UK lawmakers say “vague” surveillance bill should not undermine encryption


The UK government should “clarify” a number of key provisions in a proposed draft surveillance law, according to the parliamentary joint committee charged with considering the bill.

In a short paragraph in the conclusion of a report, released early Monday, the committee said that the bill suffered as a result of “vagueness of definitions and terms” throughout the drafting of the legislation, leading to “confusion” over how the bill will be implemented if it becomes law.

The joint committee, made up of 11 cross-party members of the UK parliament, concluded that the government “should continue to consult and explain fully the likely implications of the proposed legislation.”

In other words, the bill as it stands has a long way to go before it can become law.

The so-called Investigatory Powers Bill aims to reform and clarify fragmented parts of existing legislation. Much of the UK government’s surveillance powers date back to 2000, and have been interpreted and since expanded by legal amendments and internal policies. The government said it would revisit the legislation in the wake of the Edward Snowden revelations, in which the UK and its American cousins were accused of hacking into computers, networks, and companies in order to further their mass surveillance efforts.

Among the various issues, one floated to the top: encryption. The bill currently allows the government to force UK companies to remove encryption on demand to help authorities intercept data — a highly contentious point that threatens to undermine user and device security.

But there’s a problem.

“There is some confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption,” said the report. “The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.”

Simply put: these communication providers, such as telcos and internet providers, might not be able to decrypt data as it flows across their networks because companies like Apple will scramble user data long before it hits the internet.

Putting limitations on devices that come with end-to-end encryption, such as iPhones and many Android devices, could put UK businesses at a “commercial disadvantage,” said the report.


The encryption challenge was one of many issues the committee had with the bill’s text, in part because, as the report put it, the “vagueness of definitions and terms have been a constant feature in the evidence we have taken.”

A number of tech companies, including Apple, Google, Facebook, Microsoft, Twitter, and Yahoo, submitted written evidence urging the government to “reconsider” the bill’s provisions.

They echo a similar sentiment from a group of United Nations’ experts, who have also warned of a “chilling effect” on freedoms of speech and expression should the draft surveillance bill become law.

In conclusory remarks, the committee said the government “should review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate.”

Huawei’s Honor 5X hits the US market as affordable midrange phone

Huawei made it clear at the onset of 2016 that it plans to release its smartphones to the US market via its “Honor” sub-brand. Now it’s finally here: the Honor 5X is now available for purchase from various online retailers. Huawei is positioning this as probably the best bang-for-your-buck dual SIM budget smartphone on the market today.

What are you getting with the Honor 5X? There’s a 5.5-inch IPS LCD screen front and center at FullHD (1080p) resolution. That is powered by a Qualcomm Snapdragon 615 octa-core processor, supported by 3GB of RAM and 16GB of internal storage. The storage is expandable to 128GB via microSD. With the whole package you get a 13MP main shooter and a 3,000mAh battery, and everything runs under the Android 5.1-based EMUI interface.


More than the raw specs, it’s quite amazing to get a premium-design, premium-feel phone for the low price of USD$199. The phone has a metallic chassis and a fingerprint sensor at the back. This midrange smartphone will also give you 4G LTE connectivity on both SIM cards, although dual SIMs are really not the norm in the US.

As of now, it looks like all of the Honor 5X’s color variants will be available, that is Dark Grey, Daybreak Silver and Sunset Gold. The phone is already available from Amazon, Newegg and from Honor’s website. And if you choose to buy from Newegg, that particular online retailer will throw in a free 32GB microSD card for a limited time.

RETAIL: Honor | Amazon | Newegg


Google testing out 5G internet drones under Project SkyBender

The Guardian – a UK daily news outlet, if you’re not familiar – has seemingly spilled the beans about Google’s very hush-hush Project SkyBender. Basically, it seems that Google is trying to figure out a way to deliver super high-speed internet to users and the company is testing out drones for this situation.

The Guardian says that the online search and information giant has been testing out solar-powered drones at Spaceport America in New Mexico. The evidence of this, the Guardian says, is from several public documents they have obtained. Project SkyBender, as it is called, has had Google building several prototype transceivers at the said spaceport last summer, and is testing them with multiple drones. Housing drones in a secret project would take up space, and Google is said to be using 15,000 square feet of hangar space at Richard Foster’s hangars for the much-delayed Virgin Galactic spaceflights.


Project SkyBender is most likely using drones to experiment with millimeter-wave radio transmissions to bring 5G wireless internet access. High frequency millimeter waves can theoretically transmit gigabits of data per second, with speeds up to 40 times faster than today’s 4G LTE systems. With this in mind, Google seems to be looking at high altitude “self-flying aircraft” to deliver superfast wireless internet access around the world.

