelming consensus of information security experts and even some high-ranking former intelligence officials is that no technical solution would allow law enforcement agencies to decrypt communications without creating vulnerabilities that would expose all users to harm. Once back doors are introduced, malicious hackers and cybercriminals will seek them out, sell them on private grey markets, or exploit them for abuse or profit. Europol has also warned that solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well.

Companies are incorporating strong encryption into products in response to a range of threats from cybercriminals, data thieves, and malicious hackers. Encryption is a critical tool in their fight to secure users from these threats. Any requirement to weaken encryption flies in the face of global efforts to shore up cybersecurity, Human Rights Watch said.

Limiting strong encryption in Australia, or even across Australia's closest allies like the Five Eyes alliance, is also unlikely to prevent bad actors from using it. A recent global survey of encryption confirms that determined criminals could easily shift to many available foreign alternatives that would not be subject to Australian law. Those most harmed by anti-encryption legislation are the millions of ordinary users with no connection to wrongdoing whose cybersecurity would be compromised. The harm may be even more serious for journalists and activists who regularly use encrypted applications to protect sources and victims from reprisals.

Turnbull stated that the bill would be modeled after the UK's 2016 Investigatory Powers Act (IP Act). The UK legislation allows authorities to serve technical capability notices on a broad range of internet companies. These notices will require firms to provide and maintain the capability to disclose, where reasonably practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the operator. These notices can be used to facilitate not only targeted surveillance, but also mass surveillance, collection of metadata, and government hacking.

The precise scope of what these notices may require remains unclear, especially for operators who do not retain encryption keys. The draft implementing regulations do not clarify whether these companies will be required to alter the design of their products or build a back door into encryption. Contradictory statements from UK officials have not clarified the matter, nor shed light on how this approach would avoid undermining cybersecurity or prevent bad actors from using non-UK alternatives.

Just as troubling, the UK Investigatory Powers Act can also require some tech companies to notify authorities of new products or services before they are introduced so that authorities can assess whether new technical capabilities may be required. This potentially provides the government the ability to influence product design to facilitate surveillance, including whether and how encryption can be used.

"The UK Investigatory Powers Act is no model for any government that cares about protecting the security of online communications," Pearson said. "If other governments follow this example, no one could trust the security of the mobile phones and applications we use every day."

The UK parliament still needs to approve the implementing regulations before government officials can issue the new technical capability notices. However, once regulations are in place, the public may know very little about how they are used, since notices will be served and negotiated with companies secretly.

These overreaching provisions are among the reasons why whistleblower Edward Snowden described the IP Act as legalizing the most extreme surveillance in the history of Western democracy.

"Australia's approach to encryption will most likely be emulated by other countries in the region," Pearson said. "If Turnbull wants to show true leadership, Australia should become a model for how countries can investigate effectively in a world with strong encryption, not endorse policies that would undermine cybersecurity and human rights."

IBM India Helps Create Breakthrough Encryption Technology That’s Completely Hacker Proof – Indiatimes.com

An increasing danger of our connected, digital world is the rise of hackers, and their potential to inflict serious damage with real-world consequences.

Nothing is more precious to us than our data, and protecting that data at all costs is going to be paramount going forward. Good thing IBM has already perfected a foolproof system to foil the attempts of 21st century hackers!

IBM just released its latest Z series mainframe last month, the z14. What's a mainframe, I hear you ask? Well, it's a very powerful computer which is used to handle huge volumes of data transactions, e.g. in a bank scenario, or for a flight booking website, or an ecommerce platform, among other things.

IBM's mainframes are widely used in the tech industry for delivery of critical services, but what the company has done for the first time ever with the newly released z14 mainframe is to allow data encryption at every level of the system, and then store everything inside encrypted containers. Multiple levels of encryption to hoodwink even the most diligent hackers out there.

And on top of that, if the system detects an attack like malware or other intrusion, the z14 mainframe has been designed to shut itself down automatically, as per an IBM statement on Techcrunch. Even if hackers could somehow get through all of these defenses, which is highly unlikely, the multiple levels of encryption would still render the data useless.

