Category Archives: Encryption
Commissioners need to rethink encryption – LancasterOnline
Note: The following letter was sent Friday to Lancaster County Commissioners Dennis Stuckey, Craig Lehman and Josh Parsons.
I strongly urge you to reconsider the decision to encrypt police department radio transmissions before this change takes place in November.
First, the health and safety of both our Lancaster County community and the law enforcement officials who protect it are paramount.
Second, essential to the well-being of our county must be a government system that values public accessibility, transparency and accountability.
These two truths must find a way to co-exist.
Certainly, a healthy democracy and an informed citizenry here do not depend solely on public and news media access to Lancaster County police radio broadcasts. Both are, however, seriously diminished when the public's right to know is further eroded - something that is becoming alarmingly common in our commonwealth and across this country.
Our newspaper has long relied on police communication to provide the public with emergency information. "I consider a scanner as essential to my job as a wrench to a plumber," a longtime television journalist in Oklahoma wrote to me last Sunday. He reached out in support of LNP's July 5 editorial opposing encryption.
Think snowstorms. Vehicular accidents. Road closings. Gas leaks. Homicides. Violent protests.
"Radio access enables news outlets to work hand-in-hand with first responders to keep the public away from dangerous situations," Melissa Melewsky, media law counsel for the Pennsylvania NewsMedia Association, noted in a recent LNP article. "Total encryption addresses a problem that doesn't exist where the media is concerned."
West Hempfield Township Police Chief Mark Pugliese I, who chairs the county chiefs Police Advisory Board to Lancaster County-Wide Communications and represents the county Chiefs of Police Association on this issue, appears to agree.
Referring to events worldwide and expressing concern for police safety, he told you it's not unusual for officers today to be ambushed. But he also acknowledged that "we're not getting that so much in Lancaster County."
Additionally, the chief spoke about incidents here where the public or the media interfered with investigations, in some cases by getting to crime scenes more quickly than police.
When pressed by an LNP reporter, Chief Pugliese could not cite a single situation in Lancaster County where the media interfered at a crime scene.
The chief says he is not anti-media.
Nor am I anti-law enforcement.
When the earth rumbles or a gun fires, citizens rely on police and other first responders to courageously address the emergency. They expect us in the news media to tell them what is happening. Shutting off access to information feeds distrust and anxiety; it fuels the spread of misinformation by social media commenters unbound by the journalistic standards of citing sources and confirming details.
Chief Pugliese said that the removal of public and media access to police broadcasts will make it incumbent on police to improve the lines of communication.
Experience suggests to me that will not happen; I don't see that as law enforcement's primary role, and I don't see how it does either. Access to timely and accurate information that serves the public interest will suffer as a result.
Like law enforcement, we in the news media must be allowed to do the work we are trained to do. It is incumbent upon us to get it right and to be held accountable if we don't.
While all three of you are and must be concerned about police safety, Commissioner Lehman has said that blocking police communication might give officers a false sense of security and further isolate them from the community. He's suggested a compromise of encrypting public transmissions, but allowing access to the news media.
It is certainly a better option.
I was at home July 2 and only yards away from the horrific Manor Township gas explosion that killed one man and injured others as it leveled a house, severely damaged neighboring homes and, in seconds, rattled the psyche of an entire community.
Frightened neighbors ran outside their homes, erroneously speculating about the cause of the blast. I called the newsroom and was accurately informed that it was a gas explosion. Then I walked to the scene to join my newspaper colleagues in probing more deeply as we talked with witnesses, questioned officials and provided real-time information that a county wanted and needed in that moment.
Fire and ambulance dispatches, the ones that guided us that day, are not part of the planned encryption here. At least not yet. As Chief Pugliese noted, the scrambling of police communication, and that of fire and ambulance, is becoming the national norm.
I don't think that's the way to go. I do believe a compromise can be struck, one that will allow law enforcement to do its work, and enable those of us in the news media to do ours.
We both exist, after all, to serve our Lancaster County community to the very best of our abilities.
Barbara Hough Roda is executive editor of LNP and LancasterOnline. Email: broda@LNPnews.com; phone, 717-481-7335; Twitter, @BarbRodaLNP.
