The people were most worried about will circumvent it and the ones who most need it are the ones who are going to lose their privacy.

In a press conference this FridayPrime Minister Malcolm Turnbull announced the Governments intention to introduce new encryption laws that would compel tech companies to provide Australian security agencies with access to encrypted messages. The laws are intended to make it easier for law enforcement to access the messages of suspected terrorists and criminals.

Unfortunately, Turnbull also used the press conference to demonstrate a deep misunderstanding of how encryption works. Specifically, he said that the laws of mathematics are very commendable but do not apply in Australia. This did not inspire confidence.

Given the importance of encryption for security and privacy, and the enormous potential consequences of inserting so called backdoors in software, people are understandably pretty freaked out. The UK laws the Australian laws are supposedly based on have also been roundly criticised as an invasion of privacy, and have been nicknamed the Snoopers Charter for that reason.

For the time being, though, its not totally clear exactly what the Australian laws will entail, whether theyll work, and whether theyll be much of a threat. Heres what you need to know at the moment:

Apart from that the laws of mathematics dont apply down under? Not much.

Basically, Turnbull said the government is concerned about making sure the rule of law applies online as well as offline so that the internet is not used as a dark place for bad people to hide their criminal activities from the law.

Attorney-General George Brandis emphasised that the new laws are not changing any existing legal principle. It has always been accepted that in appropriate cases, under warrant, there can be lawful surveillance of private communications. He characterised the new laws as bringing these up to date with technology.

As far as how the government plans to ensure this, we got vague mixed messages. Turnbull insisted that the legislation will require [tech companies] to provide assistance, except not through backdoors, but legitimately, appropriately.

The problem? Its not clear what this means, or whether its possible.

End-to-end encryption, which is used by messaging applications like WhatsApp, works by scrambling a message as its transmitted such that it can only be unscrambled by the intended recipient. The Guardian has an excellent explainer on how encryption works here, but the basic takeaway you need is this: the service provider (i.e. WhatsApp), cannot unscramble the message.

This is the point on which the governments vague press conference doesnt make a lot of sense. The law may compel companies like WhatsApp to provide assistance, but theres not a lot that WhatsApp can do. In the words of independent cybersecurity researcher Troy Hunt, you cant break the mathematics in that way, its just not how it works.

This brings us to the question of backdoors. A backdoor is a method of bypassing security or encryption, which can end up in a program by design or by mistake. One way that the government could hypothetically obtain encrypted messages is if they were able to compel an encrypted messaging provider to remove encryption, or to implement some kind of backdoor allowing messages to be retrieved from a device.

The problem with inserting backdoors, as Troy Hunt puts it, is that you cant ensure theyll only be used by legitimate forces. Once there is a way of exploiting devices, sooner or later it tends to fall into the hands of people its not meant to, he told Junkee.

The global WannaCry ransomware attacks several months ago, for example, were the result of a backdoor in Windows operating systems being exploited by malicious hackers. When security is compromised through backdoors or the removal of encryption, everybody loses.

Of course, Turnbull was adamant that no backdoors would be used. But given that he was cagey on how exactly the laws would work, people are a bit worried.

Troy Hunt told Junkee what the laws might actually mean in practice.

He thinks that rather than trying to compel services like WhatsApp to remove their encryption, were more likely to see the government proactively pursue intercepting messages at the end points, for example by using exploits to gain access to it on phones of suspects, which makes a lot more sense technically than what some of the headlines say at the moment.

This would entail trying to work with companies like Apple and Samsung to break into their devices something that has received huge pushback from such companies in past. Given that in the past tech companies have stood their ground, and ultimately it took the FBI paying about a million bucks to get some exploit tool to get in, Troy isnt particularly worried about the Australian governments use of backdoors becoming particularly widespread in practice, even if thats their tool of choice.

While it might be unlikely that the government manages to force tech companies to bypass encryption, Troy cautions that it wouldnt be great for most of us if they did.

If they managed to do that, we still have all of these mechanisms of encryption that are outside the scope of any one company or service we still have things like PGP mail. And all of these channels will still exist for people who want to use them and keep their messages private.

The people were most worried about will circumvent it and the ones who most need it are the ones who are going to lose their privacy.

Basically, at the moment what the governments proposing is pretty unclear, and sounds a bitdodgy, but nothings actually been finalised. The takeaway for now is that this is one to watch further details of the actual laws will emerge as the bills themselves are drafted.

Sam Langford is Junkees Staff Writer. She tweets at@_slangers.

Originally posted here:
Everything You Should Know About The Government's New Encryption Laws - Junkee

Jerry Irvine, EVP, CIO, Prescient Solutions

CIOs and their corporations are looking for the magic bullet to protect their intellectual property and the personally identifiable information of their clients, partners and employees. Legacy security measures such as firewalls and antivirus provide little protection from hackers and malicious users breaching the enterprise environment and the implementation of more strict access controls.Data loss prevention (DLP) solutions are cumbersome and limit the productivity of end users.

