Nominee for director of the FBI Christopher Wray. Photo: Jim Watson/AFP/Getty Images

News reports from likely future FBI director Chris Wrays Senate hearing today focused on the question of the agencys independence from the White House. This is understandable the bureaus relationship to the White House is at the top of everyones mind and Wray performed well: My commitment is to the rule of law, to the Constitution, he told members of the Senate Judiciary Committee. But when it came to the less attention-getting, but no less important, question of encryption, unfortunately, Wray performed somewhat less inspiringly: Theres a balance, obviously, that has to be struck between the importance of encryption which we can all respect when there are so many threats to our systems and the importance of giving law enforcement the tools that they lawfully need to keep us all safe, he said.

The problem is that there isnt really a legal balance to be struck when it comes to encryption. American tech companies already comply with lawful orders for user information that isnt fully encrypted, and shy of building backdoors into their products, there isnt a lot more they can do.

Unfortunately, Im still not sure how this is an issue that can be solved by working together with industry, said Matthew Green, a renowned cryptography professor at Johns Hopkins University, after seeing Wrays comments. Either the U.S. government will pursue a strategy that includes mandated encryption backdoors or it wont. I believe other forms of cooperation, such as metadata sharing, are already available.

Wray is entering a decades-long debate, one where a principal argument hasnt really changed: Should you be allowed to make a device or a method of communication thats so secure, even you have no way of knowing what your users are doing or saying? The FBI, famously, was so stumped when it couldnt access San Bernardino shooter Syed Farooks iPhone last year that it invoked the All Writs Act of 1789, a broadly written law used when the government needs an authorization that Congress hasnt yet legislated or thought of, and demanded Apple write a personalized, fake software update to get past the phones login screen. At the 11th hour, the FBI said it had found and paid for a rare vulnerability in the code for the 5c, the model Farook had, and stood down.

Technologists and cryptographers have long been unanimous that forcing a tech company to build a secret vulnerability into their products, only to be used for emergency situations a backdoor is a terrible idea. If cops can use it, hackers and foreign governments can probably find it and exploit users, for one thing. And if American companies would be forced by law to build backdoors, as floated in an ill-fated draft bill last year by senators sympathetic to the FBIs concerns about terrorists going dark, privacy-minded consumers would simply start using secure messaging apps made in countries that didnt have that law.

At the same time, its hard to tell the law-and-order crowd that if a terrorist cell in the U.S. is using Signal, the FBI has to simply throw up its hands and use whatever other investigative tools are at its disposal. Thats why a number of political figures, among them former Democratic presidential nominee Hillary Clinton and former FBI Director James Comey, have rejected the idea of outright backdoors, but like Wray today, still declared a wistful support for some kind of compromise solution, achievable by the tech industry and federal government really putting their heads together.

But politicians and law-enforcement figures pushing for a compromise ignore the realities of mathematics and the dire need to increase internet security in favor of pushing technologists to nerd harder and come up with some magical way to create strong security tools that only the FBI could break, said Amie Stepanovich, U.S. policy manager at Access Now, a group that advocates for digital civil liberties.

In Wrays defense, maybe he only hoped for an impossible compromise because he hasnt had time to give the issue much thought: He readily admitted he was an outsider who didnt have enough information about encryption in front of him to present a formal plan, a repeated theme in his hearing. For the future, Wray might consider stressing that pushing for mandatory backdoors should be off the table, or that strong encryption should be a fundamental consumer protection in a world where Russian intelligence agencies target American civilians, like the heads of U.S. presidential campaigns. Wray could have said that agents stymied by locked phones would have to rely more on old-school investigative techniques. He could have admitted that while the gray market of buying exploits in emergencies is far from perfect, its worked so far, and there simply isnt a better solution out there.

Unfortunately, no senator probed Wray much further on the issue. What does he think the FBI should do if the agency encounters another Farook iPhone case, but this time cant find a vendor hawking exploits? Apparently, hope that math changes.

The site is reportedly closer to running out of funds than many expected.

The domino effect is hard to watch.

Then I dont need a jacket.

Itll hit stores next year.

The FCC and Congress have a lot of reading to do.

Conclusion? No collusion.

Angela Nagles Kill All Normies is among the best examinations of the origins of the alt-right.

No matter how much politicians and law enforcement might wish for it, a compromise on encryption cant happen.

Amazon is considering allowing third-party app developers access to your voice queries to Alexa.

Donald Trump Jr. and the Kremlin are at the heart of todays burgeoning Twitter meme.

AlphaBay, an online bazaar for drugs and other contraband, disappeared over a week ago and took millions of dollars with it.

Talking with New Yorks attorney general about net neutrality and what his office has seen while investigating broadband providers.

Thats one way to tell your neighbor what you think of them.

The company initially tested the ads with users in Thailand and Australia.

Five minutes and 25 seconds of chill vibes.