Ex-NSA chief Chris Inglis backs government’s encryption push against Apple, Facebook – The Australian Financial Review
The deputy director of the United States' National Security Agency (NSA) during the Edward Snowden leaks has backed the Australian government's push to force tech giants to assist in revealing the content of some encrypted messages, saying the likes of Facebook and Apple could do more to help track terrorists and criminals.
Speaking to The Australian Financial Review ahead of a trip to Australia this week, Chris Inglis, who was the NSA's highest-ranking civilian from 2006 to 2014, says the government's plan to enact law enforcement powers to crack open encryption by the end of the year is an appropriate attempt to strike a balance between protecting privacy and protecting citizens from terrorism.
He says the government's plan will not require the providers of apps such as WhatsApp, Wickr, Telegram Messenger and iMessage to create new so-called back doors into devices and apps, but will simply involve them doing more to open up their systems on request.
"When citizens look to their government they expect them to protect their privacy and also to keep them safe, this is not an either/or proposition. When I hear your Prime Minister and your Attorney-General speaking about this, I don't see them favouring one of these over the other," Inglis says.
"There has been scaremonger comments on these topics, but I haven't heard your government asking for new back doors, they are merely saying that, if there is a capability already there, they would like to use it under the rule of law, which has always been a legitimate government pursuit."
Tech giants such as Facebook and Apple have already asserted they provide as much assistance as they can to law enforcement agencies, both in Australia and globally, and say they are powerless to break the encryption on individual messages.
Prime Minister Malcolm Turnbull raised eyebrows around the world with a comment suggesting the laws of Australia trump the laws of mathematics, which led to Edward Snowden tweeting that such remarks create a "civilizational risk".
Apple chief executive Tim Cook previously wrote an open letter to customers last year after the company refused to build a system to help the FBI unlock the iPhone of a San Bernardino terrorism culprit who jointly killed 14 people.
He said the US government's request to break encryption would require its engineers to weaken the devices for everyone else around the world.
"The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe," Cook wrote.
In July, special adviser to the Prime Minister on cyber security Alastair MacGibbon said he couldn't understand why these companies "viscerally rail against helping protect their customers", and Inglis says he believes that the likes of Apple are balancing their commercial concerns in markets in all corners of the globe against the option of being as open as possible with different governments.
"Many of these systems already have what I would describe as an appropriate, well-known back door, whether it's a patching mechanism, or it's a software update mechanism - those are back doors," he says.
"Most users have every confidence in the world that those work very appropriately and that only the vendor who services their software is able to replace the software, update the software and change the function of that phone in every way, shape, or form."
Other experts, such as Firstwave Cloud Technology's Simon Ryan, have also suggested that it is entirely possible, at least for Facebook, to reveal the contents of private messages.
Inglis is heading to Australia in his role as chair of the strategic advisory board of US-based behaviour analytics cyber security firm Securonix, which is poised to officially open its operations Down Under this week.
His time in office at the NSA ended a year after its former IT contractor Edward Snowden plunged it into crisis by leaking thousands of documents that laid bare the methods and extent of the agency's surveillance programs.
Securonix provides technology, which it says detects malicious behaviour within an organisation or network in real-time, and would theoretically stop the kind of exfiltration of private data accomplished by Snowden.
While saying that he still sits more closely to the black-and-white view that Snowden committed an act of betrayal, Inglis says he now has some empathy with Snowden's purported intention to expose what he believed to be egregious behaviour by the government.
However, he says Snowden's credentials as a principled whistleblower are called into doubt by the fact that he did nothing to raise concerns in less harmful ways prior to leaking information.
"I would feel more sympathetic about him in 2013 if he had exercised one iota of having raised a hand, lodged a concern, kind of thrown a brick through somebody's window with an anonymous note to us, but he did none of those things," Inglis says.
"With allegations like these, you have an obligation to actually be factually correct in what you allege is going on, and he was not - I think that if you believe in your cause, you should be willing to stand and speak about that in the presence of your peers, and here he is in Moscow, so none of that speaks well of either of his motivation and certainly not of his means."
Inglis was portrayed in the 2016 Oliver Stone movie Snowden, which followed events leading up to the leak, and which he says provided an "egregious misappropriation of the facts" regarding the attitudes at the NSA and of Snowden's importance within it.
In the movie a character in Inglis' role is seen sending Snowden off to head a mission in Hawaii to solve a problem related to China, yet Inglis says the two never met in person, and Snowden was too far removed from the action to be remotely considered for such work.
