Miranda – Page 17 – DoGoodSoft's Official Blog

FBI director: Ability to unlock encryption is not a ‘fatal’ security flaw

In the tug-of-war between the government and U.S. companies over whether firms should hold a key to unlock encrypted communications, a frequent argument of technologists and privacy experts is that maintaining such a key poses a security threat.

But on Thursday, FBI Director James B. Comey pointed out that a number of major Internet companies do just that “so they can read our e-mails and send us ads.”

And, he said: “I’ve never heard anybody say those companies are fundamentally insecure and fatally flawed from a security perspective.”

Comey was airing a new line of government argument in the year-old public debate over the desirability of compelling Internet companies to provide a way for law enforcement to have access to decrypted communications.

Although he didn’t name names, he was alluding to major e-mail providers Google and Yahoo, which both encrypt customers’ e-mails as they fly between servers, but decrypt them once they land in order to scan them and serve customers relevant ads.

Comey, who spoke at a cyberthreats hearing held by the House Intelligence Committee, has been a leading voice advancing the concerns of law enforcement that the growing trend of strong encryption — where devices and some communications are encrypted and companies do not hold the keys to decode them — will increasingly leave criminal investigators in the dark.

The current debate, which echoes a bitter argument over encryption in the 1990s, was triggered by Apple’s announcement last September that it would expand the use of a method of encryption on its mobile operating system in which it did not hold a key. That meant Apple could no longer unlock troves of photos and other data stored on iPhones and iPads where the user had turned off the automatic backup to Apple’s servers. Such data “at rest” is useful in criminal investigations.

Of great concern to counterterrorism officials are communications encrypted in transit, such as text and instant messages, where the companies do not hold a key and where users have turned off automatic backups. Such end-to-end encryption is a feature of Apple’s iMessage and FaceTime — a video phone-call system, as well as Open Whisper Systems’ Signal, and WhatsApp — both instant message platforms.

But stored commercial e-mail is largely either unencrypted, or encrypted with a key known to the provider, Christopher Soghoian, principal technologist at the American Civil Liberties Union, said in an interview. And that’s a recipe for insecurity, he said.

“Any data that’s either unencrypted or encrypted with a key known to another party is inherently more vulnerable,” he said. He added that Google and Yahoo have been criticized for their lack of e-mail security, and the Chinese breach of Gmail announced in 2010 was a case in point.

During the hearing, Comey said that the bureau was “having some very healthy discussions” with companies on the issue. “I would imagine there might be many, many solutions depending upon whether you’re an enormous company in this business, or a tiny company in that business. I just think we haven’t given it the shot it deserves.”

Rep. Adam Schiff (D-Calif.) noted that the tech firms have stiff global competition. Other companies are offering encrypted platforms that customers might choose. “So what do we achieve, apart from harming our economic interests, by insisting on a key?” he said.

Comey said he thought that part of the solution would be “an international set of norms” in which other countries join with the United States to establish a rule that companies should be able to provide law enforcement with communications in the clear. “I hear from our allies all the time,” he said. “The French want the same thing. The Germans. The British. So I think that’s something that could be done.”

Soghoian noted, however, that more and more encryption platforms are being made available on the Internet for free by individuals or groups of open-source developers in the United States and Europe, which will make it difficult to regulate them.

Encryption and privacy are priorities for tech firms

The Justice Department and Microsoft go head-to-head in the U.S. Second Circuit Court of Appeals in Manhattan on Wednesday. The battleground? Data privacy.

At issue is the question of whether U.S. law enforcement can use a search warrant — in this case, in a drug investigation — to force the U.S.-based technology company to turn over emails it has stored in a data center in Ireland. Lower courts have sided with the government and held Microsoft in contempt for refusing to comply with the search warrant. Microsoft has appealed, arguing that its data center is subject to Irish and European privacy laws and outside the jurisdiction of U.S. authorities.

Civil liberties and internet-privacy advocates are watching the case closely, as are company and law-enforcement lawyers. They’re also watching another case, also involving a drug investigation, in which Apple was served with a court order instructing it to turn over text messages between iPhone owners.

After the Edward Snowden revelations, U.S. technology and telecom companies were criticized for allegedly letting the government spy on Americans’ emails, texts and video chats.