Some of the incentives were as high as $400,000.

My new sous-vide circulator comes with an internet connection, which is convenient both for me and for any teenage hackers creating a botnet.

Nobody should be able to work a knife that fast.

Continued here:
The Encryption 'Balance' Trump's FBI Candidate Wants Is Mathematically Impossible - New York Magazine

1. What is encryption and why is it important?

Encryption is the process of making content unintelligible to anyone or any device without the proper keys to unlock that content. It is important because every time we use a device on the internet we leave a digital footprint that is accessible to those that either want to monetise this information and or those that wish us harm (e.g. terrorists, hackers etc). Encryption, if implemented the right way, puts you back in control over who you allow to view what information.

2. Is encryption a good thing or a bad thing?

Encryption is an important tool. The important point is to ensure that it is implemented in such a way that it cant be used for bad purposes, only for good. The abuse of this tool may result in actions that are evil. Equally, if your medical provider is using encryption to store your health records, then its a very good thing. Its down to society to implement encryption responsibly.

3. Why should ordinary people be bothered with encryption?

Do you leave the doors of your home unlocked and open? We all expect privacy in our homes unless the law has been broken and even then enforcement agencies require a court order to enter. The internet does not offer the same level of privacy that we enjoy in our homes. Our data is under continual scrutiny by advertisers. Our pictures are misappropriated. Our private messages are put into the public domain. Encryption offers a means to redress the balance, and restore online privacy.

4. What are the dangers of building government backdoors into encryption products?

There are numerous risks:

a bad person could gain access to the backdoor and hence all your data; backdoors make systems more complicated and increase the risk of errors in what honest users are doing; backdoors can threaten the democratic process. Imagine for instance an internet voting system; to have secret ballot voting it is essential that government does not have a backdoor. interoperability across borders. Do backdoors match each other, will overseas customers want to buy products with a foreign governments backdoors in it, and the list goes on.

Rather than a seemingly big brother approach to gaining access to personal data that could be deemed as always on, the appropriate solution should be transparent. By using a system of legitimised key escrow, authorities have the necessary powers to gain access to specific information, while ensuring an individuals privacy is intact.

A system like this is just an online implementation of the already accepted process of law enforcement requiring a warrant to gain access to a persons home.

5. Why is there so much debate about encryption and privacy at the moment?

There are two very strong themes. First, terrorist groups are using encrypted messages to organise their activities. Second, we're seeing a growing number of vital public services being hit by cyber attacks. In short, there is a significant cyber threat to national security.

UK Home Secretary Amber Rudd has stated it is "unacceptable" that internet companies should, "provide a secret place for terrorists to communicate with each other," and has met with technology companies with a view to obtaining access to encrypted messages. This has alarmed many members of the technology community, who have pointed out that any weakening of encryption standards could seriously undermine the UK's ability to compete in online services. Many ordinary citizens are also alarmed about the possible prospect of mass, indiscriminate snooping. No one has yet put forward a balanced solution so the debate continues.

6. Should there be a limit to online privacy?

This is a question for civil, legal and ethical authorities and the answer would vary across the globe. There may be a disparity in government policy across differing countries the access of personal information. What is important is ensuring a uniform technical solution, globally together with the unified interoperable government policy.

7. Is there a way to balance peoples privacy and the need for government intervention?

Yes. The use of well-known and accepted cryptographic cyphers with acceptable policy controls and legitimised key escrow is the answer. This enables internal and cross-border laws to be balanced with civil rights.

After considerable search and thought, Scentrics offers a solution using acceptable and recognised cyphers and has made them accessible to developers through their SDK.

8. What is the next stage to encryption and privacy?

There is a change happening in the way that society views online privacy. For the first time there is a viable, low cost technical solution that is scalable to the masses. It makes the service of privacy simple. A one click solution. It leverages the already existing assets in the ecology of the internet and thereby does not intrude on asking the user to invest in assets to make this work. Considering the heightened sensitivity of this issue amongst all areas of society we see the world adopting this technology to have control over their digital personas (in other words our digital footprint).

Importantly this will deliver the right balance of protecting civil ethics and national security. A legacy infrastructure that we know to be the internet which was never born to cope with the current challenges it faces now must incorporate this new IP within its skeleton just as it did some 28 years ago by allowing for a hypertext protocol which we all know and cherish as the world wide web.

Jerome Mohammed, Operations Director, Scentrics Image Credit: Yuri Samoilov / Flickr

Read this article:
Q&A: The importance of encryption - ITProPortal

Researchers at Los Alamos National Laboratory (LANL) have found that most random number generators used for encryption keys are not truly random.

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

They found that encryption keys are potentially predictable because software-based random number generators typically part of the operating system have a limited capacity.

This is because the software typically depends on capturing signals or events from the physical world, such as mouse movements, hard drive activity and network traffic, to increase the level of randomness.

