Portland Business Journal | How a Portland startup is making encryption easier Portland Business Journal ... it easy for developers. Enlarge. Portland startup Tozny's latest product, InnoVault, is designed to make it easy for more. Tozny. Tozny's new product wants to help developers even those who don't want to become security experts encrypt ... |
Continue reading here:
How a Portland startup is making encryption easier - Portland Business Journal
Firstly, a quick apology from Australia: were sorry. Look, our Prime Minister and Attorney General didnt try to launch us onto the World Encryption Comedy Stage but unfortunately, here we are.
This all stems from our government (like so many others), deciding that nasty people hide nasty discussions via encrypted chat and that it would be enormously useful for law enforcement to be able to see those discussions. No arguments there from a protect the people perspective, the problem, as always, is how you do that without simultaneously jeopardising the people. When it was put to our PM that the laws of mathematics dont really provide for good guys to intercept communications whilst still protecting our messages from bad guys out, he took a rather unique stance:
Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only laws that applies in Australia is the law of Australia.
Im sorry. On behalf of all of down here, we really didnt want our elected representative to put us on the world stage this way. But it didnt stop there either
Not to be left off the World Encryption Comedy Stage, our Attorney General decided to get in on the act with a zinger of his own. Now, before I relay his message, if youre not already familiar with George Brandis its worth a quick watch of his previous hit, Heres What Metadata Is. (Ive already apologised on behalf of Australia, right?) Anyway, when questioned about the feasibility of reading messages sent by platforms implementing end to end encryption such as WhatsApp and Signal, George had an answer ready:
Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible.
Now I wasnt in that chat, but Ill take a stab at it and say that this was (almost certainly) not what was said by anyone with a title that includes the word cryptography. Its entirely possible the bloke said something more along the lines of we have other techniques to gain access to messages on devices which would be just fine, but thats obviously not the way our AG heard it nor is it what were now seeing in headlines around the world. (Incidentally, in the same week the former head of the GCHQ made it very clear that encryption is overwhelming a good thing and that you cant uninvent it nor legislate it away.)
Look, weve got to do a better job of monitoring the communications of nasty people because lets face it, theyve never had it so good when it comes to hiding evil conversations. But please, for the love of god, can we stop the politicians from jumping up and making comments like this about something that is complex beyond their comprehension?
Here is the original post:
Security Sense: Can We Please Stop Politicians from Talking About ... - Windows IT Pro
After being hit with a cyberattack in 2016, the Democratic Congressional Campaign Committee wants to be hack-proof. To do that, it's turning to a new messenger with end-to-end encryption.
Back in June, theDCCC migrated toencrypted messaging service Wickr, which is now the primary method of communication in the office. It's the first political committee to make the shift to end-to-end encryption.
Outside of the office, Wickr does not replace email.
End-to-end encryption services work by usingcryptographic keysthat can only be decoded and deciphered by message recipients.Wickr works byencrypting not just the messages, but also the keys themselves. Thisadded layer of encryptionkeeps communication as secure as possible.
SEE MORE: Obama Tells SXSW: Don't Be 'Absolutist' On Encryption
Some sayend-to-end encryption could help secure future political campaigns, but other offices and political figures aren't taking so kindly to the idea.
Back in July, theDCCC sent a letterto the National Republican Congressional Committee about cybersecurity. The letter called for combined non-partisan efforts to protect against future attacks. But Steve Stivers, chair of the NRCC, dismissed it as a"political stunt."
Attacking encryption has become a bipartisan effort. Last spring, Republican Sen. Richard Burr and Democratic Sen. DianneFeinstein introducedlegislation thatorders tech companiesto decrypt messages sent by terrorist groups and criminals.
The legislation was written in response toApple's refusalto help the FBI hack the iPhone of one of the San Bernardino shooters. But months later,Reuters reportedFeinstein and Burr's bill to be dead.
Governments outside of the U.S., however, have called for similar anti-encryption efforts. In response to the attacks on London Bridge, the U.K. parliament passed the "Snooper's Bill," which gives law enforcement authorities unprecedented access to web-browsing histories and data.
Earlier in July, Australian Prime Minister Malcolm Turnbull alsosupported legislationthat would obligate internet companies like Facebook to comply with law enforcement.