According to a report published in The Hindu, IBM's India engineering team had a crucial role in the successful development of the z14 mainframe's "pervasive encryption" technology.

The report quoted Gururaj S Rao, IBM Fellow & VP of System Integration, IBM zSystems as suggesting that a key z14 mainframe component designed by the India team was the encryption unit, which gives the z14 mainframe its unparalleled level of security. More than 100 engineers from IBM's India business unit contributed towards the development of the z14 mainframe.

Hopefully, the adoption and deployment of z14's pervasive encryption technology will cause a major dent in the exploits of hackers in the coming months and years. And we'll know that India had an important role in the scheme of things!

Pervasive Encryption Simplifies Mainframe Security – Security Intelligence (blog)

On July 17, IBM unveiled its z14 mainframe server, which combines the traditional mainframe hardware with new capabilities in areas such as cloud, cognitive, analytics, application management, blockchain, machine learning and more. Most importantly, z14 includes enhanced security features, namely pervasive encryption, to help clients stay one step ahead of cyberthreats.

Access protection inside the mainframe is based on the storage security keys mechanism, which is typical of the hardware. These keys ensure that access to data goes through the hardware and can be locked or unlocked by every software interface within the mainframe. This makes the hardware security-rich by design. In other words, the access protection hardware feature already works with a software interface in an easy and intuitive way.

Figure 1: The new IBM z14 (Source: IBM)

Of course, access protection is not the only security measure we need to consider. We must also focus on encryption, especially when security regulations come into play. In the past, mainframe data encryption was based on on-chip cryptography and cryptocards, which limited de facto software interactions with the hardware.

With z14, for the first time in the 50-year history of mainframe technology, encryption is pervasive. This feature adds software-based security intelligence to the mainframe's robust encryption mechanism, allowing security solutions to leverage hardware-based cryptography like never before.

Figure 2: The new IBM z14 pervasive encryption feature (Source: IBM)

Pervasive encryption enables customers to encrypt data at the database, data set or disk level. If they so choose, they can even encrypt 100 percent of their data. The most crucial benefit of pervasive encryption, however, is that it does not require customers to change or adjust applications. Each app will have an internal encryption-decryption mechanism, allowing clients to apply cryptography without altering the app itself.

This feature should alleviate many pain points associated with the EU's upcoming General Data Protection Regulation (GDPR), which governs how companies around the world handle personal data belonging to EU residents. Pervasive encryption can simplify security professionals' responsibility to protect such information and help them keep up with the evolving regulations surrounding data privacy.

To learn more, register for our upcoming webinar, Your Mainframe Environment in a Treasure Trove: Is Your Sensitive Data Protected? and view our on-demand webinar, Protection Begins With Data at the Center: Encrypt It All With z Systems Pervasive Encryption. You can also read our introductory redbook or view a demo of pervasive encryption from the IBM Client Center in Montpellier, France.

Thanks to Giuseppe Ranieri, Francesco Bertagnolli, Michael Jordan and Nick Sardino for their help and contributions to this article.

UK’s flip-flops on encryption don’t help anyone – CNET

In the battle over encrypting private communications versus giving the government backdoor access to better thwart terrorism, it's hard to tell where the UK government stands.

"Encryption plays a fundamental role in protecting us all online."

"We need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp."

"To be very clear Government supports strong encryption and has no intention of banning end-to-end encryption."

"There is a problem in terms of the growth of end-to-end encryption."

These statements sound contradictory, but they have one thing in common: They can all be attributed to UK Home Secretary Amber Rudd.

Rudd has said all of these things and more about encryption in various speeches, interviews over the past few months and a self-penned article earlier this week.

It's not just you. From reading these statements, even in context, they're pretty confusing.

The comments add more muddle to the debate over encryption, which has become a bugbear of the British government in the wake of multiple terror attacks in the UK over the past year. While encryption guards our privacy, it also prevents authorities from reading messages between terrorists. Prime Minister Theresa May has called multiple times on tech companies to "do more" to tackle the terror threat. Rudd, ahead of attending the Global Internet Forum to Counter Terrorism on Tuesday in San Francisco, wrote an editorial in the Telegraph saying that the UK isn't looking to ban encryption but does want some kind of change.