But because these sources are finite, software-generated encryption keys are not truly random, and could be predicted by attackers. But few organisations are aware of these shortcomings because there is no mechanism for certifying the quality of random number generators.

To address this problem, the quantum security team at LANL spent a decade developing and perfecting the ability to deliver pure entropy the foundation of randomness using quantum technology.

Quantum random number generation is widely regarded as one of the most mature quantum technologies and the inherent randomness at the core of quantum mechanics makes quantum systems a perfect source of entropy. Therefore, only pure quantum entropy is considered to be capable of enabling the generation of truly random numbers for creating cryptographic keys that are impossible to predict.

This capability to generate truly random numbers has been made commercially available through a spin-off firm named Whitewood in reference to Thomas Jeffersons wheel cipher, that was made using discs cut from a cylinder of white wood.

Whitewood is a subsidiary of Allied Minds, which licenses technology from universities and research labs and then sets up companies to commercialise those technologies and take them to market.

In June 2017, Whitewood made this capability available as a free cloud-based service for servers, desktops and laptops running on the Microsoft Windows operating system.

The service is based on the Whitewood Entropy Engine, which uses the core technology developed by LANL and is designed to strengthen cryptographic security systems in traditional datacentres, virtual cloud environments and embedded systems, including internet of things (IoT) devices, where encryption is used increasingly for authentication and assurance of integrity and confidentiality.

The use of crypto tools such as encryption have become ubiquitous in modern IT environments and play a critical role in emerging technologies such as blockchain and bitcoin services and in helping organisations to comply with the EUs General Data Protection Regulation (GDPR).

Encryption is viewed by many organisations as a get out jail card because if they can demonstrate that data was encrypted, they dont have to disclose that they lost it, said Richard Moulds, general manager of Whitewood.

And in the payments world, there are some cost saving benefits because if you encrypt credit card numbers, that database is out of scope in terms of PCI DSS [payment card industry data security standard] assessments.

According to Moulds, PCI DSS is ahead of the GDPR in terms of encryption requirements, so perfect random number generation is likely to become increasingly important for the retail industry, while it is already an area of great interest for banks, the financial services industry and the military.

The free netRandom service for Windows is part of a broader product portfolio from Whitewood that includes support for Linux as well as on-premise entropy management systems with granular reporting functionality and quantum random number generators (QRNGs) for organisations that prefer to deploy their own dedicated or private security infrastructure.

The free service delivers on-demand, quantum entropy from a cloud-based server over standard IP networks to continuously re-seed existing random number generators to make them work properly. Just as the network time protocol drip-feeds time synchronisation to devices, the Whitewood drip-feeds entropy into devices as a background service.

Random number generation is critical for security, but is often poorly understood and is a point of attack and vulnerability highlighted by the SANS Institute as one of the seven most dangerous attacks for 2017, said Moulds.

The growing widespread use of cryptography raises the bar for randomness, making the current best-effort approaches to random number generation no longer sufficient.

In some ways, this is a dirty little secret in the crypto industry, and although it is a problem that is almost universal, almost nobody has thought about it. People tend to worry about where and how encryption keys are stored, who has access to the keys, and who is able to revoke a key, but few people think about where those keys come from or about how random they are.

Underlining the problem, researchers at the University of Pennsylvania found in a 2012 study that 0.75% of TLS certificates shared keys because of insufficient entropy during key generation, and that they were able to obtain the private keys for 0.50% of TLS hosts and 0.03% of SSH hosts because their public keys shared non-trivial common factors due to poor randomness.

According to Moulds, new data protection and privacy regulation such as GDPR raise the bar for randomness even further as organisations seek to use strong encryption, both to protect data from theft by making it unintelligible and to potentially avoid data breach disclosure obligations.

The rapid growth of the IoT is also focusing attention on crypto security as a means of ensuring correct operation and trustworthiness of safety-critical devices and systems such as drones, driverless cars and smart grid infrastructure, he said.

Cryptographic keys can be compromised through theft or calculated guesswork, said Moulds. There is a constant race to keep ahead of the attackers who can exploit ever-faster processing resources to break traditional random number and key generation methods and crypto algorithms a capability that will get a further boost with the availability of quantum computers.

The trend towards virtualisation, containers and distributed environments compounds the problem by abstracting applications from the physical world and the entropy within it, he said.

In the virtual world running on shared hardware with dynamic replication, there can be little or no real entropy, increasing the risk of entropy starvation and making it virtually impossible to guarantee the quality of key generation and system security without entropy from a trusted source, said Moulds.

For this reason, Whitewood is able to deliver entropy not only to physical machines, but also to virtual machines, containers and IoT devices. Whatever random generators developers use, they will work correctly because they are being seeded or shuffled so frequently, said Moulds.