With these technical and business constraints in place, CIOs are turning to encryption of data across the entire data life cycle to mitigate the risks of lost or stolen information. But does todays encryption technology really provide the levels of confidentiality required in this totally Internet connected world?

There are three primary phases in which data can be encrypted: in transit, at rest, and in use. The highest level of data protection currently exists in the data transmission phase. In this phase, encryption occurs between specific communicating devices. Protection provided by encryption in transit includes confidentiality from eavesdropping and sniffing, or man-in-the-middle attacks. Applications such as VPN clients and browser based HTTPS provide strong encryption processes which protect the confidentiality of data making it very difficult for unauthorized users to intercept. It is common practice for organizations to encrypt of data transmitted from remote devices; however, data that is being transmitted on internal networks typically goes unencrypted. There is a perception that data transmitting the internal network, or even that being transmitted to remote facilities, is secure and therefore does not require encryption. Nevertheless, an organizations internal network can be easily breached making data vulnerable to the same risks of eavesdropping, sniffing and man-in-the-middle attacks. Consultants, vendors and individuals off the street not only have access to wireless networks but often have access to network jacks in conference rooms, cafeterias and other common areas. Also, devices that do not require direct authentication (i.e. printers, scanners, industrial controls, etc.) can be infected with malware that can eavesdrop, sniff, or capture traffic and send out information to the Internet. Past concerns of implementing encryption to internal data transit included increased overhead on servers, network devices and end user workstations. This overhead could cause systems delays, loss of connectivity and loss or corruption of data. Many of todays server and network technologies have data encryption capabilities built in to allow for easier configuration and implementation and minimize the impact on utilizations. Implementing encryption of data in transit from endpoint to endpoint, both remotely and internally is mandatory in todays cyber risk environment.

The highest level of data protection currently exists in the data transmission phase with the at rest and in use phases close behind

Another phase of data encryption is the encryption of data at rest. Implementing encryption of data at rest is the easiest of all phases and, in fact, is built in on many devices such as smartphones, tablets and PCs. There are really no reasons not to encrypt all data on smartphones, tablets, PCs; however, there are some major limitations of encrypting data at rest. Users and applications must be able read data in order to use it, consequently, when a user or application logs into the system the data must appear decrypted. This is both necessary and a major vulnerability because when a user or application logs in all data, even that data at rest that they have access to, becomes readable. So, if a users device or application is infected with a virus, malware, etc. and they log in all data on their system or systems they can access becomes available to the hacker.

The last phase of data encryption is encryption of data in use, this is the weakest link. As defined in the previous encryption of data at rest section, in order to make use of data, it must be readable or decrypted. Many applications, database companies and cloud service providers are claiming different levels and characteristics of encrypted data in use; but, current technology does not make this completely possible. Encryption of data in use relies heavily on encryption of data at rest and in combination with strong authorization and access controls. By allowing only authorized users, limiting their access to the principles of least privilege and performing on the fly decryption of data upon access, companies are providing a minimal level of encryption of data in use.

Based on the functionality of encryption within the different phases, it must be obvious that encryption is not a silver bullet for the protection of data.

Encrypting data in transit can be compromised even if it is being performed across both internal and remote networks via the placement of malware on authorized devices that can eavesdrop or sniff data as it traverses the enterprise. Encrypting data at rest can also be overcome via the placement of malware on an authenticated device and it can also be bypassed by un-authorized users who illegally obtain valid user ids and password which have rights to view the data. The encryption of data in use with existing technologies uses the same but stricter rules as defined within the encryption of data at rest phase and therefore can be compromised in the same ways.

Encryption is designed to provide an additional layer of data protection but complex authorization policies and strict access controls providing only the least amount of privileges necessary for a user to perform their functions are still required in the protection of data. If hackers get into a network but are unable to gain authorized access with valid credentials, encryption will protect data from being read, copied or manipulated. However, cyber incidents facilitated by gaining un-authorized access to systems using valid user credentials, such as phishing scams or social engineering, can allow hackers complete access to decrypted data.

Continued here:
Encryption -Is it enough? - CIOReview

by Letters Leyonhjelm's superiority is illusionary

Did David Leyonhjelm not prove the "illusionary superiority" of his own intelligence in "The great nanny state delusion" (July 14).

His premise was that academics demonstrated "illusionary superiority" and so, those promoting nanny state policies who are also predominantly academics are wrong in their belief they have the right to dictate what is good for everyone. He endorses this by saying no trade organisation has ever told him what is good for him.

First, his study analysis is weak. If 55 per cent of Americans believed themselves to be above average intelligence, then only 5 per cent overestimated and 95 per cent were quite realistic. If 75 per cent of the people with qualifications thought themselves to be above average intelligence they could be absolutely correct, dependent on the percentage who have a qualification.

