Nominee for director of the FBI Christopher Wray. Photo: Jim Watson/AFP/Getty Images

News reports from likely future FBI director Chris Wrays Senate hearing today focused on the question of the agencys independence from the White House. This is understandable the bureaus relationship to the White House is at the top of everyones mind and Wray performed well: My commitment is to the rule of law, to the Constitution, he told members of the Senate Judiciary Committee. But when it came to the less attention-getting, but no less important, question of encryption, unfortunately, Wray performed somewhat less inspiringly: Theres a balance, obviously, that has to be struck between the importance of encryption which we can all respect when there are so many threats to our systems and the importance of giving law enforcement the tools that they lawfully need to keep us all safe, he said.

The problem is that there isnt really a legal balance to be struck when it comes to encryption. American tech companies already comply with lawful orders for user information that isnt fully encrypted, and shy of building backdoors into their products, there isnt a lot more they can do.

Unfortunately, Im still not sure how this is an issue that can be solved by working together with industry, said Matthew Green, a renowned cryptography professor at Johns Hopkins University, after seeing Wrays comments. Either the U.S. government will pursue a strategy that includes mandated encryption backdoors or it wont. I believe other forms of cooperation, such as metadata sharing, are already available.

Wray is entering a decades-long debate, one where a principal argument hasnt really changed: Should you be allowed to make a device or a method of communication thats so secure, even you have no way of knowing what your users are doing or saying? The FBI, famously, was so stumped when it couldnt access San Bernardino shooter Syed Farooks iPhone last year that it invoked the All Writs Act of 1789, a broadly written law used when the government needs an authorization that Congress hasnt yet legislated or thought of, and demanded Apple write a personalized, fake software update to get past the phones login screen. At the 11th hour, the FBI said it had found and paid for a rare vulnerability in the code for the 5c, the model Farook had, and stood down.

Technologists and cryptographers have long been unanimous that forcing a tech company to build a secret vulnerability into their products, only to be used for emergency situations a backdoor is a terrible idea. If cops can use it, hackers and foreign governments can probably find it and exploit users, for one thing. And if American companies would be forced by law to build backdoors, as floated in an ill-fated draft bill last year by senators sympathetic to the FBIs concerns about terrorists going dark, privacy-minded consumers would simply start using secure messaging apps made in countries that didnt have that law.

At the same time, its hard to tell the law-and-order crowd that if a terrorist cell in the U.S. is using Signal, the FBI has to simply throw up its hands and use whatever other investigative tools are at its disposal. Thats why a number of political figures, among them former Democratic presidential nominee Hillary Clinton and former FBI Director James Comey, have rejected the idea of outright backdoors, but like Wray today, still declared a wistful support for some kind of compromise solution, achievable by the tech industry and federal government really putting their heads together.

But politicians and law-enforcement figures pushing for a compromise ignore the realities of mathematics and the dire need to increase internet security in favor of pushing technologists to nerd harder and come up with some magical way to create strong security tools that only the FBI could break, said Amie Stepanovich, U.S. policy manager at Access Now, a group that advocates for digital civil liberties.

In Wrays defense, maybe he only hoped for an impossible compromise because he hasnt had time to give the issue much thought: He readily admitted he was an outsider who didnt have enough information about encryption in front of him to present a formal plan, a repeated theme in his hearing. For the future, Wray might consider stressing that pushing for mandatory backdoors should be off the table, or that strong encryption should be a fundamental consumer protection in a world where Russian intelligence agencies target American civilians, like the heads of U.S. presidential campaigns. Wray could have said that agents stymied by locked phones would have to rely more on old-school investigative techniques. He could have admitted that while the gray market of buying exploits in emergencies is far from perfect, its worked so far, and there simply isnt a better solution out there.

Unfortunately, no senator probed Wray much further on the issue. What does he think the FBI should do if the agency encounters another Farook iPhone case, but this time cant find a vendor hawking exploits? Apparently, hope that math changes.

The site is reportedly closer to running out of funds than many expected.

The domino effect is hard to watch.

Then I dont need a jacket.

Itll hit stores next year.

The FCC and Congress have a lot of reading to do.

Conclusion? No collusion.

Angela Nagles Kill All Normies is among the best examinations of the origins of the alt-right.

No matter how much politicians and law enforcement might wish for it, a compromise on encryption cant happen.

Amazon is considering allowing third-party app developers access to your voice queries to Alexa.

Donald Trump Jr. and the Kremlin are at the heart of todays burgeoning Twitter meme.

