September 2015 – DoGoodSoft's Official Blog

CHK File Recovery Has Been Updated to Version 1.09

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way, which has been updated to version 1.09 recently. In this new version, we fixed a bug which disabled to identify one file type, also we added one recoverable file type.

Change Log of CHK File Recovery 1.09:

File Name: CHK File Recovery

Version: 1.09

File Size: 2.64MB

Category: CHK File Recovery Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Sept.30, 2015

Download Address: http://www.dogoodsoft.com/chk-file-recovery/free-download.html

What’s New in This Version:

* Improved the accuracy of judgement on Office file types.

+ Added 55 recoverable file types.

Why Choose CHK File Recovery:

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way. CHK File Recovery can accurately and quickly recover more than 180 common file types, such as mp3, mp4, jpg, bmp, gif, png, avi, rm, mov, mpg, wma, wmv, doc, docx, xls, xlsx, ppt, pptx, zip, rar, exe, dll, sql, mdb, psd.

CHK File Recovery can determine file type automatically by default. However, for file types that cannot be recognized automatically, manual identification is used to confirm file type, which can check the content of an unknown file through 4 methods and recover it afterwards.

The interface of CHK File Recovery is simple and clear. It is easy to use. You only need to select a drive and click Search, then CHK File Recovery starts to scan the whole drive automatically. Afterwards, the CHK files found are shown in the list at the left of the application by their original file type. Besides, you can choose to search and scan a folder you specify.

National Encryption Policy: Not just privacy, but also feasibility and security are at risk

Encryption is an important aspect which governs not just the communications but also the storage. When data is in motion there are some methods/ protocols which facilitate end-to-end encryption:

1. VPN

2. Remote Server Connectivity viz. RDP, SSH

3. Internet based Voice/ Messaging Communications

4. email communication

5. Communications between Wearables and their Host devices

6. Web-Services providing encryption services viz. Etherpad, Gist

However, when it concerns data at rest ie. data stored on the disk, there are numerous scenarios which fall under the purview of encryption:

1. On the Fly Disk Encryption which may also include the entire OS

2. Password protection of files

3. email Message Encryption

4. Full disk-encryption by Smartphones

Recently, Government of India released its version of Draft for National Encryption Policy and within 24 hours of releasing it, they have withdrawn it, however with a promise the policy will be re-drafted and re-released.

In these 24 hours, all those involved in IT security of the Indian Internet Security forum took up the cause of protecting user privacy, reprimanding the government for ill conceived draft of National Encryption Policy. Their efforts resulted in forcing the government to revoke the draft proposal and contemplate on a better proposal.

According to the draft, B2B/ B2C and C2B, sector shall use encryption algorithms and key sizes as prescribed by the government, moreover, according to the draft:

“On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/ hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/ organization/ agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”

Furthermore, the draft also issued guidelines for communication with foreign entity, “the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.”

The draft policy requires service providers whether irrespective of their country of origin to enter into an agreement with the Government of India and the consumers of these services (Government/ Business/ Citizens) are expected to provide the pain-text/encrypted datasets.

The question is not why, but how would it be technically feasible for a customer to maintain this information, given the fact that encryption was used to secure the data from rogue entities. Storing anything in plain-text for any amount of period, defeats the entire purpose of using encryption except with a solace that the channel used for transmission of data is secured. The draft has set very high and impossible to achieve expectations from every citizen and organization, irrespective of their field of expertise to have knowledge about the internal working of these third party applications, also at the same time they are expected to have knowledge about maintaining the two different data-sets.

Furthermore, the draft also requires anything that has been encrypted by an individual be it his personal documents or communication between two individuals, which interestingly is considered to be a private affair by the rest of the world, to be made available for scrutiny as and when demanded.

Expecting a consumer of various services, irrespective of the fact whether the consumer is an organization or an individual, to understand the internal functionality of each and every service / software and take a conscious decision of maintaining the two separate data-sets is simply not feasible and virtually impossible.

Even though a clarification was issued by the government that

The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc.
SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India
SSL/TLS encryption products being used for e-commerce and password based transactions.

