$9,500 is Imminent For Bitcoin Despite 5% Intraday Gain: Here's Why – newsBTC

Bitcoin gained bullish momentum above the key $8,800 resistance. As a result, BTC price surpassed $9,000 and it seems like the bulls are now aiming for a test of $9,500.

Yesterday, we discussed how bitcoin bulls aim big after the price surge above the $8,500 resistance. BTC even surged above the main $8,800 resistance level and the 100 hourly simple moving average to move further into a positive zone.

In the past three sessions, the price is up around 5% and it surpassed the $9,000 psychological barrier. A new weekly high formed near $9,145 and the price is currently correcting lower.

It is trading near the 23.6% Fib retracement level of the recent rise from the $8,873 low to $9,145 high. The first key support on the downside is near the $9,000 level.

Furthermore, the 50% Fib retracement level of the recent rise from the $8,873 low to $9,145 high is also near the $9,000 level to act as a strong support. If there are additional losses, bitcoin price might decline towards the $8,880 support area.

More importantly, there is a key bullish trend line forming with support near $8,880 on the hourly chart of the BTC/USD pair. If the price fails to stay above the $8,800 support, it could revisit the main $8,500 support area (the recent breakout zone).

In the short term, BTC might correct lower towards the $9,000 and $8,880 support levels. However, the bulls remain in control as long as the price is above $8,500 and the 100 hourly simple moving average.

On the upside, an initial resistance is near the $9,200 area. If bitcoin surges above the $9,200 resistance, it will most likely set the pace for a test of the $9,500 hurdle. Any further gains may perhaps call for a push towards $10,000 in the near term.

Technical indicators:

Hourly MACD: The MACD is showing positive signs in the bullish zone.

Hourly RSI (Relative Strength Index): The RSI for BTC/USD is currently correcting from the overbought zone.

Major Support Levels: $9,000 followed by $8,880.

Major Resistance Levels: $9,150, $9,200 and $9,500.

Bitcoin Moves on Path to Money But Unit of Account a Long Way Off – Bitcoinist

Bitcoin is only a decade old but it has come a long way on the path to becoming money. A couple of metrics to consider are precision of spending and unit of account status.

When bitcoin was first envisioned back in 2009 it was largely experimental. For its first year, tens of thousands of them were fired across networks just to see what happened.

The first real world transaction occurred in 2010 when Laszlo Hanyecz famously asked for pizza on the bitcointalk forum in exchange for 10,000 BTC. He received a $25 order of pizza in exchange for the coins marking the first ever transaction for a tangible asset.

It went from magic worthless internet money to something with real value, which was the desired intention for the transaction. At today's bitcoin prices that pizza would be worth $90 million.

BitMEX Research has delved deeper into the precision of spending on the bitcoin network to reveal how the accuracy has improved over time.

By dividing outputs into groups increasing by a power of ten (from 1 satoshi to 100k BTC) and plotting the results on a chart it is clear to see the increase in precision over the past decade.

Currently over 70% of Bitcoin outputs use the highest available degree of precision (one satoshi), considerable growth since the c40% level in 2012.

The report concluded that an increase in precision would be beneficial to privacy based on the way bitcoin transactions work with UTXOs.

As our data shows, the level of precision is increasing, such that most outputs now have the maximum level of precision. This could inadvertently be positive news from a privacy perspective.

The study went on to state that bitcoin needs to achieve three major steps before it can be considered the same status as money.

Firstly it needs to be used as a medium of exchange which is already happening, driven by its potential unique capability: censorship resistant electronic payments.

The second step has been clearly evidenced this month and that is its status as a store of value. With market movements mirroring the world's largest store of value, gold, bitcoin is being viewed in the same light, especially in times of adversity.

Thirdly is the unit of account status. This is when goods and services are priced in bitcoin, or satoshis in this case. This is still a very long way off due to price volatility as BTC is still primarily a vehicle for speculation. There are also a number of factors that need to happen to the technology before it sees mass adoption.

It added that if this does finally occur then the degree of precision may decrease due to the asset's increased use as a unit of account.