The back and forth from Rudd is counterproductive because she's seemingly seeking a middle ground that doesn't exist. By parsing her statements, Rudd appears to suggest a version of encryption that is almost, but not absolutely, unbreakable. But end-to-end encryption means that not even the companies that create and enforce security measures can decrypt your messages, so the idea of an emergency access point seems far-fetched.

"Amber Rudd must be absolutely clear on what co-operation she expects from internet companies," said Jim Killock, executive director of UK digital rights campaign Open Rights Group. "She is causing immense confusion because at the moment she sounds like she is asking for the impossible."

It's not like tech companies aren't willing to help. Facebook, Twitter and Google have shown willingness to work with governments to tackle terrorism.

Home Secretary Amber Rudd speaks at the Global Internet Forum to Counter Terrorism this week.

But they aren't bending on the issue of putting in backdoors for government access. As tech companies and security experts have repeatedly pointed out: If the companies themselves have a way of accessing these communications, so potentially do those with malicious intent.

Breakable encryption could also, as numerous experts including Facebook Chief Operating Officer Sheryl Sandberg point out, chase terrorists onto other platforms that aren't as willing to cooperate with governments.

"If people move off those encrypted services to go to encrypted services in countries that won't share the metadata, the government actually has less information, not more," Sandberg said in aninterview broadcast by the BBC last week.

In fact, it's already happening. On Wednesday, three men were found guilty in the UK of plotting a terrorist attack and had been using the encrypted app Telegram to communicate with one another. Telegram was called out by Europol chief Rob Wainwright earlier this year for "causing major problems," by not cooperating with law enforcement.

One allegation Rudd has leveled at end-to-end encryption is that "real people" don't care about it. People don't use WhatsApp because it is secure, she said in her Telegraph editorial, but because it is convenient, cheap and user-friendly. This is more than a huge generalization, it's an assertion for which she provides absolutely no supporting evidence.

Indeed, her comments have attracted criticism from privacy organization Big Brother Watch, which said they were "at best naive, at worst dangerous."

"Suggesting that people don't really want security from their online services is frankly insulting, what of those in society who are in dangerous or vulnerable situations, let alone those of us who simply want to protect our communications from breach, hack or cybercrime," Renate Samson, the organization's chief executive, said in astatement.

"Once again the government [is] attempting to undermine the security of all in response to the actions of a few," he said. "We are all digital citizens, we all deserve security in the digital space."

Rudd maintains "there are options" for using end-to-end encryption and also making sure terrorists "have no place to hide" online. But these options remain a mystery to everyone but her. For the sake of the British public, many of whom do care that their communications are kept private and secure, she needs to explain how this will work.

More political headbanging on encryption threatens privacy – TechCrunch

The UK's Home Secretary has yet again cranked up the pressure on messaging giants over use of end-to-end encryption to secure communications sent via popular services like WhatsApp, implying she would prefer tech companies voluntarily re-engineer their security systems so that decrypted data can be handed over to terror-fighting intelligence agencies on demand.

Writing in a paywalled opinion article, published in the Telegraph yesterday, Rudd wheels out the now familiar political refrain that use of e2e encryption is hampering intelligence and law enforcement agencies, before going on to apply such twisted logic it's hard not to conclude she's deploying some kind of proprietary crypto of her own, i.e. which scrambles words into incomprehensible nonsense, enabling her to claim to support and value strong encryption whilst simultaneously calling for tech giants to work with her to undermine encrypted communications.