Many companies have been fighting back, hoping to burnish their images as protector of their client data privacy. Microsoft is fighting government access to overseas data centers. Apple has been rolling out strong “end-to-end” encryption, in which only the software in the sender’s and receiver’s devices (an iPhone or iPad) have the the requisite keys to decode the message. That means there’s no “back-door key” that could unlock an email or other communication. In addition, both Apple and Google have deployed private-code locking systems that make their smartphones essentially unbreakable, except by the phone’s owner, who sets the code.

“This way, the companies don’t open up the device,” says Peter Swire, an expert on computer security at Georgia Tech who served on President Obama’s task force on surveillance and cybersecurity. “The companies don’t have access to the content between Alice and Bob.”

If the company that made the device, or is carrying the communication on its network, can’t eavesdrop on users like Alice and Bob, he says, the FBI and other outside parties can’t either.

FBI director James Comey has said these new strong encryption technologies are making communications “go dark” for law enforcement. He claims the companies deploying this kind of encryption are hampering law-enforcement investigations.

But Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, says law enforcement will just have to find other ways to gather information. And, he says, with so much non-encrypted information being gathered on private citizens and consumers these days (such as GPS location, purchases, social media “likes” and contacts, web browsing habits), law enforcement still has plenty of investigative tools.

“End-to-end encryption is coming,” he says, pointing to Apple and to Facebook, which recently bought WhatsApp, a popular global messaging platform that is deploying strong encryption. “It will keep us more safe from criminals, from foreign spies, from prying eyes in general.”

CHK File Recovery Has Been Updated to Version 1.082

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way, which has been updated to version 1.082 recently. In this new version, we fixed a bug which disabled to identify one file type, also we added one recoverable file type.

Change Log of CHK File Recovery 1.082:

File Name: CHK File Recovery

Version: 1.082

File Size: 2.63MB

Category: CHK File Recovery Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Sept.09, 2015

Download Address: http://www.dogoodsoft.com/chk-file-recovery/free-download.html

What’s New in This Version:

1. Fixed a bug which disabled to identify one file type.

2. Added one recoverable file type.

Why Choose CHK File Recovery:

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way. CHK File Recovery can accurately and quickly recover more than 120 common file types, such as mp3, mp4, jpg, bmp, gif, png, avi, rm, mov, mpg, wma, wmv, doc, docx, xls, xlsx, ppt, pptx, zip, rar, exe, dll, sql, mdb, psd.

CHK File Recovery can determine file type automatically by default. However, for file types that cannot be recognized automatically, manual identification is used to confirm file type, which can check the content of an unknown file through 4 methods and recover it afterwards.

The interface of CHK File Recovery is simple and clear. It is easy to use. You only need to select a drive and click Search, then CHK File Recovery starts to scan the whole drive automatically. Afterwards, the CHK files found are shown in the list at the left of the application by their original file type. Besides, you can choose to search and scan a folder you specify.

Argument over strong encryption reaches boiling point as Apple, Microsoft rebuff court orders for data access

A long-running debate concerning recent advances in consumer data encryption came to a head this summer when Apple rebuffed a Justice Department court order demanding access to iMessage transcripts, causing some in the law enforcement community to call for legal action against the company.

Over the summer Apple was asked to furnish real-time iMessage communications sent between two suspects in an investigation involving guns and drugs, reports The New York Times. The company said it was unable to provide such access as iMessage is protected by end-to-end encryption, a stance taken in similar cases that have over the past few months punctuated a strained relationship between the tech sector and U.S. law enforcement agencies.

Sources said a court action is not in the cards for Apple just yet, but another case involving Microsoft could set precedent for future cases involving strong encryption. Microsoft is due to argue its case in a New York appellate court on Wednesday after being taken to task for refusing to serve up emails belonging to a drug trafficking suspect. As the digital correspondence was housed in servers located in Dublin, Ireland, the company said it would relinquish the emails only after U.S. authorities obtained proper documentation from an Irish court.

Government agencies have posed hypothetical scenarios in which strong encryption systems, while good for the consumer, hinder or thwart time-sensitive criminal investigations. It appears those theories are being borne out in the real world.

Further confusing matters is a seemingly non-committed White House that has yet to decide on the topic either way. Apple and other tech companies are pressing hard to stop the Obama administration from agreeing to policy that would, in their eyes, degrade the effectiveness of existing data encryption technologies.

