
stories filed under: "encryption"
Predictions


by Mike Masnick


Filed Under:
encryption, file sharing, underground



Attacks On File Sharing Simply Drive People Further Underground

from the it-doesn't-make-them-buy dept

Admittedly it's just an estimate, but reports coming out of Sweden suggest that, rather than stop file sharing, under the new IPRED law, a growing number of file sharing users have simply gone further underground using anonymizing services. Of course, this shouldn't surprise anyone, as plenty of people have been predicting that's exactly what would happen for the better part of a decade. You would think that folks in the entertainment industry might actually pay attention since those predictions from years back have come true. But instead, they'd rather attack those of us who have pointed out why their strategy isn't working. At what point do they stop and realize that their critics actually are giving them good advice?

(Mis)Uses of Technology

by Mike Masnick


Filed Under:
encryption, france, three strikes



No Surprise Here: Three Strikes Law Creates Opportunity For Encrypted VPN Services In France

from the as-expected dept

Just as we saw how stricter laws on unauthorized file sharing increased the demand for encryption services in Sweden, Dan alerts us to the news that new encryption services are popping up in France in response to that country's recent approval of a law to kick file sharers off the internet. And so the cat and mouse game continues. Perhaps at some point, rather than fighting new technologies and consumer wishes, some of these politicians and copyright holders will decide to embrace the technology and use it to their advantage. Otherwise, they're just going to find that they'll keep passing ever more useless laws, driving people to newer and newer technologies to get around those laws.

(Mis)Uses of Technology

by Mike Masnick


Filed Under:
encryption, leaks, passwords



Encrypting Data Doesn't Do Much Good If You Tape The Password To The Storage Device...

from the just-saying... dept

In the early days of large scale data leaks online, the mantra one heard over and over again was "encryption, encryption, encryption!" Yet, encryption alone doesn't do much good, if you tape the passwords to decrypt the data to the storage device itself (found via Michael Scott). Yet, whaddaya know? That's exactly what happened in a recent data breach in the UK, though I'm sure similar breaches happen all over the world. This is what happens when someone preaches a specific action in security, rather than actual secure thinking and planning.

(Mis)Uses of Technology

by Mike Masnick


Filed Under:
antipiracy, encryption, ipred, sweden



Sweden's Anti-Piracy Law Boost Market For Encryption Technology

from the keep-whac'ing-that-mole dept

With Sweden's new antipiracy law in effect, it seems that one industry is getting a nice boost: apparently there's a lot of new interest in encrypting your internet traffic, and services that provide encrypted VPN services are getting lots of new business. This, once again, points out the near total pointlessness of playing Whac-A-Mole over file sharing. It just becomes an endless game where each side continues to elevate itself, and it makes it that much more difficult in the end for the entertainment industry to do what it will inevitably be forced to do anyway: start building business models that embrace file sharing. But the further they push users of such services underground, the more and more difficult they'll find it to embrace these services down the road. Each attempt to knock out these services or their users only comes around to backfire on the industry itself.

Legal Issues

by Mike Masnick


Filed Under:
encryption, free speech, self-incrimination, uk, us



UK Ruling Says Authorities Can Force You To Hand Over Your Encryption Key

from the self-incrimination-means-different-things-across-the-pond dept

A year ago, there was a legal ruling in the US that said an individual could not be forced to hand over their encryption key to encrypted data on a computer, since it violates the 5th amendment against self-incrimination. Over in the UK, they also have protections against self-incrimination, but apparently those don't cover handing over your encryption key (thanks to JJ for sending over the link). The ruling is pretty close to the opposite of the US ruling: it found that an encryption key isn't speech but an independent "thing" that can be required to be turned over to authorities.

Email

by Mike Masnick


Filed Under:
blackberry, email, encryption, india



India Claims To Have Cracked Blackberry Encryption; Proudly Spying On Emails

from the details-missing dept

Earlier this year, India demanded that RIM allow it to easily snoop on any email messages sent via Blackberry devices. The company explained that since the end user sets the encryption key, there's simply no way to provide a backdoor to snoop on the messages. However, now the government is proudly claiming that it's cracked the code and can now monitor Blackberry messages on various mobile operator networks. The details are quite vague, especially an offhand comment about how this is "wholly for non-enterprise solutions." That would suggest, then, that enterprise Blackberry messages may remain secure. It also raises questions about whether or not the mobile operators in question are simply providing access to their mail servers. Either way, the whole thing seems weird -- including the government's effort to publicize the fact that it's spying on Blackberry messages.