It still raises quite a few eyebrows especially about the intention of the drafting of this National Encryption Policy. Not just the privacy, but also the feasibility and the security are at risk.

The argument until now was about data which resides on your disk, and using these very standards what can we say about the encrypted communication channels/ services? One word summarizes it all “Impossible”. Over the network encryption like VPN/ SSH or to put it simply cloud based services be it of any-type, which lately have made inroads into our lives would be rendered useless and their very existence in India is at risk, not just because it would have been mandatory for all of them to enter into an agreement with the Government of India, but the consumers of these services will also have to maintain a separate copy of the content.

Applications and Service providers who provide Secure Messaging ie, encrypting the voice channels or self-destructing messages, in order to provide better privacy and discourage eavesdropping, would in all probability get banned or might have to remove these features so as to cater to Indian audience. Over and above, how do the policy-makers expect the consumers to comply?

What happens when a person from a different country uses these services in India? Wouldn’t this person be violating the Indian Law and in all probability be considered a criminal?

The draft also requires all the stakeholders to use Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits.

Way back in 2011 when Microsoft Researchers discovered a way to break AES based encryption, Triple DES is considered weak, while RC4 is simply not acceptable as an encryption algorithm to any organization. These are age-old encryption algorithms and are never/rarely considered when organizations are drawing up their own encryption policies.

In this age of competition, organizations have their own trade secrets to be guarded, not just from competitors but also from rogue governments. A weakened encryption schema and mandatory storage of encrypted data in its plain text form is nothing less than committing a Harakiri for these organizations. Moreover, by way of an agreement that draft expects the software/ hardware vendors to comply with these encryption restrictions, thereby weakening the overall security of India’s IT infrastructure.

National Encryption Policy should be about setting up of minimum encryption standards for data protection, penalization organizations and institutions for not implementing high encryption standards and protecting the data from pilferage and leakage.

Encryption policy has always had a direct impact on the privacy of an individual and when it used by corporations/ organization, it affects their business/ trade secrets; hence Government should also consider thinking about the various means and ways of implementing/ strengthening the non-existent privacy laws.

As we have been promised that the policy would be re-drafted, let us keep our fingers crossed and hope that better sense prevails.

Data encryption policy blamed on lack of talent, key changes: Report

The whole draft encryption policy episode has left netizens with a bitter-sweet taste. And now, the blame game has begun.

Soon after the government retracted the policy and said it was simply wrongly worded which led to the confusion, it has blamed a junior scientist for the fiasco. An official now told The Economic Times that ‘you think anything in the government moves without due procedure? All I can tell you is that all rules and regulations were followed.’

The report adds that some officials said that the junior officer didn’t seek advice of higher-ups while some other said they were out of the country.

Citing an official of a Big Four consultancy firm who didn’t want to reveal his identity, the report adds that DeitY has undergone several changes and this could have affected the function and decision making.

Director general of the National Informatics Centre (NIC) responsible to manage the technology of the entire government machinery has been vacant for more than a year now. However, a senior officer said there are many competent people who can take on additional responsibilities.

The government had released a draft encryption policy aimed at keeping a tab on the use of technology by specifying algorithms and length of encryption keys used by ‘all’. It wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text which should be presented before the law enforcement agencies whenever asked to. Moreover, failing to do so would mean legal action as per the laws of the country.

After a huge outcry, the government put out an addendum clarifying the exempted products such as social media sites including WhatsApp, Facebook and Twitter; payment gateways; e-commerce and password based transactions and more from the draft policy. The outcry finally led the government to withdraw the draft policy.

Draft encryption policy: Frequent changes in key positions & talent crunch in DeitY led to the debacle

As the blame game for the fiasco created by the draft National Encryption Policy plays out, experts are asking if frequent changes in key positions and a talent crunch in the Department of Electronics and Information Technology (DeitY) led to the debacle.

After the government held a junior scientist responsible, officers in the department are now pointing fingers at each other, while maintaining all along that due procedure was followed.

“You think anything in the government moves without due procedure? All I can tell you is that all rules and regulations were followed,” said an official who requested anonymity. The draft policy, which proposed that social media text messages be stored for scrutiny by the government, was withdrawn after a public outcry.

