When he was head of GCHQ, Robert Hannigan said some pretty clueless things about the Internet and encryption. For example, in 2014, he accused tech companies of 'facilitating murder', and joined in the general demonization of strong crypto. Last year, he called for technical experts to work more closely with governments to come up with some unspecified way around encryption. Nobody really knew what he meant when he said:

"I am not in favor of banning encryption. Nor am I asking for mandatory back doors. Not everything is a back door, still less a door which can be exploited outside a legal framework."

Now, speaking to the BBC, he has clarified those remarks, and revealed how he thinks governments should be dealing with the issue of end-to-end encryption. As he admits:

"You can't uninvent end-to-end encryption, which is the thing that has particularly annoyed people, and rightly, in recent months. You can't just do away it, you can't legislate it away. The best that you can do with end-to-end encryption is work with the companies in a cooperative way, to find ways around it frankly."

He emphasized that backdoors are not the answer:

"I absolutely don't advocate that. Building in backdoors is a threat to everybody, and it's not a good idea to weaken security for everybody in order to tackle a minority."

So what is the solution? This:

"It's cooperation to target the people who are using it. So obviously the way around encryption is to get to the end point -- a smartphone, or a laptop -- that somebody who is abusing encryption is using. That's the way to do it."

As Techdirt reported earlier this year, this is very much the approach advocated by top security experts Bruce Schneier and Orin Kerr. They published a paper describing ways to circumvent even the strongest encryption. It seems that Hannigan has got the message that methods other than crypto backdoors exist, some of which require cooperation from tech companies, which may or may not be forthcoming. It's a pity that he's no longer head of GCHQ -- he left for "personal reasons" at the beginning of this year. But maybe that has given him a new freedom to speak out against stupid approaches. We just need to hope the UK government still listens to him.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Read the rest here:
Former Head Of GCHQ Says Don't Backdoor End-To-End Encryption, Attack The End Points - Techdirt

In a letter to a watchdog lawmaker last week, the Department of Defense confirmed that it will finally, in 2018, join the 21st century and use a popular basic encryption tool to help make emails to and from .mil addresses more secure. What does that mean for your badass joe.schmuckatelli@centcom.mil account? Lets break it down.

The Defense Information Systems Agency confirmed to Democratic Sen. Ron Wyden of Oregon, a Senate intelligence committee member, that by next year, the Pentagons .mil email will implement STARTTLS for enhanced email encryption a longstanding application that Wyden has called a basic, widely used, easily-enabled cybersecurity technology.

The move came after years of poking around by the reporters at Vice and some tough talk from Wyden questioning how the militarys 4.5 million-user cloud-based email service had never implemented STARTTLS before.

I cant think of a single technical reason why they wouldnt use it, one former U.S. Special Operations Command IT whiz told Vice. A hacker and former Marine similarly told the outlet: The military should not be sending any email that isnt encrypted, period. Everything should get encrypted, absolutely everything. Theres no excuse.

Vices Motherboard blog has a nice breakdown of STARTTLS, which is whats called an opportunistic encryption app. Basically, when your email server and a recipients email server hook up to exchange info, STARTTLS sets up the exchange on the fly as an encrypted transaction. When your emails are sent out into the world without encryption, opportunistic or otherwise, they are as readable as postcards, per Vice:

When your email provider doesnt support STARTTLS, your email might be encrypted going from your computer to your provider, but it will then travel across the internet in the clear (unless you used end-to-end encryption.) When your email provider, and the email provider of the person youre sending the email to, both support STARTTLS, then the email is protected as it travels across.

Kinda, yeah, but not super-big. STARTTLS has been around since 2002, and Gmail first implemented it in 2004. Vice points out that Google and your other popular private email and social-media sites including Microsoft, Yahoo, Twitter, and Facebook have already integrated STARTTLS. In the wake of the NSA surveillance disclosures by contractor Edward Snowden, Facebook led a very public charge to get more sites to use STARTTLS to keep the feds from looking at your emails.

So theres nothing new here; DoD is simply catching up to a basic encryption technology thats been around for a decade and a half long enough now that the vast majority of emails you send and receive communicate with another STARTTLS-equipped server. It has some weaknesses, and it aint PGP encryption, but its a good start.

Well, you probably already know from experience that no Pentagon-level IT policy changes overnight. But more than that, keeping mail.mil STARTTLS-free has also given the military a lot more freedom to snoop through your emails a freedom DISA was probably reluctant to give up. In a letter to Wyden in April, DISA deputy director Maj. Gen. Sarah Zabel said the agencys software regularly sweeps incoming soldier email for phishing scams, viruses, and the like.