New Collaboration Brings Increased Open Source Security Support and Assurances to Software Developers – PRNewswire

SAN FRANCISCO, Jan. 28, 2020 /PRNewswire/ -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, and the Open Source Technology Improvement Fund (OSTIF) today announced a strategic partnership to advance security for open source software (OSS) that has become critical to the world's infrastructure.

The organizations will bring together and build on a depth of their experience supporting security audits for widely deployed open source communities. This formal and strategic agreement will allow the Linux Foundation to augment its work on security audits, of which it has already invested more than $1m across more than 20 security audits for open source projects to date, by including audit sourcing experts through OSTIF's network. OSTIF will share the resources available through the Linux Foundation's Community Bridge, a funding and support ecosystem for developers and projects, with its community to help fundraise for new audits.

"The Linux Foundation's ability to fundraise across industries to support thousands of developers around the world is unprecedented," said Amir Montazery, vice president of development at OSTIF. "The Linux Foundation is a pioneer in open source software and one of the few organizations taking the actions required to truly support it for generations to come. We are excited to join forces and increase our collective impact on improving critical software."

As part of the strategic partnership, The Linux Foundation will appoint Mike Dolan, vice president of strategic programs, to the OSTIF Advisory Board.

"OSTIF represents a global community and network of security experts and developers and demonstrates an important commitment to the improvement and sustainability of open source software," said Mike Dolan, vice president of strategic programs, Linux Foundation. "This is a natural collaboration that we hope will increase trust in the global open source software supply chain that underpins modern society."

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world's leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation's projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

About Open Source Technology Improvement Fund

The Open Source Technology Improvement Fund is a non-profit organization that connects open source security projects with much needed funding and logistical support. This core value is driven by public fundraising and by soliciting donations from corporate and government donors. For more information, please visit https://ostif.org

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

Media Contact pr@linuxfoundation.org

SOURCE The Linux Foundation

http://www.linuxfoundation.org

Security in the financial industry – TechRadar

In recent years, there has been a growing realization that privacy is every citizen's right. What's also become clear is that you can't have privacy without security in place. You only need to look at the number of cyber-attacks which have plagued the headlines in recent years to see that companies have been irresponsible to date. No company is immune to today's cybercriminals, especially financial services companies who process and handle huge amounts of sensitive information. With this in mind, these businesses need to ensure they're adopting the right technologies to protect themselves from this growing threat.

Stephan Fabel, Director of Product, Canonical - publisher of Ubuntu.

Encryption is one of the biggest solutions to this problem and is an enabler of modern-day banking and fintech operations. Banks are well-known for using encryption for security reasons. Currently, the biggest challenge facing the finserv sector is around bringing this level of security to the wider industry. Finserv customers want high levels of security but also easy deployment, flexibility, and agility, which often poses a challenge for IT teams. Canonical is working closely with IBM to overcome this issue and provide its fintech customers with the technology to optimize data protection and privacy across both containers and multi-cloud infrastructures.

One such technology is the secure service container - a tool which has been specifically developed for container-based applications on IBM's LinuxONE. Banks and fintechs are already using this technology to protect themselves against three of the most common attack factors: malware, ransomware and memory scraping, as well as other mainstream attack methods used for stealing cryptocurrency, and insider attacks which compromise user credentials.

By using the mix of hardware and software that the so-called security service container offers, developers get the same quality of security that they would on Linux, and this works in any data center, whether on-premise or using cloud services. The next generations of finserv IT infrastructures are being built around Linux because it is easy to deploy, and gives you a highly functional and easily automated stack. Industry giants such as Barclays have already built whole data center infrastructures around Linux. Besides providing easy access to innovations and software frameworks for IT teams, open source software also increases trust, which is essential for security compliance in the long term.

When it comes to closed-source software, it is impossible to verify all the background activities taking place, and in the case of a bug or an error, it is hard to analyse the reasons behind it, given that only the original developer can access the backend. In the case of open source, the community of developers is very quick to spot and fix bugs or errors.

