Related
Recommended

Support for end-to-end encryption grows; regulations for hacking software at a stand stil

Catwell

Even security officials aren't happy with the way cyberattacks are handled. Three former security officials support end-to-end encryption; regulations for hacking software will be redrafted. (image NSA HQ!)

 

Every week, a new cyber attack or wave of hacking scandals. Ashley Madison scandal, anyone? Though everyone from the government to professional hackers are trying to come up with new ways to prevent these attacks, there hasn't been one happy solution. A lot of issues stem from encryption keys and who can get their hands on them. Now, three former US national security officials have spoken out about why end-to-end encryption is the way to go.

 

Mike McConnell, a former director of the National Security Agency and director of national intelligence, Michael Chertoff, former homeland security secretary, and William Lynn, a former deputy defense secretary, argued that more US technology companies should be using end-to-end encryption of data so only the sender and the intended recipient have the decryption keys. This way the plain text of messages will not be available to companies offering products and services to the government. The trio doesn't believe the government should have “backdoor access” or duplicate decryption keys saying it only increases the risk of cyberattack. Currently, the argument for backdoor access is it allows the government to catch criminals communicating online, but three argue against this saying “This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them.”

 

Is this the best solution to security? Not all attempts to regulate cyberattacks are well thought out. Recently, it was revealed that the US government will re-write regulations to restrict the export of software used to break into computers and smartphones. A draft of these regulations was published back in May and stated how the Department of Commerce wanted to restrict the development and testing of exploits, zero-days, and other invasion software. But after it was posted it soon received many comments and complaints, many of them from  security professionals who learned it would severely limit and may even criminalize research into surveillance software. Even those who supported the initial idea criticized the draft for being too clumsy and confusing. Google even called the rules “dangerously broad and vague.”

 

Some draft of the regulation is needed for the latest iteration of the Wassenaar agreement among 41 countries, which limits the shipping of “dual-use” technologies used for peaceful and military purposes. Despite all the negative feedback the Commerce Department took in stride and assured that “All of those comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed. A second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn.” As of right now with the various data breaches and hacking schemes, it looks kind of bleak when it comes to preventing cyberattacks.

 

C

See more news at:

http://twitter.com/Cabe_Atwell

Anonymous
  • in reply to johnbeetem

    And what ever works for you is always ok in my book, but I think it comes down to familuraty as you clearly indicate in your response

     

    I am more familuar with Windows so i dont see it as a problem or challange to protect, you are more familuar with Linux and therefor you have a different but also healthy view on that. I am not at all saying one is better than the other, it is just about what we know and can maintain. that is all about what we grew up with and work on most.

     

    Me I use both Linux and Windows all the time, I know which from a desktop is more performant per available resource (Linux) but given an 8 Core 3Ghz I7 + Hyperthreads (16 Virtual Cores) it kinda becomes a mute point.

     

    In the IOT space, for minimal resources and performance, Linux or embedded OS RTOS etc rules but Windows 10 IoT is the new kid on the block, I happen to like it and see loads of potential so will give it a go and see where MS takes it.

    Should be a fun ride

  • in reply to peteroakes

    Peter Oakes wrote:

     

    It is a litle unfair to throw the blame at Windows: there are just as many vunerabilities in Linux if not more (No one really knows them all I'm sure)...

     

    It is because Windows is so popular and has such a massive install that the hackers target it over OSX, Linux or Android (Which are all practically the same under the covers), if you're going to knowingly do a bad thing like let loose a virus on the unsuspecting world then why do it on the small fry?  Viruses and Trojans etc are designed to maximize distribution and impact so guess what: they get written for the biggest OS, and that is still Windows.

     

    I assure you, the minute that Linux, OSX or some other OS gets bigger, then the hackers attentions will change to that.