“The huge advantage of millimeter wave is access to new spectrum because the existing cellphone spectrum is overcrowded. It’s packed and there’s nowhere else to go,” says Jacques Rudell, a professor of electrical engineering at the University of Washington in Seattle and specialist in this technology. Google’s primary issue with millimeter wave transmissions is that they have a much shorter range than mobile phone signals – around just a tenth of the distance a 4G phone signal could reach. The experiments are seemingly to figure out how to deliver the signal efficiently.

SOURCE: The Guardian


New Books, and Even Audio and Video Courses, Added to Library Sale

I’ve been thrilled by the response to my 20 Best Tech Titles Left in My Library Sale, trying to update the original post as readers take advantage of the titles still left in my library. It was time to take another pass, relist the titles from the first post, add new ones, and include a few other items that might appeal to the intelligence of my readership. In that spirit, here is what you see above, as of approximately 1:45 AM ET.
Running IPv6 (Review, Buy). The author writes very clearly, in a multi-OS manner.
Crimeware: Understanding New Attacks and Defenses (Review, Buy). I wrote “Crimeware is an impressive examination of malware, on a variety of fronts.”
The Best of FreeBSD Basics (Review, Buy). I wrote “If you are a beginner to intermediate FreeBSD user, you will find this book invaluable. If you are an advanced user, you may find a helpful tip or two as well.”
Absolute OpenBSD: Unix for the Practical Paranoid, Second Edition (Buy). New condition, except signed by author.
DNSSEC Mastery: Securing the Domain Name System with BIND (Buy). New condition, except signed by author.
FreeBSD Mastery: Storage Essentials (Buy). New condition, except signed by author.
Sudo Mastery: User Access Control for Real People (Buy). New condition, except signed by author.
SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys (Buy). New condition, except signed by author.
Visible Ops Security: Achieving Common Security And IT Operations Objectives In 4 Practical Steps (Buy).
The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps (Buy).
CISSP Study Guide, Second Edition (Buy).
A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness (Buy).
Recent Advances in Intrusion Detection: 6th International Symposium, RAID 2003, Pittsburgh, PA, USA, September 8-10, 2003, Proceedings (Lecture Notes in Computer Science) (Buy).
Computer Incident Response and Product Security (Buy).
IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data (Buy).
Network Intrusion Detection (3rd Edition) (Buy).
I still have several copies of my newest book, The Practice of Network Security Monitoring, in multiple languages: 
If you would like any of these books signed, please let me know via “seller feedback” after buying, and I will sign them before shipping. 
I’m afraid I’m only shipping within the US. Everything I’m selling is listed here, including the various “Great Courses” from the Teaching Company at the far right side of the photo. It’s way too late for me to list those now, but I will probably add them Sunday.
Richard Bejtlich on Amazon.com. Click the “products” tab to see listings.
If you order by midnight ET Sunday night, I will get the packages in the mail before work Monday morning.
If you have any questions, please leave a comment here. Enjoy!

Security week-in-review: Attacks big, small, and not at all


It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affects you, your business, and the security and technology industry overall. Knowledge is power. Check back every Friday to learn about the latest in security news.

1) This week, Ars Technica reported about “Shodan,” a search engine that anyone can use to look up web cameras across the Internet. The engine looks for IP addresses with open ports, meaning that many unprotected “Internet of things” devices (think security cameras or baby monitors) are particularly at risk. Ars makes the good point that technologies such as this highlight some of the biggest holes in IoT security today: that is, there’s not a lot of it.

2) As part of its new monthly updates cadence, Samsung plans to patch a number of vulnerabilities in its Android Galaxy products, ZDNet reports. The to-be-patched devices include the Galaxy S6 and S5, as well as the Note 5 and 4, among others. A number of these patches come from Google’s patch release in early January.

3) Israel’s Public Utility Authority was recently attacked, according to the country’s Minister of Infrastructure, Energy, and Water. The minister described the attack as “one of the largest cyber attacks we have experienced,” according to a report from CSO Online. The attack may have involved ransomware in the utility’s systems.

4) HSBC was hit with a distributed denial of service (DDoS) attack Friday, according to a report from the BBC, causing a temporary website outage. The company reported that it had “successfully defended” its systems and apologized for inconveniences.

5) This week, we reported that phones are becoming a part of the “kill chain,” or the steps an attacker must take to infect or gain control over a targeted system. This is because the phone is becoming an ever more critical element in authentication (via two-factor authentication).