"I have to imagine that the reason it was portrayed that way was not to make it more interesting, but rather to impress upon the audience that Edward Snowden was somebody that travelled in circles where he would have direct knowledge of the strategies, the means and the conspiracies that are practised by an NSA, and of course he was nowhere near in those places," he says.
"He was an important enough worker that he was hired to do what he did, but he was working at the edge, and many of the things that he saw, he didn't fully understand the context of, and he therefore misdescribed."
Inglis says the sense of shock that permeated the NSA following the leaks had passed by the time he left the agency. He says that he and others within the NSA were comfortable that they were doing the right thing, with noble intentions, and believed they made the scandal worse by mismanaging their external communications before Snowden leaked.
He says the agency should have explained why it had surveillance plans in place and proactively addressed concerns about a lack of controls and restraint.
"If I could go back in time I would address the fact that the government and NSA were not transparent enough - the noble purpose and controls were not as well understood as what Snowden was talking about, which was capability, and a capability that you might enjoy never tells the whole story," Inglis says.
"Most of his allegations were taken as revelations and they were not. His allegations were just that. They were facetious and vilified us."
Moving into the present, Inglis says he understands people outside the US viewing its present administration with a sense of worry. However, he believes that the checks and balances in place would not allow an unpredictable president to become a national security risk.
The Trump presidency has been dogged by suggestions that his team has been too close to Moscow since the election campaign, but Inglis says there are enough protections in place that would prevent the President from exceeding his remit.
"If I was still at the NSA, I would have to appreciate the President has a role, and that role within the United States system is that he is not the sole and ultimate authority on how the nation proceeds," he says.
"You have to actually let this play out, because it's still true that the conflict of ideas is one of our best ideas. I'm confident at the end of the day that our system is going to work its way through what looks like some pretty chaotic controversies at a distance, and frankly, most days, close in, feels that way as well.
"There is a genuine battle of ideas taking place as to what is the proper role of government, and the views are extreme. It looks a bit worrisome, both close in and at a distance, but the system has lived through periods where it was equally chaotic before and we worked our way through it. If you believe in the foundations of this particular form of government, as I do, you have to believe that we'll figure it out, that we'll work our way through."
Oak Ridge licenses its quantum encryption method – FCW.com
A Qubitekk prototype will incorporate ORNL's single-photon source approach, thereby bringing the device closer to generating pairs of quantum light particles in a controlled, deterministic manner that is useful for quantum encryption. (Photo by Qubitekk)
Oak Ridge National Laboratory has licensed a method its researchers developed to keep encrypted machine-to-machine data from being intercepted.
San Diego-based quantum technology company Qubitekk has signed a non-exclusive license for the lab's method of "down-conversion" of photons, which produces random, unpredictable pairs of the particles to confound the interception of data, the lab said in a July 25 statement.
"Current encryption techniques rely on complex mathematical algorithms to code information that is decipherable only to the recipient who knows the encryption key," according to the statement. "Scientists, including a team at the Department of Energy's ORNL, are leveraging the quantum properties of photons to enable novel cryptographic technologies that can better protect critical network infrastructures."
According to lab officials, the technique harnesses quantum physics to expose, in real-time, the presence of bad actors who might be trying to intercept secret keys to encryption algorithms used by the energy sector.
Qubitekk President and CTO Duncan Earl said in the ORNL statement that his company plans to enhance its existing single-photon quantum information prototype by integrating the lab's design. Earl is a former ORNL researcher who worked with the lab's Cyber Warfare group and Quantum Information Sciences team.
The company's work could lead to a tenfold increase in quantum encryption rates and the ability to maintain high data transmission speeds over longer distances, he added.
Earl said the firm plans to conduct field trials with its customers, which include California utility companies.
About the Author
Mark Rockwell is a staff writer at FCW.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.
Indian IT firms value scaling encryption, lag in adoption: Study – Economic Times
NEW DELHI: Indian IT firms value scaling of data encryption but lag in adoption of the technology compared to the global average, says a study commissioned by French security technology firm Thales.
"95 per cent of organisations in India valued scalability for encryption solutions, which was much higher than any other country, global average of 29 per cent," the Global Encryption Trend study said.
However, it found that 82 per cent of organisations in India covered in the study embrace some type of encryption strategy, while the global average is 86 per cent.
