Microsoft releases encryption tech for bioinformatics

Allows researchers to work on data securely.

Microsoft has released tools that allow bioinformatics researchers to work on genome data sets securely to protect privacy.

Genomic data is becoming available in increasing amounts as gene sequencing becomes easier, cheaper and faster, and is used for several new applications such as predicting the occurrence and survival of cardiovascular disease.

Hospitals, clinics, companies and other institutions are faced with handling large amounts of such data securely, to ensure the privacy of subjects, but this carries risks.

Storing the data in a cloud is one solution to handle large amounts of information, but this is subject to legal orders, data misuse, theft and insider attacks, a team of six Microsoft researchers said.

Homomorphic encryption can protect people’s sensitive genetic information and still allow researchers to work with the data.

The technique allows an unlimited number of two operations, addition and multiplication, on the scrambled material.

This means researchers are able to work on the data in encrypted form without having to decrypt it or have access to decryption keys.

Traditional encryption, in comparison, locks down data, making it impossible to use or compute on without decoding it first.

The Microsoft team of researchers have written a manual for how to use their homomorphic encryption solution, as a guide to using the technique for bioinformatics and genomic computations.

Along with the manual, Microsoft will also release the SEAL (simple encrypted arithmetic library) as a free download, to be used for experimentation and research purposes.

Apple’s Encryption Fight Turns To The UK

After a major victory in the United States, Apple is facing another threat to its encryption efforts on a different front: the United Kingdom.

The Cupertino-based tech giant typically shies away from taking firm stances on specific legislation and works through lobbying groups representing technology companies’ interests. Apple’s CEO Tim Cook today told students in Dublin that the company is opposed to a new British proposal that would require it to provide law enforcement with access to encrypted data.

Cook said creating a so-called backdoor for law enforcement would expose personal data to hackers.

“If you leave a back door in the software, there is no such thing as a back door for good guys only,” Cook said, according to Reuters. “If there is a back door, anyone can come in the back door.”

Cook’s statements have been backed up by privacy and technology experts. This summer, a group at MIT reported government limits on encryption would present risks.

Cook also said the British bill in its current form is vague. He said at the same event that it is not clear how Apple has to comply.

The British bill, known as the Investigatory Powers Bill, would make explicit in law for the first time that law enforcement can hack and bug computers and phones, and it obliges companies to help officials bypass encryption.

Apple began encrypting its smartphones by default in 2014 with the introduction of iOS 8. Law enforcement in the United States has rallied against the update, claiming it would prevent them from obtaining information key to solving investigations.

However the White House has said it will not take a firm stance against encryption. Though the debate has continued heavily in the Capitol Hill hearing rooms, the U.S. Congress has not proposed any legislative solutions to the encryption debate.

The danger of the U.K.’s current proposal does not lie just in the privacy and security risks it presents to British citizens, but in the global precedent such a law would set. If the U.K. passes a law that requires that law enforcement be able to access encrypted data with a warrant, what’s to stop China or Russia from passing a similar law?

Apple hasn’t backed down on encryption since this issue first bubbled up last year. Though it’s been able to hold its own in the debate over encryption, this is the first time it will have to fight a bill targeting this practice.

Snowden Never Told Us About Ransom Encryption

While Edward Snowden is the source behind the largest scandal on the internet, he sure didn’t warn us that hackers would put ransoms onto their spyware. A special ransomware virus was discovered which targets Linux-based systems specifically, and it’s telling us hackers are expanding to web browsers for their vicious attacks.

This specific malware, labeled Linux.Encoder.1, breaks all files and goes through specific directories, encrypting home directories, the MySQL server directory, logs, and Web directories of the Apache and Nginx web servers. It leaves a ransom note in every directory that contains encrypted files, and the files are next to impossible to recover without appropriate backups unless users pay the ransom.

This specific virus encrypts archives that contain the very word ‘backup’, so getting out of the pinch without paying the ransom is extremely difficult. The team behind the discovery urges users to keep active backups and make sure their information is as secure as possible. The team also revealed that it’s likely that the malware uses brute force guessing of remote access credentials or Web application exploits combined with local privilege escalations, and it probably gives Snowden himself a warm feeling in the heart.

It’s an interesting development in how we are willing to pay to keep our information secure. As anti-virus software continues to grow, perhaps ransoms will start getting more aggressive and more lethal. Could this have been something Snowden missed or failed to inform the world about?

Investigatory Powers Bill could allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp

The new Investigatory Powers Bill could ban WhatsApp and iMessage as they currently exist and lead to the weakening of security.

Introducing the Bill this week, Home Secretary Theresa May said that it didn’t include a controversial proposal to ban the encryption that ensures that messages can’t be read as they are sent between devices. But it does include rules that could allow the Government to force companies to create technology that allows those messages to be read, weakening encryption.

The Bill gives wide-ranging powers to the Home Secretary to force companies to make services that can be more easily read by intelligence agencies.

Section 189 of the law allows the Government to impose “obligations” on companies that provide telecommunications services. That can include “the removal of electronic protection”, as well as a range of others.

It isn’t clear how that law would be used in practice. But it could allow for the breaking of encryption so that messages can be read.

Some of those powers were already available. But the new legislation repeats them – despite the suggestion that the ban on encryption has been dropped – as well as strengthening some of the ways that Government can impose such obligations.

At the moment, services including WhatsApp and Apple’s iMessage use end-to-end encryption. That means that the phones that are sending each other messages use keys to ensure that nobody else – including WhatsApp and Apple themselves – can read messages.

When end-to-end encryption is used, it isn’t possible to set up a system so that it only allows for the breaking of messages from a specific phone, or of messages sent between two specific people. Instead, allowing for the viewing of just two messages would entail entirely re-engineering the system so that WhatsApp and Apple had the keys to unlock any message, sitting in the middle of all messages.

Technology companies are understood to be concerned about that setup, because if they are able to read through messages then the same system could be used by members of staff or hackers to read through the messages of all of a service’s users.

Earlier this year, a report from some of the world’s leading computer experts said that weakening encryption “will open doors through which criminals and malicious nation states can attack the very individuals law enforcement seeks to defend”.

“If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege,” the report argued.

Apparently partly in response to that criticism, the US Government has mostly walked back its attempts to weaken encryption.

New U.K. online surveillance proposal could have international reach

A new surveillance proposal in the United Kingdom is drawing criticism from privacy advocates and tech companies that say it gives the government far-reaching digital surveillance powers that will affect users outside the nation’s borders.

The Draft Investigatory Powers Bill released by British Home Secretary Theresa May Wednesday would force tech companies to build intercept capabilities into encrypted communications and require telecommunications companies to hold on to records of Web sites visited by citizens for 12 months so the government can access them, critics allege.

Policy changes are necessary to maintain security in a changing digital landscape, the government argued. “The means available to criminals, terrorists and hostile foreign states to co-ordinate, inspire and to execute their plans are evolving,” May wrote in a foreword to the bill. “Communications technologies that cross communications platforms and international borders increasingly allow those who would do us harm the opportunity to evade detection.”

The bill has some new judicial oversight mechanisms, but the response from privacy advocates was largely negative, with some arguing that those changes aren’t enough to compensate for the expanse of new powers.

“The law would apply to all companies doing business with the UK, which includes basically all companies that operate over the internet,” said Nathan White, senior legislative manager at digital rights group Access. “This means that even wholly domestic encrypted communications in the United States, France, or South Africa would be put at risk.”

Some tech companies themselves also raised alarm bells. “Many aspects of the draft Bill would directly impact internet users not just in the UK, but also beyond British borders,” Yahoo said in a blog post. “Of most concern to us at this stage is the UK Government’s proposal to affirm extraterritorial jurisdiction over foreign service providers.”

The U.K. government says some of the controversial aspects of the draft, including the requirement to unlock encrypted communications, date back to laws already on the books and it replaces a patchwork of powers which go back to the early days of the Web. However, while a Code of Conduct for Interception Capabilities released by the British government earlier this year said communications companies were required to maintain a “permanent interception capability,” it made no mention of decrypting such content.

Privacy advocates say the government is reinterpreting earlier laws in problematic ways. “This is a major change” that would effectively outlaw end-to-end encryption, a form of digital security where only the sender and the recipient of a message can unlock it, White said.

In meetings before the draft was released, the government pressed at least one tech company to build in backdoors into encrypted communications, according to a person familiar with the issue who requested anonymity because he was not authorized to comment on the issue.

Apple’s iMessage system uses end-to-end encryption as do an increasing number of standalone messaging and calling apps including Signal. If the proposal becomes law, critics warn, such services may be forced to alter their systems to include such “backdoors” to allow the government to access encrypted content — something encryption experts say would undermine security by making the underlying code more complex and giving hackers something new to target — or exit the market. Apple declined to comment on the bill, but chief executive Tim Cook has been a vocal opponent of government-mandated backdoors in the past.

Encryption was at the heart of a U.S. policy debate over the last year. The dialogue was triggered when Apple moved to automatically protect iOS devices with encryption so secure the company itself cannot unlock data stored on an iPhone even if faced with a warrant, assuming that a user turns off automatic back-ups to the company’s servers.

Some law enforcement officials warn that criminals and terrorists are “going dark” due to such technology. But the Obama administration decided not to press for a legislative mandate that would require companies to build ways to access such content into their products, although it has not yet come out with a full policy position on the issue.

Critics argue that has led to ambiguity which emboldened British officials. “This draft proposal from the U.K. government demonstrates the lack of leadership on encryption policy from the Obama Administration” and could lead to similar proposals in other parts of the world, said White.

If one country is able to force companies to unlock encrypted data it will be hard to fend off such requests from others including China and Russia, some inside tech companies fear.

When asked about the British proposal by The Post, National Security Council spokesperson Mark Stroh declined to weigh in. “We’d refer you to the British government on draft British legislation,” he said via e-mail.

This Snowden-Approved Encrypted-Communication App Is Coming to Android

Since it first appeared in Apple’s App Store last year, the free encrypted calling and texting app Signal has become the darling of the privacy community, recommended—and apparently used daily—by no less than Edward Snowden himself. Now its creator is bringing that same form of ultra-simple smartphone encryption to Android.

On Monday the privacy-focused nonprofit software group Open Whisper Systems announced the release of Signal for Android, the first version of its combined calling and texting encryption app to hit Google’s Play store. It’s not actually the first time Open Whisper Systems has enabled those features on Android phones; Open Whisper Systems launched an encrypted voice app called RedPhone and an encrypted texting program called TextSecure for Android back in 2010. But now the two have been combined into Signal’s single, simple app, just as they are on the iPhone. “Mostly this was just about complexity. It’s easier to get people to install one app than two,” says Moxie Marlinspike, Open Whisper Systems’ founder. “We’re taking some existing things and merging them together to make the experience a little nicer.”

That streamlining of RedPhone and TextSecure into a single app, in other words, doesn’t actually make Open Whisper Systems’ encryption tools available to anyone who couldn’t already access them. But it does represent a milestone in those privacy programs’ idiot-proof interface, which in Signal is just as straightforward as normal calling and texting. As Marlinspike noted when he spoke to Wired about Signal’s initial release last year, that usability is just as important to him as the strength of Signal’s privacy protections. “In many ways the crypto is the easy part,” Marlinspike said at the time. “The hard part is developing a product that people are actually going to use and want to use. That’s where most of our effort goes.”

Open Whisper Systems’ encryption tools already have a wide footprint: According to Google Play’s stats, TextSecure had been downloaded to at least a million Android phones, all of which will now receive the Signal app in a coming update. Since 2013, TextSecure has also been integrated by default in the popular CyanogenMod version of Android. And last year WhatsApp gave it an enormous boost by integrating it by default into its Android app for Android-to-Android communications—a move that put Open Whisper Systems’ code on at least a half-billion Android users’ devices.

The security of those apps has been widely applauded by cryptographers who have audited them: As Johns Hopkins professor Matthew Green wrote in a 2013 blog post, “After reading Moxie’s RedPhone code the first time, I literally discovered a line of drool running down my face. It’s really nice.”

Open Whisper Systems, which is funded by a combination of personal donations and grants from groups like the U.S. government’s Open Technology Fund, likely doesn’t enjoy the same popularity among law enforcement agencies. FBI Director James Comey has repeatedly warned Congress over the last year of the dangers of consumer encryption programs, and British Prime Minister David Cameron even threatened to ban WhatsApp this summer based on its use of TextSecure.

All of that enmity has only bolstered Signal’s reputation within the privacy community—an affection that’s now been extended to its new Android app, too. “Every time someone downloads Signal and makes their first encrypted call, FBI Director Jim Comey cries,” wrote American Civil Liberties Union lead technologist Chris Soghoian on Twitter. “True fact.”

New UK laws ban unbreakable encryption for internet and social media companies

Companies such as Apple and Google will be banned from offering unbreakable encryption under new UK laws.

Under the laws, set to be unveiled on Wednesday (November 4), internet and social media companies will no longer be able to provide encryption so advanced that they cannot decipher it, according to The Daily Telegraph.

It will see tech firms and service providers required to provide unencrypted communications to the police or spy agencies if requested through a warrant, and comes as David Cameron urged the public and MPs to back his new surveillance measures.

On ITV’s This Morning earlier today (November 2), the Prime Minister argued that terrorists, paedophiles and criminals must not be allowed to communicate secretly online.

“We shouldn’t allow the internet to be a safe space for them to communicate and do bad things,” he outlined.

Measures in the Investigatory Powers Bill will place a duty on companies to be able to access their customer data in law, and are also expected to maintain the current responsibility for signing off requests with the Home Secretary, but with extra judicial oversight.

The bill will also require internet companies to retain the browsing history of their customers for up to a year.

Oracle hardwires encryption and SQL hastening algorithms into Sparc M7 silicon

Oracle execs used the final keynote of this week’s OpenWorld to praise their Sparc M7 processor’s ability to accelerate encryption and some SQL queries in hardware.

On Wednesday, John Fowler, veep of systems at Oracle, said the M7 microprocessor and its built-in coprocessors that speed up crypto algorithms and database requests stood apart from the generic Intel x86 servers swelling today’s data center racks.

“I don’t believe that the million-server data center powered by a hydroelectric dam is the scalable future of enterprise computing,” Fowler said. “We’ll need to keep doing it, but we also need to invest in new technology so you all don’t have to build them.”

He told the crowd that Oracle has spent the past five years working out how to build a chip that can handle some SQL database queries in hardware, offloading the job from the main processor cores.

The new Sparc has eight in-memory database acceleration engines that are capable of blitzing through up to 170 billion rows per second, apparently. The acceleration is limited by the memory subsystem, which tops out at 160GB/s. Each of the eight engines has four pipelines, which adds up to 32 processing units.

According to Oracle, an acceleration engine can read in chunks of compressed columnar databases, evaluate a query on those columns while decompressing the information, and then spit out the result. While powerful, these engines are tiny and account for less than one per cent of the M7 chip’s acreage, Fowler said.

Essentially, the hardware is tuned for performing analytics at high-speed on in-memory columnar databases. Decompression is more important than compression for handling information fast, Fowler said, and the decision to build in specific hardware to handle it all makes the M7 very speedy. Very speedy at running Oracle Database, anyway.

To access these engines, you need to use an Oracle software library that abstracts away the specifics of the hardware: the library queues up SQL queries for the coprocessors to process, much like firing graphics commands into a GPU. Naturally, Oracle Database takes advantage of this library.

Oracle has taken the same hardware approach to encryption, too. Inside the M7 are accelerators capable of running 15 crypto algorithms, including AES and Diffie-Hellman, although at least two of these – DES and SHA-1 – are considered to be broken by now. Hardware accelerated crypto is standard issue now in today’s microprocessors, from Intel and AMD CPUs to ARM-compatible system-on-chips.

As a result of these accelerators, the M7 chip is 4.5 times as fast as IBM’s Power8 processors, Fowler claimed, and in Oracle systems the processor handled encrypted data only 2.8 per cent more slowly than the same data unencrypted. The cryptographic capabilities of the chip don’t just work for Oracle code, Fowler said, but also in third-party Solaris applications.

“We’ve picked up the pace of silicon development,” he concluded. “This is our sixth processor in five years, with many more to come.”

Timothy Prickett Morgan, co-editor of our sister site The Platform, said the M7 has 10 billion 20nm transistor gates, and its database analytics engines are available to any programs running on Solaris.

“The Sparc M7 processors made their debut at the Hot Chips conference in 2014, and it is one of the biggest, baddest server chips on the market,” Prickett Morgan added in his in-depth analysis on Wednesday.

“And with the two generations of ‘Bixby’ interconnects that Oracle has cooked up to create ever-larger shared memory systems, Oracle could put some very big iron with a very large footprint into the field, although it has yet to push those interconnects to their limits.”

Biometric data becomes the encryption key in Fujitsu system

Fujitsu says it has developed software that uses biometric data directly as the basis for encryption and decryption of data, simplifying and strengthening security systems that rely on biometrics such as fingerprints, retina scans and palm vein scans.

Current security systems that rely on encryption require the management of encryption keys, which are stored on secure smartcards or directly on PCs. Biometric scans can be used as a way of authenticating the user and providing access to those encryption keys in order to decrypt data.

Fujitsu’s system uses elements extracted from the biometric scan itself as a part of a procedure to encrypt the data, making the biometric scan an integral part of the encryption system and removing the need for encryption keys.

That has two big benefits, according to the company.

The lack of encryption keys means there’s no need for smartcards and hackers won’t have anything to find should they break into a network.

The second major benefit comes from biometric data use with cloud services. With current systems, a user’s biometric data is potentially vulnerable as it’s sent over the Internet to allow log-in to a service. Because Fujitsu’s new system uses random numbers to convert the biometric data as part of the encryption and decryption process, unconverted data is not transmitted over a network.

The procedure employs error correction to smooth out slight differences in successive biometric scans that are the result of variations in a user’s position or motion when the scan is taken.

At present, the system has been developed to work with palm vein authentication, a technology that Fujitsu has spent years developing and has already deployed on systems like bank ATMs in Japan. But the company said it could readily be adapted to work with other biometric data such as fingerprints or retina scans.

The software was developed by Fujitsu Laboratories and two Japanese universities, Kyushu University and Saitama University, and is being presented this week at the 8th International Symposium on Foundations and Practice of Security in Clermont-Ferrand, France.
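The article names two ingredients, random numbers combined with the scan and error correction to absorb scan-to-scan differences, but does not describe Fujitsu's algorithm. The sketch below is an added example of a well-known construction built from those same two ingredients, a fuzzy commitment with a repetition code; it is not Fujitsu's code, and the 80-bit template, the flipped bit positions and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

REP = 5  # each key bit is repeated 5 times, so 2 flipped bits per block are corrected

# Constructed 80-bit stand-in for the features extracted from a scan.
TEMPLATE = [(i * 7 + i // 3) % 2 for i in range(80)]


def encode(key_bits):
    """Repetition code: the error-correcting codeword for a key."""
    return [b for b in key_bits for _ in range(REP)]


def decode(code_bits):
    """Majority vote per block of REP bits."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def digest(bits):
    return hashlib.sha256(bytes(bits)).digest()


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def enroll(template_bits):
    """Bind a fresh random key to the template.

    Only (helper, key digest) is stored or sent; the raw template and the key
    are discarded. With a non-uniform template the helper leaks some
    information, which production schemes must account for.
    """
    key = [secrets.randbelow(2) for _ in range(len(template_bits) // REP)]
    helper = xor(encode(key), template_bits)
    return helper, digest(key)


def recover(helper, key_digest, scan_bits):
    """Recover the key from a fresh scan, or None if the scan is too different."""
    candidate = decode(xor(helper, scan_bits))
    if hmac.compare_digest(digest(candidate), key_digest):
        return candidate  # would feed a KDF to derive the data-encryption key
    return None


def demo():
    helper, key_digest = enroll(TEMPLATE)
    key = recover(helper, key_digest, TEMPLATE)

    # Same user, slightly different scan: at most 2 flips in any 5-bit block.
    noisy = flip(TEMPLATE, [3, 4, 17, 42, 43, 79])
    same_user_ok = recover(helper, key_digest, noisy) == key

    # Three flips in one block exceed what the code can correct.
    too_noisy_rejected = recover(helper, key_digest, flip(TEMPLATE, [0, 1, 2])) is None

    # A different person's scan (constructed: first half inverted).
    impostor_rejected = recover(helper, key_digest, flip(TEMPLATE, range(40))) is None

    return same_user_ok, too_noisy_rejected, impostor_rejected


if __name__ == "__main__":
    print(demo())
```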

Tech Companies and Civil Liberties Groups Force Obama To Weigh In On Encryption Debate

President Obama will now be forced to publicly describe the extent of his commitment to protecting strong encryption, after nearly 50 major technology companies, human rights groups, and civil liberties collectives—including Twitter, the ACLU, and Reddit — succeeded in getting over 100,000 signatures on a White House petition on Tuesday.

The government’s “We the People” platform, created in 2011, was designed as “a clear and easy way for the American people to petition their government.” Once a petition gains 100,000 signatures, it is guaranteed a response.

The savecrypto.org petition demands that Obama “publicly affirm your support for strong encryption” and “reject any law, policy, or mandate that would undermine our security.”

FBI director James Comey has been preaching about the dangers of end-to-end encryption for the past year, saying it blocks law enforcement from monitoring communications involving criminals and terrorists. He’s asked for special access into encrypted communications — a “back door” or “front door.”

However, technologists and privacy advocates insist that any hole in encryption for law enforcement can be exploited by hackers.

Comey testified earlier this month before the Senate Homeland Security and Governmental Affairs Committee that the White House was not seeking legislation to force companies to build backdoors into their products—at least not yet.

However, top intelligence community lawyer Robert S. Litt wrote in a leaked e-mail obtained by the Washington Post that public opinion could change “in the event of a terrorist attack or criminal event” where encryption stopped law enforcement from detecting the threat. He recommended “keeping our options open for such a situation.”

Now, the White House will have to speak for itself.

“More than 100,000 users have now spoken up to ask the Administration to make a strong statement in support of data security – no back doors, no golden keys, no exceptional access,” said Amie Stepanovich, the U.S. Policy Manager for digital rights group Access Now, one of the founding organizations of the petition along with the Electronic Frontier Foundation. “We thank those who have stood with us and look forward to President Obama’s response.”