DISA currently rejects over 85% of all DoD email traffic coming from the Internet on a daily basis due to malicious behavior, Zabel wrote. We also inspect for advanced, persistent threats using detection methods developed using national level intelligence. Many of these detection methods would be rendered ineffective if STARTTLS were enabled.

In fact, top civil liberties groups like the ACLU have long called for government agencies to use encryption not just to protect their sensitive info, but to help establish a broad pro-encryption consensus in America: If the government gets to encrypt its data, then why shouldnt free American citizens get the same right? Such a norm might not sit well with government agencies, like the NSA, CIA, and FBI, who rely on signals surveillance to further intelligence and investigative aims.

Beyond that, if the military has to triage its IT systems for info security, its probably going to tackle unclassified email servers last, after focusing on secure and closed systems like SIPRNET, the National Military Command Center, and Link 16 tactical data transmission networks.

Well, that was DISAs initial suggestion: Using STARTTLS could make it harder for the Pentagon to catch and neutralize viruses in your emails. But its decision to migrate everyones mail.mil accounts to a new STARTTLS gateway by July 2018 suggests whatever kinks the application threw in DISAs surveillance have now been worked out.

In the meantime, the service is still adamant that you shouldnt be passing any sensitive info or clicking any weird links in your nonsecure mail.mil account in the first place, so, you know, keep not doing that.

Yeah: Download less porn. Seriously. Even if its virus-free, that much cant be healthy, man.

Also, remember the cardinal rule of opsec:

WATCH MORE:

Continue reading here:
The Military Will Start Encrypting Emails. Here's What That Means ... - Task & Purpose

Encryption software is software that uses cryptography to prevent unauthorized access to digital information.[1][2] Practically speaking, people use cryptography today to protect the digital information on their computers as well as the digital information that is sent to other computers over the Internet.[3] As software that implements secure cryptography is complex to develop and difficult to get right,[4] most computer users make use of the encryption software that already exists rather than writing their own.

As encryption software is an important component in providing protection from cybercrime, there are many, many software products that provide encryption. Because there are so many software products that provide encryption, a good way to begin understanding this topic is classification by categorization.

Software encryption uses a cipher to obscure the content into ciphertext, so one way to classify this type of software is by the type of cipher used. Ciphers can be categorized into two categories: public key ciphers, also known as asymmetric ciphers, and symmetric key ciphers. Thus, encryption software may be said to based on public key or symmetric key encryption.

Another way to classify software encryption is to categorize its purpose. Using this approach, software encryption may be classified into software that encrypts "data in transit" and software that encrypts "data at rest".

As it turns out, these two types of classifications has something in common: that is, data in transit generally uses public key ciphers, and data at rest generally uses symmetric key ciphers.

However, software encryption is not as simple at that.

To begin with, symmetric key ciphers can be further subdivided into stream ciphers and block ciphers. Stream ciphers typically encrypt plaintext a bit or byte at a time, and are most commonly used to encrypt real-time communications, such as audio and video information. The key is used to establish the initial state of a keystream generator, and the output of that generator is used to encrypt the plaintext. Block cipher algorithms split the plaintext into fixed-size blocks and encrypt one block at a time. For example, AES processes 16-byte blocks, while its predecessor DES encrypted blocks of eight bytes.

Also, there is also a well-known case where PKI is used for data in transit of data at rest.

Data in transit is data that is being sent over a network. When the data is between two endpoints, any confidential information may be vulnerable to snooping. To maintain the confidentiality of the transmission, the payload (confidential information) can be encrypted to protect its confidentiality, as well as its integrity and non-repudiation.[5]

Often, the data in transit is between two entities that do not know each other - such as visiting a website. As establishing a relationship and securely sharing an encryption key to secure the information that will be exchanged, a set of roles, policies, and procedures to accomplish this has been developed; it is known as the public key infrastructure, or PKI. Once PKI has established a secure connection, a symmetric key can be shared between endpoints. A symmetric key is preferred to over the private and public keys as a symmetric cipher is much more efficient (uses less CPU cycles) than an asymmetric cipher.[6][7]

Below are some examples of software that provide this type of encryption.

Data at rest refers data that has been saved to persistent storage. Generally speaking, data at rest is encrypted by a symmetric key.

As mentioned previously, there are many, many software products that provide encryption. This Wikipedia article lists and compares the these software products by providing several tables that demonstrate their features. While these products are all listed under "disk" encryption, this may be a bit misleading.

In looking at this table that compares whether the encryption software works at the disk, partition, file, etc. layer, there just doesn't seem to be enough room to capture all the options. That's because encryption may be applied at different layers in the storage stack. For example, encryption can be configured at the disk layer, on a subset of a disk called a partition, on a volume, which is a combination of disks or partitions, at the layer of a file system, or within userland applications such as database or other applications that run on the host operating system.