In regards to fears that the policy wouldn't be technically feasible, Turnbull said: "The laws of mathematics are very commendable, but the only laws that apply in Australia is the law of Australia."
One of the mainissues regarding decryption or creating a "back door" for government and law enforcement officials is that it opens the door for any hacker to intercept communications.
In other words, it would make end-to-end encryption functionally useless.
Read more:
House Democrats Are Using End-To-End Encryption To Avoid Future Hacks - ABC2 News
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...
THE BIG STORIES:
--DEMS DOCRYPTOGRAPHICCYBERCOMMUNICATIONS: The Democratic Congressional Campaign Committee (DCCC) has taken to using an encrypted messaging app called Wickr for internal communications and correspondence with the campaigns of the most vulnerable House Democrats, BuzzFeed News reported Tuesday. The DCCC was among the organizations targeted by a Russian hacking campaign during the 2016 elections -- an attack that exposed the internal documents of a handful of Democratic House campaigns. Wickr, an end-to-end encrypted messaging software, was installed at the DCCC in June, according to BuzzFeed, and is a first for political party committees on both sides of the aisle. Encrypted messaging systems prevent third parties from deciphering communications and data sent using that software, meaning that only the sender and the intended recipient can view the information. Wickr is not intended to replace email and is used to send ephemeral messages and share files.
To read the rest of our piece,click here.
--DEMS ANXIOUS ABOUT PULLING RUSSIAN SANCTIONS BILL OVER FINISH LINE: The top Democrat on the House Foreign Affairs Committee expressed pessimism on Tuesday that long-stalled Russia sanctions legislation could get done before lawmakers leave Washington for August. The bipartisan bill passed in the Senate last month by a 98-2 vote, but it has since been stuck in the House due to multiple procedural problems. The Senate subsequently approved technical changes by unanimous consent three weeks ago. But House Democrats then objected to a provision that prevents them from forcing a floor vote to block the Trump administration if it tries to lift sanctions. And on Friday, House Majority Leader Kevin McCarthy (R-Calif.) suggested that the package, which also slaps sanctions on Iran, include a bill passed by the House earlier this year to sanction North Korea. Rep. Eliot Engel (D-N.Y.), the ranking Democrat on the House Foreign Affairs panel, appeared skeptical that the sanctions package could be sent to President Trump's desk before the House is scheduled to leave for the month long August recess at the end of next week. "I would hope. But every day passes and nothing is getting done, it makes it less and less likely. But that's not our fault. That's the Republicans' fault," Engel told The Hill. Engel added that he thinks adding North Korea sanctions will make it harder to resolve the already-complicated talks to move the package. "It makes no sense to me to have a North Korea sanctions bill thrown into the mix when we apparently can't even agree on a Russia-Iran sanctions bill," Engel said.
To read the rest of our piece,click here.
A POLICY UPDATE:
HOUSE VOTES TO FUND DHS CYBER OFFICE; SLASHES FUNDING FOR RESEARCH:
House lawmakers on Tuesday advanced a spending measure that would provide roughly $1.8 billion in funding for a Department of Homeland Security (DHS) cyber unit.
The bill would allocate the money for the National Protection and Programs Directorate (NPPD), the DHS office tasked with securing critical infrastructure from cyber threats.
The House Appropriations Committee approved the fiscal 2018 funding measure for the DHS by a vote of 30-22 during a markup on Tuesday.
The allocation for NPPD is similar to fiscal 2017 spending levels and on par with the Trump administration's request for $1.8 billion in discretionary funding for the office.
NPPD, which is charged with protecting U.S. cyber and physical infrastructure, would receive nearly $1.4 billion to help secure civilian networks, prevent cyberattacks and espionage, and help modernize emergency communications infrastructure.
However, the bill would cut funds to the DHS's Science and Technology Directorate by more than $100 million, reducing its budget to $638 million and putting it in line with President Trump's budget request. Rep. Dutch Ruppersberger (D-Md.) took issue with that cut on Tuesday.
"We are drastically cutting the important cybersecurity and research and development work that happens at the Science and Technology Directorate and shifting that money to fund a border wall," said Ruppersberger.