AlphaBay, an online bazaar for drugs and other contraband, disappeared over a week ago and took millions of dollars with it.

Talking with New Yorks attorney general about net neutrality and what his office has seen while investigating broadband providers.

Thats one way to tell your neighbor what you think of them.

The company initially tested the ads with users in Thailand and Australia.

Five minutes and 25 seconds of chill vibes.

Some of the incentives were as high as $400,000.

My new sous-vide circulator comes with an internet connection, which is convenient both for me and for any teenage hackers creating a botnet.

Nobody should be able to work a knife that fast.

Continued here:
The Encryption 'Balance' Trump's FBI Candidate Wants Is Mathematically Impossible - New York Magazine

1. What is encryption and why is it important?

Encryption is the process of making content unintelligible to anyone or any device without the proper keys to unlock that content. It is important because every time we use a device on the internet we leave a digital footprint that is accessible to those that either want to monetise this information and or those that wish us harm (e.g. terrorists, hackers etc). Encryption, if implemented the right way, puts you back in control over who you allow to view what information.

2. Is encryption a good thing or a bad thing?

Encryption is an important tool. The important point is to ensure that it is implemented in such a way that it cant be used for bad purposes, only for good. The abuse of this tool may result in actions that are evil. Equally, if your medical provider is using encryption to store your health records, then its a very good thing. Its down to society to implement encryption responsibly.

3. Why should ordinary people be bothered with encryption?

Do you leave the doors of your home unlocked and open? We all expect privacy in our homes unless the law has been broken and even then enforcement agencies require a court order to enter. The internet does not offer the same level of privacy that we enjoy in our homes. Our data is under continual scrutiny by advertisers. Our pictures are misappropriated. Our private messages are put into the public domain. Encryption offers a means to redress the balance, and restore online privacy.

4. What are the dangers of building government backdoors into encryption products?

There are numerous risks:

a bad person could gain access to the backdoor and hence all your data; backdoors make systems more complicated and increase the risk of errors in what honest users are doing; backdoors can threaten the democratic process. Imagine for instance an internet voting system; to have secret ballot voting it is essential that government does not have a backdoor. interoperability across borders. Do backdoors match each other, will overseas customers want to buy products with a foreign governments backdoors in it, and the list goes on.

Rather than a seemingly big brother approach to gaining access to personal data that could be deemed as always on, the appropriate solution should be transparent. By using a system of legitimised key escrow, authorities have the necessary powers to gain access to specific information, while ensuring an individuals privacy is intact.

A system like this is just an online implementation of the already accepted process of law enforcement requiring a warrant to gain access to a persons home.

5. Why is there so much debate about encryption and privacy at the moment?

There are two very strong themes. First, terrorist groups are using encrypted messages to organise their activities. Second, we're seeing a growing number of vital public services being hit by cyber attacks. In short, there is a significant cyber threat to national security.

UK Home Secretary Amber Rudd has stated it is "unacceptable" that internet companies should, "provide a secret place for terrorists to communicate with each other," and has met with technology companies with a view to obtaining access to encrypted messages. This has alarmed many members of the technology community, who have pointed out that any weakening of encryption standards could seriously undermine the UK's ability to compete in online services. Many ordinary citizens are also alarmed about the possible prospect of mass, indiscriminate snooping. No one has yet put forward a balanced solution so the debate continues.

6. Should there be a limit to online privacy?

This is a question for civil, legal and ethical authorities and the answer would vary across the globe. There may be a disparity in government policy across differing countries the access of personal information. What is important is ensuring a uniform technical solution, globally together with the unified interoperable government policy.

7. Is there a way to balance peoples privacy and the need for government intervention?

Yes. The use of well-known and accepted cryptographic cyphers with acceptable policy controls and legitimised key escrow is the answer. This enables internal and cross-border laws to be balanced with civil rights.

After considerable search and thought, Scentrics offers a solution using acceptable and recognised cyphers and has made them accessible to developers through their SDK.

8. What is the next stage to encryption and privacy?

There is a change happening in the way that society views online privacy. For the first time there is a viable, low cost technical solution that is scalable to the masses. It makes the service of privacy simple. A one click solution. It leverages the already existing assets in the ecology of the internet and thereby does not intrude on asking the user to invest in assets to make this work. Considering the heightened sensitivity of this issue amongst all areas of society we see the world adopting this technology to have control over their digital personas (in other words our digital footprint).

