Blaming the Internet For Terrorism Misses The Point – WIRED

Caption: Prime Minister Theresa May makes a statement in Downing Street after chairing a meeting of the Government's emergency Cobra committee following the June 4th 2017 terrorist incident in London. Andrew Matthews/AP

British Prime Minister Theresa May has found something to blame for Saturday night's terror attack in London: the internet.

May, responding to the attack by three young men who killed seven people and injured scores more, called for an end to the safe spaces that the internet provides, and for measures to regulate cyberspace.

"We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet, and the big companies that provide internet-based services, provide," May said Sunday night outside 10 Downing Street. The statement, which appears on her official Facebook page, is among four solutions she offered for fighting terrorism. "We need to work with allied, democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorist planning."

What May suggests will not work. As WIRED and others have explained time and time again, undermining encryption (which is what May is calling for here) so the good guys can see what the bad guys are up to jeopardizes everyone's safety. Simply put, weakened encryption makes everything from world banking to travel and healthcare riskier.

When May and other politicians call for encryption-busting protocols, what they really hope to do is turn back the clock to a time when the internet didn't connect everyone and everything and underpin how the world works. They need to realize that time is past. Regulation, fines, pleading: nothing will return the world to the pre-internet era.

A British proverb applies well here: "If wishes were horses, beggars would ride." May might wish for some way of securely disrupting online cryptography so it can be used only for good, but wishing can't make it so. Instead, May and her ilk must learn to focus on solutions that can make a difference. The British prime minister made four suggestions for combating terrorism. Here, we offer four that experts agree make more sense.

Though the internet helps terrorists communicate (and celebrate their actions), experts agree it does not cause terrorism, or even do much to radicalize. "The internet is often oversold in terms of radicalization," says Colin Clarke, a counterterrorism expert at RAND. Despite what you've heard, he says, most conversations among extremists occur face to face.

Though the internet does play a role in helping terrorists communicate, it is not the cause of terrorism. Not by a long shot.

"Traditionally the way [UK extremist group] Al-Muhajiroun have worked is that most of their radicalization has occurred offline," says Michael Kenney of the University of Pittsburgh, who has extensively studied the Al-Muhajiroun extremist group that one of the London attackers has been reportedly linked to. "It occurs in small group settings. It's a group of guys. They gather, they talk, they indoctrinate each other," he says. Expanding online surveillance, eliminating full encryption, and even preventing the spread of violent videos can't eradicate that.

Terrorism researchers note that violence in Europe and the UK follows a familiar pattern, one that can teach governments how to counter the problem if they expend money and resources where they can do the most good. Most European jihadis are young Muslims, usually men, living in poor neighborhoods with high unemployment. They often are second- or third-generation immigrants from countries they have never lived in, they are not well-integrated into society, and they are unemployed or poorly educated. Their lives lack meaning and purpose.

Scapegoating the internet as the root of the problem risks ignoring the underlying problems: a vast swath of youth that have been left behind, bullied, or ignored. These disaffected teenagers and young adults also often are angered by what they consider bad foreign policies. "They kind of exist in this netherworld that makes them vulnerable to radicalization," says Clarke.

Instead, Clarke, Kenney, and experts like Thomas Hegghammer of the Norwegian Defence Research Establishment say the focus must be on offline solutions. Namely, education. Clarke advocates for a really broad expansive overhaul of education in immigrant areas, and an emphasis on youth work. Hegghammer has called this a Marshall Plan for improved education in immigrant-heavy areas.

In her approach to improving counterterrorism, May never mentioned education, though it may offer the best way to, as she says, "turn people's minds away from this violence and make them understand that our values (pluralistic, British values) are superior to anything offered by the preachers and supporters of hate."

May's suggestions include longer prison sentences for terrorist-linked activity, something experts agree with. Current sentencing, they say, tends to give extremists and terrorists just enough time to develop new contacts, and perhaps plan attacks. "Jail can be a networking event for these guys," says Clarke. Longer sentences could deter that.

Kenney adds another suggestion: empower families and friends to intervene when they see someone being radicalized. Teach them how to counter the rhetoric of jihadism. Many young men and women when they radicalize it's something that takes place over many months, in some cases even years. And if you're a member of a group like Al-Muhajiroun, you're not quiet, you're trying to recruit others.

This poses its own problems, though. In both the London and Manchester attacks, friends of the attackers reportedly reached out to the authorities, but British law enforcement is overwhelmed by the thousands of people already on government watch lists.

Tech companies and governments can work together to combat terrorism. But as US Representative Ro Khanna, who represents Silicon Valley, said Sunday on Fox News, "We have to have a factual approach." Rather than attempt to turn the internet into a world of walled gardens, the government should make smarter investments in certain technologies, like using biometrics at the border to better track people on watch lists. Or encourage tech companies to adopt technologies like eGlyph, a system developed by computer scientist Hany Farid, of the Counter Extremism Project, that can help the likes of Facebook, Twitter, and Google identify violent videos and ban them.

Farid's team hopes to address the problem of groups gathering online to plan attacks by developing an early warning system that uses linguistic analysis on sites like Facebook or Twitter. "Not to say you are bad or you are good but to simply give these companies some ability to monitor content and to say 'look, there's some bad stuff happening here,'" Farid says.

"The idea that we are going to somehow eradicate the problem by more closely monitoring the internet and Facebook is unrealistic and not likely to reach those intended outcomes," says Kenney. It also reflects a lack of understanding of how radicalization actually occurs. The sooner May and politicians like her accept that reality, the safer the world will be.

Read more from the original source:
Blaming the Internet For Terrorism Misses The Point - WIRED

Aust takes encryption worries to Five Eyes – News.com.au – NEWS.com.au

Australia will be pushing the United States, UK and its other intelligence allies on the need to crack down on encrypted technology in the fight against terrorism.

The federal government has listed the issue as its priority agenda item for a meeting of the Five Eyes partners in Canada at the end of June.

Attorney-General George Brandis said it had become one of the biggest challenges facing law enforcement and security agencies worldwide.

"If those encrypted communications contain information which is necessary to a prosecution, an intelligence task like keeping a terrorism suspect under appropriate surveillance, then there does need to be a level of co-operation from the carriage services providers," Senator Brandis told Sky News on Tuesday.

Whether it be gaining access through telcos or internet giants Facebook and Google, it was important law enforcement could monitor people of concern.

"There is a corporate social responsibility issue here, there is an evidentiary issue here as well," he said.

It follows comments by Prime Minister Malcolm Turnbull, who believes there is too much tolerance of extremist material online.

He met with telcos, Facebook and others last week in Canberra as part of the federal government's cyber security agenda.

"It is a very high priority of my government," Mr Turnbull told reporters.

Labor leader Bill Shorten on Tuesday joined calls for global internet giants to play a greater role in stamping out terrorist propaganda online.

He said extremism was unacceptable both on Australia's streets and on the internet, which was being used to distribute evil messages.

"We need to make it clear that terrorists have nowhere to hide on our streets, in the air, in their countries and also on the internet," he told reporters in Brisbane.

"It is no good being in a 21st century fight if you are using 20th century weapons."

Facebook, Twitter and Google insist they are taking the issue seriously.

Facebook said it does not allow groups or people who engage in terrorist activity, or posts that express support for terrorism.

"Using a combination of technology and human review, we're working aggressively to remove terrorist content from our platform as soon as we become aware of it," director of policy Simon Milner said in a statement.

"If we become aware of an emergency involving imminent harm to someone's safety, we notify law enforcement."

A YouTube spokeswoman told AAP it, too, has clear policies prohibiting terrorist recruitment and content intending to incite violence, and quickly removes flagged videos in violation.

It also terminates accounts run by terrorist organisations or those that repeatedly breach their rules.

Twitter's UK head of public policy Nick Pickles said terrorist content had no place on Twitter and the company had a systematic approach to removing such material.

"We will never stop working to stay one step ahead and will continue to engage with our partners across industry, government, civil society and academia," he said in a statement.

In the six months to December last year, Twitter suspended 376,890 accounts in relation to the promotion of terrorism.

Nearly three-quarters of those were picked up by the company's spam-fighting tools, while two per cent were done at the request of governments.

Read the original post:
Aust takes encryption worries to Five Eyes - News.com.au - NEWS.com.au

UK Government Renews Calls For Clampdown On End-To-End Encryption – PYMNTS.com

The U.K. government, in the wake of the terrorist attack over the weekend, is increasing its calls for governments around the world to work together on internet regulation so the web can't be used as a so-called safe space for terrorists to communicate and spread propaganda or messages of hate.

According to a report in TechCrunch, U.K. Prime Minister Theresa May called for a clampdown on end-to-end encryption and said during the weekend that internet companies provide these safe havens to spread their messages. Media reports surfaced saying attackers may have turned to YouTube to access extremist videos.

"We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet and the big companies that provide internet-based services provide," May said, according to TechCrunch. "We need to work with allied, democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorist planning. And we need to do everything we can at home to reduce the risks of extremism online. We need to deprive the extremists of their safe spaces online."

Meanwhile, Amber Rudd, the U.K. home secretary, said on a Sunday television program that the government in the U.K. wants technology companies to do more to remove extremist content and limit who gets access to end-to-end encryption. In March, right after the Westminster terror attack, Rudd went after the use of encryption. The report noted that the idea that the U.K. will be able to garner the support of other countries to regulate online content across borders seems farfetched given the fact that different governments have different rules governing free speech. For instance, the U.S. has protections on the books for hate speech, while in certain European countries it's illegal. On Saturday night three terrorists used a van to run down pedestrians on the London Bridge and then went on a rampage stabbing people in the streets and in bars. It's the third terrorist attack in the U.K. since March.

See original here:
UK Government Renews Calls For Clampdown On End-To-End Encryption - PYMNTS.com

The wrong approach to encryption could make us more vulnerable – Prospect

It's impossible to create a backdoor that only the "good guys" can use

by Wendy M. Grossman / June 5, 2017

After WhatsApp was used by the Westminster attacker, Amber Rudd vowed to take on encryption. Photo: PA

From pig Latin to the complex mathematics of today's computer encryption, encoding communications is as old as humanity. Often, as with Alan Turing's work in World War II, cracking the enemy's codes has conferred crucial military advantage.

Because the internet was designed to share, rather than secure, information, encryption plays several important roles in today's digitised landscape. It ensures that sensitive data can't be read by unauthorised people: when a healthcare manager forgets the clinic's laptop in a taxi, a criminal steals a company's usernames and passwords, or a consumer sends credit card details to an online retailer, encryption protects the data against interlopers.

Encryption also provides a way to check that digital files, from the software programs that run your car's braking system to medical images and electronic payments, haven't been tampered with.

Around 1990, three interrelated developments coalesced to disrupt the policies that govern encryption. The first was the culmination of two decades during which there had been growing adoption of computers and computer networks. Second, cryptographers began working outside the military, in academia and commercial companies. Third, computing plummeted in cost while escalating in power.

Link:
The wrong approach to encryption could make us more vulnerable - Prospect

British PM seeks ban on encryption after terror attack – iTWire

British Prime Minister Theresa May has used Saturday's terrorist attack to again push for a ban on encryption.

May said on Sunday that Britain must take a new approach to tackling terrorism, and that this included denying terrorists and their sympathisers access to digital tools that she claimed were being used for communication and planning attacks.

On Saturday night, seven people were killed and scores injured in an attack on London Bridge. The country goes to the polls on Thursday.

"We cannot allow this ideology the safe space it needs to breed," May said, according to a CNN report. "Yet that is precisely what the Internet and the big companies that provide Internet-based services provide."

This is not the first time that British politicians have pushed for a ban on encryption.

In March, following an attack, Home Secretary Amber Rudd demanded that all encrypted messaging apps allow intelligence agencies access to content when they demanded.

More recently, after the attack on a concert given by American singer Ariana Grande, Rudd was again in the forefront, blaming social media sites like Facebook and Twitter for not doing enough to prevent messages advocating terrorism on their sites.

Last year, Britain passed a sweeping surveillance law, dubbed the Snoopers' Charter, that requires Internet, phone and communications applications firms to store records for a year and allow law enforcement to access the data on demand.

Well-known digital activist and author Cory Doctorow described May's call as "a golden oldie, a classic piece of foolish political grandstanding".

"May says there should be no 'means of communication' which 'we cannot read' and no doubt many in her party will agree with her, politically. But if they understood the technology, they would be shocked to their boots."

He said it was impossible to overstate how "bonkers" the idea of sabotaging cryptography was to people who understood information security.

"If you want to secure your sensitive data either at rest on your hard drive, in the cloud, on that phone you left on the train last week and never saw again or on the wire, when you're sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography.

"Use deliberately compromised cryptography, that has a back door that only the 'good guys' are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption."

See original here:
British PM seeks ban on encryption after terror attack - iTWire

Australian PM calls on Facebook and Apple to help access encrypted chats – ZDNet

Australian Prime Minister Malcolm Turnbull has said social media companies are too tolerant of extremist material, and called on those companies to help bust the encryption used in user communications.

"We need these global social media messaging companies to assist in providing access to encrypted communications, which are used by billions of people," Turnbull said on Monday.

"The security services need to get access to them."

The prime minister said the Five Eyes countries -- the US, the UK, Australia, Canada, and New Zealand -- are working with social media companies such as Facebook and Twitter to get extremist material taken down.

Saying nations and their agencies need to be smarter, more agile, and more collaborative than those "who are seeking to do us harm", Turnbull agreed with the thoughts espoused by British Prime Minister Theresa May over the weekend.

May called for the introduction of rules to "deprive the extremists of their safe spaces online", and also hit out at technology firms for not doing enough.

"We cannot allow this ideology the safe space it needs to breed. Yet, that is precisely what the internet and the big companies that provide internet-based services provide," said May.

May's comments followed the UK suffering its third terrorist attack in four months.

Last week, Australian Federal Police (AFP) Commissioner Andrew Colvin said tackling the online world is a "genuinely wicked problem" for police forces.

"Technology presents challenges to governments like almost never before," Colvin said. "It is a realm that we cannot simply legislate or regulate to control -- we must work with the industry who have their hands on the levers, and invariably, they are in the private sector."

Colvin called for the use of traditional and non-traditional policing capabilities to ensure criminals cannot hide behind encryption to avoid the law.

"Prolific growth in the use of encryption technology is an everyday reality for investigators, and we cannot afford for this to remain an obstacle."

Read more:
Australian PM calls on Facebook and Apple to help access encrypted chats - ZDNet

SSH Configuration on Nexpose Servers Allowed Weak Encryption Algorithms – Threatpost

Rapid7 encouraged owners of its Nexpose appliances this week to apply an update to their systems to tweak how SSH is configured by default.

The company warned on Wednesday the devices were shipped with an SSH configuration that could have let some obsolete KEX, encryption and MAC algorithms be used for key exchange.

Nexpose devices are preconfigured servers, deployed in server racks, designed to help users gauge vulnerabilities, manage vulnerability data, and limit threat exposure. All physical Nexpose appliances are affected per a disclosure by Samuel Huckins, a program manager with the company, published on Wednesday.

Disclosure on CVE-2017-5243: Nexpose hardware appliance SSH enabled obsolete algorithms https://t.co/DHI7uLJ5yj (Thanks to @LiamMSomerville)

Rapid7 (@rapid7) May 31, 2017

Liam Somerville, a researcher based in Scotland, discovered the vulnerability (CVE-2017-5243) and reported it to the company three weeks ago.

Nothing needs to be downloaded to resolve the issue, but a file does need to be edited, Rapid7 said. According to Huckins, to fix the vulnerability a user with root access has to edit /etc/ssh/sshd_config in the appliance to ensure only modern ciphers, key exchange, and MAC algorithms are accepted. This should lessen the likelihood of any attacks involving authentication.

Prior to the fix, weak and out of date encryption algorithms such as AES192-CBC, Blowfish-CBC, and 3DES-CBC, and KEX algorithms such as diffie-hellman-group-exchange-sha1, could have been enabled.

"This change should not impact connections from Nexpose instances to the physical appliance. The main impact is shoring up access by SSH clients such that they cannot connect to the appliance using obsolete algorithms," Huckins wrote.
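An added example (not Rapid7's code or its published fix): a small Python check that reads sshd_config text and reports whether the ciphers and KEX algorithm named above are still enabled. The sample configurations are constructed, the status labels are this example's own, and it assumes a single file with no Include handling; it goes slightly beyond the article by applying OpenSSH's first-occurrence-wins rule and the `+`, `-` and `^` list prefixes.

```python
import re
from fnmatch import fnmatchcase

# Algorithms the article names as obsolete, spelled the way sshd_config spells them.
# The article names no specific MAC, so that set is empty unless the caller adds to it.
WEAK = {
    "ciphers": {"aes192-cbc", "blowfish-cbc", "3des-cbc"},
    "kexalgorithms": {"diffie-hellman-group-exchange-sha1"},
    "macs": set(),
}

# "Keyword value" or "Keyword = value"; algorithm lists contain no whitespace.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(\S+)")


def effective_directives(config_text):
    """Return {keyword: value}; sshd uses the first value it reads for a keyword."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), m.group(2))
    return found


def classify(value, bad):
    """Return (status, names) for one directive.

    "weak":     the file explicitly enables the returned flagged algorithms
    "pinned":   explicit list that contains none of the flagged algorithms
    "defaults": the effective list depends on the installed OpenSSH defaults;
                names are the flagged algorithms the file does not rule out
    """
    if value is None:                      # directive absent
        return ("defaults", sorted(bad))
    prefix = value[0] if value[0] in "+-^" else ""
    names = [n.lower() for n in value[len(prefix):].split(",") if n]
    if prefix == "-":                      # remove patterns (wildcards allowed) from defaults
        left = sorted(a for a in bad if not any(fnmatchcase(a, p) for p in names))
        return ("defaults", left)
    hits = sorted(bad.intersection(names))
    if hits:
        return ("weak", hits)
    # "+" and "^" still keep the compiled-in defaults, so nothing is ruled out.
    return ("defaults", sorted(bad)) if prefix else ("pinned", [])


def audit(config_text, weak=WEAK):
    values = effective_directives(config_text)
    return {kw: classify(values.get(kw), bad) for kw, bad in weak.items()}


# Constructed sample: legacy algorithms explicitly enabled, MACs left unset.
BEFORE = """\
Port 22
Ciphers aes128-ctr,aes192-cbc,3des-cbc,blowfish-cbc
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha1
"""

# Constructed sample: explicit modern lists; the later Ciphers line never takes effect.
AFTER = """\
ciphers = aes256-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# a second Ciphers line is ignored because the first occurrence wins
Ciphers +3des-cbc
"""

# Constructed sample: CBC ciphers removed from the defaults, KEX left unset.
REMOVAL = """\
Ciphers -*cbc
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("removal", REMOVAL)):
        for keyword, (status, names) in audit(text).items():
            print(f"{label:8} {keyword:14} {status:9} {', '.join(names)}")
```

A "defaults" result is a prompt to check the installed OpenSSH version's default lists (for example with `sshd -T` on the host), since the file alone does not determine them.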

According to Tod Beardsley, Research Director at Rapid7, the vulnerability could have let an attacker in a privileged position on the network force an algorithm downgrade between an SSH client and Nexpose during authentication.

"The privileged position is crucial to making the attack a success, since it's a man-in-the-middle (MitM) attack; first, the attacker needs to be able to insert himself between the client and server, which usually means the attacker is on the same network as either endpoint, or has compromised an ISP along the way (in which case you have bigger problems)," Beardsley told Threatpost late Friday. "Once there, the attacker can pose as both sides of the initial SSH handshake, and rewrite the handshake to request one of these older, obsolete algorithms. Once that's done, the attacker then records the session, and then can decrypt the session offline."

Beardsley says that removing server-side support for the algorithms makes the aforementioned kind of attack impractical and that overall, the actual risk of exploitation is fairly low.

"These appliances don't tend to be exposed on public networks, so attackers need to be on the inside to begin with," Beardsley said. "The whole point of SSH is to be resistant to this kind of session meddling, even in the face of an attacker who's in the right place and has the right expertise and resources to mount this sort of attack. By strengthening what's available on the server, we can help keep that promise of confidentiality."

*This article was updated at 4:30 p.m. EST to include comments from Tod Beardsley of Rapid7.

See the original post:
SSH Configuration on Nexpose Servers Allowed Weak Encryption Algorithms - Threatpost

Theresa May wants to ban crypto: here’s what that would cost, and here’s why it won’t work anyway – Boing Boing

/ Cory Doctorow / 8 am Sun, Jun 4 2017

Aaron Swartz once said, "It's no longer OK not to understand how the Internet works."

He was talking to law-makers, policy-makers and power-brokers, people who were, at best, half-smart about technology -- just smart enough to understand that in a connected world, every problem society has involves computers, and just stupid enough to demand that computers be altered to solve those problems.

Paging Theresa May.

Theresa May says that last night's London terror attacks mean that the internet cannot be allowed to provide a "safe space" for terrorists and therefore working cryptography must be banned in the UK.

This is a golden oldie, a classic piece of foolish political grandstanding. May's predecessor, David Cameron, repeatedly campaigned on this one, and every time he did, I wrote a long piece rebutting him. Rather than writing a new one for May, I thought I'd just dust off a pair of my Cameron-era pieces (1, 2), since every single word still applies.

Theresa May says there should be no "means of communication" which "we cannot read" -- and no doubt many in her party will agree with her, politically. But if they understood the technology, they would be shocked to their boots.

It's impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data either at rest on your hard drive, in the cloud, on that phone you left on the train last week and never saw again or on the wire, when you're sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography. Use deliberately compromised cryptography, that has a back door that only the "good guys" are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.

There are two reasons why this is so. First, there is the question of whether encryption can be made secure while still maintaining a master key for the authorities' use. As lawyer/computer scientist Jonathan Mayer explained, adding the complexity of master keys to our technology will introduce unquantifiable security risks. It's hard enough getting the security systems that protect our homes, finances, health and privacy to be airtight; making them airtight except when the authorities don't want them to be is impossible.

What Theresa May thinks she's saying is, "We will command all the software creators we can reach to introduce back-doors into their tools for us." There are enormous problems with this: there's no back door that only lets good guys go through it. If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal -- and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability. They -- and not just the security services -- will be able to use it to intercept all of our communications. That includes things like the pictures of your kids in your bath that you send to your parents to the trade secrets you send to your co-workers.

But this is just for starters. Theresa May doesn't understand technology very well, so she doesn't actually know what she's asking for.

For Theresa May's proposal to work, she will need to stop Britons from installing software that comes from software creators who are out of her jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.

May is not alone here. The regime she proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.

Theresa May has already shown that she believes she can order the nation's ISPs to block access to certain websites (again, for the record, this hasn't worked very well). The next step is to order Chinese-style filtering using deep packet inspection, to try and distinguish traffic and block forbidden programs. This is a formidable technical challenge. Intrinsic to core Internet protocols like IPv4/6, TCP and UDP is the potential to "tunnel" one protocol inside another. This makes the project of figuring out whether a given packet is on the white-list or the black-list transcendentally hard, especially if you want to minimise the number of "good" sessions you accidentally blackhole.

More ambitious is a mandate over which code operating systems in the UK are allowed to execute. This is very hard. We do have, in Apple's iOS platform and various games consoles, a regime where a single company uses countermeasures to ensure that only software it has blessed can run on the devices it sells to us. These companies could, indeed, be compelled (by an act of Parliament) to block secure software. Even there, you'd have to contend with the fact that other EU states and countries like the USA are unlikely to follow suit, and that means that anyone who bought her iPhone in Paris or New York could come to the UK with all their secure software intact and send messages "we cannot read."

But there is the problem of more open platforms, like GNU/Linux variants, BSD and other unixes, Mac OS X, and all the non-mobile versions of Windows. All of these operating systems are already designed to allow users to execute any code they want to run. The commercial operators -- Apple and Microsoft -- might conceivably be compelled by Parliament to change their operating systems to block secure software in the future, but that doesn't do anything to stop people from using all the PCs now in existence to run code that the PM wants to ban.

More difficult is the world of free/open operating systems like GNU/Linux and BSD. These operating systems are the gold standard for servers, and widely used on desktop computers (especially by the engineers and administrators who run the nation's IT). There is no legal or technical mechanism by which code that is designed to be modified by its users can co-exist with a rule that says that code must treat its users as adversaries and seek to prevent them from running prohibited code.

This, then, is what Theresa May is proposing:

* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept

* Any firms within reach of the UK government must be banned from producing secure software

* All major code repositories, such as Github and Sourceforge, must be blocked

* Search engines must not answer queries about web-pages that carry secure software

* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services

* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped

* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software

* Anyone visiting the country from abroad must have their smartphones held at the border until they leave

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons

* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright

Theresa May will say that she doesn't want to do any of this. She'll say that she can implement weaker versions of it -- say, only blocking some "notorious" sites that carry secure software. But anything less than the programme above will have no material effect on the ability of criminals to carry on perfectly secret conversations that "we cannot read". If any commodity PC or jailbroken phone can run any of the world's most popular communications applications, then "bad guys" will just use them. Jailbreaking an OS isn't hard. Downloading an app isn't hard. Stopping people from running code they want to run is -- and what's more, it puts the whole nation -- individuals and industry -- in terrible jeopardy.

That's a technical argument, and it's a good one, but you don't have to be a cryptographer to understand the second problem with back doors: the security services are really bad at overseeing their own behaviour.

Once these same people have a back door that gives them access to everything that encryption protects, from the digital locks on your home or office to the information needed to clean out your bank account or read all your email, there will be lots more people who'll want to subvert the vast cohort that is authorised to use the back door, and the incentives for betraying our trust will be much more lavish than anything a tabloid reporter could afford.

If you want a preview of what a back door looks like, just look at the US Transportation Security Administration's master keys for the locks on our luggage. Since 2003, the TSA has required all locked baggage travelling within, or transiting through, the USA to be equipped with Travelsentry locks, which have been designed to allow anyone with a widely held master key to open them.

What happened after Travelsentry went into effect? Stuff started going missing from bags. Lots and lots of stuff. A CNN investigation into thefts from bags checked in US airports found thousands of incidents of theft committed by TSA workers and baggage handlers. And though aggressive investigation work has cut back on theft at some airports, insider thieves are still operating with impunity throughout the country, even managing to smuggle stolen goods off the airfield in airports where all employees are searched on their way in and out of their work areas.

The US system is rigged to create a halo of buck-passing unaccountability. When my family picked up our bags from our Easter holiday in the US, we discovered that the TSA had smashed the locks off my nearly new, unlocked, Travelsentry-approved bag, taping it shut after confirming it had nothing dangerous in it, and leaving it "completely destroyed" in the words of the official BA damage report. British Airways has sensibly declared the damage to be not their problem, as they had nothing to do with destroying the bag. The TSA directed me to a form that generated an illiterate reply from a government subcontractor, sent from a do-not-reply email address, advising that "TSA is not liable for any damage to locks or bags that are required to be opened by force for security purposes" (the same note had an appendix warning me that I should treat this communication as confidential). I've yet to have any other communications from the TSA.

Making it possible for the state to open your locks in secret means that anyone who works for the state, or anyone who can bribe or coerce anyone who works for the state, can have the run of your life. Cryptographic locks don't just protect our mundane communications: cryptography is the reason why thieves can't impersonate your fob to your car's keyless ignition system; it's the reason you can bank online; and it's the basis for all trust and security in the 21st century.

In her Dimbleby lecture, Martha Lane Fox recalled Aaron Swartz's words: "It's not OK not to understand the internet anymore." That goes double for cryptography: any politician caught spouting off about back doors is unfit for office anywhere but Hogwarts, which is also the only educational institution whose computer science department believes in golden keys that only let the right sort of people break your encryption.

(Image: Facepalm, Brandon Grasley, CC-BY)


See original here:
Theresa May wants to ban crypto: here's what that would cost, and here's why it won't work anyway - Boing Boing

View: India is worried that the West will always have free access to … – Economic Times

By Kamlesh Bajaj

The debate over encryption and lawful government access, which has raged for over two decades, has become more important in the present scenario of ever-increasing cybercrime and terrorism. EastWest Institute's seventh Global Cybersecurity Summit, held at the University of California, Berkeley, from March 14-16, included this as an important part of the summit agenda. It looked at policy development in the United States, India and Europe. Both the threat landscape and the technology landscape have changed during this period. Although encryption was available in the 1990s, it was not easy to deploy because it required a high level of skill to use. Hence, intercepted communications were largely in plain text. Clipper and key escrow, though presented as solutions for lawful government access, were not accepted by technologists.

It was concluded that society would be exposed to more risk if either of these were to be compromised.

Technology developments over the last few years have made encryption easier to use. End-to-end encryption (E2EE) is provided by apps such as WhatsApp and Telegram, which are over-the-top (OTT) applications. Encryption keys, which are ephemeral, are with the end-user. Since app providers don't have the keys, they can't enable access for law-enforcement agencies, even if those agencies have a court warrant. This is a unique situation where, even with a warrant, law enforcement can't access data in a suspect's device or data shared via an E2EE app.

There is universal agreement that strong encryption is essential for secure e-transactions, both by the government and industry. But then, is cyberspace 'going dark', to use the famous phrase of the FBI Director? Is law enforcement unable to track terrorists and investigate crimes involving criminals using encryption?

There is increasing use of encrypted smartphones such as the Apple. E2EE messaging traffic is also on the rise, with terrorists using E2EE apps to communicate. This traffic is already touching 275 billion messages per day. Is the Internet truly going dark?

In the 'going dark' debate, cryptographers and others have come up with a number of policy options which centre around the following: weak encryption is not a solution, hence law enforcement needs to work around strong encryption by learning to use metadata, which continues to grow in the form of location data and call data records; cooperate with tech companies; and, above all, use lawful hacking of devices under court warrant. Compelled disclosure too is an option that law enforcement often resorts to.

Lawful hacking is possible only for known vulnerabilities, which are often a small subset of the vulnerabilities in a target device. It is the vulnerabilities in the underlying software platforms (operating system, browser or apps) that are exploited before encryption takes place in a device, which enables access to plaintext. So, law enforcement would like to discover, or pay to find, as many vulnerabilities and exploits as possible. They are thus not worried about having to decrypt strong encryption.

Governments have the responsibility to enhance cybersecurity and promote trust in cyberspace. The agencies that discover vulnerabilities should let the vendors know, so that these are plugged through software patches.

Cyber surveillance and weapon development is an old story. What is new is that it is lawful hacking under court orders that is trying to keep the underlying IT platforms vulnerable. Do we need an encryption policy at all? It is this that reinforces suspicion among policy makers in countries like India that, notwithstanding any encryption policy instrument, the US and the UK will have access to all encrypted data, while India will be advised to work with tech companies and use metadata! No wonder the Indian government has been unable to come up with a revised encryption policy after it withdrew the draft policy in September 2015.

(Kamlesh Bajaj is ex-CEO, Data Security Council of India)

See the original post here:
View: India is worried that the West will always have free access to ... - Economic Times

‘WhatsApp encryption helps terrorists communicate safely’ – pppFocus

The battle over encryption, and the role tech companies should play in criminal investigations, has re-emerged after United Kingdom investigators discovered that Khalid Masood, the alleged perpetrator of last week's terror attack in London, used WhatsApp before the attack.

Four people were killed and 50 others were injured before the attacker was shot and killed by police.

In a Sunday appearance on the BBC's Andrew Marr show, U.K. Secretary of State Amber Rudd said the end-to-end encryption capabilities of messaging tools like WhatsApp are "completely unacceptable." "There should be no place for terrorists to hide," Rudd said, explaining how she believes national security supersedes concerns over privacy.

End-to-end encryption ensures that data is encrypted on one end and can only be deciphered by the recipient, with no third party, including Internet providers, able to intercept the messages. Apple found itself ensnarled in the debate the previous year as authorities sought to unlock the phones of the San Bernardino shooters, who killed 14 people at a center for adults with disabilities in December 2015. Eventually, the Federal Bureau of Investigation accessed the devices without Apple's assistance.

The tech industry will most likely resist Rudd's request for a back door system to allow authorities to retrieve information, as it has in the face of previous law enforcement demands for access to data after major attacks.

And encrypted messaging is becoming a more popular feature, with other services opting to roll out new features. "We need to make sure organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other. [...] We need to make sure our intelligent services have the ability to get into situations like encrypted WhatsApp." Earlier today, MP Nadine Dorries also joined the chorus, tweeting that to keep our streets safe, we need to rise up against companies like Apple and WhatsApp who provide space and comfort to terrorists. They are not, she noted.

"There is a fine line here," Maltese Interior Minister Carmelo Abela said Monday.

Police made another arrest in Birmingham, where Masood had lived. The 30-year-old is one of two men now being held over possible connection to the attack.

This report contains material from the Associated Press.

View original post here:
'WhatsApp encryption helps terrorists communicate safely' - pppFocus