As for Apple, while some DOJ and FBI personnel are advocating to take the company to court, other officials argue that such an action would only serve to undermine the potential for compromise. Apple and other tech firms have privately voiced interest in finding a common ground, The Times reports. To that end, the publication notes Apple did indeed hand over a limited number of messages stored in iCloud pertaining to this summer’s investigation.

For its part, Apple is standing firm against government overtures calling for it to relinquish data stored on its servers. CEO Tim Cook outlined his thoughts on data privacy in an open letter to customers last year and came down hard on unlawful government snooping earlier this year.

Best Folder Encryptor Has Updated to Version 16.83

The professinal file and folder encryption software – Best Folder Encryptor has been updated to version 16.83 recently. In last version 16.82, we have fixed a bug that the encrypted file/folder cannot be prevented from deletion, copy and removal in 64 bit operating system, also fixed a bug that there is no verification for password entering when folder bulk encryption and other three bugs. Besides, we added the judgement for the disks unsuitable for protection when protecting disks.

In this new version 16.83, we improved the stability for disk advanced-protection, fixed three minor bugs prompted in message, and expanded the file/folder size limitation for Diamond-, Full- and Portable encryption to 990MB.

Change Log of Best Folder Encryptor:

File Name: Best Folder Encryptor

Version: 16.83

File Size: 3.70MB

Category: Folder Encryption, File Encryption

Language: English

License: Trial version

System Requirements: Win xp/vista/Win 7/Win 8

Released on: Aug.31, 2015

Download Address: http://www.dogoodsoft.com/best-folder-encryptor/free-download.html

What’s New in This Version:

* Improved the stability for disk advanced-protection.

– Fixed three minor bugs prompted in message.

* Expanded the file/folder size limitation for Diamond- , Full- and Portable encryption to 990MB.

Why Choose Best Folder Encryptor:

Best Folder Encryptor is a professional file and folder encryption software. It features superfast with high security and confidentiality. With the internationally advanced encryption algorithms, encryption methods and file system drivers, the encrypted files and folders cannot be decrypted without the correct password, and are prevented from copy, deletion or removal.

It is convenient to open and edit the encrypted folder or file with the Open feature, and you don’t have to re-encrypt the folder or file after use.

Besides, it supports many powerful features such as data shredding (file/folder shredding), completely hiding hard drive partition, disabling USB storage devices or set them as read-only, etc. All these make Best Folder Encryptor undoubtedly a flawless encryption software and the best helper.

Vice News fixer ‘charged over encryption software’

Three staff members from Vice News were charged with “engaging in terrorist activity” because one of the men was using an encryption system on his personal computer which is often used by the Islamic State of Iraq and the Levant (ISIL), a senior press official in the Turkish government has told Al Jazeera.

Two UK journalists, Jake Hanrahan and Philip Pendlebury, along with their Turkey-based Iraqi fixer and a driver, were arrested on Thursday in Diyarbakir while filming clashes between security forces and youth members of the outlawed and armed Kurdistan Workers’ Party (PKK).

On Monday, the three men were charged by a Turkish judge in Diyarbakir with “engaging in terrorist activity” on behalf of ISIL, the driver was released without charge.

The Turkish official, who spoke on condition of anonymity, told Al Jazeera: “The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications.”

Speaking to Al Jazeera, Tahir Elci, the head of the Diyarbakir lawyers association, said: “I find it ridiculous that they were taken into custody. I don’t believe there is any accuracy to what they are charged for.

“To me, it seems like an attempt by the government to get international journalists away from the area of conflict.

“These people have obviously been in contact with YDG-H members (the youth wing of the PKK) because of their jobs, because they are covering stories. This might not have been welcomed by the security forces.”

Rejecting the accusations, the Turkish press offical said: “This is an unpleasant incident, but the judiciary is moving forward with the investigation independently and, contrary to claims, the government has no role in the proceedings.”

‘Freedom of expression’

In response to the charges, Kevin Sutcliffe, Vice head of news programming for Europe, said on Monday that the judge “has levelled baseless and alarmingly false charges of ‘working on behalf of a terrorist organisation’ against three VICE News reporters, in an attempt to intimidate and censor their coverage.

“Prior to being unjustly detained, these journalists were reporting and documenting the situation in the southeastern Turkish province of Diyarbakir.