In the financial services industry, containerization can enable new levels of security, cost saving and developer efficiency. The majority of developers are not security experts but are looking for cost efficiencies when deploying new applications and systems. With containers, you can push a button, move things to the cloud and it will run as a virtual machine. These capabilities are not something developers have traditionally been able to benefit from to provide advanced security through hardware. Even with physical access to computers, cyber criminals won't be able to break into the system.

In about 10-15 years quantum computers will become powerful enough to break all current cryptography keys, and the banking and financial industries are already preparing for post-quantum cryptography. Technology vendors are already populating their systems with such algorithms, moving from firmware into hardware. When quantum computers reach the required level of power, the majority of businesses will need to decrypt all of their data and encrypt it with the new post-quantum cryptographic methods.

In addition, blockchain technology will also become one of the key security algorithms. The goal is to enable the finserv industry to operate, test and run analytics without data. It is also great that new players in the finserv space, who have never had legacy systems in place, will build their infrastructures on non-monolithic systems.

3 Reasons to Buy IBM Stock – Motley Fool

International Business Machines (NYSE:IBM) managed to beat expectations with its fourth-quarter report last week, and it provided guidance calling for revenue and earnings growth in 2020. The stock has been trending downward for years as the company's transformation failed to translate into sustainable growth. That painful period may finally be over.

While looking at IBM's stock chart doesn't foster much confidence, there are a few good reasons to buy the stock.

IBM loaded up its balance sheet with debt to acquire open source software company Red Hat. While there's no guarantee that the $34 billion deal won't end in write-offs and disappointment, Red Hat presents IBM with some significant growth opportunities.

Red Hat itself was growing at a solid double-digit rate prior to the acquisition. Red Hat Enterprise Linux accounted for about one-third of the paid enterprise operating system market in 2018, second only to Microsoft. And Red Hat OpenShift, the company's container-based platform for hybrid cloud, currently leads the market.

The Red Hat acquisition strengthened IBM's position in the hybrid cloud market on day one. The combination of IBM and Red Hat is powerful, because IBM now has the opportunity to pitch Red Hat software to its large clients. Red Hat's normalized revenue growth rate accelerated to 24% in IBM's fourth quarter as that benefit began to be realized. One example: IBM recently announced a $1 billion hybrid cloud deal with a major Spanish bank involving Red Hat's OpenShift platform.

While IBM paid a steep price for Red Hat, the deal may end up being the key to IBM's return to sustainable growth.

IBM grew its revenue in the fourth quarter, and it expects revenue growth in 2020. Earnings are being pressured by the accounting treatment of Red Hat's pre-acquisition deferred revenue, but IBM stock looks cheap even including that headwind.

For 2020, IBM expects to generate adjusted earnings per share of at least $13.35. This number includes the impact of IBM being unable to recognize all of Red Hat's stand-alone revenue. Free cash flow is expected to be around $12.5 billion, up from $11.9 billion in 2019.

With the stock trading around $139, both the price-to-earnings ratio and price-to-free cash flow ratio are right around 10. That's a valuation that assumes little or no growth. IBM expects to grow its adjusted pre-tax income by a high single-digit percentage annually through 2021, factoring in the benefits of Red Hat. If the company can hit that target, it could earn the stock a higher multiple.

A cheap price alone isn't enough to make a stock a good investment. But combine the beaten-down valuation with the growth potential afforded by Red Hat, and IBM looks like a good value.

IBM temporarily halted share buybacks once the Red Hat acquisition closed in order to prioritize paying down its debt. The company remains committed to growing the dividend, though, and another increase is expected in April.

Assuming IBM does raise its dividend in a few months, the company will become a Dividend Aristocrat, having increased its dividend for 25 consecutive years. IBM has paid dividends uninterrupted for over 100 years.

IBM's next dividend increase will likely be small, but a high yield makes up for the sluggish growth. The current quarterly dividend of $1.62 per share represents a yield of about 4.7%.

IBM is not a growth stock. Slow and steady growth is likely the best investors can hope for, but that's perfectly fine if the price is right. With IBM trading at pessimistic levels and sporting a high-yield dividend, growth doesn't need to be spectacular for the stock to be a winner over the next few years.