"The president may have promised a border wall, but I explicitly remember him saying Mexico would pay for it, not saying he would gut the important research and development work at the Department of Homeland Security to fund it," he continued.
To read the rest of our piece,click here.
A LIGHTER CLICK:
EARLY FAKE NEWS."Goodnight Moon"is not scientifically accurate.
WHAT'S IN THE SPOTLIGHT:
MORE LIKE WHATSOUT:
WhatsApp users in China are reporting that the app isn't properly working across the country, sparking concerns that the Chinese government is censoring the encrypted messaging app.
Many users on the app in China have not been able to send videos, pictures and, in some cases, even texts, reports The New York Times. One Beijing-based reporter tweeted that the app had not been working since Sunday and could only be used with the help of a VPN.
Security groups reportedly confirmed that WhatsApp was being disrupted by government internet filters.
"According to the analysis that we ran today on WhatsApp's infrastructure, it seems that the Great Firewall is imposing censorship that selectively targets WhatsApp functionalities," Nadim Kobeissi, an applied cryptographer at Symbolic Software, a cryptography research startup, said to the Times.
Instagram and its parent company, Facebook, which also owns WhatsApp, are both already blocked by Chinese government censors.
To read the rest of our piece,click here.
LETTERS APLENTY:
DEMS PUSH TO UPDATE PIPELINE CYBERSECURITY:
Sen. Maria CantwellMaria CantwellOvernight Cybersecurity: Dem campaign arm embraces encryption | Panel signs off on .8B for DHS cyber office | Dems want review of pipeline security Dems call for review of pipeline cybersecurity rules 2 national monuments safe from Trump administrations review MORE (D-Wash.) and Rep. Frank Pallone Jr. (D-N.J.) asked the Government Accountability Office and Transportation Security Administration on Tuesday whether voluntary guidelines for cybersecurity defenses for fuel pipelines need to be updated or codified.
"An assessment of these guidelines and their effectiveness is needed as a number of major trends have emerged, with potentially significant implications for our energy, national and economic security," the lawmakers wrote in a letter.
Cantwell and Pallone are the ranking members of the Senate Energy and Natural Resources Committee and House Energy and Commerce Committee, respectively.
In the letter, they note that the same type of cybersecurity standards legislation protecting the energy grid is not in place for pipelines delivering natural gas and oil despite pipelines' dependence on the same types of internet-connected systems.
To read the rest of our piece,click here.
WYDEN ASKS DHS TO HELP STOP FAKE GOVERNMENT EMAILS:
A Democratic senator is pressing the Department of Homeland Security (DHS) to mandate the government-wide use of an email authentication tool "to ensure that hackers cannot send emails that impersonate federal agencies."
"I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies," Wyden wrote on Tuesday to Jeannette Manfra, the DHS official. "The threat posed by criminals and foreign governments impersonating U.S. government agencies is real."
Wyden asked DHS to require agencies to use a tool called the Domain-based Message Authentication, Reporting and Conformance, or DMARC, a standard developed by industry that can reroute emails that fake the sender's address to the spam folder or have them outright rejected.
Without DMARC or another authentication method, there is nothing that prevents a sender from putting whatever email address they would like in the "from" field.
To read the rest of our piece,click here.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
Muellergave his blessingsfor the Senate Judiciary to interview Donald TrumpDonald TrumpHouse Dems question Ivanka Trumps security clearance Dem lawmaker wears Trump, Putin 2016 hat for Made in America week Christie: Trump should 'move on' from healthcare MORE Jr. (The Hill)
The White House makes its case fordismantling net neutrality.(The Hill)
The FBI warnssmart toysmight be dumb. (The Hill)
"Far from expanding its system of biometric border screening,DHS should end it." (The Hill)
Headline of the day "Myspace fixes account security hole -but delete your account anyway." (Graham Cluley)
Lots ofsecurity camerasshare the same security flaw, inherited from a shared code library. (Motherboard)
If you'd like to receive our newsletter in your inbox,please sign up here.
View original post here:
Overnight Cybersecurity: Dem campaign arm embraces encryption ... - The Hill
Apple's top privacy executives have flown out to Australia twice in the past month to lobby the Turnbull government over looming changes to laws that govern access to encrypted messages.