(Mis)Uses of Technology

by Timothy Lee


Filed Under:
encryption, roll your own, ssl

Companies:
apple



No, Websites Shouldn't Roll Their Own Encryption

from the just-use-ssl dept

Ben Adida calls out Apple for the poor security of its MobileMe web applications and AppleInsider for its misguided defense of Apple's design. Most users know that a special "lock" icon in the corner of their browser is a signal that the contents of the current website are encrypted in transit, protecting them from third-party eavesdropping. Evidently, users of MobileMe have been alarmed that MobileMe applications don't take advantage of this feature, even when sensitive information is being transmitted. AppleInsider says this is no big deal because Apple uses "authenticated handling of JSON data exchanges" to ensure security, and as a result SSL is unnecessary. Moreover, "if Apple applied SSL encryption in the browser, it would only slow down every data exchange without really improving security, and instead only provide pundits with a false sense of security that distracts from real security threats."

As Adida points out, this is way off base. A malicious individual may discover a security hole in the unencrypted part of the site that Apple's engineers didn't think of. Encrypting the entire session, rather than just the parts that Apple thinks are security-sensitive, provides an important extra layer of protection. There's also a more fundamental problem with AppleInsider's argument: without SSL, the user has no real assurances that he's talking to Apple, rather than a third party executing a man-in-the-middle attack (perhaps using a poisoned DNS cache). SSL requires a server to present a certificate signed by a recognized certificate authority in order to prove that it's the website it claims to be. That makes it difficult for a third party to masquerade as a legitimate SSL-encrypted website.

The scheme works because the authentication algorithm is baked into the browser and can't be changed by the website being visited. In contrast, if the authentication is performed by JavaScript code that was supplied by the server you're trying to authenticate, the "authentication" process is completely useless. A man-in-the-middle attacker can simply substitute his own bogus authentication script for the real one, and no one will notice the difference. So even if you have complete faith in Apple's ability to write secure authentication algorithms, you can't trust a non-SSL website purporting to be from Apple because there's no way to be sure it's actually an Apple server.

Training ordinary users to follow good security practices is notoriously difficult. Widespread user understanding and acceptance of the "lock" icon in their browsers is arguably the most significant improvement in web security since the web was created. It's extremely counterproductive to undermine user confidence in SSL by telling users to put their faith in Apple's magical homebrew crypto algorithms instead.

Predictions

by Mike Masnick


Filed Under:
encryption

Companies:
pirate bay



When Everything On The Internet Is Encrypted...

from the things-may-change-a-bit dept

For years, we've been pointing out that as the entertainment industry, telcos and the government increase efforts to spy on the activities of users (for various reasons, good or bad), all it's going to do is speed the adoption of encryption technologies. Well, that appears to be happening. Thanks to governments increasing the ability to spy on citizens combined with ISPs capitulating to entertainment industry and government demands to start acting as copyright cops, monitoring usage, more and more people are getting interested in encrypting their internet activity. While it's unclear if it will go anywhere (and some argue it's guaranteed to fail), the folks behind the Pirate Bay are the latest to jump into the game, promising a system that will "encrypt the entire internet."

Whether accomplished by The Pirate Bay or others, this is the near inevitable end result of this cat and mouse game. Even if you believe the entertainment industry, broadband providers and the government have both the best of intentions and the absolute right to do this kind of monitoring, the fact that encryption will make it so those who don't want to be monitored can hide means that it's only going to become more popular. And, at that point, it only makes the efforts by the entertainment industry, the broadband providers and the government that much more useless -- because all that monitoring they've pushed to do will not only be nearly impossible, but they've also lost the trust and respect of all those users/customers/constituents. It's a true lesson in the unintended consequences of getting what you wished for.

Email

by Mike Masnick


Filed Under:
blackberry, email, encryption, india, snooping

Companies:
rim



RIM Tells India That It Simply Cannot Snoop On Blackberry Email

from the so-sorry dept

A few months back, we noted that the Indian government was demanding that RIM let government officials snoop on emails sent via Blackberry devices, or they would be banned in India. I'm not sure why it took so long for RIM to point this out, but it finally has explained to the government the nature of its encryption scheme which means that RIM itself cannot decrypt messages sent via the network, since they're based on an encryption key set up by the end user. It's not clear how India is going to respond, though the article notes the two sides are "talking."

