Cameron on a hiding to nothing if he really does want encrypted comms ban

This week, prime minister David Cameron seemed to indicate that if he is elected this May he’ll do all he can to ensure strongly encrypted communications are banned in the UK.

Well, that’s the gist of what he said. More correctly, he made it clear that no form of comms should exist where, in extremis, the security services can’t eavesdrop on private conversations – to stop criminals, terrorists etc.

His comments have been widely criticised in the media and by the technology industry, and rightly so.

Although others including the FBI, US attorney general Eric Holder and even Europol have voiced concerns about encrypted communications, none have gone as far as Cameron – who is now apparently off to the US to try and get support for his plans from Barack Obama.

A few thoughts sprang to mind as I reported on this breaking story:

  • If Cameron thinks he can take on the might of Apple, Google et al over this, he’s mistaken.
  • His comments are at odds with European security agency Enisa, which has just released a document praising encryption and calling for MORE privacy enhancing technologies (PETs), not fewer.
  • There’s no evidence that the Paris attacks would have been prevented if encrypted comms were banned
  • The UK’s burgeoning tech industry will suffer
  • UK business will react angrily if they can’t use strongly encrypted comms, as will UK entrepreneurs – it’s sending out a dreadful signal to potential investors in our supposedly liberal democratic country. Also, these are exactly the sort of traditional Tory supporters Cameron needs on side.
  • If encrypted comms were banned, or backdoors were engineered into products so the security services could access them if needed, the bad guys would eventually find a way of exploiting them too.
  • Terrorists and criminals will continue to use encrypted comms, downloaded from regions where they are still legal.

Sophos global head of security research James Lyne summed up the whole farce neatly in comments he sent me by email:

“Even if regulation was brought in to force legitimate companies to use encryption the government (in extremis) could intercept, unless they plan to build a great firewall of China (but even bigger and better – or sinister) to prevent people getting their hands on open source tools available in other countries it isn’t going to stop the darker side of the net from using it,” he told me.

“At the end of the day, terrorists will use any tools at their disposal to communicate, so this is unlikely to solve the real problem. The intention behind the statement was likely a little different to the way in which it has appeared but the suggestion as it stands would do the UK more harm than good and clearly lacks insight into how the internet works or how such controls might be implemented.”

Did North Korea Really Hack Sony?

Not for the first time, official law enforcement is at odds with certain sections of the information security industry on the attribution of a particularly high profile cyber attack.

The case, of course, is the destructive hit on Sony Pictures Entertainment which not only forced the movie giant to close its entire network for over a week, but also led to embarrassing internal documents and communications leaking online.

Oh, and the movie which is said to have started it all – The Interview – was virtually withdrawn from North American cinemas after distributors feared for the safety of movie-goers.

On one side it’s the Feds, who believe North Korea was responsible for the attack. On the other, industry players who believe a disgruntled insider – possibly with help from others – was to blame.

FBI director James Comey this week claimed that the hackers in question got “sloppy” a few times and forgot to use proxy servers to hide their true location, revealing IP addresses used “exclusively” by North Korea.

“They shut it off very quickly once they saw the mistake,” he added, according to Wired. “But not before we saw where it was coming from.”

The agency’s “behavioural analysis unit” has also been studying the Guardians of Peace – the group claiming responsibility – and deduced that it displays many of the psychological characteristics of North Korean operatives, he added.

The Feds have already claimed that some of the code in the malware used in this attack had been previously developed by Pyongyang, and that some of the tools used were also deployed in the DarkSeoul attacks of 2013.

So far so clear? Well, not quite according to security consultant and Europol special advisor, Brian Honan.

“What was interesting is director Comey also stated they have not yet identified the original attack vector. So this makes it even more difficult to attribute who is behind the attack and makes it more important that the FBI and Sony provide assurances regarding their attribution, particularly given that this attack is resulting in diplomatic action impacting international relations,” he told me.

“It would also be useful for many other companies to have sight of the IP addresses that were used in this attack so they can add them to their own defensive measures to prevent attacks from those IP addresses against their networks and systems.”