“Vice News condemns in the strongest possible terms the Turkish government’s attempts to silence our reporters who have been providing vital coverage from the region.

“We continue to work with all relevant authorities to expedite the safe release of our three colleagues and friends.”

In Brussels, EU spokeswoman Maja Kocijancic said on Tuesday: “Any country negotiating EU accession needs to guarantee the respect for human rights, including freedom of expression.”

The PKK and the Turkish state were engaged in a war for almost 30 years until a 2013 ceasefire was declared after the two sides held peace talks.

There have been clashes between security forces and protesters in different parts of Turkey following the unravelling of the ceasefire and the beginning of an air campaign by Turkey against the group.

When It Comes To Encryption, Our Policy Makers Could Learn A Thing Or Two From Thomas Jefferson

Thomas Jefferson was so interested in cryptography that he may have developed his own enciphering device after his mail was inspected by postmasters when the revolution was looming. Indeed, codes and ciphers are as American as the American Revolution itself. In fact, the revolution may not have happened if confidential correspondence, both military and otherwise, had been compromised by the British. In December 1801, Jefferson received an encrypted letter from a mathematics professor (the two both served at the American Philosophical Society) that was so inscrutable that he was never able to decode it—in fact, it was not decoded until over 200 years later.

The thread of cipher text runs through the very core of the history of this country. When James Madison penned a letter to Thomas Jefferson in 1789, letting him know that “a Bill of rights, incorporated perhaps into the Constitution will be proposed, with a few alterations most called for by the opponents of the Government and least objectionable to its friends,” the letter was partially enciphered, so that discussion about might run the Department of Finance, a smattering of international politics, and a bit of gossip about the French minister to the United States, the count de Moustier, and his sister-in-law, Madame de Brehan, wouldn’t have fallen into the wrong hands.

It’s hard to know when the narrative shifted, moving from trying to crack your enemies’ crypto and secure your own communications to working to weaken crypto for everyone. NSA director Michael Rogers, FBI director James Comey, and others in the Obama Administration have been working hard to try to convince the public that it’s possible to have secure communications that the government can access, but that criminals and bad nation-state actors can’t circumvent. They give lip service to the need for secure communications to fuel innovation and economic growth, while simultaneously working to dismantle the very systems that make those communications secure.

It is not entirely clear which approach the government will take, but whether it tries to pursue legislation forcing companies to work on mandated backdoors that they don’t want or even need, or simply tries to coerce them with fearmongering about the threat of terrorism, one thing is clear: the government should be embracing cryptography, as it once did, rather than fighting against it.

It’s true that end-to-end encryption could thwart investigation attempts for a small amount of crimes—or maybe call for more hands-on detective work—but this pales in comparison to the damage caused by government backdoors. “Cryptography was once a private game of shadows played by spy masters, but today it has become the critical foundation of our information infrastructure,” says Ethan Heilman, Research Fellow at Boston University.

A recent MIT paper written by a slew of experts makes it clear that giving the government backdoor access to secure communications would weaken the security of any system. “This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which 24 criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. The costs to developed countries’ soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits,” it reads. (Oh, and China wants backdoors, too. So there’s that.)

This isn’t the first time the government has worked to weaken encryption on purpose. It goes back as far as the 1950s, and continued in the 1970s, (…NSA tried to convince IBM to reduce the length of thekey from 64-bit to 48-bit. Ultimately, they compromised on a 56-bit key,” wrote Tom Johnson in Book III: Retrenchment and Reform, an official NSA book), and the 1990s. Intentionally bad cryptography led to the Logjam bug, which can “break secure connections by tricking the browser and server to communicate using weak crypto,” Cory Doctorow explained on Boing Boing—and the government is to blame for these browsers and servers supporting weak crypto in the first place. Weak crypto, courtesy of the U.S. government, can be blamed for the FREAK SSL/TSL vulnerability as well.

NSA wants encryption that fends off quantum computing hacks

The National Security Agency isn’t just yearning for quantum computers that can break tough encryption — it wants encryption that can protect against quantum computers, too. Officials have begun planning a transition to “quantum resistant” encryption that can’t be cracked as quickly as conventional algorithms. As the NSA explains, even a seemingly exotic technique like elliptic curve cryptography “is not the long term solution” people thought it was. Quantum computing is advancing quickly enough that the NSA and other organizations could find themselves extremely vulnerable if they’re not completely ready when the technology becomes a practical reality.