Another set of officials alleged that the junior officer did not seek the advice of higher-ups before making the policy public. Some officials said they were out of the country when the policy was released online and others said they were not involved in framing it, laying the blame squarely on the junior official.

The episode has led experts to ask whether organisational instability in DeitY over the past few months led to the embarrassment. The department, which is part of the Ministry of Communications and IT, has the mandate of running the government’s ambitious Digital India project. However, several key posts have been lying vacant for many months. DeitY has also seen several changes, including that of the secretary, additional secretary and joint secretary, over the last one month.

“Unfortunately, DeitY has gone through a number of changes very frequently. Every change affects function and decision making,” said an official of a Big Four consultancy firm, who requested not to be identified.

While the position of the director general of the National Informatics Centre (NIC), which manages technology of the entire government machinery, has been lying vacant for over a year, the key post of director general of the Computer Emergency Response Team (CERT) has not been filled after Gulshan Rai was appointed national cyber security chief under the PMO in March.

CERT is responsible for warding off and fighting cyber attacks. While ministry officials have been given additional ge of these positions, it may be adding to instability and workloads. Nodal officer for the encryption policy is supposed to be the group coordinator for cyber law — but there is confusion in the ministry on who holds that post after Rai moved to the PMO.

Even the National e-Governance Division and the Controller of Certifying Authorities are being run by acting chiefs for months now. Appointments to the position of additional secretary (egovernance) and joint secretary (electronics) are also awaited.

“Though vacancies and frequent changes are routine in the government, the secretary, additional secretary and joint secretary, all in charge of the same function – e-governance – should not have been changed at the same time, especially with all the focus on Digital India,” said another technology consultant. The person added that because of these vacancies, several key initiatives such as restructuring of NIC have been stuck.

Ministry officials, while conceding that there are vacancies, countered by saying that business in the government never stops. “There are lots of competent people in the department to take on additional responsibilities,” said a senior official of the department.

The first consultancy official said there is a vacuum in the department in terms of the second rung of leadership.

Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad

The government has blamed a junior official – a scientist — for the encryption policy fiasco, saying he was responsible for the poor and confusing wording of the document and failed to seek advice from his higher ups before making it public.

Several officials in the communications and IT Ministry that ET spoke to admitted that the timing of the release of the draft policy – just before Prime Minister Narendra Modi’s US visit — couldn’t have been worse, prompting its immediate withdrawal.

Speaking exclusively to ET, telecom minister Ravi Shankar Prasad, however, blamed poor wording for directing withdrawal of the policy, which gave an impression that subscribers could become legally liable to store messages exchanged throug WhatsApp, Facebook and Google among other social media platforms for up-to 90 days, and produce them before authorities if asked. The intent of the government was to make the social media and messaging companies liable to store information for the 90 day period.

“I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,” Prasad said. “There was a misuse of word ‘users’ in the draft policy, for which the concerned officer has been taken to task.”

He explained that the wrong use of the phrase ‘users of encryption’ instead of ‘creators of encryption’ had led to all the confusion. Prasad added that the ‘scientist’, who was part of the expert committee under the Department of Information and Technology (Dei-TY), was responsible for the confusion. The expert panel had been tasked with framing of a national policy on ‘encryption’ which is crucial for the national policy on cyber security.

Internally, senior officials in the ministry admitted the timing of the draft policy release was all wrong with Modi set to travel to the US and meet, among others, Facebook CEO Mark Zuckerberg and other tech giants as well as many from the Indian diaspora.

“This is bad timing for sure. Modi would have surely have faced very uncomfortable questions at what is expected to be very high profile visit,” one of the officials told ET. Another official said the official tasked with coordinating and putting the policy together should have shown either the joint secretary, secretary or someone in the minister’s office before releasing it for public consultation. “This is the basics, especially for something which could be controversial.

But it was messed up,” he said, adding that reworking the policy and putting it in the public domain could take around three weeks.

The government Tuesday was forced to withdraw the controversial ‘draft encryption policy’ just over 12 hours after making it public after it came under severe criticism, especially on social media, for its move to make individuals legally bound to retain personal chats/messages on social networking sites for 90 days and provide to law authorities, if asked.