Remember the Clipper chip? NSA’s botched backdoor-for-Feds from 1993 still influences today’s encryption debates – The Register

Enigma More than a quarter century after its introduction, the failed rollout of hardware deliberately backdoored by the NSA is still having an impact on the modern encryption debate.

Known as Clipper, the encryption chipset developed and championed by the US government only lasted a few years, from 1993 to 1996. However, the project remains a cautionary tale for security professionals and some policy-makers. In the latter case, however, the lessons appear to have been forgotten, Matt Blaze, McDevitt Professor of Computer Science and Law at Georgetown University in the US, told the USENIX Enigma security conference today in San Francisco.

In short, Clipper was an effort by the NSA to create a secure encryption system, aimed at telephones and other gear, that could be cracked by investigators if needed. It boiled down to a microchip that contained an 80-bit key burned in during fabrication, with a copy of the key held in escrow for g-men to use with proper clearance. Thus, any data encrypted by the chip could be decrypted as needed by the government. The Diffie-Hellman key exchange algorithm was used to exchange data securely between devices.

Not surprisingly, the project met stiff resistance from security and privacy advocates who, even in the early days of the worldwide web, saw the massive risk posed by the chipset: for one thing, if someone outside the US government was able to get hold of the keys or deduce them, Clipper-secured devices would be vulnerable to eavesdropping. The implementation was also buggy and lacking. Some of the people on the Clipper team were so alarmed they secretly briefed opponents of the project, alerting them to insecurities in the design, The Register understands.

Blaze, meanwhile, recounted how Clipper was doomed from the start, in part because of a hardware-based approach that was expensive and inconvenient to implement, and because technical vulnerabilities in the encryption and escrow method would be difficult to fix. Each chip cost about $30 when programmed, we note, and the relatively short keys could be broken by future computers.

In the years following Clipper's unveiling, a period dubbed the "first crypto wars," Blaze said, the chipset was snubbed and faded into obscurity while software-based encryption rose and led to the loosening of government restrictions on its sale and use. It helped that Blaze revealed in 1994 a major vulnerability in Clipper's escrow design, sealing its fate.

It is important to note, said Blaze, that the pace of innovation and unpredictability of how technologies will develop makes it incredibly difficult to legislate an approach to encryption and backdoors. In other words, security mechanisms made mandatory today, such as another escrow system, could be broken within a few years, by force or by exploiting flaws, leading to disaster.

This unpredictability in technological development, said Blaze, thus undercuts the entire concept of backdoors and key escrow. The FBI and Trump administration (and the Obama one before that) pushed hard for such a system but need to learn the lessons of history, Blaze opined.

"The FBI is the only organization on Earth complaining that computer security is too good," the Georgetown prof quipped.

"Any key escrow mechanism is going to be designed from the same position of ignorance that Clipper was designed with in the 1990s. We are going to be looking back at those engineering decisions ten years from now as being equally laughably wrong."

Daniel Weitzner, founding director of the MIT Internet Policy Research Initiative, said this problem is not lost on all governments trying to work out new encryption laws and policies in the 21st century. He sees a number of administrations trying to address the issue by bringing developers and telcos in on the process.

"What the legislators hear is a complicated problem that they don't know how to resolve," Weitzner noted. "Moving the debate to experts on one hand gets you down to details, but it is not necessarily easy."

Options to End the End to End Encryption Debate – Infosecurity Magazine

It's a long-simmering disagreement that shows no sign of reaching a conclusion: law enforcement wants access to encrypted devices and messaging apps to fight crime. Tech companies say any system that allows for lawful access would instantly be attacked and put legitimate users in danger.

The latest spat between the FBI and Apple, over the locked devices of Mohammed Saeed Alshamrani, who was suspected of killing three people and injuring eight in a shooting spree on a Navy base in Pensacola, Florida on December 6, may have escalated the conflict, but it's unlikely to break the deadlock.