The survey is based on responses from more than 5,000 IT security decision makers across multiple industry sectors in the United States, United Kingdom, Germany, France, Australia, Japan, Brazil, the Russian Federation, Mexico, Saudi Arabia and the United Arab Emirates and includes responses from 548 individuals in India.
"This study is part of a global initiative by Thales to educate leaders from the private and public sectors on the privacy and data protection practices companies can follow today," Thales, Country director India, Emmanuel de Roquefeuil said.
The company operates in the strategic electronics and IT space with a focus on high-end security. It is setting up a manufacturing unit in India in partnership with Reliance Defence for making radar and electronic warfare display systems for supply to the Rafale jet.
The study found that Indian firms led globally in adoption of cloud technology with 75 per cent of organisations transferring sensitive or confidential information to the cloud - whether encrypted or not - compared to global average of 53 per cent.
The top drivers for encryption in India are to protect against specific, identified threats and customer information.
"This is in contrast to the global data where compliance is, and historically always has been, the top driver for encryption. In India, compliance ranked third on the list at 55 per cent," the study said.
As per the study, 62 per cent of the respondents in India feel hardware security modules (HSMs) will be important in the next 12 months for encryption or key management strategy which is almost in line with global average of 61 per cent.
"This study is a call to action for organisations in India to strengthen their security position with strong data security and encryption plans in order to secure sensitive data and adhere to risk and compliance best practices and regulations," Thales e-Security, director for sales in South Asia, James Cook said.
Most Indian IT firms are of the view that the top threat to sensitive data is employee mistakes, followed by hackers and temporary contract workers, the study said.
"Top threat to sensitive data continues to be employee mistakes (55 per cent of respondents), followed by hackers (36 per cent) and temporary or contract workers (31 per cent)," the study said.
Industry firm patents new cyber encryption technology – Defense Systems
A private sector firm is offering a new kind of reinforced encryption technology for the U.S. military services to safeguard mobile phone, radio and computer transactions from brute force cyberattacks.
The Internet Promise Group has used internal funding to patent a new technical method of securing encrypted military communications by implementing, integrating and changing random bits with an existing encryption key algorithm.
"The idea is to strengthen existing encryption keys to make them less vulnerable to brute force attacks where adversaries or cyber intruders use computer algorithms to try multiple combinations of keys until the details are discovered and the key is broken," said Tara Chand, founder and CEO of Internet Promise Group.
Brute force attacks, which require both substantial coordination and sophistication, are typically thought to be associated with major cyberattacks from near-peer adversaries, such as Russia or China.
"We want to figure out a way to make the key so strong that you cannot break it," he said.
Chand explained that his firm has patented Random Dance Keys, a new class of military encryption technology engineered to be impenetrable to brute force cyberattacks.
"Random Dance Key innovation is based upon its focus on the key space itself rather than encryption algorithms, to provide ultimate defense and protection of critical data and communications. This patented, advanced key management system employs heuristic random wave envelopes derived from the three different types of waves to yield a perpetual sequence of random vectors," Chand added.
Random Dance Keys, Chand explained, are able to change encryption keys with every data package by using a new random sequence of bits. Random keys are used and then discarded.
"Every time you have a data package, you come up with a random key and integrate that with an algorithm and encryption key you already have. You leave them as they are," he added.
The Internet Promise Group is now in the process of introducing this technology to the U.S. military services. Early conversations are underway, Chand explained.
Current U.S. military concerns about cyber intrusions are heightened by recent revelations of Russian hacking and China's previous record of hacking U.S. military databases.
About the Author
Kris Osborn is editor-in-chief of Defense Systems. He can be reached at kosborn@1105media.com.
The Encryption ‘Balance’ Trump’s FBI Candidate Wants Is Mathematically Impossible – New York Magazine
Nominee for director of the FBI Christopher Wray. Photo: Jim Watson/AFP/Getty Images
News reports from likely future FBI director Chris Wray's Senate hearing today focused on the question of the agency's independence from the White House. This is understandable - the bureau's relationship to the White House is at the top of everyone's mind - and Wray performed well: "My commitment is to the rule of law, to the Constitution," he told members of the Senate Judiciary Committee. But when it came to the less attention-getting, but no less important, question of encryption, unfortunately, Wray performed somewhat less inspiringly: "There's a balance, obviously, that has to be struck between the importance of encryption - which we can all respect when there are so many threats to our systems - and the importance of giving law enforcement the tools that they lawfully need to keep us all safe," he said.