The draft policy was met with severe criticism, citing invasion of privacy, forcing DeiTY to clarify within a few hours on Monday that chats on popular social networking sites like Whatsapp and Facebook were exempted. And Tuesday it withdrew it in its entirety.

Prasad urged citizens not to misunderstand the policy. “Firstly this is a draft policy not the final policy and we have sought the comments of all stakeholders. There has always been a need for a policy on encryption given the spurt in online transactions through net banking, ecommerce, and so on,” Prasad said.

“However, no attempt will ever be made to jeopardize the rights of netizens and this government’s commitment to social media and the rights of netizens is unwavering,” he added. Dismissing speculation that the government had withdrawn the policy owing to severe media backlash or political pressure, Prasad said the country needed a robust encryption policy for security reasons.

One of the officials cited above said that the essence of the reworked draft policy will remain same, but it will be reworded. “The final policy could also require the companies to set up servers in India,” he added.

According to sources, the Intelligence Bureau (IB) had demanded that government make it mandatory for all the companies to make keep data for up-to one year, but the ministry of communications and IT had brought it down to just 90 days.

The policy seeks to bring all creators of ‘encryption codes’ to register with the government. Secondly the department of IT will from time to time notify standardized algorithms which could be used by companies. “We will only standardize the algorithms based on global practices, the formula of encryption codes will remain with the creators only,” the official said.

At present, an internet service provider licence allows for encryption of only up-to 40 bits but banks, e-commerce companies and communication services use much higher levels of encryption codes.

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

The government issued an addendum to clarify that “mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.” While that language is vague in itself, you can rest easy without needing to worry about having to store your WhatsApp messages for 90 days. The original text continues below.

The DeitY has posted a draft National Encryption Policy on its website inviting comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to akrishnan@deity.gov.in, until 16th October 2015. A lot of the details mentioned in the draft guidelines are worrying, and this is a topic that concerns every consumer.

While the draft encryption policy’s preamble starts by talking about improving e-governance and e-commerce through better security and privacy measures, it very quickly brings up national security as well, and that’s where things get worrying from a consumer’s perspective. It’s very reminiscent of when the Indian government was thinking about banning BBM in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two would eventually reach an arrangement that allowed the government to intercept email.

The language of the new draft policy is quite clear on one thing – businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. What’s more, vendors of encryption products would have to register in India (with the exception of mass use products, such as SSL), and citizens are allowed to use only the products registered in India.

“Would OpenPGP, a commonly-used standard for encryption of email, fall under ‘mass use’?” asks Pranesh Prakash, Policy Director at the Centre for Internet and Society, speaking to Gadgets 360. “Because if it doesn’t, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?”

Most people don’t explicitly use encryption, but it’s built into apps they use every day. Do the draft guidelines also extend to products and services with built-in encryption like WhatsApp? If yes – and the language certainly suggests it does – then combine them with governments requirements for its citizens, as proposed in the draft guidelines, and we could have very worrying scenarios.

The draft guidelines read “All citizens (C), including personnel of Government/ Business (G/B) performing non-official/ personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”

WhatsApp messages are now encrypted end-to-end. So do the draft guidelines mean you have to store a copy of all your WhatsApp messages for 90 days? What about Snapchat? Or any other form of ephemeral messaging that is automatically deleted after being read? The consumer is expected to maintain plain text copies of all communications for 90 days – so that these can be produced if required by the laws of the land – so, will it even legal to read a message that deletes itself, if and when the draft guidelines become law?

The draft policy document states that the vision is to create an information security environment, and secure transactions. But the actual details mentioned in the draft appear to do the opposite, and put a focus more on the lines of limiting encryption only to technologies that likely could be intercepted by the government, when required.

This is in many ways similar to the Telecom Regulatory Authority of India’s draft letter on Net Neutrality, which instead talked about issues like cyberbullying and ‘sexting’. In the feedback period, Trai received over 1 million emails. but the Department of Telecom report on Net Neutrality also went against public sentiment on certain things, suggesting that telcos should be allowed to charge extra for specific services, such as Skype or WhatsApp voice calls in India, showing that calls for feedback aren’t necessarily being taken seriously.