With full disk encryption, the entire disk is encrypted (except for the bits necessary to boot or access the disk when not using an unencrypted boot/preboot partition).[8] As disks can be partioned into multiple partitions, partition encryption can be used to encrypt individual disk partitions.[9][9] Volumes, created by combinining two or more partitions, can be encrypted using volume encryption.[10] File systems, also composed of one or more partitions, can be encrypted using file system encryption. Directories are referred to as encrypted when the files within the directory are encrypted.[11][12] File encryption encrypts a single file. Database encryption acts on the data to be stored, accepting unencrypted information and writing that information to persistent storage only after it has encrypted the data. Device-level encryption, a somewhat vague term that includes encryption-capable tape drives, can be used to offload the encryption tasks from the CPU.

As demonstrated by this Wikipedia article there are a large number of encryption software products in this space. For that reason it does not seem prudent to attempt to capture all of that information in this article. Instead, it is recommended to look into one or more of these articles.

When there is a need to securely transmit data at rest, without the ability to create a secure connection, userland tools have been developed that support this need. These tools rely upon the receiver publishing their public key, and the sender being able to obtain that public key. The sender is then able to create a symmetric key to encrypt the information, and then use the receivers public key to securely protect the transmission of the information and the symmetric key. This allows secure transmission of information from one party to another.

Below are some examples of software that provide this type of encryption.

Read this article:
Encryption software - Wikipedia

This statement was originally published on article19.org on 4 July 2017.

ARTICLE 19 joins 82 other organisations in the following letter, calling on governments to protect strong encryption.

To the leaders of the world's governments,

We urge you to protect the security of your citizens, your economy, and your government by supporting the development and use of secure communications tools and technologies, rejecting policies that would prevent or undermine the use of strong encryption, and urging other leaders to do the same.

Encryption tools, technologies, and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorized access. The ability to freely develop and use encryption provides the cornerstone for today's global economy. Economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communicate and conduct business securely, both within and across borders.

Some of the most noted technologists and experts on encryption recently explained (PDF) that laws or policies that undermine encryption would "force a U-turn from the best practices now being deployed to make the Internet more secure," "would substantially increase system complexity" and raise associated costs, and "would create concentrated targets that could attract bad actors." The absence of encryption facilitates easy access to sensitive personal data, including financial and identity information, by criminals and other malicious actors. Once obtained, sensitive data can be sold, publicly posted, or used to blackmail or embarrass an individual. Additionally, insufficiently encrypted devices or hardware are prime targets for criminals.

The United Nations Special Rapporteur for freedom of expression has noted, "encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age." As we move toward connecting the next billion users, restrictions on encryption in any country will likely have global impact. Encryption and other anonymizing tools and technologies enable law yers, journalists, whistleblowers, and organizers to communicate freely across borders and to work to better their communities. It also assures users of the integrity of their data and authenticates individuals to companies, governments, and one another.

We encourage you to support the safety and security of users by strengthening the integrity of communications and systems. All governments should reject laws, policies, or other mandates or practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies.

Users should have the option to use - and companies the option to provide - the strongest encryption available, including end-to-end encryption, without fear that governments will compel access to the content, metadata, or encryption keys without due process and respect for human rights. Accordingly:

Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;

Governments should not mandate the design or implementation of "backdoors" or vulnerabilities into tools, technologies, or services;

Governments should not require that tools, technologies, or services are designed or developed to allow for third- party access to unencrypted data or encryption keys;

Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate insecure encryption algorithms, standards, tools, or technologies; and

Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.

Strong encryption and the secure tools and systems that rely on it are critical to improving cybersecurity, fostering the digital economy, and protecting users. Our continued ability to leverage the internet for global growth and prosperity and as a tool for organizers and activists requires the ability and the right to communicate privately and securely through trustworthy networks.

We look forward to working together toward a more secure future.

Read the letter in full

See the article here:
Global coalition urges "Five Eyes" to respect encryption - IFEX

As Elites Switch to Texting, Watchdogs Fear Loss of Accountability, says a headline in todays New York Times. The story describes a rising concern among rule enforcers and compliance officers:

Secure messaging apps like WhatsApp, Signal and Confide are making inroads among lawmakers, corporate executives and other prominent communicators. Spooked by surveillance and wary of being exposed by hackers, they are switching from phone calls and emails to apps that allow them to send encrypted and self-destructing texts. These apps have obvious benefits, but their use is causing problems in heavily regulated industries, where careful record-keeping is standard procedure.

Among those industries is the government, where laws often require that officials work-related communications be retained, archived, and available to the public under the Freedom of Information Act. The move to secure messaging apps frustrates these goals.