Play Video Don't Play
Play Video Don't Play
Previous slide Next slide
The government wants to work with tech companies to ensure police and security officials can access the encrypted messages of criminals and terrorists.
Play Video Don't Play
Mario and friends join Ubisoft's Rabbids for a feel-good and modern combat adventure, coming to Nintendo Switch in August.
Play Video Don't Play
The company's project is designed to provide a rich interactive experience of the national park that can be enjoyed from anywhere around the world.
Play Video Don't Play
Disney-Pixar and Sphero have announced a robotic version of the iconic film character that talks, moves and drives just like the animated version.
Play Video Don't Play
Uber suspends its pilot program for driverless cars after a vehicle equipped with the technology crashed in Arizona.
Play Video Don't Play
Beyond Media's Shashi Fernando explains how Lenovo's Entertainment Hub can 'upscale' regular 2D movies and games into VR experiences.
Play Video Don't Play
Tech editor Tim Biggs takes a look at the three modes that make up the very first Super Mario game for smartphones.
The government wants to work with tech companies to ensure police and security officials can access the encrypted messages of criminals and terrorists.
The global technologygiant, which is on track to become the world's first trillion-dollar company, met with Attorney-General George Brandis and senior staffin Prime Minister Malcolm Turnbull's office on Tuesdayto discuss the company's concerns about the legal changes, which could see tech companies compelled to provide access to locked phones and third party messaging applications.
Apple has arguedin the meetingsthat as a starting point it does not wantthe updated laws to block tech companies fromusingencryption on their devices, nor for companies to have to provide decryption keys to allow access to secure communications.
The company has argued that if it is compelled to provide a software "back door" into its phonesto help law enforcement agencies catch criminals and terrorists, this would reduce the security for all users. It also says it has provided significant assistance to police agencies engaged in investigations, when asked.
Apple famously refused to comply with a request by the FBI to unlock the phone of one of the shooters in the San Bernardinoterrorist attack in 2016, drawing criticism from law enforcement agencies and praise from privacy advocates.
While the Turnbull government is preparing new legislation to introduce by the end of the year, it is not yet clear howit wants tech companies to facilitate access to secure devices such as phones.
Get the latest news and updates emailed straight to your inbox.
The laws will be modelled on those introduced in Britain about a year ago and the government saysit will update and enhance the obligations on tech companies that make phones and secure messaging applications such as WhatsApp to provide assistance to police and spyagencies when requested, subject to a warrant.
Just how this greater access to, for example, locked devices and encrypted messages can technically be achieved is not clear and this, in part, was the purpose of the government-Apple meeting.
A source familiar with the discussions between Turnbull government representatives and Apple saidthe company was effectivelytrying tominimise the amount ofadditional regulation and legal obligation that would be placed on it and other tech companies to hand over or facilitate access to secure information.
Another source familiar with the discussions said both sides were taking a collaborative approach, and that the Turnbull government had explicitly said it did not want agovernmentback door into people's phones, or to weaken encryption.
Last week, Senator Brandis said the government wouldwork with companies such as Apple to faciliate greater access to secure communications but warned that"we'll also ensure that the appropriate legal powers, if need be, as a last resort, coercive powers of the kind that recently were introduced into the United Kingdom under the Investigatory Powers Act...are available to Australian intelligence and law enforcement authorities as well".
The Prime Minister has been pushing for tech companies to work more closely with government and not allow "ungoverned spaces" to flourish online, and to allow easier access to encrypted information on phones and in the cloud, subject to a warrant.
Mr Turnbull has saidtech companies such as Apple and Facebook "have to face up to their responsibility. They can't just wash their hands of it and say: 'It's got nothing to do with us'."
At the G20he played a key role in drafting a section of the leaders' final statementon encryption that emphasised the law had to apply online, just as it did elsewhere.
The paragraph promised, in part, that "in line with the expectations of our peoples, we also encourage collaboration with industry to provide lawful and non-arbitrary access to available information where access is necessary for the protection of national security against terrorist threats".
Follow us on Facebook
Read the original:
Apple flies in top executives to lobby Turnbull government on encryption laws - The Sydney Morning Herald
Get today's popular DigitalTrends articles in your inbox:
Why it matters to you
This technique shows hackers don't need bottomless wallets or even direct access to a system to breach heavy encryption.