And, with the draft National Encryption Policy, another problem that is shared with the Net Neutrality discussions, is the use of vague language. The result is that there is very little clarity at this point on what will and will not be permitted by the government if the draft guidelines are adopted. We’re living in a time when the government talks about how WhatsApp and Gmail may be used by “anti-national elements”, and even considered requiring Twitter and Facebook to establish servers in India.

With that in mind, you have to ask, will it be even legal to use WhatsApp if these guidelines are implemented? After all, WhatsApp messages have end-to-end encryption and if this service does not register in India, and comply with the algorithms prescribed by the government, then as a citizen of India, you won’t be allowed to use it because “users in India are allowed to use only the products registered in India,” as per the draft guidelines.

These are questions that don’t just affect a few people, but just about every Indian who is using the mobile Internet. In its present form, the draft actually severely limits what you can do online, and could hobble the push for a digital India. There’s almost a full month to give our feedback, but is anyone listening?

Best Disk Lock Has Been Updated to Version 2.60

Best Disk Lock, which can completely hide the disk partitions, has been updated to the version 2.60. In this new version, we have improved the stability of disk advanced-lock, added the judgement for the disks unsuitable for lock when locking disks, also fixed a BUG that an error occurred in software uninstallation.

Change Log of Best Disk Lock 2.60:

File Name: Best Disk Lock

Version: 2.60

File Size: 3.38MB

Category: System Security Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Sept.21, 2015

Download Address: http://www.dogoodsoft.com/best-disk-lock/free-download.html

What’s New in This Version:

* Improved the stability for disk advanced-lock.

+ Added the judgement for the disks unsuitable for lock when locking disks.

– Fixed a BUG that an error occurred in software uninstallation.

Why Choose Best Disk Lock:

Best Disk Lock is a powerful utility that can completely hide disk partitions and CD-ROM drives on your PC, and disable USB storage devices or set them as read-only. A hidden partition cannot be found in any environment by anyone else, so the security and confidentiality of your data on this partition can be ensured.

Experts pick big holes in India’s encryption policy

India’s proposed encryption policy has come under heavy fire with internet experts and online activists alleging that it provides blanket backdoors to law enforcement agencies to access user data, which could be abused by hackers and spies.

The Department of Electronics and Information Technology ( DeitY) has asked for public comments on the ‘Draft National Encryption Policy’ on its website until October 16. The stated mission of the policy on encryption -or, the practice of scrambling data to make it unintelligible for even the service providers -is to “provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, (and) ensuring continuing reliability and integrity of nationally critical information systems and networks”.

However, almost all the experts ET spoke to, while agreeing that a policy for encryption is a welcome move, felt that the policy document in its current form is not well thought-out and makes suggestions that could harm businesses and individuals, and thwart research and development in the field of encryption. The most contentious provision in the draft policy document is perhaps the one requiring businesses and individuals to keep a plain text copy of the data they encrypt for storage and communication, for 90 days, and make it available to law enforcement agencies “as and when demanded in line with the provisions of the laws of the country”.

“The mission of the policy is to promote national security and in crease confidentiality of information, but it specifically excludes `sensitive departmentsagencies’, which most need such protection.The content of the policy shows why they have been excluded: the policy, in fact, decreases security and confidentiality of information,” said Pranesh Prakash, policy director at the Centre for Internet and Society. “If our emails, for example, are required to be kept in plain text rather than in encrypted form, then that makes it easier for hackers and foreign agencies to spy on our government, businesses, and on all Indian citizens,” he said.

Raman Jit Chima, policy director at digital rights organisation Access, said that instead of promoting the use of encryption, the policy draft “appears to seek to heavily regulate encryption and the rules it proposes will likely impede its usage by Indian developers and startups”. “By trying to restrict and weaken the everyday usage of encryption in order to facilitate tapping demands, the everyday communications of all Indians will likely become less secure,” Chima said.