Importantly this will deliver the right balance of protecting civil ethics and national security. A legacy infrastructure that we know to be the internet which was never born to cope with the current challenges it faces now must incorporate this new IP within its skeleton just as it did some 28 years ago by allowing for a hypertext protocol which we all know and cherish as the world wide web.

Jerome Mohammed, Operations Director, Scentrics Image Credit: Yuri Samoilov / Flickr

Read this article:
Q&A: The importance of encryption - ITProPortal

Researchers at Los Alamos National Laboratory (LANL) have found that most random number generators used for encryption keys are not truly random.

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

They found that encryption keys are potentially predictable because software-based random number generators typically part of the operating system have a limited capacity.

This is because the software typically depends on capturing signals or events from the physical world, such as mouse movements, hard drive activity and network traffic, to increase the level of randomness.

But because these sources are finite, software-generated encryption keys are not truly random, and could be predicted by attackers. But few organisations are aware of these shortcomings because there is no mechanism for certifying the quality of random number generators.

To address this problem, the quantum security team at LANL spent a decade developing and perfecting the ability to deliver pure entropy the foundation of randomness using quantum technology.

Quantum random number generation is widely regarded as one of the most mature quantum technologies and the inherent randomness at the core of quantum mechanics makes quantum systems a perfect source of entropy. Therefore, only pure quantum entropy is considered to be capable of enabling the generation of truly random numbers for creating cryptographic keys that are impossible to predict.

This capability to generate truly random numbers has been made commercially available through a spin-off firm named Whitewood in reference to Thomas Jeffersons wheel cipher, that was made using discs cut from a cylinder of white wood.

Whitewood is a subsidiary of Allied Minds, which licenses technology from universities and research labs and then sets up companies to commercialise those technologies and take them to market.

In June 2017, Whitewood made this capability available as a free cloud-based service for servers, desktops and laptops running on the Microsoft Windows operating system.

The service is based on the Whitewood Entropy Engine, which uses the core technology developed by LANL and is designed to strengthen cryptographic security systems in traditional datacentres, virtual cloud environments and embedded systems, including internet of things (IoT) devices, where encryption is used increasingly for authentication and assurance of integrity and confidentiality.

The use of crypto tools such as encryption have become ubiquitous in modern IT environments and play a critical role in emerging technologies such as blockchain and bitcoin services and in helping organisations to comply with the EUs General Data Protection Regulation (GDPR).

Encryption is viewed by many organisations as a get out jail card because if they can demonstrate that data was encrypted, they dont have to disclose that they lost it, said Richard Moulds, general manager of Whitewood.

And in the payments world, there are some cost saving benefits because if you encrypt credit card numbers, that database is out of scope in terms of PCI DSS [payment card industry data security standard] assessments.

According to Moulds, PCI DSS is ahead of the GDPR in terms of encryption requirements, so perfect random number generation is likely to become increasingly important for the retail industry, while it is already an area of great interest for banks, the financial services industry and the military.

The free netRandom service for Windows is part of a broader product portfolio from Whitewood that includes support for Linux as well as on-premise entropy management systems with granular reporting functionality and quantum random number generators (QRNGs) for organisations that prefer to deploy their own dedicated or private security infrastructure.

The free service delivers on-demand, quantum entropy from a cloud-based server over standard IP networks to continuously re-seed existing random number generators to make them work properly. Just as the network time protocol drip-feeds time synchronisation to devices, the Whitewood drip-feeds entropy into devices as a background service.

Random number generation is critical for security, but is often poorly understood and is a point of attack and vulnerability highlighted by the SANS Institute as one of the seven most dangerous attacks for 2017, said Moulds.

The growing widespread use of cryptography raises the bar for randomness, making the current best-effort approaches to random number generation no longer sufficient.

In some ways, this is a dirty little secret in the crypto industry, and although it is a problem that is almost universal, almost nobody has thought about it. People tend to worry about where and how encryption keys are stored, who has access to the keys, and who is able to revoke a key, but few people think about where those keys come from or about how random they are.

Underlining the problem, researchers at the University of Pennsylvania found in a 2012 study that 0.75% of TLS certificates shared keys because of insufficient entropy during key generation, and that they were able to obtain the private keys for 0.50% of TLS hosts and 0.03% of SSH hosts because their public keys shared non-trivial common factors due to poor randomness.

According to Moulds, new data protection and privacy regulation such as GDPR raise the bar for randomness even further as organisations seek to use strong encryption, both to protect data from theft by making it unintelligible and to potentially avoid data breach disclosure obligations.