While the debate has been framed as a battle between privacy and security, the reason for the stalemate is that the conversation between law enforcement and tech firms has largely focused on one solution. With tech firms moving to stronger security and end-to-end encryption across messaging apps, the US Justice Department, along with the UK and Australia, has asked companies to create a key or backdoor into the design of their products that would allow law enforcement to unlock the phones of criminal suspects and access data, a move that Facebook says is impossible without weakening the strength of its encryption.

Surprisingly little thought, however, has been given to alternative ways of handling the challenge of thwarting criminals who hide behind encryption, while also preserving the privacy of legitimate users. So what are the alternatives, and is there a possibility that both sides could agree a middle ground?

Facebook has offered its own solution. Anxious to avoid a scenario where unbreakable encryption would effectively become illegal, Facebook says it should still be able to provide some critical location and account information.

This is because end-to-end encryption hides all content, but not all metadata of the conversation taking place. "We are building tools to look for signals and patterns of suspicious activity so that we can stop abusers from reaching potential victims," Facebook's Jay Sullivan told the Judiciary Committee last month.

The big fear, however, is that 12 million referrals of child sexual abuse - currently flagged by tech giants - would be lost annually if Facebook implements its plans. Stronger encryption would limit the chances of identifying the abusers and rescuing the victims.

Then there is the argument that Facebook cannot be trusted, with critics pointing to numerous security breaches and the mass collection of users' personal data for financial gain.

Another option, put forward by the Carnegie Endowment for International Peace in a new paper called Moving the Encryption Policy Conversation Forward, attempts to find some middle ground by separating data at rest and data in motion. It would prevent police from being able to carry out live surveillance of discussions that are in progress, but allow them, with a court-ordered search warrant, to see data at rest on mobile phones. This would include photos and messages that are already held on suspects' mobile phones, laptops and in cloud storage.

Exploring mobile phone data at rest seems to be an area most likely to kick start the debate. New York County District Attorney Cyrus Vance is among supporters of this approach and wants federal legislative action to push it through. His frustration stems from Apple's refusal to provide access to the phone of the San Bernardino shooter following the 2015 massacre.

Even so, many in the computer security community are skeptical, and the approach needs rigorous testing and debate to see if it's viable.

A third option isn't so much a backdoor, more an emergency entrance. Here the government, the tech company and a neutral third party, such as a court, would each keep a fragment of a cryptographic key. Authorities would get sanctioned and pre-agreed access to messaging data, a bit like a bank safe deposit box which can only be opened if the bank and the customer are present.

According to Andersen Cheng, CEO of Post-Quantum, this option would significantly limit the ability of rogue actors to get access because it means no one authority has a master key to unlock millions of accounts. Any concerns over government control can be allayed because the key management could be hosted by the social media companies, he says.

The only problem, and it's a big one, is that no one appears to have any idea how to create such a thing at scale that will remain secret. Tech companies are likely to rail against any technical steps that would fundamentally weaken communications.

Then, there's the current solution. Each year, US police districts give millions of dollars to third-party commercial developers to access data saved to the cloud. As we know from recent scandals, undetectable spyware exploits vulnerabilities in software, allowing the buyer to access a device to read texts, pilfer address books, remotely switch on microphones and track the location of their target. There is no shortage of commercial surveillance companies that offer these services, and police reportedly used similar tools to access the phone of the San Bernardino shooter when Apple wouldn't help.

This kind of technology is playing an increasing part in helping government agencies all over the world prevent and investigate terrorism and crime and save lives: almost 50% of police investigations now involve cloud data.

Controversial Israeli firm NSO Group was involved in the capture of notorious drug lord El Chapo, and recently police in Western Europe said that NSO spyware was helping them track a terror suspect they feared was plotting an attack during Christmas.

Despite this, encrypted devices and messaging platforms continue to complicate crime investigations, not least because critical evidence is often only available on the device itself, not in the cloud. The tools provided by commercial companies can also be expensive, with police claiming that justice is sometimes unattainable for crime victims in areas where police departments do not have the means to decrypt phones.

Campaigners also point to potential abuses and a lack of transparency over new forms of surveillance being used, and a more widespread adoption of this approach will mean that governments will have to impose careful controls to prevent misuse and enforce oversight.