The problem is that there isn't really a legal balance to be struck when it comes to encryption. American tech companies already comply with lawful orders for user information that isn't fully encrypted, and shy of building backdoors into their products, there isn't a lot more they can do.
"Unfortunately, I'm still not sure how this is an issue that can be solved by working together with industry," said Matthew Green, a renowned cryptography professor at Johns Hopkins University, after seeing Wray's comments. "Either the U.S. government will pursue a strategy that includes mandated encryption backdoors or it won't. I believe other forms of cooperation, such as metadata sharing, are already available."
Wray is entering a decades-long debate, one where a principal argument hasn't really changed: Should you be allowed to make a device or a method of communication that's so secure, even you have no way of knowing what your users are doing or saying? The FBI, famously, was so stumped when it couldn't access San Bernardino shooter Syed Farook's iPhone last year that it invoked the All Writs Act of 1789, a broadly written law used when the government needs an authorization that Congress hasn't yet legislated or thought of, and demanded Apple write a personalized, fake software update to get past the phone's login screen. At the 11th hour, the FBI said it had found and paid for a rare vulnerability in the code for the 5c, the model Farook had, and stood down.
Technologists and cryptographers have long been unanimous that forcing a tech company to build a secret vulnerability into their products, only to be used for emergency situations - a backdoor - is a terrible idea. If cops can use it, hackers and foreign governments can probably find it and exploit users, for one thing. And if American companies would be forced by law to build backdoors, as floated in an ill-fated draft bill last year by senators sympathetic to the FBI's concerns about terrorists "going dark," privacy-minded consumers would simply start using secure messaging apps made in countries that didn't have that law.
At the same time, it's hard to tell the law-and-order crowd that if a terrorist cell in the U.S. is using Signal, the FBI has to simply throw up its hands and use whatever other investigative tools are at its disposal. That's why a number of political figures, among them former Democratic presidential nominee Hillary Clinton and former FBI Director James Comey, have rejected the idea of outright backdoors, but like Wray today, still declared a wistful support for some kind of compromise solution, achievable by the tech industry and federal government really putting their heads together.
But politicians and law-enforcement figures pushing for a compromise ignore the realities of mathematics and the dire need to increase internet security in favor of pushing technologists to nerd harder and come up with some magical way to create strong security tools that only the FBI could break, said Amie Stepanovich, U.S. policy manager at Access Now, a group that advocates for digital civil liberties.
In Wray's defense, maybe he only hoped for an impossible compromise because he hasn't had time to give the issue much thought: He readily admitted he was an outsider who didn't have enough information about encryption in front of him to present a formal plan, a repeated theme in his hearing. For the future, Wray might consider stressing that pushing for mandatory backdoors should be off the table, or that strong encryption should be a fundamental consumer protection in a world where Russian intelligence agencies target American civilians, like the heads of U.S. presidential campaigns. Wray could have said that agents stymied by locked phones would have to rely more on old-school investigative techniques. He could have admitted that while the gray market of buying exploits in emergencies is far from perfect, it's worked so far, and there simply isn't a better solution out there.
Unfortunately, no senator probed Wray much further on the issue. What does he think the FBI should do if the agency encounters another Farook iPhone case, but this time can't find a vendor hawking exploits? Apparently, hope that math changes.
We need to protect encryption – ITProPortal
As we have come to terms with recent tragic events in the UK, understandably there is great anxiety and a lot of questions about the causes of such terrible loss of life. It has again highlighted the debate around regulating the internet giants like Google, Facebook, Twitter and Amazon. These channels have given criminals and terrorists the opportunity to broadcast their message, so politicians in the UK responded in the first instance by suggesting the technology industry should play their part in addressing this huge challenge. However, the Queen's Speech, the list of laws that the government hopes to get approved by Parliament over the coming year, leaves me confused.
Listening to the earlier comments from policy makers, the rhetoric suggested the new Government would push the technology industry for tougher legislation that might not have proper checks and balances in place. These concerns were heightened reading Matt Burgess' report claiming the Government wanted to push through demands for tech companies to provide access to user information by breaking end-to-end encryption as needed.