"To be very clear the government supports strong encryption and has no intention of banning end-to-end encryption. But the inability to gain access to encrypted data in specific and targeted instances, even with a warrant signed by a Secretary of State and a senior judge, is right now severely limiting our agencies' ability to stop terrorist attacks and bring criminals to justice," she writes, before going on to suggest that:

1) "real people" (whoever they are) aren't interested in ensuring the privacy of their communications;

2) e2e encryption can be compromised without the need for a backdoor;

Quoth Rudd:

I know some will argue that it's impossible to have both, that if a system is end-to-end encrypted then it's impossible ever to access the communication. That might be true in theory. But the reality is different. Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. So this is not about asking the companies to break encryption or create so called back doors.

Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and usability, and it is here where our experts believe opportunities may lie.

So, there are options. But they rely on mature conversations between the tech companies and the government and they must be confidential. The key point is that this is not about compromising wider security. It is about working together so we can find a way for our intelligence services, in very specific circumstances, to get more information on what serious criminals and terrorists are doing online.

It really is not clear what reality Rudd occupies when she writes that e2e encryption is only e2e encryption in theory. Unless she intends to imply that a security system could, in fact, contain a backdoor which enables access to decrypted data, in which case it would not be e2e encryption (yet she also specifically claims she's not asking companies to break encryption or create so called "back doors", so there's plenty to scratch your head about here).

Asked for thoughts on Rudd's comments on encryption, WhatsApp parent Facebook declined to comment. And, frankly, who can blame it? When a message is so knotted with bizarre claims, contradictions and logical fallacies, the only sensible response is to stay silent.

On the one hand Rudd is saying that billions of people use WhatsApp because it's incredibly user-friendly, while at the same time claiming that robust security is too difficult for real people to use. (Historically she may have had a point, yet today billions of real WhatsApp users are sending billions of e2e encrypted messages, each and every day, and apparently not finding this task overly arduous.)

"It appears that the Home Secretary's greatest fear is software that is both secure AND usable. How sad," said security researcher Alec Muffett, a former Facebook employee who worked on deploying e2e crypto for its Secret Conversations feature, when asked for his thoughts on Rudd's comments.

If you aim for a really cynical interpretation, you could say that Rudd is only saying she's not asking companies to stop using e2e encryption; i.e. she's implying they voluntarily don't need to use e2e because real people aren't bothered about the privacy of their comms anyway. Ergo, tech giants are free to ditch those pesky e2e crypto systems that so annoy governments without suffering any backlash from users (and, crucially from her PoV, without the government being accused of literally banning encryption).

The phrase "trade-offs between security and usability" is an interesting one for her to choose, though. It brings to mind a specific security controversy pertaining to WhatsApp's platform earlier this year, after The Guardian reported claims by a security researcher that he'd identified a "backdoor" in WhatsApp's crypto, a claim WhatsApp vigorously denied. (The claim was also junked by a very long list of security researchers, and The Guardian went on to amend its story to remove the word "backdoor" before ultimately publishing a review of the original, in its words, "flawed reporting".)

The retransmission vulnerability the Guardian's report had couched as a backdoor was in fact a "design decision", said WhatsApp, which explained that it prioritizes message reliability for its very large user-base, meaning it will still deliver a message when a key has changed, offering the option for users to turn on a specific security notification to alert them to a potential risk of their communications having been compromised.

"The design decision referenced in The Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks," it said in a statement at the time.

How WhatsApp handles key retransmission was described as a small and unlikely threat by academic Zeynep Tufekci, who organized an open letter denouncing the Guardian's original report. The letter, addressed to the newspaper, asserted: "The behavior you highlight is a measured tradeoff that poses a remote threat in return for real benefits that help keep users secure."

It's possible that Rudd, and/or the intelligence and law enforcement agencies she liaises with, has picked up on these sorts of usability vs security trade-off discussions, and is viewing design decisions that prioritize things like reliability ahead of "perfect, unbreakable security", as she puts it, as offering a potential route for enacting some kind of targeted and limited interception, i.e. even when a platform has otherwise deployed strong encryption.

Albeit, Rudd is also saying the options she spies to get "more information on what serious criminals and terrorists are doing online" nonetheless rely on "mature conversations between the tech companies and the government", hence repeating her call for both sides to work together.