Politics

by Mike Masnick


Filed Under:
encryption, india, rim, wiretapping



India Demanding That RIM Let It Snoop On Encrypted Email Messages

from the let-us-eavesdrop-or-no-more-crackberry dept

It's certainly no secret that governments like to snoop on various forms of communication whenever possible, but they're usually not quite so blatant about the specifics. Engadget points us to the news that Indian security officials have demanded that RIM open up a backdoor to decrypt all messages sent via the Blackberry network or face being shut down in India. With approximately 400,000 Crackberry users in India, that's likely to upset quite a few people. At this point, though, do people doing things likely to attract the attention of the feds not know to seek out more secure means of communication?

(Mis)Uses of Technology

by Mike Masnick


Filed Under:
ed felten, encryption, hard drives, security



Ed Felten Defeats Hard Drive Encryption

from the ed-felten-strikes-again dept

Ed Felten, and the various grad students who work for him at Princeton, have done plenty to contribute to the computer security field (and make quite a name for themselves), from breaking the old SDMI encryption that the recording industry insisted was unbeatable (which nearly got Felten sued) to showing just how vulnerable e-voting machines are. However, he may have just broken his biggest story yet. Felten and a group of colleagues have now shown that hard disk encryption is incredibly easy to beat. This should be a huge concern, considering how many people and organizations rely on data encryption to protect important data. In fact, with many of the "lost" hard drive stories over the past few years, many organizations have insisted the risk was minimal, since the data was all encrypted. Yet, as Felten's team shows in this video below, not only is it quite easy to defeat the encryption using a simple can of compressed air, in some cases, there isn't much that can be done to protect against this. As the video notes, this won't work on some systems if the computer is turned completely off and the encryption package opens up before the operating system boots -- but otherwise, most systems are vulnerable.

Basically, they've figured out that, despite what many believe, data held in RAM does not disappear immediately when the power is cut. And, if you freeze the chip, you can make the data last a very long time. This is important, because for disk encryption, the key to unlocking the data resides in the RAM. If someone can access that key in the RAM and make a copy of it, then they can decrypt all of the data without knowing your password.

(Mis)Uses of Technology

by Mike Masnick


Filed Under:
bittorrent, encryption

Companies:
comcast



As Expected, BitTorrent Providers Planning To Route Around Comcast Barrier

from the cat-and-mouse dept

It's no secret that every time ISPs look to filter or degrade the performance of a certain kind of traffic, it only increases attempts to encrypt the traffic, which actually makes things worse for the ISPs. So now that Comcast is standing by its BitTorrent traffic shaping efforts, a group of different BitTorrent developers are working together to build in encryption that gets around the Comcast traffic shaping system. That encryption will, of course, add somewhat to the overhead that Comcast needs to deal with, and will become more expensive if they have to keep looking for new systems to degrade traffic. Perhaps they'll just follow the lead of some other ISPs in simply degrading all encrypted traffic -- though, considering how much legitimate traffic is encrypted, that's going to cause some problems. Of course, rather than spending so much fighting all of this, they could focus on building out their systems to better handle the traffic. But why would they do that?

(Mis)Uses of Technology

by Timothy Lee


Filed Under:
encryption, germany, skype, trojans, voip, wiretapping

Companies:
skype



German Government Struggles To Tap Encrypted Skype Calls

from the crypto-works dept

The Wikileaks project is starting to bear fruit, with documents leaked to the site beginning to get a lot of attention. The latest example is correspondence between the German government and a vendor (via Slashdot) that apparently makes software for intercepting Skype calls. Interestingly, the interception technology appears to be pretty primitive and rather expensive. The software has to be installed on the Skype client, and the vendor suggests that this can be accomplished by attaching a trojan to an e-mail or physically entering the premises to install the software on the target machine. And, evidently, only Windows 2000 and XP are supported; Vista support is still in the works. The company charges thousands of euros per target computer. This suggests that Skype's encryption technology is secure against at least the eavesdropping techniques available to the German government. Apparently they haven't found a way to decode encrypted Skype traffic off the wire, so they're forced to resort to these fairly cumbersome attacks on Skype clients -- attacks that are no more convenient for law enforcement than simply bugging the target's office. That suggests that the risk of comprehensive government surveillance of online telephony is still a fair ways off. If you encrypt your online activities, they're probably pretty secure. Of course, it's entirely possible that other government agencies, such as the NSA, have more sophisticated eavesdropping technology that they haven't shared with the Germans. My guess is that any government agencies possessing really sophisticated eavesdropping tools are also less likely to have their private documents show up on Wikileaks.