Whitewood has solved three problems, he said: How to generate good entropy fast so there is enough to supply thousands of virtual machines; how to deliver it securely over a network; and we plugged it into the operating system so we are not forcing application developers to adopt a different random number generator because we are enabling existing random number generators in Windows and Linux to work better.

Continued here:
Encryption keys too predictable, warn security researchers - ComputerWeekly.com

Social media giants will be compelled to pass encrypted messages on to Australiansecurity agencies under new laws introduced by the Turnbull government on Friday.

Prime Minister Malcolm Turnbull said the new laws were needed to target terrorists, paedophile rings and organised crime gangs.

Similar laws already affected telco companies, hesaid.

We have the right now to get the cooperation from the telephone companies. What we dont have is the legal right to get that sort of cooperation from the internet companies like Facebook, or WhatsApp, or Telegram and so forth, and Google, Mr Turnbulltold Channel Sevens Sunrise program.

He said the legal system needed to catch up with technological changes.

We cannot allow the internet to be used as a place for terrorists and child molesters and people who peddle child pornography and drug traffickers to hide in the dark.

Those dark places online must be illuminated by the law.

Im not talking about giving intelligence agencies backdoors or anything underhand. This is simply saying the rule of law must prevail online as it does offline.

Attorney-General George Brandis told ABC Radio hed been assured it was feasible to seize encrypted messages from WhatsApp or Signal.

What this does is merely contemporise for the modern era what is a well-established legal principle, and that is persons, including companies, can be subject to an obligation to assist law enforcement in resolving crimes and that principle shouldnt depend upon the nature of the technology, Senator Brandis said.

What we are proposing to do, if we cant get the voluntary cooperation that we are seeking, is to extend the existing law that says to individuals, citizens and to companies, in certain circumstances you have an obligation to assist law enforcement if its within your power to do so.

The laws that exist at the moment predate the development of encryption, all we are seeking to do is to apply an existing principle to a new technology.

Senator Brandis said he would introduce the laws between now and the end of the year.

He told Sky News the proposed laws had nothing to do with mass surveillance and most Australians would not be impacted.

It is not mass surveillance and its not going to make their everyday dealings in social media insecure, Senator Brandis said.

The fact is that information security is a very high value. It is an economic benefit. It matters to people and the Government is determined to protect it.

But having said that, there is also an important value to be served in protecting national security.

David Glance, Director of the University of Western Australia Centre for Software Practice, said it was not knownhow the proposed laws would take effect.

Although Brandis referred to the UKs Investigatory Powers Act, the UK Government hasnt actually made public how dealing with encrypted messages would work, Dr Glance toldThe New Daily.

There is obviously the debate about whether this will really help them in any event Plus, they are [already] able to hack peoples devices, get metadata, et cetera. So the question is why isnt that enough?

Dr Glance said encrypted messages could only be decoded if the companies involved weakened their encryptions and stored user keys.

He said people had reason to be concerned about what it could mean for them.

Not necessarily from the government but from criminals and hackers who will exploit weakened security to snoop, steal intellectual property, identities and other things.

Obviously there is a contradiction in their attempts to increase cybersecurity against nation state attacks and at the same time, weakening encryption to allow them to access anyones communications. They cant have it both ways.

Anthony Albanese told Channel NineLabor would consider the legislation.

The New Dailyhas contacted Greens spokesperson for communications Senator Scott Ludlam for comment.

Read this article:
Turnbull government to compel social media giants to hand over encrypted messages - The New Daily

Cyber Defense

A private sector firm is offering a new kind of reinforced encryption technology for the U.S. military services to safeguard mobile phone, radio and computer transactions from brute force cyberattacks.

The Internet Promise Group has used internal funding to patent a new technical method of securing encrypted military communications by implementing, integrating and changing random bits with an existing encryption key algorithm.

The idea is to strengthen existing encryption keys to make them less vulnerable to brute force attacks where adversaries or cyber intruders use computer algorithms to try multiple combinations of keys until the details are discovered and the key is broken, said Tara Chand, founder and CEO of Internet Promise Group.

Brute force attacks, which require both substantial coordination and sophistication, are typically thought to be associated with major cyberattacks from near-peer adversaries, such as Russia or China.

We want to figure out a way to make the key so strong that you cannot break it, he said.

Chand explained that his firm has patented Random Dance Keys, a new class of military encryption technology engineered to be impenetrable to brute force cyberattacks.

Random Dance Key innovation is based upon its focus on the key space itself rather than encryption algorithms, to provide ultimate defense and protection of critical data and communications. This patented, advanced key management system employs heuristic random wave envelopes derived from the three different types of waves to yield a perpetual sequence of random vectors, Chand added.

Random Dance Keys, Chand explained, are able to change encryption keys with every data package by using a new random sequence of bits. Random keys are used and then discarded.

Every time you have a data package, you come up with a random key and integrate that with an algorithm and encryption key you already have. You leave them as they are, he added.