Security researchers have devised a method of defeating AES-256bit encryption in as little as five minutes, and most importantly, you dont need an expensive supercomputer to do it. The technique leverages radio hardware to measure the frequency changes in the magnetic field generated during encryption to record and decode the information from a distance.
Manufacturing and digital security often have the project management triangle in common. Defeating security and breaching encryption can rarely be done fast, well and without significant cost. But what this Fox-IT technique achieves is very close to that ideal, offering the ability to crack even complex AES-256bit encryption in a few minutes with relatively cheap, off-the-shelf hardware.
Although using more-expensive radio recording hardware can yield better results, the technique is capable of cracking software encryption using just a $25 USB stick and a small wire loop antenna.
By measuring the power output of the encrypting system, the snoopers can tell when an algorithm is receiving input data and later outputting it in an encrypted form. With a mixture of guesswork and correlation, the researchers are able to take that and begin to decode the AES algorithm. By attempting to figure out what the correct value (of 256 options) for each of the 32 bytes is, only 8,192 guesses must be made.
If you were to attempt to brute force hack the encrypted message itself, youd be making an impossible number of guesses (two, to the power of 256). This technique makes the impossible not only viablebut easy.
Better yet, the technique doesnt require direct access to the encrypting hardware. The researchers were able to perform the technique from up to a meter away.
That was technically only possible because of ideal testing conditions though. In reality, the most even those with high-end equipment could expect to conduct such an attack is from 30 centimeters away. Still, being able to make such an attack from a distance with cheap hardware highlights the potential for new attack vectors against typically near-foolproof encryption systems.
Although breaking open someones obfuscated files is almost always going to be easier if you extract the decryption key from the owner, this system offers a new way for all sorts of organizations and individuals to target it. In turn, this should lead to better shielding for protected hardware in the future.
Read the original here:
$20 antennas can now help breach 256-bit encryption standards - Digital Trends
Image: iStockphoto
Here we go again: the Australian government is the latest to plan new laws that will require companies to be able to unscramble encrypted communications.
In particular, the government wants tech companies to be able to hand over communications currently protected by end-to-end encryption, which scrambles messages so they can only be read by the sender and the recipient, and not by the tech company itself.
"The laws of Australia prevail in Australia, I can assure you of that," Australian Prime Minister Malcolm Turnbull told reporters. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
The Australian stance is modelled on the one taken by the UK government, which last year passed the Investigatory Powers Act that aims to do something similar. At the time it was making its way through Parliament there were warning the law, known either as the 'Snoopers Charter' or "the most extreme surveillance in the history of western democracy", would spark copycat legislation elsewhere and this was clearly correct.
The argument that criminals should not be allowed to plot in secret is a legitimate one. When the UK law was being debated, the government said that intercepted communications form between 15 and 20 percent of the intelligence picture in counter-terrorism investigations.
Here's the problem. It's not realistic to legislate encryption out of existence. You can't outlaw the application of maths. Even 20 years ago, when it was relatively rare and harder to use, governments accepted that that the benefits of encryption -- like privacy and security -- vastly outweighed the genuine concerns that encryption could help bad people to do evil in secret.
And it's worth remembering that many companies started to use end-to-end encryption recently to protect their customers' data precisely because intelligence agencies around the world have been shown to have a tendency to scoop up as much data as they can, whenever they can.
The new UK law demonstrates these difficulties, and it's worth looking at how it has played out. This law requires UK internet companies to be able to remove any encryption they apply to messages. That makes it hard for any UK company to offer an end-to-end encrypted service themselves, but there's at least one major issue with this: UK law only extends so far, and the tech industry is a global one.
Few of the companies that offer the secure (end-to-end encrypted) services that worry the government are actually based in the UK.
Persuading companies to change the way they run their business just for the UK market is unlikely to succeed. And, even if the biggest companies could be forced to change their policies, which is deeply unlikely, then criminals could easily find another company, somewhere in the world, that will offer them an encrypted service. Or they could even build one themselves.
Banning end-to-end encryption would make it easier to snoop on some conversations, for sure. But it's likely to have a bigger effect on disorganised crime -- crooks that don't know how to or care about covering their tracks.
