Internet of crap (encryption): IoT gear is generating easy-to-crack keys – The Register

A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve.

This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.

Comparing the millions of keys on an Azure cloud instance, the team found common factors were used to generate keys at a rate of 1 in 172 (435,000 in total). By comparison, the team also analyzed 100 million certificates collected from the Certificate Transparency logs on desktops, where they found common factors in just five certificates, or a rate of 1 in 20 million.

The team believes that the reason for this poor entropy is down to IoT devices. Because the embedded gear is often based on very low-power hardware, the devices are unable to properly generate random numbers.

The result is keys that could be easier for an attacker to break, leaving the device and all of its users vulnerable.
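The shared-factor check Keyfactor describes is easy to reproduce on a small scale. The following Go program is an added illustration, not code from The Register's article or from Keyfactor: it runs a pairwise gcd over a constructed fleet of five deliberately tiny RSA moduli (device numbering, primes and function names are all invented for the example) and shows that any modulus sharing a prime with another one is fully factored, which yields its private exponent outright.

```go
package main

import (
	"fmt"
	"math/big"
)

// Constructed fleet of RSA moduli.  The primes are tiny so the example runs
// instantly; the gcd logic is identical for 2048-bit moduli.  They were built
// (for the reader's benefit) as:
//   device 0: 1009 * 1013   device 1: 1019 * 1021   device 2: 1009 * 1031
//   device 3: 1033 * 1039   device 4: 1049 * 1021
// A low-entropy generator that keeps landing in the same RNG state hands the
// same prime to several devices, which is what devices 0/2 and 1/4 model.
var fleet = []*big.Int{
	big.NewInt(1022117),
	big.NewInt(1040399),
	big.NewInt(1040279),
	big.NewInt(1073287),
	big.NewInt(1071029),
}

// Factors holds the recovered prime pair for a modulus that shared a factor.
type Factors struct{ P, Q *big.Int }

// FindSharedFactors runs a pairwise gcd over the batch and returns, keyed by
// index, every modulus that can be fully factored because it shares a prime
// with another modulus.  Pairwise gcd is O(n^2); at the scale of tens of
// millions of certificates a product-tree "batch gcd" does the same job in
// near-linear time, but the per-pair test is exactly this one.
func FindSharedFactors(moduli []*big.Int) map[int]Factors {
	found := make(map[int]Factors)
	one := big.NewInt(1)
	for i := 0; i < len(moduli); i++ {
		for j := i + 1; j < len(moduli); j++ {
			g := new(big.Int).GCD(nil, nil, moduli[i], moduli[j])
			// g == 1: independent keys.  g == N: identical moduli (also a
			// failure, but no new factor is learned).  Anything else splits N.
			if g.Cmp(one) == 0 || g.Cmp(moduli[i]) == 0 || g.Cmp(moduli[j]) == 0 {
				continue
			}
			for _, k := range []int{i, j} {
				if _, seen := found[k]; !seen {
					q := new(big.Int).Div(moduli[k], g)
					found[k] = Factors{P: new(big.Int).Set(g), Q: q}
				}
			}
		}
	}
	return found
}

// PrivateExponent shows why a shared factor is a full compromise: with p and
// q known, d = e^-1 mod (p-1)(q-1) follows immediately.
func PrivateExponent(f Factors, e int64) *big.Int {
	phi := new(big.Int).Mul(
		new(big.Int).Sub(f.P, big.NewInt(1)),
		new(big.Int).Sub(f.Q, big.NewInt(1)))
	return new(big.Int).ModInverse(big.NewInt(e), phi)
}

// RoundTrips checks that the recovered d really inverts the public key:
// (m^e)^d == m mod N for a sample message.
func RoundTrips(n *big.Int, e int64, d *big.Int) bool {
	m := big.NewInt(123456)
	c := new(big.Int).Exp(m, big.NewInt(e), n)
	return new(big.Int).Exp(c, d, n).Cmp(m) == 0
}

func main() {
	const e = 65537
	weak := FindSharedFactors(fleet)
	fmt.Printf("%d of %d moduli share a factor with another device\n", len(weak), len(fleet))
	for i, f := range weak {
		d := PrivateExponent(f, e)
		fmt.Printf("device %d: N=%v = %v * %v, d recovered, round trip ok=%v\n",
			i, fleet[i], f.P, f.Q, RoundTrips(fleet[i], e, d))
	}
}
```

Running the same audit over an organisation's own certificate inventory is the defensive counterpart of what the researchers did: a single hit means that key must be replaced on a device with a proper entropy source.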

"The widespread susceptibility of these IoT devices poses a potential risk to the public due to their presence in sensitive settings," Keyfactor researchers Jonathan Kilgallin and Ross Vasko noted.

"We conclude that device manufacturers must ensure their devices have access to sufficient entropy and adhere to best practices in cryptography to protect consumers."

The recommendation is that IoT hardware vendors step up their security efforts to improve the entropy of these devices and make sure that their hardware is able to properly set up secure connections.

If vendors don't step up and address the issue, there is a good chance that criminal hackers will. The team says its experiments showed that this sort of attack could be pulled off without much in the way of an up-front investment.

"With modest resources, we were able to obtain hundreds of millions of RSA keys used to protect real-world traffic on the internet," said Kilgallin and Vasko.

"Using a single cloud-hosted virtual machine and a well-studied algorithm, over 1 in 200 certificates using these keys can be compromised in a matter of days."


Facebook refuses to break end-to-end encryption – Naked Security

Congress on Tuesday told Facebook and Apple that they had better put backdoors into their end-to-end encryption, or it will pass laws that force tech companies to do so.

At a Senate Judiciary Committee hearing on Tuesday, attended by Apple and Facebook representatives who testified about the worth of encryption that hasn't been weakened, Sen. Lindsey Graham had this to say:

"You're going to find a way to do this or we're going to do this for you.

"We're not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion."

It's the latest shot fired in the ongoing war over encryption. The most recent salvos have been launched following the privacy manifesto that Facebook CEO Mark Zuckerberg published in March.

At the time, Zuckerberg framed the company's new stance as a major strategy shift that involves developing a highly secure private communications platform based on Facebook's Messenger, Instagram, and WhatsApp services.

Facebook's plan is to leave the three chat services as standalone apps but to also stitch together their technical infrastructure so that users of each app can talk to each other more easily.

The plan also includes slathering the end-to-end encryption of WhatsApp (which keeps anyone, including Facebook itself, from reading the content of messages) onto Messenger and Instagram. At this point, Facebook Messenger supports end-to-end encryption in secure connections mode: a mode that's off by default and has to be enabled for every chat. Instagram has no end-to-end encryption on its chats at all.

You had better end, or at least pause, your plan, three governments warned Facebook in October.

US Attorney General William Barr and law enforcement chiefs of the UK and Australia signed an open letter calling on Facebook to back off of its encryption-on-everything plan unless it figures out a way to give law enforcement officials backdoor access so they can read messages.

No, Facebook said, with all due respect to law enforcement and its need to keep people safe.

On Monday, Facebook released an open letter it penned in response to Barr.

In the letter, WhatsApp and Messenger heads Will Cathcart and Stan Chudnovsky said that any backdoor access into Facebook's products created for law enforcement would weaken security and let in bad actors who would exploit the access. That's why Facebook has no intention of complying with Barr's request that the company make its products more accessible, they said:

"The backdoor access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.

"People's private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do."

In his opening statement on Tuesday, Sen. Graham, the chairman of the Senate Judiciary Committee, told Apple and Facebook representatives that he appreciates the fact that people "cannot hack into my phone", but that encrypted devices and messaging create a safe haven for criminals and child exploitation.

In Facebook's letter, Cathcart and Chudnovsky pointed out that cybersecurity experts have repeatedly shown that weakening any part of an encrypted system means that it's weakened for everyone, everywhere. It's impossible to create a backdoor just for law enforcement that others wouldn't try to open, they said.

They're not alone in that belief, they said. Over 100 organizations, including the Center for Democracy and Technology and Privacy International, responded to Barr's letter to share their views on why creating backdoors jeopardizes people's safety. Facebook's letter also quoted cryptography professor Bruce Schneier from comments he made earlier this year:

"You have to make a choice. Either everyone gets to spy, or no one gets to spy. You can't have 'We get to spy, you don't.' That's not the way the tech works."

And as it is, Facebook is already working on making its platforms more secure, they said. It's more than doubled the number of employees who are working on safety and security, and it's using artificial intelligence (AI) to detect bad content before anyone even reports it or, sometimes, sees it. For its part, WhatsApp is detecting and banning two million accounts every month, based on abuse patterns. It also scans unencrypted information, such as profile and group information, looking for tell-tale content such as child abuse imagery.

Facebook says that it's been meeting with safety experts, victim advocates, child helplines and others to figure out how to better report harm to children, in ways that are more actionable for law enforcement. It's doing so while trying to balance the demands of other needs: as in, it's also working to collect less personal data, as governments are demanding, and to keep users' interactions private, as those users are demanding.

At a Wall Street Journal event on Tuesday, AG Barr granted that yes, there are benefits to encryption, such as to secure communications with a bank: a financial institution that will, and can, give investigators what they need when served with a warrant.

But he said that the growth of consumer apps with warrant-repellent, end-to-end encryption, like WhatsApp and Signal, has aided terrorist organizations, drug cartels, child molesting rings and kiddie porn type rings.

This war over encryption has been going on since the FBI's many attempts to backdoor Apple's iPhone encryption in the case of the San Bernardino terrorists.

Both sides are sticking to the same rationales they've espoused since the start of this debate. The only real difference in the events of this week is the renewed call for legislation to force backdoors: a threat that is apparently uniting both sides of this otherwise extremely partisan Congress and hence carries that much more weight.


Changing the Locks: Proposed Amendments to the Australian Encryption Act – Lexology

The Australian Encryption Act was passed last year in response to the government's concern about misuse of encrypted social media platforms to advance terrorist activities. The Act extended ASIO, Federal, and State law enforcement powers to enable them to issue notices to request access to otherwise encrypted messages from designated communication providers. This was construed broadly to include social media giants such as WhatsApp, device manufacturers, and free Wi-Fi providers. Authorities were also permitted to detain people without a warrant or allowing them to contact a lawyer.

Initial Response

Since then, the Act has been received with significant caution from the industry. The new Technical Capability Notices (TCN) enabled authorities to require communications providers to establish back doors to allow for interception and decryption of otherwise encrypted messages on specific devices without the customer's knowledge. Agencies can also circumvent encryption by installing key logging software or by taking repeated screenshots of a customer's screen and messages. Concerns have been raised about individuals' privacy and the systemic vulnerabilities caused by techniques used to obtain and compromise encrypted data. Managing these concerns is important in a world increasingly concerned about misuse, control and regulation of civilian data, media and digital platforms.

Proposed Amendments

In response to bipartisan recommendations from the inquiry by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the Labor opposition has proposed amendments to the Act. The first reading of the Telecommunications Amendment (Repairing Assistance and Access) Bill 2019 noted that the legislation has been "holding the [Australian] tech sector back from achieving [its] potential". It expressed concerns that the Act undermines our relationships with key international strategic partners, including by slowing discussions with the United States for a bilateral agreement under the US CLOUD Act (Clarifying Lawful Overseas Use of Data).

The Explanatory Memorandum for the Bill describes the following effects of the amendments, if passed:

Regulation plays a vital but complex role in a society increasingly reliant on technology. The Bill's objectives shed light on the government's increasing focus on the role of effective encryption in national security, the importance of strong security regulatory frameworks and the impact these have on foreign trust in Australia's technology sector.


The Defense Department Says It Needs the Encryption the FBI Wants to Break – Free

Even the Defense Department is now pointing out that the government's quest to weaken encryption lies somewhere between counterproductive and downright harmful.

Attorney General Bill Barr and Senate Judiciary Committee Chair Lindsey Graham have been on a tear lately in a bid to undermine encryption standards. Those efforts culminated in a hearing this week whose primary purpose appears to have been to demonize encryption by falsely proclaiming it poses a risk to public safety.

Many staffers at both the Department of Justice and the FBI have joined the festivities, arguing that encryption enables all manner of nefarious behavior, from human trafficking to child exploitation, as they push for the inclusion of law enforcement backdoors in everything from routers to smartphones.

Actual security experts (and tech giants like Facebook and Apple) have long highlighted the foolishness of such efforts. Encryption aids everybody, they'll note, protecting consumers, activists, and criminals alike. Embed backdoors in encryption and network gear, they've warned, and you're undermining an essential security tool, putting everybody at risk.

"We do not know of a way to deploy encryption that provides access only for the good guys without making it easier for the bad guys to break in," Apple's director of user privacy, Erik Neuenschwander, told hearing attendees.

While vast segments of government have embraced the recent war on encryption, some government officials seem to understand the benefits of retaining strong encryption. This week, Representative Ro Khanna forwarded to Lindsey Graham a letter from the Defense Department's Chief Information Officer, Dana Deasy.

In the letter, first reported by Techdirt, Deasy notes that all DOD-issued unclassified mobile devices are required to be password-protected using strong passwords, and that any data in transit on DOD-issued mobile devices must be encrypted via VPN.

"The importance of strong encryption and VPNs for our mobile workforce is imperative," Deasy wrote.

"As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources," he said. "The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security."

There are endless examples of governments, organizations, and corporations attempting to undermine encryption standards for both surveillance and profit. Comcast, for example, has worked to undermine recent efforts to encrypt Domain Name System (DNS) traffic because doing so would threaten the company's efforts to monetize user behavior online.

Facebook sent a letter this week to Bill Barr, in which the company made it clear that it would not backdoor its encrypted messaging apps at the government's request.

"Cybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere," Facebook wrote.

But while cybersecurity experts and tech giants spent the week warning that weakening encryption harms everyone, a bipartisan coalition of lawmakers remains stubbornly impervious to the argument.

Democratic Senator Dick Durbin largely mirrored Graham's rhetoric at this week's hearings, insisting the latest war on encryption was about ensuring big tech companies weren't beyond the reach of the law. "We're talking about our government protecting our citizens," he insisted, seemingly oblivious that eroding encryption would likely have the exact opposite impact.

The Justice Department has argued for years that by including strong encryption on their networks and in their products, Silicon Valley giants are undermining the government's quest to rein in criminals. But security experts, and now the DOD, have made it abundantly clear that encryption protects everybody, not just the worst segments of society.

So far, politicians like Graham have made it abundantly clear they're not listening, insisting that if tech companies don't set about backdooring their products and weakening encryption, there will soon be hell to pay.

"My advice to you is to get on with it, because this time next year, if we haven't found a way that you can live with, we will impose our will on you," Graham said.


Inspecting TLS Web Traffic Part 1 – Security Boulevard

In this series of blogs I'm going to talk about how the continued move towards all web traffic being encrypted has impacted enterprise security. In this blog I'm going to focus on the basics: what encrypted web traffic is, and how you can proactively control it.

TLS encryption is the de-facto encryption technology for delivering secure web browsing, and the benefits it provides are driving the levels of HTTPS traffic to new heights. Every day, more HTTPS web traffic traverses the internet in a form that provides security and trust for users. This traffic is encrypted with TLS, a transport layer encryption protocol that protects data against unauthorized access and eavesdropping. Current estimates indicate that over 90% of all web traffic is now encrypted.

However, not all HTTPS traffic is benign; attackers and malware writers also leverage encryption to hide their activities. In a recent report, it was stated that 60% of malicious traffic is encrypted. Without the proper security controls, encrypted web traffic can be a blind spot in securing your network and users.

TLS Primer

Secure Sockets Layer (SSL) was originally developed by Netscape Communications in 1995 to provide security for internet communications. However, in 1999, Netscape handed over the protocol to the Internet Engineering Task Force (IETF). Later that year, the IETF released TLS 1.0, which was, in reality, SSL 3.1. Recently, TLS 1.3 was released, but most websites still use TLS 1.2.

For clarity, in these blogs, I exclusively use TLS, but this has exactly the same meaning as SSL or SSL/TLS.

TLS provides a secure channel between two endpoints, typically a client browser and a web server, to provide protection against eavesdropping, forgery, or tampering with the traffic. To provide this security, SSL uses X.509 digital certificates for authentication, encryption to ensure privacy, and digital signatures to ensure integrity.

Essentially, SSL/TLS creates a secure tunnel between the two endpoints, and the web traffic is transmitted inside the tunnel. The encrypted traffic is called HTTPS and uses TCP port 443 to communicate between the client browser and the Web server; unencrypted HTTP traffic uses TCP port 80.

It is worth noting that, although SSL/TLS is primarily used to secure HTTP traffic, SSL/TLS was designed so that it could provide security for many other application protocols that run over TCP.

HTTPS Web Traffic: An Overview

To allow proactive inspection and control of HTTPS web traffic, it is necessary to look inside the secure tunnel and examine the encrypted traffic. One effective way to deliver this capability is to deploy a Secure Internet Gateway (SIG) or Secure Web Gateway (SWG) that is able to intercept and decrypt the HTTPS traffic. This technique of intercepting and decrypting traffic is known as Man-in-the-Middle (MITM).

To achieve MITM, a secure connection is created between the client browser and the Secure Internet Gateway (SIG) or Secure Web Gateway (SWG), which decrypts the HTTPS traffic into plain text. Then, after being analyzed, the traffic is re-encrypted, and another secure connection is created between the SIG or SWG and the web server. This means that the SIG or SWG is effectively acting as an SSL/TLS proxy server and can both intercept the SSL/TLS connection and inspect the requested content.
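The post does not spell out what makes the client half of that arrangement work: the gateway presents the browser with a certificate for the origin host that it signed with its own private CA, so the browser only accepts the gateway's connection if that CA has been pushed into its trust store, and a host whose leaf chains to a private CA is also how you can tell that your traffic is being inspected. The Go program below is an added example (not Akamai's code and not from the original post) that mints such a gateway CA and an on-the-fly leaf certificate, then checks both outcomes; the CA name, host name, lifetimes and function names are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// GatewayChain is a constructed stand-in for what an inspecting gateway
// presents to the browser: its own CA plus a leaf it minted for the origin
// host.  CA name, host and lifetimes are invented for this example.
type GatewayChain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// MintGatewayChain plays the gateway: create a private CA once, then sign a
// certificate for the requested host with it, which is what the gateway does
// on the fly for every HTTPS origin a client visits through it.
func MintGatewayChain(host string) (*GatewayChain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Gateway CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	// The leaf names the origin host but is signed by the gateway CA,
	// not by the origin's real, publicly trusted CA.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &GatewayChain{CA: ca, Leaf: leaf}, nil
}

// ClientAccepts plays the browser: the gateway's leaf passes validation only
// when the gateway CA is in the client's trust store.  An empty pool is what
// an unmanaged device sees, and the handshake fails as unknown authority.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// InspectedBy is the check a client-side tool can run to notice interception:
// the leaf for a public site was issued and signed by the private gateway CA.
func InspectedBy(leaf, ca *x509.Certificate) bool {
	return leaf.Issuer.CommonName == ca.Subject.CommonName && leaf.CheckSignatureFrom(ca) == nil
}

func main() {
	chain, err := MintGatewayChain("example.com")
	if err != nil {
		panic(err)
	}
	managed := x509.NewCertPool()
	managed.AddCert(chain.CA)
	fmt.Println("managed client accepts:", ClientAccepts(chain.Leaf, "example.com", managed))
	fmt.Println("unmanaged client accepts:", ClientAccepts(chain.Leaf, "example.com", x509.NewCertPool()))
	fmt.Println("leaf chains to gateway CA:", InspectedBy(chain.Leaf, chain.CA))
}
```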

This capability is available in Akamai's Enterprise Threat Protector service, and it allows inspection of the requested URL to determine if the requested URL is safe or malicious. Payloads received from the web servers are also decrypted and inspected by the ETP Payload Analysis functions to determine if the content is safe or malicious.


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Jim Black. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/SmvM3N8ShWc/inspecting-tls-web-traffic---part-1.html


Facebook’s push for end-to-end encryption is good news for user privacy, as well as terrorists and paedophiles – The Conversation AU

Facebook is planning end-to-end encryption on all its messaging services to increase privacy levels.

The tech giant started experimenting with this earlier this year. Soon, end-to-end encryption will be standard for every Facebook message.

But Australian, British and United States governments and lawmakers aren't happy about it. They fear it will make it impossible to recover criminal conversations from Facebook's platforms, thus offering impunity to offenders.

For instance, this was a major concern following the 2017 London terror attacks. Attackers used WhatsApp (Facebook's end-to-end encrypted platform), and this frustrated police investigations.

But does Facebook's initiative place the company between a political rock and an ethical hard place?

End-to-end encryption is a method of communicating more securely, compared to non-encrypted communications.

It involves using encryption (via cryptographic keys) that excludes third parties from accessing content shared between communicating users.

When the sender wants to communicate with the receiver, they share a unique algorithmic key to decrypt the message. No one else can access it, not even the service provider.


Facebook's plan to enact this change is paradoxical, considering the company has a history of harvesting user data and selling it to third parties.

Now, it supposedly wants to protect the privacy of the same users.

One possible reason Facebook is pushing for this development is because it will solve many of its legal woes.

With end-to-end encryption, the company will no longer have backdoor access to users' messages.

Thus, it won't be forced to comply with requests from law enforcement agencies to access data. And even if police were able to get hold of the data, they would still need the key required to read the messages.

Only users would have the ability to share the key (or messages) with law enforcement.

Implementing end-to-end encryption will positively impact Facebook users' privacy, as their messages will be protected from eavesdropping.

This means Facebook, law enforcement agencies and hackers will find it harder to intercept any communication done through the platform.

And although end-to-end encryption is arguably not necessary for most everyday conversations, it does have advantages, including:

1) protecting users' personal and financial information, such as transactions on Facebook Marketplace

2) increasing trust and cooperation between users

3) preventing criminals eavesdropping on individuals to harvest their information, which can render them victim to stalking, scamming and romance frauds

4) allowing those with sensitive medical, political or sexual information to be able to share it with others online

5) enabling journalists and intelligence agencies to communicate privately with sources.

However, even though end-to-end encryption will increase users' privacy in certain situations, it may still not be enough to make conversations completely safe.


This is because the biggest threat to eavesdropping is the very act of using a device.

End-to-end encryption doesn't guarantee the people we are talking to online are who they say they are.

Also, while cryptographic algorithms are hard to crack, third parties can still obtain the key to open the message. For example, this can be done by using apps to take screenshots of a conversation, and sending them to third parties.

When Facebook messages become end-to-end encrypted, it will be harder to detect criminals, including people who use the platform to commit scams and launch malware.

Others use Facebook for human or sex trafficking, as well as child grooming and exploitation.

Facebook Messenger can also help criminals organise themselves, as well as plan and carry out crimes, including terror attacks and cyber-enabled fraud extortion hacks.

The unfortunate trade-off in increasing user privacy is reducing the capacity for surveillance and national security efforts.


End-to-end encryption on Facebook would also increase criminals' feeling of security.

However, although tech companies can't deny the risk of having their technologies exploited for illegal purposes, they also don't have a complete duty to keep a particular country's cyberspace safe.

A potential solution to the dilemma can be found in various critiques of the UK's 2016 Investigatory Powers Act.

It proposes that, on certain occasions, a communications service provider may be asked to remove encryption (where possible).

However, this power must come from an authority that can be held accountable in court for its actions, and this should be used as a last resort.

In doing so, encryption will increase user privacy without allowing total privacy, which carries harmful consequences.

So far, several governments have pushed back against Facebook's encryption plans, fearing it will place the company and its users beyond their reach, and make it more difficult to catch criminals.

End-to-end encryption is perceived as a bulwark for surveillance by third parties and governments, despite other ways of intercepting communications.

Many also agree surveillance is not only invasive, but also prone to abuse by governments and third parties.

Freedom from invasive surveillance also facilitates freedom of expression, opinion and privacy, as observed by the United Nations High Commissioner for Human Rights.

In a world where debate is polarised by social media, Facebook and similar platforms are caught amid the politics of security.

It's hard to say how a perfect balance can be achieved in such a multifactorial dilemma.

Either way, the decision is a political one, and governments - as opposed to tech companies - should ultimately be responsible for such decisions.


Facebook’s end-to-end encryption will enhance user privacy but its not good news for law enforcement – Firstpost

The Conversation, Dec 16, 2019 16:16:27 IST


Roberto Musotto, Cyber Security Cooperative Research Centre Postdoctoral Fellow, Edith Cowan University; David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.


US Government steps up fight on Apple and Facebook’s use of encryption – Stuff.co.nz

OPINION: The technology and privacy debate has just taken a turn for the worse, with US Senator Lindsey Graham directing some colourful threats towards Apple and Facebook during a Senate Judiciary Committee hearing this week.

"This time next year, if we haven't found a way that you can live with, we will impose our will on you."

"You're going to find a way to do this or we're going to go do it for you."

Those are just two of the explosive threats Graham made, referring to the two companies' use of end-to-end encryption on their platforms.


Graham's comments followed a tone set by US Attorney General William P. Barr, who on Monday said that dealing with how big tech used encryption was one of the Justice Department's "highest priorities."

Barr claimed that cartels and child pornographers used the feature to hide their criminal activities, saying the companies' message to customers was "no matter what you do, you're completely impervious to government surveillance". "Do we want to live in a society like that? I don't think we do."

From a technical point of view, he's not wrong. That makes the row over encryption, from a law-maker and law-enforcement point of view, a maddening one. Big tech companies like the two mentioned above are, in some scenarios, actively (but inadvertently) preventing governments from doing their jobs as effectively as they could.


US Senator Lindsey Graham has warned tech companies that official action will be taken if they can't come up with a solution.

In a rare display of cross-party unity, both Democrats and Republicans argued that Apple and Facebook's use of encryption was getting in the way of justice.

Graham even went as far as to say "We're not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion."

Strong stuff. But the Senator's colourful words don't tell the whole story.

End-to-end encryption isn't there to prevent justice from being served. It's just one of the unfortunate byproducts as we found out when Apple refused to grant the FBI backdoor access to the San Bernardino mass shooter's iPhone back in 2015.

Apple's message at the time was a sensible one: "Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."

In plain English, this means Apple couldn't provide the FBI with a one-time backdoor to the shooter's iPhone. The only way Apple could deliver this, as I understand it, would be to roll out a software update to all iPhone users. That would provide the FBI with a backdoor to all iPhones.

My view on this is similar to Apple and Facebook's. Encryption is there to offer us, the user, one of our basic human rights, privacy. It's a widely-used, and pretty basic, piece of technology that allows personal messages to remain how they were intended. Personal.

Apple's user privacy manager, Erik Neuenschwander, put across an eloquent argument for encryption when he said: "We've been unable to identify any way to create a back door that would work only for the good guys."

Likewise, WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky put the argument against encryption across eloquently with a written testimony that read: "The 'backdoor' access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes. That is not something we are prepared to do."

But there was a definite lack of unity when the two tech giants offered possible solutions for the problem.

With Facebook's Sullivan suggesting that "on-device scanning" could be a viable option, Apple's Neuenschwander said, "We don't have forums for strangers to contact each other ... and our business doesn't have us scanning material of our users to build profiles of them."

What's going to happen now? Nothing. Not in the immediate future anyway. The next significant step will likely come as William Barr hopes to have his Justice Department investigations of the big tech platforms - Facebook, Google, Amazon and Apple - completed next year.

Whatever is eventually decided in the US will, no doubt, have repercussions throughout the rest of the world.


Michael Hayden Ran The NSA And CIA: Now Warns That Encryption Backdoors Will Harm American Security & Tech Leadership – Techdirt

from the good-for-him dept

There are very few things in life that former NSA and CIA director Michael Hayden and I agree on. For years, he was a leading government champion for trashing the 4th Amendment and conducting widespread surveillance on Americans. He supported the CIA's torture program and (ridiculously) complained that having the US government publicly reckon with that torture program would help terrorists.

But, there is one thing that he and I agree on: putting backdoors into encryption is a horrible, dreadful, terrible idea. He surprised many people by first saying this five years ago, and he's repeated it a bunch since then -- including in a recent Bloomberg piece, entitled: Encryption Backdoors Won't Stop Crime But Will Hurt U.S. Tech. In it, he makes two great points. First, backdooring encryption will make Americans much less safe:

We must also consider how foreign governments could master and exploit built-in encryption vulnerabilities. What would Chinese, Russian and Saudi authorities do with the encrypted-data access that U.S. authorities would compel technology companies to create? How might this affect activists and journalists in those countries? Would U.S. technology companies suffer the fate of some of their Australian counterparts, which saw foreign customers abandon them after Australia passed its own encryption-busting law?

Separately, he points out that backdooring encryption won't even help law enforcement do what it thinks it wants to do with backdoors:

Proposals that law-enforcement agencies be given backdoor access to encrypted data are unlikely to achieve their goals, because even if Congress compels tech firms to comply, it will have no impact on encryption technologies offered by foreign companies or the open-source community. Users will simply migrate to privacy offerings from providers who are not following U.S. mandates.

Indeed, this is the pattern we have seen in Hong Kong over the last six months, where pro-democracy protesters have moved from domestic services to encrypted messaging platforms such as Telegram and Bridgefy, beyond the reach of Chinese authorities. Unless Washington is willing to embrace authoritarian tactics, it is difficult to see how extraordinary-access policies will prevent motivated criminals (and security-minded citizens) from simply adopting uncompromised services from abroad.

None of this is new, but it's at least good to see the former head of various intelligence agencies highlighting these points. At this point, we've seen intelligence agencies highlight the value of encryption, Homeland Security highlight the importance of encryption, the Defense Department highlight the importance of encryption. The only ones still pushing for breaking encryption are a few law enforcement groups and their fans in Congress.


Private information at risk from laws allowing access encrypted data – RNZ

A study has found laws which allow governments to access companies' encrypted data are putting private information at risk.

Law enforcement can ask companies to give them access to encrypted data under the Search and Surveillance Act, and that could be misused, an expert says. Photo: Unsplash / Markus Spiske

That's one of the findings from the University of Waikato and New Zealand Law Foundation's study, A matter of security, privacy and trust: A study of the principles and values of encryption in New Zealand.

Lead investigator, University of Waikato legal professor Dr Michael Dizon, said law enforcement could ask companies to give them access to encrypted data under the Search and Surveillance Act, and that could be misused.

"There is something in the law that allows governments to ask any service provider, including your bank, including Facebook, to render reasonable assistance for them to access, to let's say, a criminal's account but the problem there is, it's not very clear what reasonable assistance means, and that becomes a really big problem because they can overstep their bounds."

The study also cited a case in the US where the FBI sought a court order to gain access to a shooter's locked iPhone, after Apple refused to comply on the grounds it would endanger the privacy and security of all its users.

Dizon was concerned that governments could ask companies to create weaknesses in their security systems, such as encrypted internet banking, so they could access the information of terrorists or criminals.

"If you create a backdoor or a weakness in one system, it can be exploited, not just by the police but any other person that can access it so it can be abused by criminals, by malicious state actors - say somebody from another country that has nefarious motives - so the point is there, if there is a weakness, anyone can exploit it," Dizon said.

The researchers recommended that people suspected or charged with a crime should not be forced to disclose their passwords.

They also recommended that companies should only provide information to police or law enforcement authorities if it does not undermine the information security of its products, services and the privacy of its clients.