Whatever the solution to the current debate over encryption, it's unlikely to perfectly suit everyone. As the Carnegie Endowment report points out, cybersecurity advocates may have to accept some level of increased security risk, just as law enforcement advocates may not be able to access all the data they seek.

The first step, however, is recognizing that, with the lives and safety of so many at stake, lawmakers and tech firms should investigate every option.

Is William Barr’s Latest Attack On Section 230 Simply An Effort To Harm Tech Companies For Blocking His Desire To Kill Encryption? – Techdirt

from the this-makes-no-sense dept

Last month, we noted that Attorney General William Barr was making a bizarre attack on Section 230 of the Communications Decency Act, claiming that the DOJ was "studying Section 230 and its scope" and arguing -- without evidence -- that 230 might be contributing to "unlawful behavior" online. As we noted at the time, Section 230 explicitly exempts federal criminal charges from what it applies to, meaning that it literally cannot interfere with any DOJ prosecution. So it's truly bizarre to see the DOJ concerned about the issue.

But Barr has continued to push forward with this anti-230 kick, and is going to host a "workshop" about 230 in a few weeks.

The U.S. Justice Department is hosting a workshop next month seeking a wide diversity of viewpoints on Section 230 of the Communications Decency Act, the federal statute that, with few exceptions, protects major internet companies and private website owners from liability when it comes to the posts and comments generated by users.

While the DOJ claims that this workshop will have that "diversity of viewpoints," as we've seen in other contexts with the DOJ, this is rarely the actual case. It may offer up a sacrificial lamb in support of 230, but it is likely to stack the deck against 230. This is the same thing that the DOJ has done, repeatedly, with regard to the encryption debate and questions around "going dark." Indeed, we've noted before the similarities between the government's efforts to attack encryption and the playbook that was used to attack Section 230 in 2018. In fact, we've heard that the very same former Hollywood lobbyist is a key player in both efforts.

Given the similarities in the playbook, and the fact that the DOJ is not hindered at all by 230, it makes you wonder if Barr and the DOJ are playing this anti-230 card simply as a method of punishing the internet industry for opposing his desire to gut encryption? The whole thing seems to be little more than an abuse of DOJ power to intimidate and threaten an entire industry for daring to support online security and free speech online against a government which would prefer neither thing be enabled.

The FBI doesn’t need Apple to give it a backdoor to encryption, because it already has all the access it needs – Boing Boing

Once again, the FBI is putting pressure on Apple to help them break into the phone of a mass shooter. And once again, Apple has been largely resistant to the effort. Which is good, because a government having control over a private company that gives them secret backdoor access into people's personal technology devices is an authoritarian wet dream waiting to happen.

It also doesn't matter anyway because, as Reuters pointed out this week, Apple already buckled under FBI pressure a few years ago and cancelled their plans to add end-to-end encryption to all iPhone backups in iCloud:

The company said it turned over at least some data for 90% of the requests it received [from the FBI]. It turns over data more often in response to secret U.S. intelligence court directives, which sought content from more than 18,000 accounts in the first half of 2019, the most recently reported six-month period.

But what if the FBI wants access to someone's locked iPhone, and they haven't backed it up to iCloud? They still don't need Apple's help, because, as with the San Bernardino shooting, there are plenty of third-party companies that can and will gladly solve the problem in exchange for money.

From OneZero:

Over the past three months, OneZero sent Freedom of Information Act (FOIA) requests to over 50 major police departments, sheriffs, and prosecutors around the country asking for information about their use of phone-cracking technology. Hundreds of documents from these agencies reveal that law enforcement in at least 11 states spent over $4 million in the last decade on devices and software designed to get around passwords and access information stored on phones.

[...]

The documents range from contracts, requests for proposals (RFPs), invoices for payments by law enforcement, quotes from forensic companies, and emails traded between officials discussing vendor approval. They suggest that most law enforcement agencies bought forensic investigation products from a small group of companies that include Cellebrite, Grayshift, Paraben, BlackBag, and MSAB. In addition to selling the software and hardware needed to unlock phones, these companies also charge thousands of dollars each year to upgrade the software in their products. In addition, their customers spend thousands on training sessions to teach personnel in their offices how to use the tools.