The switch to more secure messaging is happening, and for good reason, because old-school messages are increasingly vulnerable to compromisethe DNC and the Clinton campaign are among the many organizations that have paid a price for underestimating these risks.

The tradeoffs here are real. But this is not just a case of choosing between insecure-and-compliant or secure-and-noncompliant. The new secure apps have three properties that differ from old-school email: they encrypt messages end-to-end from the sender to the receiver; they sometimes delete messages quickly after they are transmitted and read; and they are set up and controlled by the end user rather than the employer.

If the concern is lack of archiving, then the last propertyuser control of the account, rather than employer controlis the main problem. And of course that has been a persistent problem even with email. Public officials using their personal email accounts for public business is typically not allowed (and when it happens by accident, messages are supposed to be forwarded to official accounts so they will be archived), but unreported use of personal accounts has been all too common.

Much of the reporting on this issue (but not the Times article) makes the mistake of conflating the personal-account problem with the fact that these apps use encryption. There is nothing about end-to-end encryption of data in transit that is inconsistent with archiving. The app could record messages and then upload them to an archivewith this upload also protected by end-to-end encryption as a best practice.

The second property of these appsdeleting messages shortly after usehas more complicated security implications. Again, the message becoming unavailable to the user shortly after use need not conflict with archiving. The message could be uploaded securely to an archive before deleting it from the endpoint device.

You might ask why the user should lose access to a message when that message is still stored in an archive. But this makes some sense as a security precaution. Most compromises of communications happen through the users access, for example because an attacker can get the users login credentials by phishing. Taking away the users access, while retaining access in a more carefully guarded archive, is a reasonable security precaution for sensitive messages.

But of course the archive still poses a security risk. Although an archive ought to be more carefully protected than a user account would be, the archive is also a big, high-value target for attackers. The decision to create an archive should not be taken lightly, but it may be justified if the need for accountability is strong enough and the communications are not overly sensitive.

The upshot of all of this is that the most modern, secure approaches to secure communication are not entirely incompatible with the kind of accountability needed for government and some other users. Accountable versions of these types of services could be created. These would be less secure than the current versions, but more secure than old-school communications. The barriers to creating these are institutional, not technical.

Read more here:
On Encryption, Archiving, and Accountability - Freedom to Tinker

One year from now, the US Department of Defense (DoD) expects to implement a new infrastructure to increase security around the way it communicates electronically, Gizmodo has learned.

The Defense Information Systems Agency (DISA), which manages the Pentagons email systems, says it intends to adopt, by default, STARTTLS, an encryption protocol designed to prevent the interception of email messages in transit. DISA is actively working an acquisition to upgrade the email gateways that will allow us to take advantage of evolving capabilities for email protection, wrote Maj. Gen. Sarah Zabel, vice director of DISA, in a letter this week addressed to Senator Ron Wyden, Democrat of Oregon.

In late March, Wyden sent a letter to DISA inquiring as to why the Pentagon had not already enabled STARTTLS, as it is widely used by default throughout the federal government and in the private sector to protect email communications. As you may know, the technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet, Wyden wrote.

The senator added that while the Pentagon uses various other systems to protect classified and unclassified messagessuch as Public Key Infrastructure (PKI), which allows for the encrypted transfer of data at DoD, as well as to and from its defense industry partnersWyden was concerned that DISA is not taking advantage of a basic, widely used, easily-enabled cybersecurity technology. He continued: Indeed, until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromised by third parties.

It appears, however, that surveillance was at least one reason why DISA had not enabled STARTTLS already. In a letter acquired by Gizmodo dated April 27, Zabel states that DISA made a deliberate decision not to use STARTTLS because it feared doing so would interfere with its ability to inspect each email it was sent for malicious software, phishing attempts, and other exploits. DISA currently rejects over 85% of all DoD email traffic coming from the Internet on a daily basis due to malicious behavior, Zabel wrote. The remaining 15% of email traffic is also inspected for Zero Day threats that exploit an undisclosed cybersecurity vulnerability.

Added Zabel: We also inspect for advanced, persistent threats using detection methods developed using national level intelligence. Many of these detection methods would be rendered ineffective if STARTTLS were enabled.

However, in a follow-up letter to Wyden this week, the major general clarified that DoD was largely hindered in adopting STARTTLS by its own antiquated technology.

Email remains one of our largest threat vectors, Zabel wrote, continuing: DISA is currently implementing architectural changes, which will allow the use of STARTTLS on a default basis, while still enabling us to apply appropriate safeguards; however, the capacity and throughput of the aging equipment creates limitations in supporting STARTTLS as the default for all mail sessions.

A new email gateway infrastructure will allow the use of STARTTLS by default, the letter said, estimating that DoD would be able to acquire and transition to this new system by July 2018.