Confidentiality ensures there will be no public discussion about what exactly tech giants and governments might be agreeing to do, collectively and individually, to harvest the online activity of particular targets, although the risk for messaging platforms that sell services as strongly encrypted (and therefore give users an expectation of robust privacy) is that every time these companies are seen to meet with government representatives, their users might feel moved to wonder about the substance of their behind-closed-doors discussions. Which risks undermining user trust in their claims.

Asked for thoughts on what options Rudd might be trying to articulate here, Eerke Boiten, a cyber security professor at De Montfort University, told TechCrunch: "With usability vs security trade-offs she has once again picked up a meaningful phrase and applied it out of context. WhatsApp end-to-end encryption is a usability success story, as its users barely notice it while gaining some level of security. Some level only, as Sheryl Sandberg of Facebook pointed out to UK government recently, by saying that WhatsApp communications metadata (who talks to whom, and when) can still be shared, and is likely still extremely useful for law enforcement."

"[Rudd] is publicly putting pressure on [Internet giants], possibly encouraged by how China managed to get Apple to stop offering VPN apps. Getting them to comply via legal means would be slow and invisible to the public eye, so this works much better," he added.

Meanwhile, Rudd has another agenda that is at least far more explicit: getting tech giants to speed up takedowns of terrorist propaganda that's being publicly spread via their platforms.

And you could argue that applying political pressure over use of encryption is a way to grease the pipe of compliance for the related online extremism takedowns issue.

The Home Secretary, who has been suggested as a potential successor to the current (embattled) UK Prime Minister, is certainly taking full advantage of the PR opportunities to raise her own profile as she tours tech giants' HQs in Silicon Valley this week.

Here's Rudd standing in front of a giant Google logo at the company's Mountain View HQ, where she went to discuss what can be done to reduce the availability of online terrorist content.

And here she is getting a selfie with Facebook's Sheryl Sandberg, who she was meeting to discuss threat from terrorist use of the Internet.

And here's a photo of the Home Secretary in talks with a couple of unidentified Twitter staffers to hear progress made to tackle terrorist content online and discuss further action needed. (Presumably Jack was too busy for a photo call.)

Rudd has also vlogged about her intent to get tech companies to take action together to stop terrorists spreading extremist propaganda online.

This Home Office PR blitz is notable in not making explicit mention of e2e encryption. Rudd has apparently left that political push to the pages of a lesser read UK newspaper. Which feeds the idea she's playing a few propaganda games of her own here.

While the bundling of the two political concerns (private terrorist/criminal comms; and public online extremism content) allows the government to obfuscate outcomes, spread blame and spin failures.

On the flip side, tech giants have been spinning up their own PR machines ahead of today's debut workshop of the newly formed Global Internet Forum to Counter Terrorism (GIFCT).

The initiative was announced in late June by Facebook, Google, Twitter and Microsoft to, as they put it, help us continue to make our hosted consumer services hostile to terrorists and violent extremists, specifically by sharing information and best practices with each other, government and NGOs. Other tech companies have since signed up.

GIFCT is of course a way for tech firms to share the burden (and, if you want to be cynical, spread the blame) of responding to growing political pressure over online extremism, which affects them all, albeit to greater and lesser degrees.

Facebook, Google and Twitter have all published the same blog post about the first meeting of the forum, in which they describe their joint mission, set out strategies and list a few near-term aims.

tl;dr no one can accuse Silicon Valley of doing nothing about online extremism now.

They write:

At Tuesday's meeting we will be formalizing our goals for collaboration and identifying with smaller companies specific areas of support needed as part of the GIFCT's workplan. Our mission is to substantially disrupt terrorists' ability to use the Internet in furthering their causes, while also respecting human rights. This disruption includes addressing the promotion of terrorism, dissemination of propaganda, and the exploitation of real-world terrorist events through online platforms. To achieve this, we will join forces around three strategies:

In the next several months, we also aim to achieve the following:

We believe that the best approach to tackling online terrorism is to collaborate with each other and with others outside the private sector, including civil society and government. We look forward to further cooperation as we develop a joint strategic plan over time.