Secondly, how can Leyonhjelm ignore the blatant indoctrination of the CFMEU and the like into society?

To conclude that bans on smoking, drinking, cycle helmets and lock-outs are all illusionary dictates from such weak reasoning is the delusion. I share his belief in personal freedoms, but freedoms bounded strongly by societal laws with the consequential costs of such freedoms born by the individual, not the state. It should be an ideological argument, not one based on apparent flawed bias.

Jack Parr

Sandringham, Victoria

Senator Leyonhjelm is a champion for those who believe they should be able to profit from harming others and pass the costs on to others. He also puts his ideology before any objective assessment of the evidence.

In 2008 the NSW Government introduced a measure in which liquor outlets associated with more than 10 violent incidents in a year are publicly listed and subject to a range of restrictions, mainly around the service of alcohol, until such time as the annual number of violent incidents have been reduced. The violent incidents in listed venues had dropped by 84 per cent since the scheme began, when 48 venues were associated with 1270 violent incidents. In 2015 there were only 14 listed venues associated with 200 violent incidents. The vast majority of us would agree that pubs and clubs should be required by law to be responsible in the way they sell their products, to reduce harm to their patrons, their staff and the police and ambulance workers.

Similarly the way gambling products are allowed to be offered impacts on the levels of suicides, family violence, fraud and homelessness that can result from excessive gambling.

The community is right to restrict those who profit from others' suffering.

Mark Zirnsak

Uniting Church in Australia

Melbourne, Vic

Why is David Leyonhjelm surprised if a group of people who have been through a process of selection for intellectual ability are higher than the average in this characteristic? If they weren't smarter then there is something wrong with the process of obtaining high qualifications.

Senator Leyonhjelm thinks that he knows better than the experts who study climate change. But it is going to extremes to then seek to denigrate smart people by saying it is illusionary for them to think that they are smart.

Perhaps politicians should be encouraged to listen to smart people?

Reg Lawler

Dagun, Qld

Chanticleer columnist Tony Boyd has been writing strongly about the Perpetual versus Brickworks court case ("Brickworks case carries lessions for Perpetual and shareholder activists" July 12) but his conclusions about what it means for shareholder activism should not go unchallenged.

The judge's decision supports a grandfathered corporate structure from the 1960s that no modern ASX listed company would be allowed to create.

But a decision at law as to the role of directors is not the same as celebrating a 'win' for directors over minority shareholders. Perhaps the more relevant issue here is who should pay the multi-million dollar bill for the case Perpetual unitholders or shareholders and whether the ASX listing rules or the Corporations Act should be amended so that the undemocratic cross-shareholding arrangement has to be unscrambled.

One vote, one value is an important democratic principle at public companies and the Millner family, along with their independent directors, continue to disregard shareholders in order to entrench their control through structures that neuter traditional board accountability mechanisms.

The Australian Shareholders' Association congratulates Perpetual for trying to do the right thing.

And we would prefer commentary to be balanced and note that the other aspect of the case is that Brickworks and Soul Pattinson directors could show respect for their independent shareholders by voluntarily unwinding the gerrymander.

Judith Fox

Chief executive

Australian Shareholders'Association

The government's proposal to force "backdoors" into encryption creates massive systemic vulnerabilities that outweigh any marginal good. We rely on strong encryption to secure all commerce, privacy and freedom of speech. No entity can guarantee that backdoors can be secured; a fact repeatedly demonstrated by continuing government and private sector data breaches. Further, the "encryption technology genie" is in the public domain and cannot be put back in its bottle. Access to powerful encryption tools is trivially easy, irrespective of legislation. The government is proposing that global information platform companies "don't have to break encryption, they just have to give us the data". This semantic "spin" suggests you can preserve strong encryption and yet still access individual data at will. This is nonsense.

Yes, strong encryption could be preserved for data "in transit" but ultimately a backdoor is required to access the data "at rest" or as it is entered into, or displayed on, a device. This is functionally equivalent to creating encryption backdoors; any of which create global vulnerabilities with ultimately certain catastrophic consequences. And they do not actually guarantee a window into nefarious activity. Strongly encrypted backdoor-free platforms do make law enforcement work harder, but there are a range of approaches to penetrating the communications of specific criminals that do not create massive systemic vulnerabilities for our economies, our societies and for us as individuals. The government's "backdoor by any other name" proposals are folly and ultimately un-enforceable. They should be set aside.

Roderick Laird

Glen Iris,Vic

Vale Liu Xiaobo. An example of standing up for what is right even when being pushed down and locked away. The world needs more heroes that fight for a better and freer world.

Dennis Fitzgerald

Box Hill, Vic

View post:
Letters: nanny state, Perpetual and encryption - The Australian Financial Review