Why Performance is Important to Cloud Security and Lower Encryption Tax Rate – Read IT Quik

Although not as high as over the last decade, security of data in the cloud remains a top concern for enterprises deploying into cloud environments, especially public cloud. As native and third-party security solutions emerge to resolve most of those concerns, another variable in cloud security needs to be considered: performance.

Of course, the first requirement of any security solution is just that: security. But other variables need to be weighed when deciding which tools to use, including integration, performance, usability, navigation and compatibility. In this article we'll discuss the performance metrics and concerns that should be part of your acquisition decision.

For security to be effective, it must be practical. Many will remember the cumbersome early X.509 certificate-based messaging, or the lag and extra steps of RSA hardware tokens. Cloud technology is purpose-built for fast, flexible and efficient operation. Solutions used to secure the cloud must likewise be quick, seamless and user-friendly so that they match or exceed the performance of the services they protect. There are many categories of cloud security solution, including security information and event management (SIEM), advanced threat protection (ATP) and identity and access management (IAM), but here we focus on encryption and key management.

Encryption is the foundation of an effective cybersecurity strategy, especially for public cloud deployments. Most users view encryption as a binary function: it's on (encrypting) or off (not encrypting). But encryption has to be examined in a detailed performance light. Converting data from plaintext to ciphertext costs time and resources (CPU and memory), what I often call an encryption tax, so you need to make sure your tax rate is as low as possible.
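Measuring the tax instead of guessing at it, as an added example (my code, not Read IT Quik's): Go's standard-library AES-GCM timed at several record sizes. The key sizes (128 and 256 bit), the record sizes and the 16 MiB volume per run are arbitrary choices for the demonstration; nothing here describes any particular cloud provider's implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// newGCM wraps AES (16- or 32-byte key) in GCM, the AEAD mode most storage
// and TLS stacks use. Go takes the hardware AES path when the CPU has one,
// which is the single biggest lever on the tax rate.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip seals and then opens plaintext under a fresh random nonce and
// returns the recovered bytes, so correctness can be checked next to timing.
func RoundTrip(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, aead.Seal(nil, nonce, plaintext, nil), nil)
}

// ThroughputMBps seals totalBytes of data in records of recordSize bytes
// under a throwaway random key and returns the Seal rate in MB/s.
func ThroughputMBps(keyBytes, recordSize, totalBytes int) (float64, error) {
	if recordSize <= 0 || totalBytes < recordSize {
		return 0, fmt.Errorf("need 0 < recordSize <= totalBytes, got %d/%d", recordSize, totalBytes)
	}
	key := make([]byte, keyBytes)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	record := make([]byte, recordSize)
	nonce := make([]byte, aead.NonceSize())
	out := make([]byte, 0, recordSize+aead.Overhead())
	iters := totalBytes / recordSize
	start := time.Now()
	for i := 0; i < iters; i++ {
		// Counter nonce: unique per call, acceptable only because the key is
		// random and discarded when this function returns.
		nonce[0], nonce[1], nonce[2], nonce[3] = byte(i), byte(i>>8), byte(i>>16), byte(i>>24)
		out = aead.Seal(out[:0], nonce, record, nil)
	}
	secs := time.Since(start).Seconds()
	return float64(iters*recordSize) / secs / 1e6, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := []byte("sample customer record, constructed for this example")
	if got, err := RoundTrip(key, msg); err != nil || !bytes.Equal(got, msg) {
		panic("AES-GCM round trip failed")
	}
	// Same total volume, only the record size changes. Small records pay a
	// fixed per-call cost (nonce setup, tag computation) that dominates the
	// bytes actually encrypted, so the effective tax rate rises sharply.
	for _, keyBytes := range []int{16, 32} {
		for _, size := range []int{64, 1024, 64 * 1024} {
			mbps, err := ThroughputMBps(keyBytes, size, 16<<20)
			if err != nil {
				panic(err)
			}
			fmt.Printf("AES-%d-GCM  record=%6d B  %8.0f MB/s\n", keyBytes*8, size, mbps)
		}
	}
}
```

Run it with go run and compare rows: on the same machine the 64-byte row is typically several times slower per byte than the 64 KiB row, because every Seal call pays a fixed cost for nonce handling and the GCM tag regardless of payload size. That per-record overhead, together with whether the CPU has hardware AES, is most of the tax rate; AES-256 versus AES-128 adds only a few extra rounds by comparison. Record size and hardware acceleration are therefore the first two things to check when a vendor quotes encryption overhead.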

Here are some factors you should consider to lower your tax rate:


To battle hackers, IBM wants to encrypt the world – Washington Post

There are only two types of companies, it is commonly said: those that have been hacked, and those that just don't know it yet.

IBM, the computing giant, wants to get rid of both. The company said Monday that it has achieved a breakthrough in security technology that will allow every business, from banks to retailers to travel-booking companies, to encrypt their customer data on a massive scale, turning most, if not all, of their digital information into gibberish that is illegible to thieves, with its new mainframe.

"The last generation of mainframes did encryption very well and very fast, but not in bulk," Ross Mauri, general manager of IBM's mainframe business, said in an interview. Mauri estimates that only 4 percent of data stolen since 2013 was ever encrypted.

As the number of data breaches affecting U.S. entities steadily grows, resulting every year in the leakage of millions of people's personal information, IBM argues that universal encryption could be the answer to what has become an epidemic of hacking.

The key, according to IBM officials, is an update to the computer chips driving the powerful mainframe servers that house corporate or institutional information and process millions of transactions a day worldwide, from ATM withdrawals to credit card payments to flight reservations.

Cryptography, the science of turning legible information into coded gobbledygook, is already commonly used by certain email providers and storage services. But because of the computational power needed to quickly encrypt and decrypt information as it passes from one entity to another, many businesses use encryption only selectively, if at all. A December report by the security firm Sophos found that while 3 out of 4 organizations routinely encrypt customer data or billing information, far fewer encrypt their intellectual property or HR records. Sixty percent of organizations also leave work files created by employees unencrypted, the study found.

"All of these represent opportunities for digital criminals," said Austin Carson, executive director of the technology think tank TechFreedom.

"One of the big problems is that way too much information is stored in clear text," he said. But universal or pervasive encryption, he added, could help ensure that even if hackers successfully broke into a company's network, any information they found there would be impossible to decode. "That would be a huge step forward just in terms of protecting a much larger body of information," Carson said.

But the same technology could frustrate law enforcement, which in recent years has waged a furious battle with Silicon Valley over encryption technology and how extensively it should be used. In a high-profile dispute last year with Apple, the Justice Department argued that the company should help officials break into an encrypted iPhone used by one of the San Bernardino shooters. Apple refused, saying that developing tools to break encryption would undermine its customers' security, particularly if the tools were to fall into the wrong hands. Apple's concern is not theoretical: this year's WannaCry ransomware attack, which held thousands of PCs hostage, has been linked to a Windows vulnerability that was secretly discovered and exploited by the National Security Agency long before it leaked into the wild.

In its push to expand universal encryption, IBM is taking Apple's side in the debate.

"IBM fully supports the need for governments to protect their citizens from evolving threats," the company said in a statement on the issue. "Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society."

For IBM, encryption is also a massive business opportunity. Businesses spend over $1 trillion a year making sure that their security meets government standards, according to company officials. One aspect of IBM's new approach to mainframes is the concept of automating that compliance work, using artificial intelligence to check that what's being protected passes regulatory muster in various industries. In doing so, IBM expects to turn a chunk of that annual compliance spending into revenue for itself. And that's on top of the roughly $500,000 it expects to charge new customers for using IBM's newest mainframe technology. Most businesses, said Mauri, will be upgrading from an existing setup, so the cost for those clients could be less.

For some small businesses, that may still be too expensive. Still, the history of technology suggests that with time, those prices may fall.

"This is the turning point. The idea here is that you can start to encrypt all data," said Mauri. But even as IBM makes encrypting everything a priority, Mauri and other security experts already have their eyes set on the next holy grail: the ability to securely edit and manipulate encrypted files without ever having to decrypt them in the first place (homomorphic encryption).


Australian Leader’s Stupid Quote About Laws Trumping Math Is Encryption Fight in a Nutshell – Reason (blog)

Australia's Prime Minister Malcolm Turnbull is getting mocked by the encryption-savvy for asserting that the laws of mathematics are subservient to the laws of Australia.

The Australian government is considering legislation that would require online communication companies to decrypt messages on demand from law enforcement officials in order to fight crime. The problem is that end-to-end encryption prevents the companies themselves from decrypting the communications. It is a safety and security measure that makes it much harder for people with sinister intentions, whether criminals or dangerous governments, to access users' private data.

Turnbull's quote may make him look like an idiot, but the fundamental attitude he's expressing is shared by lawmakers and government officials in other countries, including the United States and the United Kingdom. These people want to deliberately jeopardize everybody's data privacy and security in order to serve the demands for information of law enforcement and the intelligence community.

Government officials have been wanting to force "back doors" into encryption so that they can get access to data in order to fight crime and terrorism. But there's no such thing as a back door that only the government can access.

Once there is a key to break encryption, it can be (and frequently has been) either discovered or reverse engineered by others. Furthermore, no single government, no matter how powerful it is, has the ability to prevent new, unheard of encryption tools from becoming available for criminals and terrorists to access. The inevitable outcome would be average users of commonly distributed communication apps having their data compromised, and actual criminals finding new ways to keep their communications secret.

In this context, Turnbull was asked whether this mathematical reality trumped government's desire to get access on demand to encrypted communication. His response:

"Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

We should actually appreciate the blunt stupidity of Turnbull's response, because it highlights how stubbornly unwilling government officials have been in recognizing the actual consequences of their proposals. We've seen it from American senators on both the left and the right like Dianne Feinstein (D-California) and Richard Burr (R-North Carolina). We've seen it from British Prime Minister Theresa May's administration.

Throughout this encryption fight we have seen government and law enforcement officials lean on their power to legally demand access to information with warrants and investigatory tools in a bid for the authority to compromise everybody's security. The quote from Turnbull vividly demonstrates their belief that the existence of a government law outweighs consideration of other consequences.

The quote should be used as a rhetorical weapon against the likes of Feinstein and May to force them (and law enforcement representatives) to deal with the dangerous consequences of the laws they propose.


Apple meeting with Australian Attorney-General to discuss proposed ban on end-to-end encryption – 9to5Mac

Australia's Attorney-General has said he will be meeting with Apple as the country becomes the latest to demand that the company cease offering end-to-end encryption, reports Sky News.

Attorney-General George Brandis says he will hold talks with tech giant Apple this week in a bid to get co-operation on the Turnbull government's proposed laws compelling tech companies to give police and intelligence agencies access to encrypted information and messages from suspected terrorists and criminals.

Australia is apparently determined to join the US and UK in the hall of fame of governments who don't understand how encryption works. Brandis said that the new laws would be directly modelled on the UK's Investigatory Powers Act, introduced last year.

So far, there has been no clash between the British government and Apple on the subject, though a future one seems inevitable. The law requires Apple and other tech companies to hand over details of messages sent through services such as iMessage and FaceTime, but Apple's use of end-to-end encryption means that it will be unable to comply.

Apple will doubtless be making the point that the only way to comply with such a law would be to cease using end-to-end encryption, compromising everyones privacy.

Brandis says that he will be seeking voluntary cooperation first, and legislating if needed.

Senator Brandis says the government will be seeking voluntary cooperation as a first preference. "But we will also be legislating so that we do have that coercive power if need be, if we don't get the cooperation we seek," he told Sky News on Sunday.

Apple has of course demonstrated its willingness to stand up to government attempts to force it to compromise user privacy through the San Bernardino case in the USA.



Government’s encryption backdoor plan flawed: SafeSwiss chief – CIO Australia

Legislating against cryptography will drive encryption underground, says Tim Gallagher

The chief executive of a Swiss digital encryption app provider has lambasted the Australian government's proposed new laws that will compel tech companies to help local security forces access encrypted messages.

The proposed laws are expected to be put to Parliament by the end of this year, and are expected to resemble the UK's Investigatory Powers Act 2016. That legislation obliges messaging platform operators such as Facebook and Google to cooperate with investigators seeking access to encrypted messages.

SafeSwiss CEO Tim Gallagher said on Monday that the nature of his company's free messaging service for Android, iOS and Windows devices places it beyond the legal jurisdiction of the Australian government.

Gallagher warned users who are concerned about their privacy that serious design flaws in products such as WhatsApp, Telegram Messenger and WICKR potentially make them vulnerable to government-mandated backdoors.

"Banning or legislating encryption apps is not the answer; this is a true paradox of security against privacy," Gallagher said.

Legislating against cryptography will drive encryption underground. It will open the doors to malicious attacks from adversaries everywhere.

Gallagher noted that encryption also applies to banking, purchasing goods online and in keyless ignition systems.

"A good preview of how backdoors operate is to look at the US Transportation Security Administration (TSA) requirement that all baggage passing through or travelling within the USA must be equipped with Travel Sentry locks that are designed to allow anyone with a readily available master key access."

"As a result, a CNN investigation found thousands of incidents of theft," he said.

Gallagher added that to consider governments a trusted third party is extremely misguided.

Governments would be better placed to put resources into the source of the problem the continued brainwashing of predominantly youth under the guise of medieval religion.

We are most certainly not anti-government or anti-police. We are pro privacy, and we firmly believe that both privacy and freedom of speech are two basic fundamental human rights.


Everything You Should Know About The Government’s New Encryption Laws – Junkee

"The people we're most worried about will circumvent it, and the ones who most need it are the ones who are going to lose their privacy."

In a press conference this Friday, Prime Minister Malcolm Turnbull announced the Government's intention to introduce new encryption laws that would compel tech companies to provide Australian security agencies with access to encrypted messages. The laws are intended to make it easier for law enforcement to access the messages of suspected terrorists and criminals.

Unfortunately, Turnbull also used the press conference to demonstrate a deep misunderstanding of how encryption works, saying that the laws of mathematics are "very commendable" but do not apply in Australia. This did not inspire confidence.

Given the importance of encryption for security and privacy, and the enormous potential consequences of inserting so-called backdoors in software, people are understandably pretty freaked out. The UK laws the Australian laws are supposedly based on have also been roundly criticised as an invasion of privacy, and have been nicknamed the Snoopers' Charter for that reason.

For the time being, though, it's not totally clear exactly what the Australian laws will entail, whether they'll work, and whether they'll be much of a threat. Here's what you need to know at the moment.

What did the government actually announce? Apart from that the laws of mathematics don't apply down under, not much.

Basically, Turnbull said the government is concerned about making sure the rule of law applies online as well as offline so that the internet is not used as a dark place for bad people to hide their criminal activities from the law.

Attorney-General George Brandis emphasised that the new laws are not changing any existing legal principle. It has always been accepted that in appropriate cases, under warrant, there can be lawful surveillance of private communications. He characterised the new laws as bringing these up to date with technology.

As for how the government plans to ensure this, we got vague mixed messages. Turnbull insisted that the legislation will require [tech companies] to provide assistance, except not through backdoors but "legitimately, appropriately".

The problem? It's not clear what this means, or whether it's possible.

End-to-end encryption, as used by messaging applications like WhatsApp, encrypts a message on the sender's device so that it can be decrypted only by the intended recipient's device. The Guardian has an explainer on how encryption works, but the basic takeaway you need is this: the service provider (i.e. WhatsApp) cannot unscramble the message, because it never holds the keys.

This is the point on which the government's vague press conference doesn't make a lot of sense. The law may compel companies like WhatsApp to provide assistance, but there's not a lot that WhatsApp can do. In the words of independent cybersecurity researcher Troy Hunt, "you can't break the mathematics in that way, it's just not how it works".

This brings us to the question of backdoors. A backdoor is a method of bypassing security or encryption, which can end up in a program by design or by mistake. One way that the government could hypothetically obtain encrypted messages is if they were able to compel an encrypted messaging provider to remove encryption, or to implement some kind of backdoor allowing messages to be retrieved from a device.

The problem with inserting backdoors, as Troy Hunt puts it, is that you can't ensure they'll only be used by legitimate forces. "Once there is a way of exploiting devices, sooner or later it tends to fall into the hands of people it's not meant to," he told Junkee.

The global WannaCry ransomware attacks several months ago, for example, spread through a Windows SMB vulnerability using an exploit developed by the NSA that later leaked: not a deliberate backdoor, but the same lesson, that a capability built to get into other people's systems does not stay with its owner. When security is compromised through backdoors or the removal of encryption, everybody loses.
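What the end-to-end explanation and the backdoor discussion above say in words, as an added example (my code, not Junkee's, Troy Hunt's or any messaging provider's actual protocol): X25519 key agreement plus AES-256-GCM from Go's standard library. Alice seals a message to Bob; the relay, holding both public keys, the ciphertext and a key pair of its own, cannot open it. The "escrow" party is a hypothetical model of a mandated access key, included to show that a backdoor is simply an extra recipient rather than "broken maths", and that whoever holds that one key reads every message that carries a copy. SHA-256 over the shared secret stands in for a real KDF such as HKDF; the names alice, bob, relay and escrow and the sample message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one key holder: an endpoint, the relay, or the escrow authority.
// The maths treats them identically; only possession of a private key counts.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public is the half published in the provider's key directory.
func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// aeadWith derives the AES-256-GCM session key p shares with peer. SHA-256 of
// the X25519 shared secret stands in for HKDF so the example stays stdlib-only.
func (p *Party) aeadWith(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sealed is one AES-GCM ciphertext (tag included) with its nonce.
type Sealed struct{ Nonce, Body []byte }

// Envelope is exactly what the relay stores and forwards: one ciphertext per
// key the message was sealed to, labelled by recipient.
type Envelope struct{ Copies map[string]Sealed }

// Send seals plaintext once per recipient key. A genuine end-to-end message
// has one entry; a "lawful access" build simply adds the escrow key as a
// second recipient. That extra entry, not a change to the cipher, is the backdoor.
func (p *Party) Send(plaintext []byte, to map[string]*ecdh.PublicKey) (Envelope, error) {
	env := Envelope{Copies: map[string]Sealed{}}
	for name, pub := range to {
		aead, err := p.aeadWith(pub)
		if err != nil {
			return Envelope{}, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return Envelope{}, err
		}
		env.Copies[name] = Sealed{nonce, aead.Seal(nil, nonce, plaintext, nil)}
	}
	return env, nil
}

// Open reads the copy labelled `as`. GCM rejects it unless p's private key and
// sender's public key reproduce the sealing key: the relay cannot open Bob's
// copy with its own key, but whoever holds the escrow private key opens every
// envelope carrying an "escrow" copy, from any sender, without touching a device.
func (p *Party) Open(sender *ecdh.PublicKey, env Envelope, as string) ([]byte, error) {
	s, ok := env.Copies[as]
	if !ok {
		return nil, errors.New("no copy sealed for " + as)
	}
	aead, err := p.aeadWith(sender)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Body, nil)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	relay, _ := NewParty()  // the provider's own key pair
	escrow, _ := NewParty() // the mandated access key pair
	msg := []byte("constructed sample message")

	env, _ := alice.Send(msg, map[string]*ecdh.PublicKey{"bob": bob.Public()})
	pt, err := bob.Open(alice.Public(), env, "bob")
	fmt.Printf("bob:    %q err=%v\n", pt, err)
	pt, err = relay.Open(alice.Public(), env, "bob")
	fmt.Printf("relay:  %q err=%v\n", pt, err)

	env, _ = alice.Send(msg, map[string]*ecdh.PublicKey{"bob": bob.Public(), "escrow": escrow.Public()})
	pt, err = escrow.Open(alice.Public(), env, "escrow")
	fmt.Printf("escrow: %q err=%v\n", pt, err)
}
```

The relay's failure is not a policy decision; GCM's authentication check fails because the relay's private key produces a different shared secret. The example also shows the one lever a provider does hold: it runs the key directory, so a provider compelled to "assist" could hand Alice a key it controls in place of Bob's. Out-of-band key verification between endpoints (safety numbers, fingerprint comparison) is what closes that gap, and it is a different conversation from the "break the maths" one.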

Of course, Turnbull was adamant that no backdoors would be used. But given that he was cagey on how exactly the laws would work, people are a bit worried.

Troy Hunt told Junkee what the laws might actually mean in practice.

He thinks that rather than trying to compel services like WhatsApp to remove their encryption, "we're more likely to see the government proactively pursue intercepting messages at the end points, for example by using exploits to gain access to it on phones of suspects, which makes a lot more sense technically than what some of the headlines say at the moment".

This would entail trying to work with companies like Apple and Samsung to break into their devices, something that has received huge pushback from such companies in the past. Given that tech companies have stood their ground before, and that "ultimately it took the FBI paying about a million bucks to get some exploit tool to get in", Troy isn't particularly worried about the Australian government's use of backdoors becoming widespread in practice, even if that's their tool of choice.

While it might be unlikely that the government manages to force tech companies to bypass encryption, Troy cautions that it wouldn't be great for most of us if they did.

"If they managed to do that, we still have all of these mechanisms of encryption that are outside the scope of any one company or service; we still have things like PGP mail. And all of these channels will still exist for people who want to use them and keep their messages private.

"The people we're most worried about will circumvent it, and the ones who most need it are the ones who are going to lose their privacy."

Basically, at the moment what the government's proposing is pretty unclear, and sounds a bit dodgy, but nothing's actually been finalised. The takeaway for now is that this is one to watch; further details of the actual laws will emerge as the bills themselves are drafted.

Sam Langford is Junkee's Staff Writer. She tweets at @_slangers.


Encryption -Is it enough? – CIOReview

Jerry Irvine, EVP, CIO, Prescient Solutions

CIOs and their corporations are looking for the magic bullet to protect their intellectual property and the personally identifiable information of their clients, partners and employees. Legacy security measures such as firewalls and antivirus provide little protection against hackers and malicious users breaching the enterprise environment, even when combined with stricter access controls. Data loss prevention (DLP) solutions are cumbersome and limit the productivity of end users.

With these technical and business constraints in place, CIOs are turning to encryption of data across the entire data life cycle to mitigate the risks of lost or stolen information. But does today's encryption technology really provide the levels of confidentiality required in this totally Internet-connected world?

There are three primary phases in which data can be encrypted: in transit, at rest, and in use. The highest level of data protection currently exists in the data transmission phase. In this phase, encryption occurs between specific communicating devices. Encryption in transit provides confidentiality against eavesdropping and sniffing and, when the endpoints are authenticated, protection against man-in-the-middle attacks. Applications such as VPN clients and browser-based HTTPS provide strong encryption that makes it very difficult for unauthorized users to intercept data.

It is common practice for organizations to encrypt data transmitted from remote devices; however, data transmitted on internal networks typically goes unencrypted. There is a perception that data traversing the internal network, or even data transmitted to remote facilities, is secure and therefore does not require encryption. Nevertheless, an organization's internal network can be easily breached, exposing data to the same risks of eavesdropping, sniffing and man-in-the-middle attacks. Consultants, vendors and individuals off the street not only have access to wireless networks but often have access to network jacks in conference rooms, cafeterias and other common areas. Devices that do not require direct authentication (printers, scanners, industrial controls, etc.) can be infected with malware that eavesdrops on, sniffs or captures traffic and sends information out to the Internet.

Past concerns about encrypting internal data in transit included increased overhead on servers, network devices and end-user workstations. This overhead could cause system delays, loss of connectivity and loss or corruption of data. Many of today's server and network technologies have encryption built in, which allows easier configuration and implementation and minimizes the impact on utilization. Implementing encryption of data in transit from endpoint to endpoint, both remotely and internally, is mandatory in today's cyber risk environment.

The highest level of data protection currently exists in the data transmission phase with the at rest and in use phases close behind

Another phase of data encryption is encryption of data at rest. This is the easiest phase to implement and, in fact, is built in on many devices such as smartphones, tablets and PCs. There is really no reason not to encrypt all data on smartphones, tablets and PCs; however, encrypting data at rest has a major limitation. Users and applications must be able to read data in order to use it, so when a user or application logs into the system the data must be presented decrypted. This is both necessary and a major vulnerability: once a user or application has logged in, all the data at rest that they have access to becomes readable. So if a user's device or application is infected with a virus or other malware and they log in, all data on their system, and on any systems they can access, becomes available to the attacker with the user's privileges.

The last phase of data encryption is encryption of data in use, and this is the weakest link. As described in the data at rest section, in order to make use of data it must be readable, i.e. decrypted. Many application, database and cloud service providers claim different levels and characteristics of encryption of data in use, but current technology does not make this completely possible. Encryption of data in use relies heavily on encryption of data at rest combined with strong authorization and access controls. By allowing only authorized users, limiting their access according to the principle of least privilege and performing on-the-fly decryption of data upon access, companies provide a minimal level of encryption of data in use.

Based on how encryption functions in the different phases, it should be obvious that encryption is not a silver bullet for the protection of data.

Encryption of data in transit, across both internal and remote networks, can be compromised by placing malware on authorized devices that eavesdrops on or sniffs data as it traverses the enterprise. Encryption of data at rest can likewise be overcome by placing malware on an authenticated device, and can be bypassed by unauthorized users who illegally obtain valid user IDs and passwords with rights to view the data. Encryption of data in use with existing technologies uses the same but stricter rules as the data at rest phase and can therefore be compromised in the same ways.

Encryption is designed to provide an additional layer of data protection, but complex authorization policies and strict access controls that grant only the least privilege necessary for a user to perform their functions are still required to protect data. If hackers get into a network but are unable to gain authorized access with valid credentials, encryption will protect data from being read, copied or manipulated. However, cyber incidents that gain unauthorized access to systems using valid user credentials, such as phishing scams or social engineering, can give hackers complete access to decrypted data.


Letters: nanny state, Perpetual and encryption – The Australian Financial Review

Leyonhjelm's superiority is illusionary

Did David Leyonhjelm not prove the "illusionary superiority" of his own intelligence in "The great nanny state delusion" (July 14)?

His premise was that academics demonstrated "illusionary superiority" and so, those promoting nanny state policies who are also predominantly academics are wrong in their belief they have the right to dictate what is good for everyone. He endorses this by saying no trade organisation has ever told him what is good for him.

First, his study analysis is weak. If 55 per cent of Americans believed themselves to be above average intelligence, then only 5 per cent overestimated and 95 per cent were quite realistic. If 75 per cent of the people with qualifications thought themselves to be above average intelligence they could be absolutely correct, dependent on the percentage who have a qualification.

Secondly, how can Leyonhjelm ignore the blatant indoctrination of the CFMEU and the like into society?

To conclude that bans on smoking, drinking, cycle helmets and lock-outs are all illusionary dictates from such weak reasoning is the delusion. I share his belief in personal freedoms, but freedoms bounded strongly by societal laws with the consequential costs of such freedoms borne by the individual, not the state. It should be an ideological argument, not one based on apparent flawed bias.

Jack Parr

Sandringham, Victoria

Senator Leyonhjelm is a champion for those who believe they should be able to profit from harming others and pass the costs on to others. He also puts his ideology before any objective assessment of the evidence.

In 2008 the NSW Government introduced a measure in which liquor outlets associated with more than 10 violent incidents in a year are publicly listed and subject to a range of restrictions, mainly around the service of alcohol, until such time as the annual number of violent incidents have been reduced. The violent incidents in listed venues had dropped by 84 per cent since the scheme began, when 48 venues were associated with 1270 violent incidents. In 2015 there were only 14 listed venues associated with 200 violent incidents. The vast majority of us would agree that pubs and clubs should be required by law to be responsible in the way they sell their products, to reduce harm to their patrons, their staff and the police and ambulance workers.

Similarly the way gambling products are allowed to be offered impacts on the levels of suicides, family violence, fraud and homelessness that can result from excessive gambling.

The community is right to restrict those who profit from others' suffering.

Mark Zirnsak

Uniting Church in Australia

Melbourne, Vic

Why is David Leyonhjelm surprised if a group of people who have been through a process of selection for intellectual ability are higher than the average in this characteristic? If they weren't smarter then there is something wrong with the process of obtaining high qualifications.

Senator Leyonhjelm thinks that he knows better than the experts who study climate change. But it is going to extremes to then seek to denigrate smart people by saying it is illusionary for them to think that they are smart.

Perhaps politicians should be encouraged to listen to smart people?

Reg Lawler

Dagun, Qld

Chanticleer columnist Tony Boyd has been writing strongly about the Perpetual versus Brickworks court case ("Brickworks case carries lessons for Perpetual and shareholder activists", July 12) but his conclusions about what it means for shareholder activism should not go unchallenged.

The judge's decision supports a grandfathered corporate structure from the 1960s that no modern ASX listed company would be allowed to create.

But a decision at law as to the role of directors is not the same as celebrating a 'win' for directors over minority shareholders. Perhaps the more relevant issue here is who should pay the multi-million dollar bill for the case, Perpetual unitholders or shareholders, and whether the ASX listing rules or the Corporations Act should be amended so that the undemocratic cross-shareholding arrangement has to be unscrambled.

One vote, one value is an important democratic principle at public companies and the Millner family, along with their independent directors, continue to disregard shareholders in order to entrench their control through structures that neuter traditional board accountability mechanisms.

The Australian Shareholders' Association congratulates Perpetual for trying to do the right thing.

And we would prefer commentary to be balanced and note that the other aspect of the case is that Brickworks and Soul Pattinson directors could show respect for their independent shareholders by voluntarily unwinding the gerrymander.

Judith Fox

Chief executive

Australian Shareholders' Association

The government's proposal to force "backdoors" into encryption creates massive systemic vulnerabilities that outweigh any marginal good. We rely on strong encryption to secure all commerce, privacy and freedom of speech. No entity can guarantee that backdoors can be secured; a fact repeatedly demonstrated by continuing government and private sector data breaches. Further, the "encryption technology genie" is in the public domain and cannot be put back in its bottle. Access to powerful encryption tools is trivially easy, irrespective of legislation. The government is proposing that global information platform companies "don't have to break encryption, they just have to give us the data". This semantic "spin" suggests you can preserve strong encryption and yet still access individual data at will. This is nonsense.

Yes, strong encryption could be preserved for data "in transit" but ultimately a backdoor is required to access the data "at rest" or as it is entered into, or displayed on, a device. This is functionally equivalent to creating encryption backdoors; any of which create global vulnerabilities with ultimately certain catastrophic consequences. And they do not actually guarantee a window into nefarious activity. Strongly encrypted backdoor-free platforms do make law enforcement work harder, but there are a range of approaches to penetrating the communications of specific criminals that do not create massive systemic vulnerabilities for our economies, our societies and for us as individuals. The government's "backdoor by any other name" proposals are folly and ultimately un-enforceable. They should be set aside.

Roderick Laird

Glen Iris, Vic

Vale Liu Xiaobo. An example of standing up for what is right even when being pushed down and locked away. The world needs more heroes that fight for a better and freer world.

Dennis Fitzgerald

Box Hill, Vic

Source: Letters: nanny state, Perpetual and encryption - The Australian Financial Review

Australia’s plan to force tech giants to give up encrypted messages may not add up – The Guardian

Encryption access: It looks as if the government is going to lay out the requirements for tech companies and then let the companies themselves work out the methods. Photograph: Justin Sullivan/Getty Images

The Australian government is proposing legislation, similar to that introduced in the UK, that will compel technology companies to provide access to users' messages, regardless of whether they have been encrypted.

The attorney general, George Brandis, said on Friday: "What we are proposing to do, if we can't get the voluntary cooperation we are seeking, is to extend the existing law that says to individuals, citizens and to companies that in certain circumstances you have an obligation to assist law enforcement if it is within your power to do so."

Here is how encrypted messaging currently works.

I use an app, such as WhatsApp, to type a message to Darren on my phone. Before sending the message to Darren via WhatsApp's server, my phone encrypts the message specifically for Darren using what is called a public key. Now, the message can only be read by Darren using his private key, which corresponds to the public key the message was encrypted with.

WhatsApp's server doesn't have access to the private keys of either user, and so cannot decrypt the message. The situation is the same for other apps that use end-to-end encryption, such as Signal and iMessage.

With a warrant, the proposed legislation could compel companies such as Apple, Google and Facebook to provide access to messages from phones and other devices.

There are several ways this could occur.

One way is that at the point of message encryption the message is not just encrypted for the recipient's key but also with a key belonging to the technology company that makes the app. Then the technology company would be able to decrypt the message, store it and then later provide this to law enforcement agencies. This amounts to what most people would call a backdoor, that is, a method introduced, usually by the manufacturer, that allows someone to bypass a security system.
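The two designs described above (end-to-end encryption where the server only relays, and the variant where each message is also encrypted for a key held by the app company) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the Guardian article or from WhatsApp, Signal or iMessage. Every name and parameter in it is constructed: the Diffie-Hellman group is toy-sized and the cipher is an HMAC-based stand-in, so it illustrates who holds which key, not a protocol anyone should deploy.

```python
"""Toy model of end-to-end encrypted messaging, with and without a provider
'escrow' key. Illustration only: the Diffie-Hellman group below is far too
small to be secure and the construction is not a real messaging protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman parameters (constructed for this example; NOT secure).
P = 2**127 - 1
G = 3


def keygen():
    """Return a (private, public) pair for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(my_priv, their_pub):
    """Static DH: both sides derive the same 32-byte key from the other's public key."""
    s = pow(their_pub, my_priv, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def _subkeys(key):
    # Separate confidentiality and integrity keys derived from one shared key.
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode, used as a toy stream cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Envelope:
    """Everything the provider's server stores and relays."""
    sender_pub: int
    body: bytes                                        # message under a fresh per-message key
    wrapped_keys: dict = field(default_factory=dict)   # party name -> wrapped message key


def send(sender_priv, sender_pub, message, recipients, escrow_pub=None):
    """End-to-end: the message key is wrapped only for the recipients.
    With escrow_pub set, it is also wrapped for the provider (the 'backdoor' variant)."""
    msg_key = secrets.token_bytes(32)
    env = Envelope(sender_pub, encrypt(msg_key, message))
    for name, pub in recipients.items():
        env.wrapped_keys[name] = encrypt(shared_key(sender_priv, pub), msg_key)
    if escrow_pub is not None:
        env.wrapped_keys["provider"] = encrypt(shared_key(sender_priv, escrow_pub), msg_key)
    return env


def receive(env, name, priv):
    """Return the plaintext if `name` holds a wrapped key for this envelope, else None."""
    if name not in env.wrapped_keys:
        return None
    msg_key = decrypt(shared_key(priv, env.sender_pub), env.wrapped_keys[name])
    return decrypt(msg_key, env.body)


def demo():
    """Compare who can read the same message under the two designs."""
    alice, darren, provider = keygen(), keygen(), keygen()
    note = b"meet at 7"                                # constructed sample message
    e2e = send(alice[0], alice[1], note, {"darren": darren[1]})
    escrowed = send(alice[0], alice[1], note, {"darren": darren[1]}, escrow_pub=provider[1])
    return {
        "e2e_recipient": receive(e2e, "darren", darren[0]),
        "e2e_provider": receive(e2e, "provider", provider[0]),   # None: server holds no key
        "escrow_recipient": receive(escrowed, "darren", darren[0]),
        "escrow_provider": receive(escrowed, "provider", provider[0]),
    }


if __name__ == "__main__":
    for who, text in demo().items():
        print(f"{who:17s} -> {text}")
```

The point the model makes concrete: in the first design the server can be compromised, subpoenaed or leaked and still yields only ciphertext, because there is no key on it to take. In the second, one private key (the provider's) opens every envelope that was ever wrapped for it, so the security of all users collapses to the protection of that single key, which is the systemic risk the researchers quoted later in the article are describing.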

Another way is to circumvent the encryption entirely, by copying the message before it is encrypted or after it is decrypted. This requires either the phone operating system or the messaging application to be modified to record what someone is typing, and then store the unencrypted message for later retrieval or send it to another server.

This is very similar to the way that criminals use programs known as keyloggers to steal people's passwords and other details, and is also a method used by intelligence agencies to get around encrypted messaging.

Brandis has repeatedly said the government will not require a backdoor, telling the ABC: "Well, we don't propose to require backdoors, as they are sometimes called, though there is a debate of course about what is or is not a backdoor."

However, confusingly Brandis has also said that encryption keys should be provided to the government if necessary.

"At one point or more of that process, access to the encrypted communication is essential for intelligence and law enforcement," he told the Sydney Morning Herald in June.

"If there are encryption keys then those encryption keys have to be put at the disposal of the authorities."

Seemingly contradictory statements aside, and without yet seeing the legislation, it looks as if the government is going to lay out the requirements for tech companies and then let the companies themselves work out the methods.

Various security researchers have expressed concern that if companies did install backdoors that allow them to decrypt messages, this would have significant security implications for the general public. Once discovered, it's possible that any backdoor method could be exploited for criminal purposes, compromising the privacy of all users of a service.

It's also likely that people concerned about security and privacy would simply stop using the services of any company that introduces methods to decrypt or record messages, and switch to other means of secure communication.

For example, in addition to using encrypted messaging apps, members of the terrorist group Isis have also been known to use simple, open-source encryption software to encrypt files which can then be transferred conventionally. It's hard to see how the government's legislation could address methods such as this, given the basic function of encrypting and decrypting files is done by mathematical algorithms.

This situation led tech reporter Asha McLean from ZDNet to ask the prime minister: "Won't the laws of mathematics trump the laws of Australia? And then aren't you also forcing people onto decentralised systems as a result?"

To which Turnbull replied: "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

Just how the law of Australia will override mathematics is still unclear.

Source: Australia's plan to force tech giants to give up encrypted messages may not add up - The Guardian

UK spookhaus GCHQ can crack end-to-end encryption says Australian AG – The Register

British signals intelligence agency Government Communications Headquarters (GCHQ) can crack end-to-end encrypted messages sent using WhatsApp and Signal, according to Australian attorney-general George Brandis.

Brandis made the claim speaking to the Australian Broadcasting Corporation's AM program, on the occasion of Australia announcing it would adopt laws mirroring the UK's Investigatory Powers Act. Brandis said the proposed law will place "an obligation on device manufacturers and service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis where it is necessary to interdict or in the case of a crime that may have been committed".

Asked how Australia's proposed regime would allow local authorities to read messages sent with either WhatsApp or Signal, Brandis said: "Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible."

Brandis is infamous for being unable to articulate an accurate or comprehensible definition of metadata when asked to do so during a live television interview, so his understanding of cryptographic concerns cannot be trusted without qualification, which The Register is seeking.

But there's no doubt about the intent of Australia's proposed laws, as Brandis later said in a joint appearance with prime minister Malcolm Turnbull that Australia's law enforcement agencies want access to encrypted traffic for three reasons.

The first is that Brandis says Australia already has mechanisms to allow law enforcement authorities to intercept electronic communications. Extending that power to encrypted traffic just brings that power up to date, he argues.

The second is that the Australian Federal Police says it has seen rapid growth in the amount of encrypted traffic, "from around three per cent a couple of years ago to now over 55, 60 per cent of all traffic".

Lastly, Turnbull said that encrypted messaging services "are used by ordinary citizens, they are also used by people who seek to do us harm. They're being used by terrorists, they're being used by drug traffickers, they're being used by paedophile rings."

Bad people using encryption means the law needs to be modernised, with a definitely-not-a-backdoor that sees device makers and service providers co-operate with Australia in as-yet-unspecified ways to provide access to encrypted messages when warrants are produced.

Pushed on how encrypted messages could be read when service providers hold neither public nor private keys, Turnbull had this to say:

Your Sydney-based correspondent looks forward to an attempt at repealing gravity so we can see if the laws of Australia override the laws of physics, too.

But we digress.

Brandis and Turnbull said the law will reach Parliament in the Spring sessions, which commence on August 8th. Just what it will compel device-makers and service providers to do has not been revealed, nor has how Australia will access messages sent using services based offshore. Turnbull said "I'm not suggesting this is not without some difficulty" but hinted that in discussions at last week's G20 Leaders' Summit the participants agreed that member nations should be able to rely on colleagues to sort things out with companies resident in their respective jurisdictions.

Source: UK spookhaus GCHQ can crack end-to-end encryption says Australian AG - The Register