There is a benefit in being able to tackle any crime, of course, but it's worth being at least aware that any local -- that is, national -- ban on encryption is likely to have an extremely limited impact on organised criminals.
But what a ban will certainly do is weaken security for tens of millions of people.
We already know far too well that both cyber-crooks out for cash and hackers backed by governments are trying to snoop on and steal data from political parties, businesses, and individuals on a daily basis. Weakening the security that protects those communications will make it much easier.
The tech companies that hold those 'golden keys' that can decode all the messages that flow over their networks will be a huge target for hackers and history has shown us that few organisations are capable of protecting themselves forever.
There is perhaps an outside chance that there will be a domino effect: that as successive governments start passing legislation like this, that we could eventually end up in a position where end-to-end encryption is effectively outlawed worldwide. But that is extremely, extremely unlikely. Realistically, without the same legislation in the US (which has up to now rejected such a move) the impact of any other nations' laws will be limited.
What is better is for governments to accept the existence of end-to-end encryption as something that is, for the most part, a beneficial part of the landscape.
And there are ways to get round it. For example, many PCs and smartphones are inherently insecure and relatively easy to hack into; in the UK police and intelligence agencies now have the powers to hack individual devices should they need to. That means investigators can get access to most communications but can't routinely access everything.
This seems to me to be a much better, targeted use of powers rather than making us all insecure. It's the equivalent of giving the police a battering ram versus requiring everyone to hand in a copy of their front door key. In addition, investigators already have access to huge amounts of metadata -- information about the communications if not the actual contents. The problem in many cases is not too little information, but too much.
In reality it is unlikely to be possible to prevent the use of end-to-end encryption, and even if it were, the side-effects of doing so could be very significant for modern, connected, societies.
In a fight between maths and politics it's unlikely the politicians are going to emerge the winners: they should instead think of better ways to get access to communications to keep us all safer.
Originally posted here:
Encryption: In the battle between maths and politics there is only one winner - ZDNet
This is the first post in our new regular series on data center security. Scroll to the bottom of the article to learn more about the column and its author.
Researchers at top university and corporate labs around the world are in a furious race to create the first practical, usable quantum computer. Quantum computers which use quantum bits, or qubits are capable of running computations impossible for existing technology. It promises to open up new possibilities in areas like medical research, artificial intelligence, and security.
Oh, and they would also easily crack current encryption algorithms.
How close are quantum computers to becoming reality? The point at which quantum computers would surpass our current computers in capability is at about 50 cubits.
In March, IBM announced that it had a 20-qubit quantum computer, and that outside researchers and developers could already start running simulations on the IBM Quantum Experience.
In June, Google raised the ante. Alan Ho, an engineer from Googles quantum AI lab, told a conference in Germany that Google already had a 20-qubit system, and was planning to built a 49-qubit computer by the end of the year.
See also:Googles Quantum Computing Push Opens New Front in Cloud Battle
Quantum computers are now commercially available if you have a lot of money, said Mike Stute, chief scientist at Masergy, a networking, security and cloud communications technology company headquartered in Plano, Texas.
The problem is that dealing with qubits requires some tricky engineering involving quantum physics. Plus, quantum computers require built-in error correction to deal with the fact that qubits are not as well-behaved as the traditional zero-or-one bits of classical computing. These two challenges combine to make the development of larger quantum computer a difficult task.
Meanwhile, its not enough to just surpass current computers. In order to crack todays encryption, quantum computers have to be a lot better than what we have today.
That will take between 500 and 2,000 qubits, said Kevin Curran, a senior member at IEEE and cybersecurity professor at Ulster University.
See also:One Click and Voil, Your Entire Data Center is Encrypted
So, run-of-the-mill hackers wont be breaking into banking systems right away. Government agencies, however, may have quantum computing technology a generation or two ahead of whats commercially available, said Masergys Stute.
That means companies protecting data of interest to China, Russia, or the NSA might need to be particularly careful.
Current encryption is based on the idea that there are some mathematical problems that are really hard for computers to solve.
For example, public-key encryption where one key is used to encrypt the data, and a different key to unlock it typically relies on just those kinds of problems.
When quantum computing becomes a reality, then many public-key algorithms will be obsolete, said Curran.
Symmetric encryption, where the same key is used to both encrypt and decrypt the data, is more robust and will last longer.