The policy seeks to promote R&D in the field of cryptography by public and private companies, government agencies and academia, but it requires all vendors of encryption products to register their products with the government and re-register when their products are upgraded.

Arun Mohan Sukumar, cyber initiative head at Observer Research Foundation, said, “The government has finally realised the need to protect its communications infrastructure from cyber intrusions. But creating a `license raj’ of encrypted products and services, as this draft policy aims to, will only stunt cyber security research.”

Obama edges toward full support for encryption

President Obama recently called on the best minds in government, the tech sector and academia to help develop a policy consensus around “strong encryption” — powerful technologies that can thwart hackers and provide a profound new level of cybersecurity, but also put data beyond the reach of court-approved subpoenas.

From Obama on down, government officials stressed that they are not asking the technology sector to build “back doors” that would allow law enforcement and intelligence agencies to obtain communications in the event of criminal or terrorist acts.

That prospect drew an extremely negative reaction from the techies — and is still chilling the government-industry dialogue over the issue.

Instead, the government is saying that tech and communications companies themselves should have some way to unlock encrypted messages if law enforcement shows up with a subpoena.

Access to such messages could, in theory, be vital in real-time crises. Skeptical lawmakers have said federal officials have offered no empirical data suggesting this has been a problem.

“One of the big issues … that we’re focused on, is this encryption issue,” Obama said during a Sept. 16 appearance before the Business Roundtable. “And there is a legitimate tension around this issue.”

Obama explained: “On the one hand, the stronger the encryption, the better we can potentially protect our data. And so there’s an argument that says we want to turbocharge our encryption so that nobody can crack it.”

But it wasn’t as simple as that.

“On the other hand,” Obama said, “if you have encryption that doesn’t have any way to get in there, we are now empowering ISIL, child pornographers, others to essentially be able to operate within a black box in ways that we’ve never experienced before during the telecommunications age. And I’m not talking, by the way, about some of the controversies around [National Security Agency surveillance]; I’m talking about the traditional FBI going to a judge, getting a warrant, showing probable cause, but still can’t get in.”

According to the president, law enforcement, the tech community and others are engaged in “a process … to see if we can square the circle here and reconcile the need for greater and greater encryption and the legitimate needs of national security and law enforcement.”

Obama summed up: “And I won’t say that we’ve cracked the code yet, but we’ve got some of the smartest folks not just in government but also in the private sector working together to try to resolve it. And what’s interesting is even in the private sector, even in the tech community, people are on different sides of this thing.”

However, the tech sector, writ large, has shown little interest in negotiating over strong encryption.

After a recent hearing of the House Intelligence Committee, Rep. Adam Schiff, D-Calif., said technology companies want the government to spell out what it wants, and that techies simply will not craft a policy in an area that should be free from government interference.

Tech companies are deeply concerned that American-made products will be seen in the global marketplace as tainted if they reach some kind of accommodation with the government. It’s all part of the continued international blowback from the revelations by ex-NSA contractor Edward Snowden, tech groups say.

Schiff visited with several Silicon Valley-based companies over the recent summer recess. “I was impressed by the companies’ position — it’s hard to refute. But what was unusual, more than one of the companies said government should provide its [proposed] answer in order to advance the discussion,” he said.

The tech sector, Schiff said, is unlikely to advance a policy position other than its opposition to any mandated “back door.”

“But there has to be some kind of resolution, even if it is acceptance of the status quo.”

Schiff and other lawmakers, including Senate Judiciary Chairman Charles Grassley, R-Iowa, are trying to encourage a dialogue between the tech sector and law enforcement.

FBI Director James Comey testified before the House Intelligence panel that such talks are underway, and have been productive so far.

“First of all, I very much appreciate the feedback from the companies,” Comey said at the Sept. 10 Intelligence Committee hearing. “We’ve been trying to engage in dialogue with companies, because this is not a problem that’s going to be solved by the government alone; it’s going to require industry, academia, associations of all kinds and the government.”

He stressed: “I hope we can start from a place we all agree there’s a problem and that we share the same values around that problem. … We all care about safety and security on the Internet, right? I’m a big fan of strong encryption. We all care about public safety.”