This scepticism has been echoed throughout sections of the information security sector – with experts claiming that attribution is tricky at the best of times and that the Feds would be wise to hold fire until a detailed forensic examination has been undertaken.

US security vendor Norse, for example, claimed last week that any evidence linking North Korea to the attacks was purely circumstantial and that an investigation it undertook pointed to the involvement of a former employee.

Part of its reasoning is that the names of corporate servers and passwords were programmed into the malware fired at Sony, which would indicate an insider’s involvement.

Another sticking point is the motivation of North Korea. If it did carry out the attack in retaliation for The Interview, which lampoons the Kim Jong-un regime, the Guardians of Peace online missives didn’t even mention the movie until the media began pegging it as the cause.

It certainly wasn’t mentioned when the group were trying to extort a ransom for the stolen data online.

In the end, we’ll have to assume the Feds have more up their sleeves than they’ve admitted to right now if we’re to be convinced about the link to Pyongyang.

“Such information need not be shared with others as it would expose valuable intelligence sources, however knowing that is what is reinforcing the FBI’s claims would help those of us in the industry to accept those claims,” said Honan.

“The FBI do have very skilled technical individuals on the case which are no doubt supplemented by Sony’s own staff and any of the private computer security companies engaged by Sony. However, analysing log data and forensics takes a very long time so I would not be surprised to see additional details come out at a later stage.”


ZTE in 2013: do smartphone designers dream of electric sheep?

I popped down to ZTE’s pre-Chinese New Year lunch for journos in Hong Kong earlier this week to see what the world’s fifth largest smartphone maker had to say for itself.

It’s not been an easy year for it or Shenzhen rival Huawei, who were both named as a national security risk in a US congressional committee report released at the tail end of 2012 in the bi-partisan hubbub typical of pre-election months.

In addition, ZTE has been under lengthy investigation by the FBI on suspicion of selling embargoed US-made tech to Iran and then covering it up when found out. Then there were the false rumours of swingeing job cuts at the firm and a $5bn cash injection from the Chinese government.

Despite its problems, however, ZTE remains on the move in the smartphone space, is an innovator in telecoms infrastructure with its LTE offerings, and has plans to grow the enterprise business despite the kind of government roadblocks put up in Australia, the US and now India.

Head of handset strategy Lv Qian Hao battled manfully with the flu to show me the firm’s latest high-end handset, the 5.7in Grand Memo (no pics I’m afraid). It comes across as a smallish version of Huawei’s massive six-incher the Ascend Mate and probably benefits from not being quite as large – in other words I could just about use it as a phone without looking daft.

In the rapidly developing smartphone space, specs like a 13 megapixel camera, quad core 1.7GHz Snapdragon processor and a 720p screen – specs which might once have elicited gasps of awe from the assembled masses – are now pretty standard at the high-end.

This is no criticism of ZTE but it certainly makes its job of climbing up the smartphone rankings and a goal of 50 million shipments this year that bit harder.

So where can it differentiate? Well, with high-end specs almost commoditised now, design is obviously one key area. With the best will in the world ZTE is not known for its beautiful design, but it’s hoping to change that with Hagen Fendler on board.

Pinched from cross-town rival Huawei, Fendler’s appointment and a new design centre in Shanghai certainly serve to highlight the firm’s vaulting ambitions in this space.

Fendler explained that his job is to create a design DNA which can be seeded throughout the firm’s handsets to help create a brand identity. It got off to a flyer with the launch at CES of the Grand S, an HD handset which at 6.9mm is currently the world’s thinnest.

It won’t be an easy job creating handsets that are both beautiful and distinctively “ZTE” but with 400 staff working on design alone, they’ve as good a chance as any.

It can be a frustrating time for a journalist talking to a designer, because so many of the concepts they tend to reference are abstract, ethereal and emotive rather than the nuts and bolts practicalities of engineering.

However, Fendler did reveal that much of his design inspiration comes from outside the immediate environs of the smartphone space – from books, magazines and films.

1982 sci-fi classic Blade Runner was singled out for particular praise for sparking interesting ideas about “how humans interact with the technology around them”.

Just don’t expect to see the ZTE Blade Runner phone anytime soon. Actually, Google already got there with the Nexus, didn’t it?