Also today, Google has a separate update on measures it's applying on YouTube to fight against online terrorism. Having faced a backlash from advertisers earlier this year, the company arguably has even more reason to be seen to be taking action, and for those actions to be effective at stemming the loss of ad dollars.

Read the original post:
More political headbanging on encryption threatens privacy - TechCrunch

Going Dark: Is a confrontation over encryption looming in 2015? – American Enterprise Institute

Will 2015 be the year we see a major showdown over encryption? Earlier this week, my colleague, Ariel Rabkin, penned a trenchant critique of proposals by Prime Minister David Cameron to crack various encryption methods increasingly employed by US tech firms. Rabkin is confident that the US political class seems more responsible than that of the UK, and that they will not follow Cameron's bad example. As someone still wrestling with the shifting balance between security and liberty, I have a good deal of sympathy for Rabkin's discomfort. However, I suspect this issue will prove to be more complicated than Rabkin suggested. In this blog, I would like to add a few additional dimensions and perspectives about the prospects of going dark with encryption and the forces at play here.

First, Cameron's push must be analyzed against the background of a rapidly changing political and security environment, both in the US and around the world. I have commented several times that the pendulum seemed to be shifting toward prioritizing civil liberty over security, as evidenced by proposals and actions by both the Obama administration and Congress. A notable high point being an amendment banning all forms of backdoor malware passing the US House of Representatives, on a bipartisan basis, last spring.

Today, after events in Paris, Belgium, and across Europe, the Sony debacle, the heightened fears of future attacks by cyber-savvy Islamic terrorists, along with the earlier beheading of journalists and the rise of ISIS, the security/liberty balance is shifting rapidly back toward security. Cameron is certainly not alone in his call for action against plans by Apple, Google, Facebook, WhatsApp and Snapchat to introduce impenetrable encryption in their products and services. While the prime minister may be spearheading this effort, it is also true that he is responding to urgent demands by his security agencies, MI5 and GCHQ. Not far behind, the French government is putting together a package of new cybersecurity proposals, with rumors that it, too, will act to head off going dark by telecoms and Internet companies. Beyond governments, publications such as the Economist (hardly a bastion of hawkish sentiment) have called on tech firms to desist from claiming that their realm is so distinct and inviolate that it can imperil others' lives ... (I)t is far better to agree to some form of standard now, rather than wait for an atrocity plotted behind impenetrable walls to be unleashed.

Despite Rabkin's hope, I also suspect that the American political class, however defined, will respond to recent events by shifting toward support of more stringent security measures. We have already seen Attorney General Eric Holder make common cause with FBI Director James Comey, blasting Apple and Google for placing themselves beyond the law and aiding and abetting terrorists and child molesters. And while Cameron failed to get ringing support in these issues while stateside last week, President Obama has signaled that he could well be moving toward backing Holder and Comey, stating that, "[i]f we get into a situation in which the technologies do not allow us at all to track somebody that we're confident is a terrorist ... despite having a phone number, or despite having a social media address or email address, that we can't penetrate that, that's a problem."

While it is too early to see specific legislation, Congress, on its own and certainly if the administration recommends it, will likely take up the matter and update the existing legal framework that mandates that companies provide means for government officials to carry out wiretap orders to cover email and other Internet content. All of this will set the stage for major conflict with civil libertarians and high tech companies. When asked to respond to Cameron's demands, Apple referred reporters to a previous statement by CEO Tim Cook: "If law enforcement wants something, they should go to the user and get it. It's not for me to do it. ... We're not Big Brother."

All this said, I agree that there are monumental problems associated with combatting encryption. As Rabkin notes, given the structure of the Internet and the growing market for encryption technologies, attempts to block the new security measures may well end up as the proverbial Dutch boy's finger in the dyke. Mandated backdoors will likely increase insecurity as they cannot be cabined just to government officials. And how do companies respond to authoritarian governments (read: China) who will demand equal access?

It is hard to know how all of this will play out. But my money is on an outcome where governments and their cybersecurity agencies will not be deterred from trying to thwart products and services from going dark.