The Home Secretary's comments, especially in relation to encryption, compounded that concern, so it was very pleasing to see positive signals from the European Union on the individual's right to privacy. The European Parliament's Committee on Civil Liberties, Justice and Home Affairs underlined its support for the principle of confidentiality.
However, a week really is a long time in politics, especially when it comes to digital and technology legislation.
The Queen's Speech has highlighted a commitment to make the UK the safest place online and added new right to be forgotten laws, as well as a determination to comply with the European Union's GDPR legislation. The speech also included a pledge to review counter terrorism strategy. This might suggest the Government is revising its view on cybersecurity, placing the individual's right to privacy above national security issues. Unfortunately the vagueness of the Queen's address leaves far too much room for interpretation. The talk of a Digital Charter is good if its goal is to protect the privacy of consumers, but how will that be weighed up against national security needs?
From the perspective of MaidSafe we applaud attempts to protect user privacy. However, there is no clarity on the question of encryption, particularly giving intelligence services exceptional access in the name of national security. The Investigatory Powers Bill still stands and there appears to have been no mention of the unassumingly named Investigatory Powers (Technical Capability) Regulations, which will require service and application providers to give access to information. While this remains unaddressed we have one simple question for the authorities: what if the technology has been designed so that it cannot reveal user information?
As most people who follow the story of MaidSafe know, the start point for the SAFE Network was creating a better internet - one where users were in control of their data and privacy was paramount. That is why it has been designed with encryption at its core and why users are the only ones who control access to their data. However, to ensure MaidSafe cannot compromise a user's identity and data, MaidSafe has no way to break the encryption. The user is the only one with the keys and we have no master key that can override the system. Bottom line: we cannot put a backdoor into our network, because we have no way of identifying users once they are set up.
If you listen to the arguments from politicians the potential threat outweighs the right to privacy and freedom of speech. We believe that rushing legislation through is the wrong approach. This should be a time for cool reflection and a recognition that it is a complex problem, which cannot be solved by pressurising technology companies to create backdoors to their products. Even if you do not accept the fundamental right of individuals to privacy and freedom of speech there is a simple practical point - weakening encryption will make it, well, insecure. A vast array of organisations use encryption today for everything from banking to processing legal documents, tax accounts and protecting email. Creating mechanisms for the security services to access information means there is a weak point which hackers can exploit too. If you don't believe they will then you have clearly erased WannaCry from your memory. The excellent article by Andy Greenberg in Wired on the extent of the hacking in the Ukraine shows how devastating cyberattacks already are without giving the hackers a short cut, and this week's episode has only served as a stark reminder.
The more difficult moral debate we are fully aware of is that we are building a network which could be used for both good and bad purposes. It is our view that users should be given the right to make this choice for themselves. If they control their data and who they share it with, they control whether or not an individual can broadcast information to them. Security services may also say the SAFE Network will make it harder for them to do their jobs, but there is little or no evidence that mass surveillance and breaking encryption will mean it is easier to catch criminals. Indeed, while the bad guys appear to take an innovative approach to new technologies, it often seems as though the authorities wish to take a step backwards.
Compromising security and allowing sweeping powers more often than not leads to abuses of such authority. We have seen this time and again. We would argue there is evidence the police and security services are more successful with targeted surveillance and building partnerships with communities. John Thornhill at the Financial Times recently reminded me of a report I had seen before, originally published in 2015. MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) produced a damning criticism of backdoor access to encryption, the title of the report underlining the crudeness of such an approach: "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications". While it sounds obvious, there is absolutely no point in locking the door and allowing the bad guy to find the keys. It makes for good drama in Hollywood, but in real life it has serious consequences.
The intelligence community terms this breaking of encryption "exceptional access", which makes it sound very benign. However, MIT CSAIL was clear about the consequences in its report: "In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimise the impact on user privacy when systems are breached."
If you are not convinced on moral grounds, there is also a simple technical reason why giving control back to users works. If an individual controls his or her identity, that person is anonymous, but also potentially traceable. As John Thornhill rightly points out, using encryption also authenticates the user, and in environments such as the blockchain it should not be forgotten that once an individual, including a hacker, adds something to the blockchain it is recorded for posterity. Suggesting that encryption is an enabler for the bad guys shows a lack of understanding of next generation technologies, because unlike previous analogies of good guys versus bad guys, technologies in the current landscape are more complex.