The Presidential Advisory Commission on Election Integrity, which is charged with investigating President Trumps unsubstantiated claims of widespread voter fraud during the 2016 election, recently asked state officials to send their voter rolls to the commission using an email address that does not use STARTTLS.

For far too long, many of the unclassified email messages sent and received by members of the military have been left vulnerable to surveillance by foreign governments and hackers, Senator Wyden told Gizmodo. The Pentagon is doing the right thing by encrypting emails as they are sent to and from the militarys servers.

Wyden called DISAs decision a good step, but said there was no reason it should take an entire year to adopt industry-standard cybersecurity technology. Protecting the communications of American servicemen and women should be a priority, so I hope the agency accelerates its timeline, he said.

Kate Conger contributed to this report.

Visit link:
After Criticism, US Defense Department Will Implement New ... - Gizmodo

(Image: file photo)

Chinese researchers have discovered a way to rapidly decrypt satellite phone communications -- within a fraction of a second in some cases.

The paper, published this week, expands on previous research by German academics in 2012 by rapidly speeding up the attack and showing that the encryption used in popular Inmarsat satellite phones can be cracked in "real time."

Satellite phones are used by those in desolate environments, including high altitudes and at sea, where traditional cell service isn't available. Modern satellite phones encrypt voice traffic to prevent eavesdropping. It's that modern GMR-2 algorithm that was the focus of the research, given that it's used in most satellite phones today.

The researchers tried "to reverse the encryption procedure to deduce the encryption-key from the output keystream directly," rather than using the German researchers' method of recovering an encryption key using a known-plaintext attack.

Using their proposed inversion attack thousands of time on a 3.3GHz satellite stream, the researchers were able to reduce the search space for the 64-bit encryption key, effectively making the decryption key easier to find.

The end result was that encrypted data could be cracked in a fraction of a second.

"This again demonstrates that there exists serious security flaws in the GMR-2 cipher, and it is crucial for service providers to upgrade the cryptographic modules of the system in order to provide confidential communication," said the researchers.

An Inmarsat spokesperson said Thursday that the company "immediately took action to address the potential security issue and this was fully addressed" in 2012. "We are entirely confident that the issue... has been completely resolved and that our satellite phones are secure," the spokesperson said.

Matthew Green, a cryptography teacher at Johns Hopkins University, blogged about the German read-collision based technique in 2012. "Satellite telephone security matters," he said at the time. "In many underdeveloped rural areas, it's the primary means of communicating with the outside world. Satphone coverage is also important in war zones, where signal privacy is of more than academic interest," he added.

"They seem to have optimized the 2012 attack so that it's much faster and requires only about a dozen bytes of 'known plaintext'," he said, referring to the encryption of a readable message. Green said that the attack was "fast enough to allow key recovery (and decryption) in real time if one could get the known plaintext."

"From a scientific perspective it's a big advance," Green said, but he noted that "from a practical perspective it's unclear."

"So maybe don't trust satellite phone encryption," he said. "But I would have said the same thing in 2012."

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-7558849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

See more here:
New attack can now decrypt satellite phone calls in "real time" | ZDNet - ZDNet

Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations.

Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) certificates through an automated process that allows websites, given the technical requirements, to be accessed over encrypted HTTPS rather than the unprotected HTTP.

Since its inception, Let's Encrypt has helped make the horribly insecure web less so.

In a blog post, Josh Aas, executive director for the non-profit Internet Security Research Group, which operates Let's Encrypt on behalf of partner organizations, said the CA has secured 47 million domains through its free automated Domain Validation (DV) certificate API.

"This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Lets Encrypt's service became available in December 2015," said Aas.

In a phone interview with The Register, Aas said Let's Encrypt has played a significant part in accelerating HTTPS adoption but credited the work of other organizations as well. For example, he said, Amazon offers free certs for AWS customers.

Aas said Let's Encrypt's indirect impact has also been valuable in terms of changing the narrative about web security. "Before Let's Encrypt, HTTPS was difficult and cost money," he said. "Now the narrative is there are no excuses anymore."

Let's Encrypt offers DV SSL certificates, but not Organization Validation (OV) or Extended Validation (EV) certificates, which require the CA to verify details about the company seeking the cert.

"We operate at scale and when something involves manual examination in any way, it's not possible to scale that," said Aas.

DV certs cover a specific web domain (example.com), and nothing more. Wildcard DV certs cover a domain and any number of subdomains (*.example.com), like api.example.com or bad.example.com.

Having a single certificate and encryption key pair for a domain and its subdomains makes administration significantly easier than having to manage different certs for each. But, as Aas observed, wildcard certs aren't necessarily ideal for every situation.

"Wildcards are really useful when you have a centralized place for serving domains," said Aas. "Where they can be wrong choice is when you have a lot of different places serving subdomains."