It was an extremely complicated policy problem, Comey agreed, but added, “I don’t think we’ve really tried. I also don’t think there’s an ‘it’ to the solution. I would imagine there might be many, many solutions depending upon whether you’re an enormous company in this business, or a tiny company in that business. I just think we haven’t given it the shot it deserves, which is why I welcome the dialogue. And we’re having some very healthy discussions.”

Tech sources contacted after the hearing suggested that Comey was overstating the level of dialogue now taking place.

The Obama administration has signaled that it isn’t looking for a legislative solution, which is just as well, because lawmakers including Schiff and Grassley have said that is a highly unlikely prospect.

But the administration probably needs to give a clearer signal of what it would like to see at the end of this dialogue before the tech side agrees to fully engage.

Science on the Hill: For cybersecurity, in quantum encryption we trust

As everyone becomes more interconnected on the Internet, personal information like bank and investment accounts, credit card numbers, home addresses and even social security numbers becomes more vulnerable to cybertheft. The same goes for the corporate world.

Identity theft struck 16.6 million Americans in 2012, the most recent year for which figures were available. According to the U.S. Department of Justice, financial losses hit $24.7 billion — at least $10 billion more than other property crimes. PBS Newshour reported that in 2014, 783 million data breaches exposed 85 million records. This spring, hackers broke into the Anthem Health System, potentially gaining access to the health records of 80 million people.

One can’t build a concrete wall around this kind of information nor post an armed guard at every portal to the Internet. Keeping information secure depends on encryption. The security of electronic messages depends on the unpredictability of the random numbers used to scramble the data. Modern data centers have very limited access to true random numbers.

Current encryption methods are based on the difficulty of finding the right numbers in the key. The Achilles’ heel is that all encryption requires unpredictable, unguessable random numbers and computers do not (generally) do unpredictable things. Large data centers, like those used by online shopping sites, aren’t good at generating truly random numbers in sufficient quantity to offer bulletproof encryption. So to provide truly secure data communications, we need a reliable source of unpredictable numbers that aren’t generated by a set of mathematical operations, or algorithm.
Los Alamos National Laboratory has specialized for decades in security and pushed the limits of computing. With that background, it’s only natural that we made it our business to improve data security with a solution from outside traditional computing. From the physicist’s point of view, the only true unpredictability comes from quantum mechanics. That’s why Los Alamos physicists developed a quantum random number generator and a quantum communication system, both of which exploit the weird and immutable laws of quantum physics to improve cybersecurity.

These physical laws state that events at the subatomic level cannot be predicted; random quantum events lie at the root of the universe. From that starting point, we developed a revolutionary method to generate unpredictable, theoretically unhackable random numbers. Quantum mechanics itself guards the secret. Unlike current math-based encryption keys, which are derived from random numbers generated by a potentially knowable algorithm, a quantum key can’t be determined through calculation, no matter how powerful a computer one uses.

After thorough testing, we teamed with Whitewood Encryption Systems to commercialize a quantum random number generator, called the Entropy Engine. A plug-and-play computer card that fits most network servers, the Entropy Engine creates more than 200 million random numbers each second on demand and integrates with — and greatly improves — existing cryptographic methods over networks.

At the lab, we’ve also demonstrated an impregnable quantum communication system that sends a signal of polarized pulses of light over a fiber-optic cable. Under the peculiar laws of quantum physics, the photons, or light particles, encoding a message are in two different and unpredictable physical states. Because the act of intercepting a message over this quantum system alters the state of the photons, the sender is guaranteed to find out if someone is eavesdropping. The hacker never even gets a chance to examine the key.

This communication system works over distances up to 100 miles. We’re now refining it for commercial use over longer distances and possibly even through the air to satellites. Combined with technology like the Entropy Engine, it could revolutionize cybersecurity worldwide. We envision a wide range of organizations deploying these technologies, including financial institutions, government agencies, health care organizations, large data centers and cloud servers.

Encryption, unhackable digital identities and secure digital signatures are indispensable to establishing trust in the digital world. As Whitewood rolls out the Entropy Engine across the global digital landscape and more quantum-computing technology follows, we can all breathe a little easier that our information is safe.