Companies that have data they want to protect may want to start planning ahead to make more use of symmetric encryption, as well as switch to longer keys.
In addition, researchers are already working on new, quantum-proof encryption methods and will start testing them as soon as quantum computers become more widely available.
For companies that depend on having good encryption in place the most important thing is not to hard-wire encryption systems into their applications.
Instead, they need to adopt a modular approach, so that they can easily replace old, obsolete algorithms with new, effective ones. With some advanced planning, thats not hard to do.
Cyberattacks with wide-reaching consequences are now commonplace. Last months attack on FedExs TNT Express will hurt its quarterly results. The same month, thousands of members of the British Parliament and their staff lost access to email as a precautionary measure taken to limit the damage from a massive cyberattack on the legislative body. If your job has anything to do with your organizations data centers, cybersecurity is becoming a bigger and bigger part of it, which is why were introducing a new column focused exclusively on data center security.
Its a great pleasure to introduce Maria Korolov, who will author the column. She is a Massachusetts-based technology journalist who writes about cybersecurity and virtual reality.
During her 20 years of experience covering financial technology and cybersecurity she wrote for Computerworld, was a columnist for Securities Industry News, ran a business news bureau in China, and founded a publication covering virtual reality. She has reported for the Chicago Tribune, Reuters, UPI, and the Associated Press.
Before switching to business and technology journalism, she was a war correspondent in the republics of the former Soviet Union and has reported from Chechnya, Afghanistan, and other war zones.
See more here:
Quantum Computing Could Make Today's Encryption Obsolete - Data Center Knowledge
Australia is proposing laws that would require companies like Apple and Facebook to give the government access to our personal encrypted data, and now the countrys attorney general thinks he can convince Apple thats a good idea. Australia Attorney General George Brandis is meeting with Apple this week in a effort to coax the iPhone maker into voluntarily building back doors into it encryption.
Australia wants access to our encrypted data
His argument for access into encrypted data is in line with the ongoing government fight in the United States for the same: criminals, terrorists, and pedophiles can act cover their trails and act with impunity. Brandis says hed like to see tech companies voluntarily cooperate, but wants legislation to force compliance, too.
Australias stance isnt new or even innovative. Its the same position the U.S. and U.K. have taken on encryption, and like the U.S., Australia is saying it doesnt want a back door. Instead, it wants a way to bypass security protections that prohibit anyone from decrypting data without a passcode.
The government is also saying it isnt seeking to weaken encryption, but instead simply wants the access to user data.
Apple argued thats the same thing as a back door into our data and it weakens security for everyone. That was part of Apples stance during the very public fight with the FBI over a 2015 mass shooting in San Bernardino, California.
In that case, the FBI sought a court order forcing Apple to create a special version of iOS the agency could hack so it could see what was on the shooters iPhone. Apple argued that doing so would expose millions of iPhone to attack, and that even though the FBI promised it wouldnt be used on other phone or ever released, the hack would eventually leak.
The FBI dropped that fight only hours before a scheduled court hearing after paying US$900,000 to a company for a hack into suspects iPhone. Ultimately there wasnt anything of value on the phonesomething the San Bernardino police chief suspected from the beginning.
Now Senator Diane Feinstein has a bill she hopes will pass that gives the U.S. government authority to force companies to make their encryption unlockable by law enforcement agencies.
Like the U.S., Australia is pushing its stance that creating a way for governments to access our encrypted data isnt the same as a back door. That doesnt make it any less of a back dooror less of a security threatno matter how much Brandis argues.
His hope that Apple will voluntarily erode the privacy and security measures we see on the iPhone and Mac will only lead to disappointmentsomething the FBI learned very publicly last year.
[Thanks to Sky News for the heads up]
Originally posted here:
Australia's Attorney General Thinks He can Convince Apple Encryption Back Doors are Good - The Mac Observer
Much of the reaction to Malcolm Turnbulls press conference last Friday has cast his comments as the latest, and possibly worst example of political technological illiteracy. And just another instance of anti-technology bluster and rhetoric without any firm policy foundation.
Based on the level of detail and technical understanding the Australian Government has revealed so far, this is an understandable assessment. But reading between the (admittedly very blurred) lines, I would suggest that an eventual policy destination is slowly emerging.