The Internet Promise Group is now in the process of introducing this technology to the U.S. military services. Early conversations are underway, Chand explained.

Current U.S. military concerns about cyber intrusions are heightened by recent revelations of Russian hacking and Chinas previous record of hacking U.S. military databases.

About the Author

Kris Osborn is editor-in-chief of Defense Systems. He can be reached at kosborn@1105media.com.

Continued here:
Industry firm patents new cyber encryption technology - Defense Systems

As we have come to terms with recent tragic events in the UK understandably there is great anxiety and a lot of questions about the causes of such terrible loss of life. It has again highlighted the debate around regulating the internet giants like Google, Facebook, Twitter and Amazon. These channels have given criminals and terrorists the opportunity to broadcast their message, so politicians in the UK responded in the first instance by suggesting the technology industry should play their part in addressing this huge challenge. However, the Queens Speech, the list of laws that the government hopes to get approved by Parliament over the coming year, leaves me confused.

Listening to the earlier comments from policy makers the rhetoric suggested the new Government would push the technology industry for tougher legislation that might not have proper checks and balances in place. These concerns were heightened reading Matt Burgess report claiming the Government wanted to push through demands for tech companies to provide access to user information by breaking end-to-end encryption as needed.

The Home Secretarys comments, especially in relation to encryption compounded that concern, so it was very pleasing to see positive signals from the European Union on the individuals right to privacy. The European Parliaments Committee on Civil Liberties, Justice and Home Affairs underlined its support for the principle of confidentiality.

However, a week really is a long-time in politics, especially when it comes to digital and technology legislation.

The Queens Speech has highlighted a commitment to make the UK the safest place online and added new right to be forgotten laws, as well as a determination to comply with the European Unions GDPR legislation. The speech also included a pledge to review counter terrorism strategy. This might suggest the Government is revising its view on cybersecurity, placing the individuals right to privacy above national security issues. Unfortunately the vagueness of the Queens address leaves far too much room for interpretation. The talk of a Digital Charter is good if its goal is to protect the privacy of consumers, but how will that be weighed up against national security needs?

From the perspective of MaidSafe we applaud attempts to protect user privacy. However, there is no clarity on the question of encryption, particularly giving intelligence services exceptional access in the name of national security. The Investigatory Powers Bill still stands and there appears to have been no mention of the unassumingly named Investigatory Powers (Technical Capability) Regulations, which will require service and application providers to give access to information. While this remains unaddressed we have one simple question for the authorities: what if the technology has been designed so that it cannot reveal user information?

As most people who follow the story of MaidSafe know the start point for the SAFE Network was creating a better internet one where users were in control of their data and privacy was paramount. That is why it has been designed with encryption at its core and why users are the only ones, who control access to their data. However, to ensure MaidSafe cannot compromise a users identity and data MaidSafe has no way to break the encryption. The user is the only one with the keys and we have no master key that can override the system. Bottom line we cannot put a backdoor into our network, because we have no way of identifying users once they are set up.

If you listen to the arguments from politicians the potential threat outweighs the right to privacy and freedom of speech. We believe that rushing legislation through is the wrong approach. This should be a time for cool reflection and a recognition that it is a complex problem, which cannot be solved by pressurising technology companies to create backdoors to their products. Even if you do not accept the fundamental right of individuals to privacy and freedom of speech there is a simple practical point - weakening encryption will make itwell insecure. A vast array of organisations use encryption today for everything from banking to processing legal documents, tax accounts and protecting email. Creating mechanisms for the security services to access information means there is a weak point which hackers can exploit too. If you dont believe they will then you have clearly erased Wannacry from your memory. The excellent article by Andy Greenberg in Wired on the extent of the hacking in the Ukraine shows how devastating cyberattacks already are without giving the hackers a short cut and this weeks episode has only served as a stark reminder.

The more difficult moral debate we are fully aware of is that we are building a network, which could be used for both good or bad purposes. It is our view that users should be given the right to make this choice for themselves. If they control their data and who they share it with, they control whether or not an individual can broadcast information to them. Security services may also say the SAFE Network will make it harder for them to do their jobs, but there is little or no evidence that mass surveillance and breaking encryption will mean it is easier to catch criminals. Indeed while the bad guys appear to take an innovative approach to new technologies it often seems as though the authorities wish to take a step backwards.

Compromising security and allowing sweeping powers more often than not leads to abuses of such authority. We have seen this time and again. We would argue there is evidence the police and security services are more successful with targeted surveillance and building partnerships with communities. John Thornhill at the Financial Times recently reminded me of a report I had seen before, originally published in 2015. MITs Computer Science and Artificial Intelligence Laboratory (CSAIL) produced a damning criticism of backdoor access to encryption the title of the report underlining the crudeness of such an approach: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications. While it sounds obvious there is absolutely no point in locking the door and allowing the bad guy to find the keys. It makes for good drama in Hollywood, but it in real life it has serious consequences.