The rapid growth of the IoT is also focusing attention on crypto security as a means of ensuring correct operation and trustworthiness of safety-critical devices and systems such as drones, driverless cars and smart grid infrastructure, he said.

Cryptographic keys can be compromised through theft or calculated guesswork, said Moulds. There is a constant race to keep ahead of the attackers who can exploit ever-faster processing resources to break traditional random number and key generation methods and crypto algorithms a capability that will get a further boost with the availability of quantum computers.

The trend towards virtualisation, containers and distributed environments compounds the problem by abstracting applications from the physical world and the entropy within it, he said.

In the virtual world running on shared hardware with dynamic replication, there can be little or no real entropy, increasing the risk of entropy starvation and making it virtually impossible to guarantee the quality of key generation and system security without entropy from a trusted source, said Moulds.

For this reason, Whitewood is able to deliver entropy not only to physical machines, but also to virtual machines, containers and IoT devices. Whatever random generators developers use, they will work correctly because they are being seeded or shuffled so frequently, said Moulds.

Whitewood has solved three problems, he said: How to generate good entropy fast so there is enough to supply thousands of virtual machines; how to deliver it securely over a network; and we plugged it into the operating system so we are not forcing application developers to adopt a different random number generator because we are enabling existing random number generators in Windows and Linux to work better.

Continued here:
Encryption keys too predictable, warn security researchers - ComputerWeekly.com

Social media giants will be compelled to pass encrypted messages on to Australiansecurity agencies under new laws introduced by the Turnbull government on Friday.

Prime Minister Malcolm Turnbull said the new laws were needed to target terrorists, paedophile rings and organised crime gangs.

Similar laws already affected telco companies, hesaid.

We have the right now to get the cooperation from the telephone companies. What we dont have is the legal right to get that sort of cooperation from the internet companies like Facebook, or WhatsApp, or Telegram and so forth, and Google, Mr Turnbulltold Channel Sevens Sunrise program.

He said the legal system needed to catch up with technological changes.

We cannot allow the internet to be used as a place for terrorists and child molesters and people who peddle child pornography and drug traffickers to hide in the dark.

Those dark places online must be illuminated by the law.

Im not talking about giving intelligence agencies backdoors or anything underhand. This is simply saying the rule of law must prevail online as it does offline.

Attorney-General George Brandis told ABC Radio hed been assured it was feasible to seize encrypted messages from WhatsApp or Signal.

What this does is merely contemporise for the modern era what is a well-established legal principle, and that is persons, including companies, can be subject to an obligation to assist law enforcement in resolving crimes and that principle shouldnt depend upon the nature of the technology, Senator Brandis said.

What we are proposing to do, if we cant get the voluntary cooperation that we are seeking, is to extend the existing law that says to individuals, citizens and to companies, in certain circumstances you have an obligation to assist law enforcement if its within your power to do so.

The laws that exist at the moment predate the development of encryption, all we are seeking to do is to apply an existing principle to a new technology.

Senator Brandis said he would introduce the laws between now and the end of the year.

He told Sky News the proposed laws had nothing to do with mass surveillance and most Australians would not be impacted.

It is not mass surveillance and its not going to make their everyday dealings in social media insecure, Senator Brandis said.

The fact is that information security is a very high value. It is an economic benefit. It matters to people and the Government is determined to protect it.

But having said that, there is also an important value to be served in protecting national security.

David Glance, Director of the University of Western Australia Centre for Software Practice, said it was not knownhow the proposed laws would take effect.

Although Brandis referred to the UKs Investigatory Powers Act, the UK Government hasnt actually made public how dealing with encrypted messages would work, Dr Glance toldThe New Daily.

There is obviously the debate about whether this will really help them in any event Plus, they are [already] able to hack peoples devices, get metadata, et cetera. So the question is why isnt that enough?

Dr Glance said encrypted messages could only be decoded if the companies involved weakened their encryptions and stored user keys.

He said people had reason to be concerned about what it could mean for them.

Not necessarily from the government but from criminals and hackers who will exploit weakened security to snoop, steal intellectual property, identities and other things.

Obviously there is a contradiction in their attempts to increase cybersecurity against nation state attacks and at the same time, weakening encryption to allow them to access anyones communications. They cant have it both ways.

Anthony Albanese told Channel NineLabor would consider the legislation.

The New Dailyhas contacted Greens spokesperson for communications Senator Scott Ludlam for comment.

Read this article:
Turnbull government to compel social media giants to hand over encrypted messages - The New Daily