Before assessing this policy proposal, there are three broad questions that need to be answered: What problem is the current policy approach not solving? Is what is being suggested feasible? And if so, will it address the problem?
The status quo
Firstly then, why all the rhetoric? Because, despite significant investment and a series of legislative changes, Australian law enforcement agencies are unable to access communications content, and increasingly, communications metadata in a timely manner.
The former challenge, particularly in relation to encryption, is not new. What is new is the combination of ubiquitous end-to-end encryption, and easy to use, free communication apps, that are typically hosted and headquartered outside of the reach of domestic law enforcement agencies.
As Turnbull himself noted prior to the introduction of mandatory metadata retention laws in 2015, using WhatsApp or Wickr is enough to ensure that your communications are encrypted, and that the metadata is stored outside of Australia.
For law enforcement, this means that they can no longer rely on access to the low hanging fruit, those within a conspiracy unable or unwilling to use secure communications methods. Or indeed, quickly conduct network metadata analysis to prioritise investigative leads.
Clearly, there are already ways around these limitations, particularly where an individual or group has been identified as a high priority. Most obviously, given the variety and number of apps most people use, why try to defeat (or indeed backdoor) a series of encrypted apps if instead, you can get access to the device theyre used on?
The UKs Investigatory Powers Act spelled out the extent of hacking powers currently available to UK intelligence agencies. And within law enforcement, weve learned about hacking in the US, but also by private sector contractors on an international level.
Recent global events might have suggested that hacking is easy; in reality, doing so within a government framework against a handful of individuals requires significant time and resources. And as the big technology companies make welcome progress at fixing vulnerabilities, this is only getting harder.
The policy solution
Up until now, the often baffling language used by government ministers across the Five Eyes alliance has made the feasibility of any potential solution too difficult to assess. But perhaps the clearest indication yet came last week in a revealing interview with Robert Hannigan, a former director of Britain's Government Communications Headquarters (GCHQ) . Hannigan largely echoed the views of the global infosec community - he refused to advocate building backdoors into encryption, which he described as overwhelmingly a good thing, and concluded that weakening security for everybody in order to tackle a minority was 'a bad idea'.
What was largely overlooked however, was Hannigans suggestion that authorities should instead 'go after the smartphone or laptops' of people abusing the system. And importantly, do so in cooperation with tech companies.
The specifics of how this cooperation might work remains unclear. But Hannigans comments point towards a solution that might satisfy some of the concerns of privacy and cyber security advocates, while also delivering a workable solution that delivers real value for law enforcement agencies - private sector-assisted hacking.
Cooperation would be compelled via a warrant, with all the accompanying oversight that this should imply. Its target would either be an app provider (such as Whats App) or perhaps more realistically, the operating system provider (largely Apple or Google). On receipt of a warrant, the provider could push a unique, tailored update to a targets device, containing device-specific malware that delivered ongoing law enforcement access to the device, and hence, the associated content and metadata.
Will it address the problem?
In a very obvious sense then, this proposal would help deliver access to the intelligence that law enforcement agencies need, increasing the scalability and success of law enforcement hacking operations but reducing their associated resource impact. And unlike an encryption backdoor, it might pass the technological feasibility test. Instead of weakening encryption, it would simply bypass it.
From a cyber security perspective, as Patrick Gray has pointed out, sufficient safeguards could be placed around these updates to ensure that they couldnt be reverse engineered - they wouldnt need to be a backdoor, open to abuse. And by focusing on a device rather than a specific app, the displacement effect, so obvious in focusing government efforts on just Whats App or Telegram, would not apply.
In theory then, this model appears promising. How closely it aligns with the legislation promised by Turnbull and George Brandis last week remains to be seen. But whichever legislative model Australia pursues, its progress will be watched closely by governments across the world. And of course, by a whole host of technology and communications companies.
Recent developments suggest that underneath the techno-babble, political point scoring and counter-terrorism blame game, governments the world over are faced by a very real policy problem. Australia may prove to be the test case for a policy solution that has far reaching consequences for privacy, technological development and the future of law enforcement operations.
David Wells
See the original post here:
Why Australia might be on the right encryption-cracking track - The Interpreter