At its heart this debate needs a reset, because it feels like cybersecurity strategy is still in the 2000s when Web 2.0 came along. The technology is cleverer now, but so too are the users and the technology is reflecting what users want. They want privacy, but equally they do not want to propagate terrorism or hatred. They believe technology exists that balances the absolute right of individuals for privacy and the need for national security.
Sadly we do not live in a perfect world and technology is unfortunately being used by bad actors to do some nefarious things. Certainly, the approach of the big tech companies in response to growing consumer and political concerns has not been as quick and responsive as many would like, but weakening encryption in the name of national security is not the answer. Paul Bernal, in Matt Burgess's article, raised the important issue of accountability and oversight. If the Technical Capability Regulations are passed into law there is also an even more fundamental question of right to privacy and right to freedom of speech. This is a time for cool heads. The MIT CSAIL report is good not just in its technical analysis but also as a historical reminder. We have been debating this issue since the 1970s, when computers became increasingly mainstream. Today we are seeing rights undermined increasingly around the world, and if a country like the UK is seen to be promoting more draconian laws it will give more authoritarian states the justification they need to implement similar and worse rules. If we force technology companies to break their encryption, we do not just compromise security, we compromise fundamental human rights.
Nick Lambert, Chief Operating Officer, MaidSafe
Image Credit: Yuri Samoilov / Flickr
Read the original:
We need to protect encryption - ITProPortal
End-to-End Encryption is Key to Securing Government Databases – Nextgov
Walter Haydock works for PreVeil (@EndToEndEncrypt), a Boston-based cybersecurity company.
If the Internal Revenue Service's Data Retrieval Tool had used end-to-end encryption from the start, the federal government may have been able to avoid a privacy breach that ultimately occurred over the past year.
This tool allowed prospective students to transfer their tax return data to the Education Department for use in loan applications. Earlier this spring, the agency disabled it because identity thieves had used the tool to receive the personal financial data of potentially thousands of taxpayers in an effort to file fraudulent returns.
One of the key lessons from this breach is that deploying default end-to-end encryption should be a priority for all enterprises handling sensitive information, especially the government. Following the president's recent cybersecurity executive order, which urges federal agencies to move to the cloud, properly securing data there is more critical than ever.
Because of a statutory quirk, the IRS could not transmit taxpayer information directly to the Education Department. Instead, the agency relied on loan seekers to obtain their tax return information themselves through the Data Retrieval Tool, and then include it in their applications.
Unfortunately, the IRS tool had flaws that allowed identity thieves to masquerade as loan applicants. These cyber criminals could use already stolen personal information to download their victims' tax data and subsequently file fraudulent returns.
Although hackers took advantage of the lack of proper authentication procedures necessary to access the Data Retrieval Tool, end-to-end encryption still could have saved the day. This technology cryptographically makes data unreadable at the start of its journey and only ever renders that data legible at the devices of authorized recipients, never at any intermediate point.
Those seeking student loans do not need to see the tax data they forward with their applications; they only need to transmit it from the IRS to the Education Department. As a result, the two organizations should have designed the Data Retrieval Tool to forward taxpayer data in end-to-end encrypted form, in which case the stolen information would have appeared as complete gibberish to the identity thieves who obtained it.
Unfortunately, government officials seem to have only considered this course of action after the major cybersecurity incident that resulted from their initial oversight, at which point they took down the Data Retrieval Tool for several months to add a comparable feature.
Bringing federal technology into the 21st century while keeping it secure will by no means be a simple task. Even though its systems were not to blame for the aforementioned incident, the Education Department is an example of the challenges the government faces in this regard.
Despite a chorus of warnings, especially from Congress, the department used more than 180 different data management systems as of 2016, many of which are outdated and insecure. Maintaining nearly 140 million unique Social Security numbers of ordinary Americans, the department has nonetheless ignored many security recommendations from its own inspector general.
Moving federal systems to the cloud, as the president's recent guidance encourages, will assist in consolidating and protecting such arrays of overlapping systems, but doing so is not without risks. Although convenient, data stored in the public cloud can be an easy target for hackers if not properly protected.
Fortunately, a new generation of secure, easy-to-use and competitively priced end-to-end encrypted file-sharing applications is now coming to market. These cheap and effective tools can help government organizations secure the data of their citizens more effectively, while still providing easy access to appropriate stakeholders through innovative security features.