    So until we finally see "The Year of Linux on the Desktop" for real, we are safer running GNU/Linux rather than Windows.  Or to put it another way, when a lightning storm is about to happen, don't stand under the tallest tree

     

    I didn't mind using Windows 2000 on the Internet when there was full-time staff around to heal my machine when it got infected.  Now that I'm an independent consultant and have to do all my own system administration, I don't have that luxury.  Keeping my Windows machines off the Internet has worked well for me.

  • in reply to peteroakes

    From http://inventors.about.com/library/weekly/aa091598.htm

    One opposing view to ARPAnet's origins comes from Charles M. Herzfeld, the former director of ARPA. He claimed that ARPAnet was not created as a result of a military need, stating "it came out of our frustration that there were only a limited number of large, powerful research computers in the country and that many research investigators who should have access were geographically separated from them."

    Invention is usually the mother of necessity!

    Arpanet diagram

    Note the extra communication controllers like red circle.

     

    As for Internet2, I am talking about the high bandwidth version for universities i.e. wider pipes not faster links.

     

    C

  • in reply to clem57

    Hi Clem, im not sure your completly correct on that

     

    Some labs across the world sarted a network to share resources, the US military funded and initiated the first "Internet" called Arpanet which then quickly grew into the Internet

     

    this is a quite from Wikipedia

    The US Department of Defense awarded contracts as early as the 1960s for packet network systems, including the development of the ARPANET (which would become the first network to use the Internet Protocol.)

    the full description can be found here: https://en.wikipedia.org/wiki/History_of_the_Internet which seems to be fairly accurate from what I remember


    When you refer to Internet 2. Are you really refering to https://en.wikipedia.org/wiki/Internet2 or IPV6 which extends the addressing range massivly. The Internet2 seems to be more about a massive increase in speed compared to the current Internet that the public uses but still based on the same protocols etc and the rate commercial and domestic bandwidth is growing, it will soon be up to that same speeds?


    dont get me wrong though, Internet2 looks like a great thing

  • It is a litle unfare to throw the blame at windows, there are just as many vunerabilities in Linux if not more (No one really knows them all im sure). I still remember the days when it was Unix (Older version of Linux for the newcommers ) that got all the viruses etc, they were not as sophisticated as they are these days but they existed none the less

     

    It is because Windows is so popular and has such a massive install that the hackers target it over OSX, Linux or Android (Which are all practically the same under the covers), if your going to knowingly do a bad thing like let lose a vius on the unsuspecting world then why do it on the small fry, viruses and trogens etc are designed to maximize distribution and impact so guess what, they get written for the biggest OS, and that is still windows

     

    I assure you, the minute that Linux, OSX or some other OS gets bigger, then the hackers attentions will change to that

     

    Network spoofing, email systems etc are all still pretty much following the same protocols as they did 30 years ago (SMTP, FTP, TCP, UDP, IP etc) and there all spoofable

     

    HTTPS, TLS, SSL etc are all designed to encrypt the channel (The communications connection between two points) to prevent or minumize the "Wire Tap" kind of hacking sometimes called "Man in the Middle". it does not protect the machine at either end or the message once it has landed on some hard drive or other memory

     

    for that you need additional encryption on the stored files like Advanced Encryption Standard

     

    but if your computer has a virus (Any OS) then the minute you open the file or sooner if you have automatic decryption on the file system once your logged in then you data is exposed

     

    If you want to protect your computer or data, avoid auto login, use strong passwords (Mine are inexcess of 15 characters each and i have many different ones and there not simple words or birthdays or simple character substitutions either), dont have encrypted files that are automatically opened when you click on them without prompting for an additional password

     

    As a matter of interest, even SSL, TLS and HTTPS really does not fully protect you (The Client System) or the server if it is not using a mutual authentication where both ends have to assert credentials, but for most of us, this is enough

     

    So connecting windows to the internet is not an issue if you follow common sense. A linux system is just as vunerable if you have a poor, no or the default  password. Use the capabilities of your home router to only open the ports you need, strong passwords, no open shares to guest etc. all these rules apply no matter the OS.

     

    Rant over