This doesn’t mean that the NSA is asking the government or security vendors to avoid upgrading their ‘traditional’ encryption. It already has suggestions for cryptographic methods that should make it easier to adopt quantum-proof security. However, the agency doesn’t want others pouring a lot of their time and money into encryption that may well become obsolete in the “not too distant future.” Even though you aren’t likely to see a wave of quantum hacking any time soon, the prospect is real enough that the NSA is treating it as a high priority.

Whose keys are they anyway?

Google recently announced enhanced security support for its cloud customers by granting them the ability to hold the encryption keys to their data. These customer-supplied encryption keys for the Google Cloud Platform follow the example set by other cloud industry leaders such as Amazon Web Services and Box and position the tech giant as an advocate for user data privacy.

The many federal IT managers who rely on Google Cloud and AWS are now able to develop a more sound security strategy when it comes to adopting the cloud. Government security managers running Google Cloud should educate themselves on the various cloud encryption models available and also consider which complementary security solutions must also be implemented. Depending on the cloud encryption model employed, cloud data may be susceptible to unauthorized access by cloud service provider insiders or be moved to other jurisdictions that might present data sovereignty issues.

Let’s break it down.

Server-side encryption. At the most basic level of the cloud encryption models, there is server-side encryption (SSE), where the encryption is performed by the cloud service provider using keys it owns and manages itself. Server-side encryption is the most vulnerable cloud encryption model, as the key unlocking access to the data is in control of the cloud provider. While SSE provides a basic level of encryption, it does not provide enterprise security control nor does it help protect against insider attacks because service provider employees could access the data intentionally or by mistake.

Server-side encryption with customer-provided keys. What Box, AWS and now Google offer is server-side encryption with customer-provided keys (SSE-CPK). In this model, the cloud provider handles the encryption but hands the keys the customer to own and manage. The cloud service provider runs the encryption in its underlying infrastructure and promises to only keep the keys in memory while the virtual machine is up and running. However, the keys still flow through cloud provider application programming interfaces, so it is not much of a stretch for the cloud provider to divert or intercept the keys.

Client-side encryption. The most secure solution is client-side encryption (CSE), which occurs in the cloud but it is initiated and managed by the data owner. The customer selects the encryption method and provides the encryption software. Most important, the customer owns and manages the encryption keys.

This approach allows customers to store and manage the keys for the virtual machines on their own premises or in a controlled instance in the cloud. When the virtual machine boots up in the private or public cloud, it can use a pre-boot network connection to an enterprise-controlled intelligent key manager to retrieve the key.

In the announcement of SSE-CPK on Google’s blog, the company chides, “Keep in mind, though, if you lose your encryption keys, we won’t be able to help you recover your keys or your data – with great power comes great responsibility!” The onus is indeed on the customer to not only keep the keys close, but keep them safe. The most responsible move for IT admin is to have an enterprise-controlled intelligent key management solution to manage crypto activities.

Google’s support for SSE-CPK is a step in the right direction to giving enterprises control over who accesses their data, but it still falls short of client-side encryption. Only with the CSE model – where both the encryption and keys are initiated and managed by the data owner, not the cloud provider – does the customer have the most protection and control possible in the cloud.

NCUA institutes encryption protocols for data provided to examiners

NCUA has instituted data encryption protocols as suggested by its Office of Inspector General this June following review of an examiner’s loss of a thumb drive containing credit union members’ data.

The protocols were communicated Aug. 21 in a letter from NCUA Examination and Insurance Director Larry Fazio to the chief executives of federally insured credit unions.

The letter says the agency’s examiners now will accept data files from credit unions only if the files are encrypted first by the credit union or, if the credit union is unable or does not wish to do that, via transfer to NCUA’s encrypted equipment. In either case, parties involved will sign a “chain of custody” document. The letter, in a footnote, also advises credit unions against electronically transmitting unencrypted data to examiners.

Encryption protocols outlined in the letter will remain in use until the agency acquires a secure file transfer solution that will allow credit unions and exam staff to “securely and efficiently” exchange information, Fazio wrote. That solution is expected to be in place early next year.