As the Data Retrieval Tool incident demonstrates, limiting access to sensitive data through well-designed security measures is critical. Using end-to-end encryption by default is one readily available way to do so, which will more effectively protect American citizens in the cyber domain.
Quantum satellites demonstrate teleportation and encryption – physicsworld.com
Physicists in China have achieved the first quantum teleportation from Earth to a satellite, while their counterparts in Japan are the first to use a microsatellite for quantum communications. Both achievements suggest that practical satellite-based quantum communications could soon be a reality.
Jian-Wei Pan of the University of Science and Technology of China in Hefei and colleagues used China's $100m Quantum Experiments at Space Scale (QUESS) satellite to receive a quantum-teleported state. This was done over a distance of 1400km from a high-altitude (5100m) ground station in Tibet to QUESS. This is more than 10 times further than the 100km or so possible by sending photons through optical fibres or through free space between ground-based stations.
Described in a preprint on arXiv, the process involves creating photons that are quantum-mechanically entangled and then transmitting them to QUESS. Last month, Pan and colleagues reported the distribution of quantum entanglement over 1200km using QUESS.
Meanwhile, Masahide Sasaki and colleagues at the National Institute of Information and Communications Technology in Japan have shown that quantum information can be transmitted to Earth from a 5.9kg photon source called SOTA which is on board a 48kg Japanese microsatellite called SOCRATES.
Writing in Nature Photonics, Sasaki's team reports that they were able to receive and process the information at a ground station in Japan using a quantum key distribution (QKD) protocol. QKD uses principles of quantum mechanics to ensure that two parties can share an encryption key secure in the knowledge that it has not been intercepted by a third party.
PKWARE Integrates Intelligent Data Discovery With Enterprise Encryption Platform – PR Newswire (press release)
According to a 2017 report, 2.5 million terabytes of data are generated every day, and the ways that employees share and store data continue to multiply. As the amount of data continues to explode, and as the number of non-corporate-controlled places to store data expands, companies are faced with a daunting challenge: How do we find and protect sensitive information?
"Today, data can exist simultaneously in multiple locations across an enterprise," said Matt Little, chief product officer at PKWARE. "Because data is crossing traditional boundaries, both on premise and in the cloud, many organizations do not have visibility into where sensitive information is stored, leaving data unprotected and vulnerable to internal and external threats. Smartcrypt Data Discovery allows customers to not only find their sensitive data, but protect that information wherever it's used, shared or stored."
Smartcrypt Data Discovery finds sensitive information (credit card numbers, Social Security numbers, personal account numbers and customer-specified data) and can also encrypt it using Smartcrypt's persistent data-centric encryption. It is the simplest, most integrated way for organizations to identify their sensitive information and strongly protect it against theft or misuse.
"Organizations of all sizes are recognizing that many traditional security tools are no longer enough to protect sensitive data from breaches," said Garrett Bekker, Principal Analyst, Information Security Practice, 451 Research. "Encryption is a powerful tool to protect sensitive data, but organizations generally face big challenges both finding sensitive data and also determining what data to encrypt and what not to encrypt. Combining encryption with data discovery is a logical way to help organizations protect their data without the costs and overhead associated with using encryption indiscriminately."
Smartcrypt Data Discovery uses the existing Smartcrypt agent which continuously monitors desktops, laptops, file servers and other storage locations for sensitive information. Each time a file is added or modified, Smartcrypt initiates a scan based on the organization's policies. If the data fits one of the defined patterns, the system can apply remediation via encryption, reporting or other custom actions. The discovery and encryption process is transparent to end users and the organization maintains complete control.
PKWARE's Smartcrypt Data Discovery is now available. For more information, click here.
About PKWARE
PKWARE is a trusted leader in global business data protection. For 30 years PKWARE has focused not just on networks and devices, but on the data itself. Building on our compression expertise with the latest encryption technology, PKWARE protects data for over 30,000 enterprise customers and 200 government agencies. Our software-defined solutions provide cost-effective and easy-to-implement protection that is transparent to end users and simple for IT to administer and control.
Media Contact: Josh Swarz, +1 (646) 428-0650, pkware@allisonpr.com
View original content with multimedia: http://www.prnewswire.com/news-releases/pkware-integrates-intelligent-data-discovery-with-enterprise-encryption-platform-300486220.html
SOURCE PKWARE