Predictions

by Mike Masnick


Filed Under:
encryption, filtering, liability, network neutrality

Companies:
at&t



Why AT&T's Plans To Filter The Internet Will Only Do More Harm To AT&T (And Everyone Else)

from the not-a-good-idea dept

AT&T announced last summer that it was going to start filtering traffic for copyrighted content -- so we're still not entirely sure why many in the press seem to think it was something new when discussed at CES a few weeks ago. However, this new burst of attention has many more people pointing out all the reasons this is bad for AT&T itself. As we said, this seems to make no sense at all, unless it's some bizarre attempt to come up with an excuse to get rid of net neutrality. In that post, we noted that any filtering would likely open up additional liabilities for AT&T, potentially losing its safe harbors from being a service provider (safe harbors that AT&T itself spent a lot of effort lobbying to have put into the law). Tim Wu has a lot more detail on that aspect of this plan (which he calls "corporate seppuku"). However, there are many other problems for AT&T as well. For example, it won't take long for someone to accuse AT&T of violating wiretap laws, a charge which may be accurate. But the biggest point is that this won't even do what they hope it will do. It won't stop unauthorized transfers from happening and it won't reduce network traffic. As we've discussed in the past, every move to do this kind of filtering will only drive up the market for encryption technologies, and that encryption actually adds more overhead to internet traffic. The PC World article linked above notes that 20% of all bittorrent traffic is encrypted, and if that number goes up, as it will under a filtering regime, the network load will only increase. So, if AT&T actually thinks (as it sometimes claims) that filtering will decrease the burden on the network, it's likely very mistaken.

Legal Issues

by Mike Masnick


Filed Under:
constitution, encryption, encryption key, fifth amendment, pgp



Your Encryption Key Is Protected By The Constitution?

from the can't-incriminate-yourself dept

In an interesting case up in Vermont, a federal judge has ruled that someone accused of a crime cannot be forced to reveal his or her encryption key, as it would be a violation of the Constitution's 5th Amendment, saying that an individual cannot be forced to self-incriminate. In an age where encryption is becoming increasingly popular, expect to see other cases of this nature. It seems likely that a case like this one (if not this one itself) will eventually wind up before the Supreme Court to determine whether or not someone can be forced to give up his own encryption key. Where it gets tricky is the question of whether or not the key itself incriminates the person. As the article notes, a person can be forced to give up a key to a safe that contains incriminating evidence, which many say is analogous to this situation. In the meantime, though, we've already seen cases where people are presumed guilty just because their computers have encryption software installed -- so, it may not matter whether or not the key is provided when the presence of PGP alone is viewed as incriminating.

(Mis)Uses of Technology

by Timothy Lee


Filed Under:
bittorrent, encryption



The Register Misunderstands BitTorrent Encryption

from the it's-about-throttling dept

The Register recently had a story about an explosion of encrypted BitTorrent traffic. They speculate that this is an attempt to evade the recording industry and law enforcement officials who are cracking down on illegal file sharing. But as TorrentFreak explains, El Reg is fundamentally misunderstanding the rationale for BitTorrent encryption. The whole point of BitTorrent is its ability to share files with complete strangers. Copyright holders can connect to BitTorrent swarms as easily as anyone else can, and encryption won't stop them from determining the IP addresses of the other swarm participants. Rather, the goal of BitTorrent encryption is to obfuscate BitTorrent traffic and thereby make it harder for ISPs to detect. This feature was added to a number of BitTorrent clients after some ISPs started throttling BitTorrent connections to save bandwidth. The encrypted network connections are harder to identify as BitTorrent streams, and therefore are harder to block. But that brings up another puzzling thing about the Register story that TorrentFreak points out: since the whole point of BitTorrent encryption is to avoid identification as BitTorrent traffic, how does the Register know the traffic it's seeing is BitTorrent traffic and not something else? Of course, it's quite possible that a lot of BitTorrent users are making the mistake the Register did, wrongly assuming that using encryption will keep them safe from the prying eyes of the recording industry. It won't, but there might be users who use the encryption features hoping that it will.

Email

by Mike Masnick


Filed Under:
drug dealers, email, encryption, fbi, privacy

Companies:
fbi, hushmail



Hushmail Turns Out To Not Be Quite So Hush Hush

from the privacy-is-an-illusion dept

Many people are familiar with the company Hushmail, which provides encrypted web-based email that the company claims is completely private. In fact, the company makes it clear: "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." It turns out that isn't quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here -- and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions, one which requires a Java app to be downloaded, which handles all the encryption locally. The other, more popular one, is entirely web-based, meaning that your passphrase is stored on the server ever so briefly -- and that's how Hushmail was able to access the accounts required in the court order. So, while it's true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.