Keeping your private key secure in multiple locations is inherently riskier than keeping it safe in a single place, Aas explained.

The availability of wildcard certs should make Let's Encrypt's service more appealing to large organizations that manage multiple subdomains. And the fact that the certs will be free should help some companies sell wildcard certs for several hundred dollars annually, though they can be had for significantly less.

Aas said he could't speak to how other companies selling costly wildcard certs view Let's Encrypt.

Let's Encrypt certs must be renewed every 90 days, but the renewal process can be automated via script or service.

The arrival of wildcard certs coincides with Let's Encrypt's rollout of its ACME v2 protocol, the successor to v1. ACME v2, scheduled to debut in January next year, will be an IETF standard so that other CAs can interoperate more easily with Let's Encrypt systems.

Read more from the original source:
FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader ... - The Register

Turnbull has been at pains to emphasise the government does not want a "so called" backdoor to access devices and messages. But that is not how the technologists frame this debate.

If Malcolm Turnbull presses forward on threats to force technology companies to better cooperate on countering terrorism by unlocking secret encrypted messages and data belonging to suspected violent plottersthe Prime Minister can expect a heated tussle with America's powerful Silicon Valley.

Turnbull intends to nudge world leaders at the Group of 20 in Germany this week to pressurepredominantly US-based tech giants toshare more readily with authorities the secret digital behaviour of criminal suspects using smartphones and messaging apps.

The world's most valuable companies such as Apple and Facebook are in the crosshairs of like-minded political leaders from Australia, Germany and the United Kingdom.

Criminals are using encrypted devices such as the iPhone and messaging apps likeWhatsApp,Wickr, Telegram Messenger, Signal,SilentCircle,ChatSecureand even the Sony Play Station 4 to covertly plot their crimes.

Even though Donald Trump has presented himself as a tough law and order leader and has often been at loggerheads with progressive Silicon Valley, it appears unlikely that the US President will readily embrace Turnbull's offensive against American tech firms.

Zachary Goldman, co-founder of the Center for Cyber Security at New York University, says: "These are American companies, so in terms of economic competitiveness you are potentially putting at risk the darlings of the American economy."

"The European and Australian governments may not have the same concerns."

Encryption is effectively mathematical algorithms designed to stop hackers accessing information on phones and messaging app communications.

More than 1 billion transactions globally a day are encrypted, including online banking and internet shopping.

Silicon Valley is paying close attention to Australia's posturing.

While Australia is more than a year behind the US in the so-calledprivacy versus securitydebate between tech firms and national security personnel,the battle lines are already well defined.

Apple chief executive Tim Cook wrote an open letter to customers last year after the world's most valuable company refused to build a system to help the FBI unlock the iPhone of a San Bernardino terrorism culprit who jointly killed 14 people.

The FBI wanted to see who else the husband and wife killers had been communicating with and their recent places of movement, to help identity possible accomplices and stop any future attack.

Cook stood firm, arguing that Apple had a duty to protect personal information from conversations, photos, calendars, contacts, financial information and health data.

"The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers including tens of millions of American citizens from sophisticated hackers and cybercriminals," he wrote."The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe."

Trump, then the Republican presidential frontrunner, said at the time that Apple should comply with the California judge's order to help the FBI break into the phone.

"But to think that Apple won't allow us to get into her cell phone.

"Who do they think they are?"

Since the heat of the election, President Trump and US lawmakers have sat pat, in effect siding with technologists, privacy advocates and libertarians suspicious of government intrusion.

These groups have argued that weakening encryption will make people and businesses more vulnerable to cyber hacking criminals.

Turnbull, a former internet entrepreneur, has been at pains to emphasise the government does not want a"backdoor" to access devices and messages.

But that is not how the technologists frame this debate and they view the Prime Minister's argument as semantics.

The tech sector argues that any weakening of encryption is in effect a backdoor for the good guys and the bad guys.

Once a decoding keyis built or a vulnerability is exposed, hackers will do their best to hunt down the decryption method.

AmieStepanovich, US policy manager at Access Now, which is funded by tech firms such as including Facebook, Google, Microsoft, Yahooand human rights groups, says Australia is in a difficult position but risks weakening digital security for individuals and business.

"Weakening encryption won't work because the criminals will beincentivisedto get access to the tools," she says.

"Across the board it will lower the security of the rest of the world."

The government sees it differently.

As the Prime Minister hinted at in interviews with Fairfax Media and the ABC this week, the government believes the tech companies are already aware of flaws and weaknesses in their systems.

With this knowledge, one policy under consideration is to legally compel the companies to give their best effort to access the correspondence and data, without threatening the intellectual property of the tech firms.