The intelligence community terms this breaking of encryption as exceptional access which makes it sound very benign. However, MIT CSAIL was clear about the consequences in its report: In the wake of the growing economic and social cost of the fundamental insecurity of todays Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimise the impact on user privacy when systems are breached.

If you are not convinced on moral grounds there is also a simple technical reason why giving control back to users works. If an individual controls his or her identity that person is anonymous, but also potentially traceable. As John Thornhill rightly points out using encryption also authenticates the user and in environments such as the blockchain it should not be forgotten that once an individual, including a hacker, adds something to the blockchain it is recorded for posterity. Suggesting that encryption is an enabler for the bad guys shows a lack of understanding of next generation technologies, because unlike previous analogies of good guys versus bad guys technologies in the current landscape are more complex.

At its heart this debate needs a reset, because it feels like cybersecurity strategy is still in the 2000s when Web 2.0 came along. The technology is cleverer now, but so too are the users and the technology is reflecting what users want. They want privacy, but equally they do not want to propagate terrorism or hatred. They believe technology exists that balances the absolute right of individuals for privacy and the need for national security.

Sadly we do not live in a perfect world and technology is unfortunately being used by bad actors to do some nefarious things. Certainly, the approach of the big tech companies in response to growing consumer and political concerns has not been as quick and responsive as many would like, but weakening encryption in the name of national security is not the answer. Paul Bernal, in Matt Burgess article, raised the important issue of accountability and oversight. If the Technical Capability Regulations are passed into law there is also an even more fundamental question of right to privacy and right to freedom of speech. This is a time for cool heads. The MIT CSAIL report is good not just in its technical analysis but also as a historical reminder. We have been debating this issue since the 1970s when computers became increasingly mainstream. Today we are seeing rights undermined increasingly around the world and if a country like the UK is seen to promoting more draconian laws it will give more authoritarian states the justification they need to implement similar and worse rules. If we force technology companies to break their encryption we do not just compromise security we compromise fundamental human rights.

Nick Lambert, Chief Operating Officer, MaidSafe Image Credit: Yuri Samoilov / Flickr

See the article here:
We need to protect encryption - ITProPortal

Introduction

On May 23, 2017, the District Court for the Eastern District of Virginia (District Court) denied a motion for summary judgment that the patent claims asserted in a lawsuit brought by TecSec, Inc. (TecSec) are invalid under 35 U.S.C. 101.[1]

In the lawsuit, TecSec accused Adobe Systems, Inc. (Adobe) of infringing four related patents[2] directed to a multi-level encryption system that allows encrypted objects [to] be nested within other [encrypted] objects . . . resulting in multiple layers of encryption.[3] Representative Claim 1 from the 702 Patent is reproduced below:

Click here to view the image.

1. A method for providing multi-level multimedia security in a data network, comprising the steps of:

A) accessing an object-oriented key manager;

B) selecting an object to encrypt;

C) selecting a label for the object;

D) selecting an encryption algorithm;

E) encrypting the object according to the encryption algorithm;

F) labelling the encrypted object;

G) reading the object label;

H) determining access authorization based on the object label; and

I) decrypting the object if access authorization is granted.

Patent Eligibility Inquiry

The eligibility inquiry under 35 U.S.C. 101 proceeds in two steps.[4] First, the court determines whether the patent claim at issue is directed to one of the patent-ineligible concepts (e.g., abstract idea, law of nature, or natural phenomenon) (step one).[5] If the claim is not directed to a patent-ineligible concept, the inquiry ends.[6] Otherwise, the court determines whether the claim includes any additional elements that transform the nature of the claim into a patent-eligible application (step two).[7] If a claim is found to be directed to a patent-ineligible concept in step one and also lack any additional elements that transform the nature of the claim into a patent-eligible application in step two, the claim is ineligible for patent protection under 101.[8]

Arguments before the District Court

Adobe argued that the claims in the asserted patents are directed to the abstract idea of managing access to objects using multiple levels of encryption.[9] According to Adobe, Claim 1 of the 702 patent provides no guidance at all as to how to encrypt an object, how to nest objects, or any specific type of object that the process may operate on and is thus abstract because it provides no restriction on how the result is accomplished.[10]

TecSec contended that Adobe failed to properly perform the step one analysis by overgeneralizing the claims, failing to tie the identification of the abstract idea to the claim language at issue, and oversimplifying the claims and downplaying the inventions benefits.[11] Further, TecSec argued that there is no risk of preemption because there are other ways to manage access to objects using multiple levels of encryption that do not require an [object-oriented key manager] component along with the recited encryption and labelling steps.[12]