This post was originally published on TechPolicyDaily.

Read the original post:
Going Dark: Is a confrontation over encryption looming in 2015? - American Enterprise Institute

Letter to Prime Minister Turnbull re Encryption and Human Rights – Human Rights Watch (press release)

August 3, 2017

Hon. Malcolm Turnbull MP
Prime Minister
Parliament House
CANBERRA ACT 2600

Re: Encryption and Human Rights

Dear Prime Minister Turnbull,

We write to urge you to support the use of strong encryption as essential to security and human rights in the digital age. We call on you to refrain from forcing technology companies to weaken the security of their products or banning the use of end-to-end encryption.

In a July 14 press conference on national security and encryption, you discussed challenges that Australian law enforcement and intelligence agencies faced in accessing encrypted data or communications, even with a lawful court order. You announced your intention to introduce legislation that will in particular impose an obligation upon device manufacturers and upon service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis, to access data in unencrypted form. While the conference released few details, you stated that the legislation would be modelled on the United Kingdom's Investigatory Powers Act and that you will seek a coordinated approach with international partners, including the Five Eyes intelligence alliance.

Governments have a human rights obligation to investigate and prosecute crime and thwart terrorist attacks. However, any policy response should not do more harm than good, while also being effective at achieving its aim. Forcing companies to weaken encryption or effectively forbidding the use of end-to-end encryption fails on both counts, and would undermine human rights worldwide.

Strong encryption is the cornerstone of cybersecurity in the digital age. Today's cybercriminals are increasingly sophisticated, targeting Internet companies, credit card and identity data, critical infrastructure, and even nation-state intelligence agencies.[1] Strong encryption built into private sector technology protects the data, and the human rights and security, of billions of Internet users worldwide against these growing security threats. You yourself have acknowledged that you use encrypted applications like Wickr and WhatsApp because traditional communication methods are not secure.[2]

Weakening encryption for any purpose effectively weakens it for every purpose, including malicious hacking, financial fraud, and for other illicit purposes. And unfortunately, weak or partial encryption provides not just weak or partial protection, but no protection at all against sophisticated repressive regimes and capable criminals. Some companies that manufacture encrypted apps or devices do not have the ability to disclose conversations or data to law enforcement because that information is encrypted end-to-end and companies do not have the decryption keys. A requirement of assured decryptability for all data would force such companies to redesign their products without security features like end-to-end encryption or to introduce deliberate vulnerabilities, or back doors, into their software.

The overwhelming consensus of information security experts, along with some former Five Eyes intelligence officials, is that there is no technical solution that would allow specific law enforcement agencies to decrypt communications without creating vulnerabilities that would expose all users to harm.[3] Europol has also warned that solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well.[4] Determined cybercriminals and rival foreign intelligence agencies will find and exploit such back doors, for profit or abuse. This would undermine cybersecurity for all users, including billions that are under no suspicion of wrongdoing.

For human rights defenders and journalists, the harm can be even more serious. Activists and media organizations with whom we work in places like Hong Kong, Vietnam, Thailand, and across the Middle East rely on encryption built into phones and chat applications to protect sources and victims from reprisals. In 2015, the UN special rapporteur on freedom of expression, David Kaye, recognized that encryption enables the exercise of freedom of expression, privacy, and a range of other rights in the digital age.[5] Countries like Russia, China, and Turkey need no encouragement, they are already blurring the line between human rights activism and terrorism in order to justify surveillance and repression of human rights activists.

While strong encryption may limit some existing surveillance capabilities, weakening such security features will only increase the vulnerability of billions of ordinary people to cybercrime, identity theft, and malicious hacking. Such harm would be broadly disproportionate to any gains in law enforcement capabilities that undermining encryption would achieve.