The government believes this is more akin to exploiting a vulnerability, not creating a backdoor.

The government may also argue that digital companies already spend billions of dollars protecting their most precious and sensitive IP such as source code, sothe firms could alsodo the same for any information about how to get around their encrypted systems.

Chris Swecker, a retired head of the FBI criminal investigative division, says tech advocates have created an "artificial distinction" between lawful intercept of old tech like cell phone calls and pager messages, compared to new encrypted communications.

"Technology moved way ahead of the legal structure," he says.

"We can't put ourselves in a position where the only guys we catch are the dumb criminals who don't use cutting edge modern technology."

"I believe this technology communications material should be available via a valid court order."

In echoes of that, Turnbull saidthis week that the rule of law must extend to cyber with the appropriate legal authority, such as a court order or warrant.

"We cannot allow these systems to be used as they are at the moment to enable terrorists and other criminals to basically conceal themselves to operate in the dark, a dark that we cannot illuminate and the law must be able to reach into those dark crevices and so that our agencies are able to keep us secure."

Still, any such move by Turnbull would also undermine the commercial interests of tech firms.

Since the 2013 revelations from rogue National Security Agency contractor Edward Snowdenabout the extent of US government spying, sometimes assisted by US telco and technology companies, Silicon Valley has become more circumspect about being seen tocooperate with law enforcement.

Turnbull knows from his time as communications minister that US tech firms like IBM and Cisco Systems suffered commercially in China because the Snowden affair raised perceptions that American hardware vendors were leaving backdoors open for NSA spooks.

If customers believe Silicon Valley is in cahoots with US spies, sales are likely to suffer, especially in large consumer markets such as China and Russia that are suspicious of the US government.

Furthermore, a related argument by technologists is that is that if Western governments like Australia force tech firms to decrypt private data and messages, less trusted foreign regimes such as in China and Russia will do the same against citizens from overseas.

The government has considered this problem too, but is also aware that presently nothing stopssuch regimes already doing this.

Indeed, Russia has tried to compel digital companies to share their source code, while China is forcing tech firms to retain locally their source code and intellectual property.

Encryption was discussed by Attorney General GeorgeBrandisand "Five Eyes"intelligence counterparts from Canada, New Zealand, the United Kingdom and US last week.

NYU's Goldman says there is no costless solution for governments and societies.

"The question is what costs are you willing to bear to accept risk?"

Critics of government-mandated decryption suggest other compromise options such as better training law enforcement to tap into digital data and for government agencies to improve their hacking techniques.

In the San Bernardino Apple iPhone case, the FBIultimately paid a third-party firm to successfully break the device's pass code.

Go here to read the rest:
Malcolm Turnbull faces Silicon Valley fight on encryption - The Australian Financial Review

Street art by Banksy near Hyde Park, London. Credit: David Maddison/Flickr. Some rights reserved.The Five Eyes is a surveillance partnership of intelligence agencies consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States. According to a joint communique issued after the meeting, officials discussed encryption and access to data. The communique states that encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism.

In the letter organized by Access Now, CIPPIC, and researchers from Citizen Lab, 83 groups and security experts wrote, we call on you to respect the right to use and develop strong encryption. Signatories also urged the members of the ministerial meeting to commit to allowing public participation in any future discussions.

Read the full letter here.

Security experts and cryptographers are as united in their views on encryption as scientists are on climate change.

Massive surveillance operations conducted by the Five Eyes partnership inherently put the human rights of people around the world at risk. The joint communique commits to human rights and the rule of law, but provides no detail as to how these powerful, secretive spy agencies plan to live up to those commitments. We call for public participation and meaningful accountability now; otherwise, those commitments are empty. Amie Stepanovich, U.S. Policy Manager at Access Now

Our political leaders are putting people around the world at greater risk of crime when they call for greater powers to weaken our digital security. Security experts and cryptographers are as united in their views on encryption as scientists are on climate change. Politicians need to listen to them before they make decisions that could put us all at risk. Jim Killock, ORG

Attempting to undermine the free use and development of strong encryption technology is not only technologically misguided, it is politically irresponsible. Both law enforcement and intelligence agencies have access to more dataand more powerful analytical toolsthan ever before in human history. Measures that undermine the efficacy or public availability of encryption will never be proportionate when weighed against their profound threat to global human rights: encryption is essential to the preservation of freedom of opinion, expression, dissent, and democratic engagement. Without it, meaningful privacy, trust, and safety in the digital sphere would not be possible. Lex Gill, Research Fellow, Citizen Lab, Munk School of Global Affairs

Encryption protects billions of ordinary people worldwide from criminals and authoritarian regimes. Agencies charged with protecting national security shouldnt be trying to undermine a cornerstone of security in the digital age. Cynthia Wong, Senior Internet Researcher, Human Rights Watch

Encryption is used by governments, businesses, and citizens alike to secure communications, safeguard personal information, and conduct business online. Deliberately weakening encryption threatens the integrity of governance, the safety of online commerce, and the interpersonal relationships that compose our daily lives. We must not sacrifice our core values to the threat of terrorism: the solution to such threats must entail better protecting our basic rights and the technologies that advance them. Christopher Parsons, Research Associate and Managing Director of the Telecom Transparency Project at the Citizen Lab, Munk School of Global Affairs

Encryption is a necessary and critical tool enabling individual privacy, a free media, online commerce and the operations of organisations of all types.

