Obama and Cameron’s ‘solutions’ for cybersecurity will make the internet worse

It would be funnier if it weren't so true. Photograph: UPI /Landov / Barcroft Media

The current state of the US and UK governments' ass-backwards approach to cybersecurity was on full display this week, culminating with British Prime Minister David Cameron and President Obama meeting to discuss the issue at the White House on Friday. When it comes to cybersecurity, it seems the UK and US want to embrace every crazy idea except what we know actually works.

The UK's Cameron suggested earlier in the week that he wants to outlaw certain forms of encryption, which could potentially lead to some of the world's most popular messaging apps (like iMessage and WhatsApp) being banned in the UK. That speech has been ridiculed from all angles for the past few days, with various experts labeling it a nightmare for Internet security, on par with authoritarian regimes such as Russia and China, and economically devastating for the British information technology industry.

Meanwhile, the White House has proposed a huge expansion of penalties under the highly controversial law that was used to prosecute Reddit co-founder and privacy rights advocate Aaron Swartz. If passed, the administration's proposal could further criminalize mundane Internet activity (for example, potentially allowing for a ten-year jail sentence for sharing your HBO GO password), all to supposedly target foreign hackers that the law would likely never reach.

Less than 24 hours before the Cameron-Obama meeting, the Guardian published a secret report based on previously unreleased Snowden documents showing that the US government is fully aware that encryption is vital for security, and that the government risked leaving itself vulnerable if it didn't start implementing it on its own systems more quickly. The British government likely knows this too: many of its employees use email encryption, and the UK even recommends that citizens use encryption to protect their data on a government website.

At the press conference after the meeting, Obama commendably didn't embrace Cameron's proposal when asked about it, and even Cameron seemed to at least appear to back off his own anti-encryption proclamation, saying he's "not trying to enunciate some new doctrine."

But just because Cameron's been proven to be technically illiterate and may be attempting to publicly back away from his most radical proposal, that doesn't mean he won't push forward later. FBI director Jim Comey proposed similar legislation to Cameron's just a few months ago, and Cameron used eerily similar talking points in Washington on Friday to those Comey used in late 2014. Plus, the rest of Cameron's plan is downright scary for Internet privacy even without a formal encryption ban.

And then there's the White House's so-called solution to the cybersecurity problem, which it unveiled earlier this week. President Obama introduced it saying we had to do something about incidents like the headline-grabbing Sony hack, or the juvenile hijacking of US Central Command's Twitter account, but what he didn't say was that those proposals wouldn't have stopped those attacks at all.

Part of the Obama administration's proposal would dramatically expand the Computer Fraud and Abuse Act, the oft-abused and notorious statute that the Justice Department used to threaten the late Internet activist Aaron Swartz with 35 years in jail. (Aaron later took his own life while awaiting trial.) The CFAA already has incredibly harsh penalties, so much so that there's been a movement for years to reduce them. And how the administration thinks increasing CFAA penalties is going to worry either North Korean hackers or ISIS sympathizers (or, more likely, pranksters) who take advantage of negligent password practices is anyone's guess.

It would also put countless security researchers at further risk of prosecution, the exact type of people the government should be consulting with before making these ill-thought-out proposals, not driving underground.

Read the original:
Obama and Cameron’s ‘solutions’ for cybersecurity will make the internet worse

Obama Sides with Cameron in Encryption Fight

President Barack Obama said Friday that police and spies should not be locked out of encrypted smartphones and messaging apps, taking his first public stance in a simmering battle over private communications in the digital age.

Apple, Google and Facebook have introduced encrypted products in the past half year that the companies say they could not unscramble, even if faced with a search warrant. That's prompted vocal complaints from spy chiefs, the Federal Bureau of Investigation and, this week, British Prime Minister David Cameron.

Obama's comments came after two days of meetings with Cameron, and were made with the prime minister at his side.

"If we find evidence of a terrorist plot and, despite having a phone number, despite having a social media address or email address, we can't penetrate that, that's a problem," Obama said. He said he believes Silicon Valley companies also want to solve the problem. "They're patriots."

In the U.S., governments have long been able to access the contents of electronic communication, including phone calls, consumer email and social media, typically with warrants, through wiretaps and from technology companies themselves.

But the law that governs these practices is dated and doesn't mandate that tech firms incorporate such features into modern apps. In the post-Edward Snowden era, many technology firms have turned "encryption" and "zero-knowledge" into marketing buzzwords.

The president on Friday argued there must be a technical way to keep information private, but ensure that police and spies can listen in when a court approves. The Clinton administration fought and lost a similar battle during the 1990s when it pushed for a "Clipper chip" that would allow only the government to decrypt scrambled messages.

That's a notable shift for the president. "He sounded more like Jim Comey than anything else the White House has said in the past couple of months," said Stewart Baker, former general counsel at the National Security Agency, referring to the FBI director, who has criticized the tech companies' new encryption policies.

Security experts have long argued such systems would hobble many anti-hacking tools, leaving computers exposed. For instance, if an encryption algorithm has a master key, it is inherently weaker because it's possible for an outsider to steal that master key and crack the code.

"Obama must now choose between competing priorities: the security of private information, or the ability of law enforcement to gather intelligence," said Christopher Soghoian, principal technologist at the American Civil Liberties Union.

More here:
Obama Sides with Cameron in Encryption Fight

U.K. PM To Take His Anti-Encryption Drum-Banging To Obama’s Doorstep

U.K. Prime Minister David Cameron is evidently not done banging the anti-encryption drum in public yet, despite being slammed by Internet security experts, startup investors and others earlier this week for appearing to suggest he wants to outlaw strong encryption.

The widespread interpretation of Cameron's comments as signifying an intention to ban encryption resulted in government sources doing some hasty re-spinning of his words. Rather, they said, this is about Cameron chest-beating on counter-terrorism and trying to apply political pressure on Internet companies to backdoor their own services to give government agencies access.

In other words, if you can get Internet companies to stop using end-to-end encryption and/or co-operate on installing backdoors into strong encryption, then there's no need to actually ban encryption, because government can get its hands on the user data it's after anyway.

Workaround, baby, workaround.

The PM is this week in Washington D.C. for a long-scheduled meeting with President Obama, but, in the wake of last week's terror attacks in Paris, it looks likely Cameron will use the opportunity of a joint podium with POTUS to push for a united front to apply more pressure to Internet companies to perforate their own security in the name of counter-terrorism surveillance. Amping up the rhetoric abroad, as he has done at home.

Both the WSJ and The Guardian are today reporting, via their own government sources, that Cameron intends to lobby Obama on encryption workarounds and specifically to urge U.S. Internet companies to provide access to user data to U.K. security services.

The Guardian quotes a government source saying: "The prime minister's objective here is to get the U.S. companies to cooperate with us more, to make sure that our intelligence agencies get the information they need to keep us safe. That will be his approach in the discussion with President Obama: how can we work together to get them to cooperate more, what is the best approach to encourage them to do more."

Cameron and Obama have also today penned a joint column in The Times newspaper (available outside the paywall via Facebook), headlined "Security and prosperity go hand in hand", an indication the two leaders are thinking broadly on the same page when it comes to counter-terrorism strategy.

TechCrunch understands that cybersecurity will certainly be on the tech discussion agenda for the meeting, although, when asked directly, the Downing Street press office declined to provide any official information on the meeting in advance of a scheduled press conference tomorrow, including declining to confirm whether Cameron will be directly lobbying Obama to lean on U.S. Internet companies to soften their stance on encryption.

U.K. security services have already laid down some advanced counter-terror rhetoric against U.S. Internet companies. For instance, last November the head of the GCHQ spy agency made a direct public appeal to U.S. Internet companies to co-operate and hand over data on users when asked to do so by U.K. intelligence agencies.

See original here:
U.K. PM To Take His Anti-Encryption Drum-Banging To Obama’s Doorstep

Secret US cybersecurity report: encryption vital to protect private data

Official UK government security advice still recommends encryption to protect online data and networks. Photograph: Felix Clay for the Guardian

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

The advice, in a newly uncovered five-year forecast written in 2009, contrasts with the pledge made by David Cameron this week to crack down on encryption use by technology companies.


In the wake of the Paris terror attacks, the prime minister said there should be no "safe spaces" for terrorists to communicate, or that British authorities could not access.

Cameron, who landed in the US on Thursday night, is expected to urge Barack Obama to apply more pressure to tech giants, such as Apple, Google and Facebook, which have been expanding encrypted messaging for their millions of users since the revelations of mass NSA surveillance by the whistleblower Edward Snowden.

Cameron said the companies "need to work with us. They need also to demonstrate, which they do, that they have a social responsibility to fight the battle against terrorism. We shouldn't allow safe spaces for terrorists to communicate. That's a huge challenge but that's certainly the right principle."

But the document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the best defence for computer users to protect private data.

Part of the cache given to the Guardian by Snowden was published in 2009 and gives a five-year forecast on the global cyber threat to the US information infrastructure. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency's staff through its intranet.

One of the biggest issues in protecting businesses and citizens from espionage, sabotage and crime (hacking attacks are estimated to cost the global economy up to $400bn a year) was a clear imbalance between the development of offensive versus defensive capabilities, due to the slower than expected adoption of encryption and other technologies, it said.

Read the original here:
Secret US cybersecurity report: encryption vital to protect private data

Obama, Cameron to discuss encryption of online services

British Prime Minister David Cameron, in Washington to meet with President Obama, is expected to raise the issue of widening government access to data from U.S. Internet companies, a sensitive subject on both sides of the Atlantic in the aftermath of the attacks in Paris.

Last week's attacks have renewed European concerns that intelligence officials lack the authority to obtain the communications of terrorism suspects who use encrypted online services. On Monday, Cameron suggested he would consider banning American messaging services like Snapchat or WhatsApp if intelligence agencies were not provided with the authority to intercept communications.

But in Britain, as in the United States, such calls have revived the debate over the proper scope of government surveillance and how to balance security interests against privacy concerns.

"The prime minister's point is that we have to find a way of closing down the space where terrorists operate on the Internet," said one British official, who spoke on the condition of anonymity because he was not authorized to speak on the record. "He's asking, 'How do we work with tech companies to make this work?'"

"We did this with child abuse and child pornography," added the official. "When it comes to terrorism, we are not where we need to be."

Technology companies, however, are still smarting from revelations about U.S. and British surveillance from former intelligence contractor Edward Snowden. Seeking to restore consumer confidence, they have increasingly begun to encrypt communications and data stored on mobile devices.

That, in turn, has alarmed law enforcement and intelligence officials, who say the encryption prevents them from gaining access to suspects' data even when they have court orders.

Although U.S. law enforcement officials, including FBI Director James B. Comey, have sharply criticized technology companies for developing new forms of encryption, Obama, who unveiled a series of surveillance reforms a year ago this week, has said little about the issue.

Cameron, by contrast, has been forceful in his arguments in favor of widening government authorities' access to communications data, telling Parliament: "If we want the police and the security services to protect the public and save lives, they need this capability."

White House press secretary Josh Earnest said Obama and Cameron will probably talk about cybersecurity during the prime minister's visit, but he declined to say whether the president shared Cameron's concerns about the need for broader government access to online communications.

Here is the original post:
Obama, Cameron to discuss encryption of online services

How much trust can you put in Telegram messenger?

Messaging programs are a closely watched application category, with experts scrutinizing how communications are protected from government surveillance dragnets and hackers. The primary defense invariably involves encryption, but just saying an application uses encryption by no means ensures it's secure.

One of the latest programs to come under fire is Telegram, which is backed by Pavel Durov, who also founded the popular Russian social networking site Vkontakte. Telegram is a free desktop and mobile application launched in 2013 that promotes itself as "taking back our right to privacy."

"Telegram is well intended but has several weak spots," said Alex Rad, who has a background in application security testing and reverse engineering. He and researcher Juliano Rizzo, who discovered two major attacks against SSL (Secure Sockets Layer), have been analyzing Telegram intermittently since last year as a side project to help improve its security.

They went public on Sunday with a blog post pointing out problems with Telegram, which may cause concern for those who are particularly worried about how such messaging systems could be compromised. Rad said in a phone interview that his correspondence with Telegram has been "cordial but a bit tense."

"What bothered me about Telegram was the way they market themselves versus the reality of how people use their application," said Rad, who lives in Stockholm.

For example, Telegram doesn't implement end-to-end encryption by default, a technique that ensures a message is encrypted on a device and is only decrypted by a recipient. That kind of encryption is regarded as the safest way to send information.

To send a fully encrypted message, Telegram users must initiate a "secret chat." But Rad said there are potential problems with how a secret chat is set up that could make it vulnerable to a man-in-the-middle (MITM) attack.

Before a secret chat begins, two Telegram users see an image that verifies their connection hasn't been tampered with. Rad describes in the blog post how an attacker could replace that image with one of their own, potentially giving assurance to users that their chat is secure when it is not.

Determining whether the MITM attack would even be feasible leads to an academic argument about computing power. Telegram has dismissed the attack in a blog post as too expensive to pull off. It also requires that the attacker already has access to Telegram's servers, an assumption that Rad concedes makes a MITM attack on two users less likely, given the vast hacking opportunities that such a position would afford anyway. But he also said his theoretical attack could be made impossible by using a stronger encryption algorithm, a trivial upgrade for Telegram.
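To make concrete why the verification step described above matters, here is an added illustration; it is not Telegram's own MTProto code, and the Diffie-Hellman group parameters are toy values constructed for the example. Each side derives a short fingerprint locally from its own negotiated secret, and the two users compare the fingerprints over an independent channel. When a relay forwards the public values unchanged the fingerprints agree; when a relay substitutes its own public value for each user's, each user ends up sharing a secret with the relay rather than with each other, and the fingerprints no longer match. The check only gives this assurance when the displayed value is computed on the device from the actual key: a value handed to the client by the server, like the replaceable image Rad describes, carries no such guarantee.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this illustration only.
# These are not Telegram's MTProto parameters and are not meant for production use.
P = 2 ** 255 - 19
G = 2


def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic DH: two honest parties compute the same value."""
    return pow(peer_pub, priv, P)


def fingerprint(shared):
    """Short verification string, computed locally from this side's own secret.
    Telegram renders the equivalent as an image; a hex string serves the same role here."""
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()[:16]


def fingerprints_match(fp_a, fp_b):
    """Out-of-band comparison of the two locally computed fingerprints."""
    return hmac.compare_digest(fp_a, fp_b)


def honest_exchange():
    """The relay forwards each public value unchanged, so both fingerprints agree."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    fp_a = fingerprint(shared_secret(a_priv, b_pub))
    fp_b = fingerprint(shared_secret(b_priv, a_pub))
    return fp_a, fp_b


def substituted_exchange():
    """A relay that swaps in its own public value now shares a separate secret
    with each user, so the two locally computed fingerprints differ."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, relay_pub = keypair()
    fp_a = fingerprint(shared_secret(a_priv, relay_pub))  # Alice received relay_pub, not Bob's
    fp_b = fingerprint(shared_secret(b_priv, relay_pub))  # Bob received relay_pub, not Alice's
    return fp_a, fp_b


def session_verified(fp_shown_a, fp_shown_b):
    """What the users conclude after reading each other the displayed value.
    Only meaningful when both values came from fingerprint() on the device;
    a value supplied by the server could match regardless of the real key."""
    return fingerprints_match(fp_shown_a, fp_shown_b)


if __name__ == "__main__":
    print("honest exchange verified:", session_verified(*honest_exchange()))
    print("substituted exchange verified:", session_verified(*substituted_exchange()))
```

The design point is where the fingerprint is computed: `fingerprint()` runs on each user's device over the secret that device actually derived, so a relay cannot choose what either screen shows. A client that instead displays whatever verification image the server sends has moved that computation to the party the check is meant to detect.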

Telegram's Markus Ra said via email that while his company contests the feasibility of Rad's attack, Telegram's secret chats "are evolving constantly, and we'll make sure they stay secure even as potential attackers gain processing power over time."

Read more from the original source:
How much trust can you put in Telegram messenger?

The Free Encryption App That Wants to Replace Gmail, Dropbox, and HipChat

Cryptographers devote their careers to the science of securing your communications. Twenty-four-year-old Nadim Kobeissi has devoted his to the art of making that security as easy as possible. His software creations like Cryptocat and Minilock encrypt instant messages or shared files with three-letter-agency-level protection, with user interfaces that require Lincoln-Log-level skills. Now he's combining elements of his dead-simple apps into what he's calling his biggest release yet, a single platform designed to encrypt everything you and any group of collaborators do on the desktop.

Today, Kobeissi plans to announce Peerio, an encrypted productivity suite meant to help individual users and businesses encrypt everything from IMs to online file storage. The software, initially launching as a Windows and Mac app as well as a Chrome plugin but coming to mobile platforms soon, resembles a simplified Gmail with IM and Google Drive features included. Unlike Gmail, all communication sent via Peerio is end-to-end encrypted and can't be decrypted by anyone but the recipient, not even someone with access to the Peerio server itself.

"With Peerio everything you share or communicate with your team is secured with state-of-the-art encryption, and it's as easy as using Gmail. You don't need to learn to use it," says Kobeissi. "Peerio brings crypto to where the people are."

Encrypted messages sent using Peerio can have a subject line and are organized in the recipient's searchable inbox. But Peerio messages just as easily can be exchanged in rapid-fire one-liners with a press of the return key, a hybrid of email and instant messaging. The app also lets you upload and share end-to-end encrypted files of up to 400 megabytes, a limit Kobeissi says will climb in future updates.

Kobeissi hopes Peerio will woo two groups of users. Those who use Gmail, Dropbox, and collaboration software like Slack and Hipchat ought to see it as a significantly more secure alternative designed to foil eavesdroppers. For security-minded people already using venerable but clunky encryption tools like the 20-plus-year-old PGP, it's a far simpler option that's not limited to communicating exclusively with fellow crypto-nerds. "We wanted to take every possible use case of PGP and put it in a single app and make it better," Kobeissi says.

Read the original:
The Free Encryption App That Wants to Replace Gmail, Dropbox, and HipChat

The encryption genie is already out of the bottle

The world has declared open season on encryption and civil liberties. In one week Thailand announced its draft Cyber Security bill, Iran's highest court banned encrypted messaging apps, and now the United Kingdom has announced its own war on privacy in the wake of the French terror attacks.

UK Prime Minister David Cameron said that he will not allow terrorists to have a safe place to communicate. This is understood to mean that encrypted communications apps are to be banned or backdoored to allow access by the security services.

The idea of eavesdropping on communications to protect the monarchy is genuinely popular in Thailand, as is the idea of empowering the state to get rid of terrorists in the west.

The only problem is that banning encryption simply cannot work. The genie is already out of the bottle.

I asked Caspar Bowden, former Chief Privacy Officer at Microsoft and now an independent privacy advocate, for his comments on Cameron's pledge. Bowden pointed out that the exact same arguments and counter-arguments had been made in the wake of 9-11.

In October 2001, Bowden wrote a piece for the BBC website that is still as valid today as it was over 13 years ago.

Bowden said that the politicians' argument that there must be a balance between civil liberties and public safety is a false dichotomy.

"Those who want a nostalgic return to the era of phone-tapping are either naïve or impervious to reason. The only way to stop terrorist cells communicating via the internet is to disinvent it. Encryption is irrelevant," he said.

There are four ways in which encryption can be compromised in a way that would allow the state to access messages with a warrant, but all are fundamentally flawed, as Bowden argued back in 2001.

The 'back-door'

Excerpt from:
The encryption genie is already out of the bottle