It is also unlikely that limiting strong encryption in Australia, or even in all Five Eyes countries, would prevent bad actors from using it. As a recent global survey of encryption products confirms, terrorists and criminals could easily shift to the many available foreign alternatives that would not be subject to Australian law.[6]

Technology companies face an escalating digital arms race to secure their software and devices against cybercriminals, and encryption is a key part of their arsenal. Instead of hindering efforts to protect ordinary users, we urge your government to invest in modernizing investigation techniques and increasing resources and training in tools already at their disposal, consistent with human rights requirements.[7] For example, any limitations encryption poses to police capabilities are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata that are not encrypted. And encrypted data can often be accessed in unencrypted form through cloud-based backups or by directly accessing it on devices with hacking or forensic tools. Of course, these alternative approaches should also be necessary and proportionate to legitimate security goals, regulated in public law, and subject to strict safeguards to ensure respect for privacy and other rights.

Australia's approach to encryption will be emulated by other countries facing similar challenges. Your government can demonstrate true leadership by adapting to a world with strong encryption instead of fighting the gains the private sector has made in shoring up security and human rights in the digital age.

Sincerely,

Elaine Pearson, Australia Director

Cynthia Wong, Senior Internet Researcher

CC:

Senator the Hon. George Brandis QC, Attorney-General

Mr. Michael Phelan APM, Acting Commissioner of the Australian Federal Police

[1] See, for example, Sam Thielman, "Yahoo hack: 1bn accounts compromised by biggest data breach in history," The Guardian, December 15, 2016, https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-o... (accessed August 2, 2017); Nicole Perlroth & David Sanger, "Hacks Raise Fear Over N.S.A.'s Hold on Cyberweapons," New York Times, June 28, 2017, https://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-too... (accessed August 2, 2017).

[2] Eliza Borrello, "Malcolm Turnbull confirms he uses Wickr, WhatsApp instead of unsecure SMS technology," ABC News, March 2, 2015, http://www.abc.net.au/news/2015-03-03/malcolm-turnbull-uses-secret-messa... (accessed August 2, 2017).

[3] Nicole Perlroth, "Security Experts Oppose Government Access to Encrypted Communication," New York Times, July 7, 2015, https://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us... (accessed August 2, 2017); Mike McConnell, Michael Chertoff and William Lynn, "Why the fear over ubiquitous data encryption is overblown," July 28, 2015, https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-enc... (accessed August 2, 2017); John Leyden, "Former GCHQ boss backs end-to-end encryption," The Register, July 10, 2017, https://www.theregister.co.uk/2017/07/10/former_gchq_wades_into_encrypti... (accessed August 2, 2017).

[4] Europol and ENISA joint statement, "On lawful criminal investigation that respects 21st Century data protection," May 20, 2016, https://www.enisa.europa.eu/publications/enisa-position-papers-and-opini... (accessed August 2, 2017).

[5] UN Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, A/HRC/29/32, May 22, 2015, http://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/29/32 (accessed August 2, 2017).

[6] B. Schneier, K. Seidel, and S. Vijayakumar, "A Worldwide Survey of Encryption Products," February 11, 2016, https://www.schneier.com/academic/archives/2016/02/a_worldwide_survey_o.... (accessed August 2, 2017).

[7] Orin Kerr and Bruce Schneier, "Encryption Workarounds," March 20, 2017, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033 (accessed August 2, 2017).

Read the rest here:
Letter to Prime Minister Turnbull re Encryption and Human Rights - Human Rights Watch (press release)

Why Rudd is wrong about online encryption – The Times

August 4 2017, 12:00am, The Times

Edward Lucas

Giving the state access to encrypted phones won't stop terrorist attacks and would weaken security for the rest of us

Encryption is one of the words that make most readers hurriedly turn the page. Yet if you ever use a plastic payment card, you benefit from it. If you ever let your personal details be stored on someone else's database, you rely on it. If you ever use a password on your computer, you use it. Contrary to the home secretary's assertion this week that strong encryption is not a priority for real people, these are applications that real people depend on.

Most people, perhaps even Amber Rudd, do not understand the maths behind encryption. But its effects are simple enough. The internet, a deeply insecure computer network, has become the central nervous system of modern civilisation. Encryption gives us the best chance of protecting

Read more from the original source:
Why Rudd is wrong about online encryption - The Times