Calls to undermine encryption in the name of national security are fundamentally misguided and dangerous. Encryption is a necessary and critical tool enabling individual privacy, a free media, online commerce and the operations of organisations of all types, including of course government agencies. Undermining encryption therefore represents a serious threat to national security in its own right, as well as threatening basic human rights and the enormous economic and social benefits that the digital revolution has brought for people across the globe. Jon Lawrence, EFA

Assurances of strong encryption not only benefit civil liberties and privacy, but the economy as well. A vibrant and dynamic internet economy is only possible if consumers and users trust the environment in which theyre conducting business. While law enforcement and intelligence services have legitimate concerns over their ability to access data, those concerns need to be balanced with the benefits encryption provides to average users transacting in cyberspace. A strong Internet economy, buttressed by the trust that encryption produces, is vital to national interests around the globe. National policies should support and defend, not weaken and abridge, access to encryption. Ryan Hagemann, Niskanen Center

The strength of the tools and techniques that our government and members of the public have and use to secure our nation and protect our privacy is of significant public interest. Transparency and accountability around a nations policy regarding the use of encryption is a bedrock importance in a democracy, particularly given the potential of backdoors to put billions of online users at greater risk for intrusion, compromise of personal data, and breaches of massive consumer or electoral databases. The democracies in the Five Eyes should be open and accountable to their publics about not only the existence of these discussions but their content, removing any gap between what is being proposed and the consent of those governed by those policies. Alex Howard, Sunlight Foundation

Encryption is a vital tool for journalists, activists, and everyone whose lives and work depend on using the internet securely. It allows reporters to protect their confidential sources from reprisal, and to fearlessly pursue stories that powerful actors dont want told. It offers protection from mortal danger for dissidents trying the communicate under repressive regimes. Undermining the integrity of encryption puts lives at risk, and runs directly counter to the mandate of the Five Eyes Signals Intelligence agencies to keep their citizens safe. Tom Henheffer, Executive Director, Canadian Journalists for Free Expression

The answer to concerns on going dark is to help bring our law enforcement and counterterrorism officials into the future, not send encryption to the past. We hope to hear back from the Five Eyes that they were looking for how to adapt to digital security measures, not break them to the detriment of everyday Americans and our national security. As Five Eyes leaders work on a strategy to protect against cyberattacks, it is important to have a transparent process and cooperation between governments and civil society without stifling innovation or weakening other parts of security. Austin Carson, Executive Director, TechFreedom

Strong encryption is essential for modern society. Broken technologies undermine commerce, security, and human rights. Jeramie Scott, EPIC

Any attempt by the U.K. government to attack encrypted messengers would be nothing less than an attack on the right to a private conversation.

Any attempt by the U.K. government to attack encrypted messengers would be nothing less than an attack on the right to a private conversation. Far from making the internet safer, by undermining the technology that protects everything from our bank accounts to our private conversations, governments around the world are putting us all at risk. Transparency is vital around any coordinated plans that could jeopardize both our security and our rights. Silkie Carlo, Policy Officer, Liberty

We increasingly rely on a secure internet for work, personal relationships, commerce, and politics. While we support justifiable lawful intercept with appropriate oversight, we dont think we should be seriously weakening the security of the internet to achieve it. Attempts to weaken encryption will do more damage to our society and our freedom than the possible threats its meant to be protecting us from. Thomas Beagle, Chairperson, NZ Council for Civil Liberties

All sensitive personal data must be encrypted as a matter of human rights to privacy, especially health data, i.e., all information about our minds and bodies, wherever it exists. Today health data is the most valuable personal data of all, the most attractive to hackers, and the most sold and traded by the massive, hidden global health data broker industry. Dr. Deborah Peel, Patient Privacy Rights

We lock our devices for good reason. Introducing backdoors weakens security and violates our right to privacy. The very existence of backdoors means unwelcome guests will come knocking. Linda Sherry, Director of National Priorities, Consumer Action

Originally posted here:
Shielding data from the "five eyes": we need to stand up for encryption - Open Democracy