District Courts Discussion

Siding with TecSec, the District Court found that the claims in the asserted patents are not directed to an abstract idea, law of nature, or natural phenomenon.[13] According to the District Court, the patent claims provide a solution to a computer-centric problem that would not exist but for the ubiquity of computer technology.[14] Rejecting Adobes contention that the claims are reducible to putting a sealed envelope (single-level encryption) into a second sealed envelope (multi-level encryption) for extra security, the District Court stated that the claims provide a specific solution that allows multiple users in multiple locations [to access] information at different security levels from a central repository.[15]

Further, the District Court noted that the asserted patents preempt systems which make use of the specific method of an object-oriented key manager without foreclos[ing] all forms of multi-level security.[16] Having determined that the patent claims are not directed to an abstract idea, the District Court ended the patent-eligibility analysis and denied Adobes motion for summary judgment.[17]

Takeaways

This case illustrates that (i) a solution that is necessarily rooted in computer technology as illustrated in DDR[18] and (ii) evidence of no preemption as illustrated in McRO[19] both continue to play an important role in helping patent owners survive 101 challenges. When drafting claims, patent applicants should carefully consider how the claims solve a computer-specific problem without preempting all possible ways of solving such a problem.

On the other hand, patent challengers should emphasize how the problem solved by the claims is a conventional one, and not one that exists only because of the Internet or the computer technology. Additionally, patent challengers should point out why the claims impermissibly preempt an entire field of ideas. Here, Adobe presumably had some difficulty arguing that TecSecs claims cover all types of multi-level encryption because Adobe also had to argue that its multi-level encryption system did not infringe the asserted claims. In such cases, patent challengers may want to, if possible, formulate the abstract idea in a way that does not include their own products.

See more here:
Multi-level Encryption Patent Survives 101 Challenge in District Court - Lexology (registration)

Physicists in China have achieved the first quantum teleportation from Earth to a satellite, while their counterparts in Japan are the first to use a microsatellite for quantum communications. Both achievements suggest that practical satellite-based quantum communications could soon be a reality.

Jian-Wei Pan of the University of Science and Technology of China in Hefei and colleagues used China's $100m Quantum Experiments at Space Scale (QUESS) satellite to receive a quantum-teleported state. This was done over a distance of 1400km from a high-altitude (5100m) ground station in Tibet to QUESS. This is more than 10 times further than the 100km or so possible by sending photons through optical fibres or through free space between ground-based stations.

Described in a preprint on arXiv, the process involves creating photons that are quantum-mechanically entangled and then transmitting them to QUESS. Last month, Pan and colleagues reported the distribution of quantum entanglement over 1200km using QUESS.

Meanwhile, Masahide Sasaki and colleagues at the National Institute of Information and Communications Technology in Japan have shown that quantum information can be transmitted to Earth from a 5.9kg photon source called SOTA which is on board a 48kg Japanese microsatellite called SOCRATES.

Writing in Nature Photonics, Sasaki's team reports that they were able to receive and process the information at a ground station in Japan using a quantum key distribution (QKD) protocol. QKD is uses principles of quantum mechanics to ensure that two parties can share an encryption key secure in the knowledge that it has not been intercepted by a third party.

Original post:
Quantum satellites demonstrate teleportation and encryption - physicsworld.com

Former GCHQ director Robert Hannigan has spoken out against building backdoors into end-to-end encryption (e2) schemes as a means to intercept communications by terrorists and other ne'er do wells.

UK Home Secretary Amber Rudd has criticised mobile messaging services such as WhatsApp, that offer end-to-end encryption in the wake of recent terror outages, such as the Westminster Bridge attack, arguing that there should be no place for terrorists to hide.

Hannigan, who led GCHQ between November 2014 and January 2017, struck a different tone in an interview with BBC Radio 4 flagship news programme Today on Monday morning, arguing there's no simple answer on the national security challenges posed by encryption.

"Encryption is overwhelmingly a good thing," Hannigan said. "It keeps us all safe and secure. Throughout the Cold War and up until 15 years ago it was something only governments could do at scale."

The former spy agency boss described the availability of e2e encryption in smartphone apps available to everyone is, broadly, a good thing.

"The challenge for governments is how do you stop the abuse of that encryption by the tiny amount of people who want to do bad things, like terrorists and criminals," Hannigan said.

"You can't un-invent end-to-end encryption you can't legislate it away," he added.

The former head of GCHQ favours co-operation between government agencies and private (tech) companies "to find a way around it" rather than passing laws that oblige tech providers to weaken the encryption of their technology or install backdoors.

"I don't advocate building in backdoors," Hannigan said. "It's not a good idea to weaken security for everybody in order to tackle a minority.

The best solution is to "target the people who are abusing" encryption systems and go after the smartphone or laptops they are using.

"Trying to weaken the system, trying to build in backdoors won't work and is technically difficult," Hannigan reiterated.

e2e schemes are a subset of encryption in general but present a tougher challenge for law enforcement and government because service provides don't hold the private keys needed to decipher data.

Not all encryption works end to end. As well as malware implants on end point devices, encryption schemes can be broken through protocol weakness and implementation flaws.