And perhaps that's the most frustrating thing about this whole scenario. The US government is always warning us about the authoritarian overreaches of surveillance states like those in China, but really, they just want to replicate it without feeling guilty. Meanwhile, supposed-innovations of free market enterprise are providing the same opportunities for authoritarian surveillance capitalism, but, ya know, privately-owned, so immune to any legal oversight or transparency, because America. Isn't that supposed to be the dream?

Exclusive: Apple dropped plan for encrypting backups after FBI complained [Joseph Menn / Reuters]

Exclusive: U.S. Cops Have Wide Access to Phone Cracking Software, New Documents Reveal [Michael Hayes / OneZero]

See the original post:
The FBI doesn't need Apple to give it a backdoor to encryption, because it already has all the access it needs - Boing Boing

There is no legislation mandating encryption of private information – Kamloops This Week

While the fallout from the LifeLabs privacy breach continues to reverberate in the form of proposed class action lawsuits and patients still trying to determine if their personal medical information was accessed, the Office of the Information and Privacy Commission of B.C. has confirmed there is no legislation that mandates private information held by a company be encrypted.

Neither the Freedom of Information and Protection of Personal Information Act (FIPPA), which applies to public bodies, nor the Personal Information Protection Act (PIPA), which applies to private organizations, specifically mentions encryption, the Information and Privacy Commission confirmed in an email response to a query from KTW.

Personal information of up to 15 million LifeLabs patients, primarily in B.C. and Ontario, may have been accessed during a cyberattack on the company's computer systems in October. LifeLabs reported it to authorities on Nov. 1, but the breach was not made public until mid-December.

LifeLabs said it retained outside cybersecurity consultants to investigate and assist with restoring the security of its data.

While LifeLabs states on its website that its patient information is encrypted, company CEO Charles Brown told the CBC's Early Edition on Dec. 18 that he did not know if the information hacked was, indeed, encrypted.

Here is the text that can be found on the LifeLabs website: "Our security practices are designed to protect your personal information and prevent unauthorized access. Only authorized employees are permitted to access personal information and only when the access is necessary. Your information is protected using industry best practices, and all information is transmitted over secure, encrypted channels."

Section 30 of the Freedom of Information and Protection of Personal Information Act states: "A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal."

Section S.34 of the Personal Information Protection Act states: "An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks."

Noel Boivin, senior communications officer for the Office of the Information and Privacy Commission of B.C., said the department has the authority to issue legally binding orders to ensure organizations comply with those requirements.

"Decisions such as these are made based on the unique facts of each case," Boivin said. "Based on these requirements in both pieces of legislation, our office recommends encryption as a best practice."

The Office of the Information and Privacy Commission recommends organizations implement technical safeguards, including ensuring computers and networks are secure from intrusion by using firewalls, intrusion-detection software and antivirus software and by encrypting personal information.

Boivin noted findings from previous investigation reports call for organizations to encrypt data on personal storage devices.

"Our guidance is that personal information should be encrypted in transit and at rest in order to protect against unauthorized access," said Caitlin Lemiski, the Office of the Information and Privacy Commission's director of policy.

"The encryption, and key management, should be based on current industry-accepted standards for protecting data and should be reviewed regularly."

LifeLabs has four clinics in Kamloops: two downtown, one in Aberdeen and one in North Kamloops.

According to the company, hackers gained access to the computer system that held customer information from 2016 and earlier that could include names, addresses, email addresses, login user names and passwords, dates of birth, health card numbers and lab test results.

The access was accompanied by a ransom demand, which LifeLabs paid.

LifeLabs set up a dedicated phone line and information on its website for those affected by the breach. To find out more, the public should go online to customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

In January 2013, patient information for 16,100 Kamloops-area residents was on a computer hard drive that went missing as it was being transferred by LifeLabs to Burnaby from Kamloops.

Read the original here:
There is no legislation mandating encryption of private information - Kamloops This Week