Hannigan referenced the 1980s Clipper Chip debacle in saying he doesn't think legislation to weaken crypto would work now either. "The Americans tried that in the 1990s under the Clinton Administration and it didn't work. I can't see, particularly since most of these companies are US based, that legislation is the answer."

The co-operation Hanningan advocates with tech firms is more difficult after the revelations from former NSA sysadmin Edward Snowden. This is not just because of pressure from consumers for tech firms to offer technologies more resistant against government snooping but because firms, such as Google, who co-operate with the US government in handing over data under schemes such as PRISM were angered to discover that the NSA was pulling other tricks such as hacking into links between their data centre too.

Telcos, in particular, co-operated with law enforcement agencies across the world in lawful interception schemes for years before smartphones and endpoint devices rather than telecom switches became the necessary focus of surveillance efforts as the result of advances in technology such as the rise of mobile messaging and apps such as WhatsApp, Apple iMessage and Telegram, among others.

The former GCHQ boss - who started off his tenure criticising tech giants for acting as a "command and control" networks of choice for terrorists and criminals back in November 2014 - underwent something of a conversion in attitudes as a spy agency boss.

By March 2016 he was had softened his stance and begun advocating co-operation with tech giants, such as Google and Apple, a line he expanded and updated during his interview on Monday morning, which is well worth a listen.

Hanningan also wants technology firms to get together and apply their "engineering brilliance" to tackle the abuse of the internet as a vehicle for spreading terrorist propaganda and radicalisation. "Legislation is a blunt last resort," he said.

Lastly, in a wide-ranging interview, Hanningan said Russia as a country was responsible for a "disproportionate amount of mayhem in cyberspace" such as attacks on democratic institutions as well as the activities of cyber-criminal groups. He praised the creation of the UK's National Cyber Security Centre (NCSC) in improving defences ("the private sector needs to get better") as well as French President Emmanuel Macron's public condemnation as positive moves in combating the problem. Hanningan went on to suggest that sanctions and other measures against Russia over cyber espionage might be necessary to set "red lines" while acknowledging much online malfeasance comes from cybercrime elements.

"There is an overlap of crime and state and a deeply corrupt system that allows crime to flourish. But the Russian state could do a lot to stop that and it can certainly rein in its own activity," Hanningan concluded.

Read more here:
Former GCHQ boss backs end-to-end encryption - The Register

Prime Minister Malcolm Turnbull has put the onus on the technology companies providing end-to-end encryption to work out ways law enforcement can access the communications of criminals and terrorists.

In a speech in London overnight, Turnbull said companies should not be able to build end-to-end encryption tools that meant nobody - including courts and law enforcement - could access the content of communications.

The Australian government - along with its G20 counterparts - is looking at ways it can legally gain access to encrypted messages.

The government has repeatedly denied it is asking for backdoors to be built into encrypted messaging products, however technology companiesand security experts say encrypted communications - for which individual users hold the decryption keys - cannot be accessed without doing so.

Attorney-General George Brandislast month saidthe government would try to secure co-operation from technology companies and internet service providers through an agreed set of protocols, rather than legal requirements.

He also hinted at a potential tweaking of warrant exchanges between Australian and Five Eyes law enforcement to more easily access data in those jurisdictions.

"What we need is to develop, and what well be asking the device makers and the ISPs to agree to, is a series of protocols as to the circumstances in which they will be able to provide voluntary assistance to law enforcement," Brandis said.

"There is also, of course, the capacity which exists now in the United Kingdom and in New Zealand under their legislation for coercive powers, but we dont want to resort to that. We want to engage with the private sector to achieve a set of voluntary solutions."

Turnbull overnight told technology companies "the ball is in your court" when it comes to finding a solution to the problem.

"... just as a locked bank vault or filing cabinet cannot resist a court order to produce a document, why should the owners of encrypted messaging platforms like Whatsapp or Telegram or Signal be able to establish end to end encryption in such a way that nobody, not the owners and not the courts have the ability to find out what is being communicated," Turnbull said.

"[We are saying to Sillicon Valley] youhave created messaging applications which are encrypted end to end, they are being used by terrorists and criminals to hide their murderous plans.

"You must ensure that these dark places can be illuminated by the law so that the freedoms you hold dear will not be stripped away by criminals your technologies have made undetectable."

Turnbull conceded it would be a "difficult conversation" but argued the best defence against terrorists was "good intelligence".

"We have in the last few years disrupted 12 major terrorists plots, including several that would have resulted in large mass casualty attacks," he said.

"How many more can we disrupt if every communication, by every conspirator, is encrypted end to end and cannot be read despite every lawful right, indeed duty, so to do?"

The prime minister reiterated that the government would not pursue backdoors or access to technology companies' source code.

More here:
Turnbull handballs encryption problem to tech companies - iTnews