Will quantum computing cause encryption’s Y2K?

At the Can-Tech (formerly known as IT.Can) conference this week Mike Brown of Isara Corporation spoke about quantum computing and security.  Within a few short years quantum computing will become commercially viable.  Quantum computing works differently than the binary computing we have today.  It will be able to do things that even today’s super computers can’t.

For the most part that is a good thing.  The downside is that quantum computers will be able to break many current forms of encryption.  So it will be necessary to update current encryption models with something different.

That may not be a simple or quick exercise, given the layers and complexity of encryption.  His message was that we need to start planning for this now, and it may take an effort greater and more challenging than the one that fixed the Y2K problem.

For the record, Isara sells security solutions that are designed to be quantum computer safe.  For some validation that this really is a thing, take a look at this Wikipedia article on Post-quantum cryptography.  

Cross-posted to Slaw

Encryption = good : Backdoor = bad

Every time there is a tragic attack on people or property, there is a cry from various authorities or politicians for law enforcement to get unfettered access to all kinds of communication tools.

But that would cause far more harm than good, and is a really bad idea.

The argument goes something like this:

These bad actors hide behind encrypted communications to plan their evil deeds.  Therefore to stop them law enforcement needs to have access to all this.  Therefore we need to have backdoors built into all encryption that law enforcement can use.

This is flawed in many ways.

There is no evidence that unfettered access to communications helps.  Sometimes the information was actually available, but no one managed to put it together ahead of time to stop the evil deed.

There is no way that backdoors can be limited to use by law enforcement.  They will inevitably be discovered by others and used for evil, thus rendering encryption and all the protection it provides useless.

Bad actors will stay a step ahead.  If mainstream communications and encryption tools have backdoors, they will just create their own secure communications channels.

But don’t just take my word for this.  Read, for example, this article by security expert Bruce Schneier entitled Why we Encrypt.

And this article by Cory Doctorow on how ridiculous British Prime Minister David Cameron’s comments on the need to backdoor encryption are entitled What David Cameron just proposed would endanger every Briton and destroy the IT industry.

And this article by Mike Masnick of Techdirt entitled The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem.

Cross posted to Slaw

Crypto backdoors are a horrible idea

From time to time various law enforcement and government types whine that encryption is a bad thing because it allows criminals to hide from authorities.  That is usually followed by a call for security backdoors that allow government authorities to get around the security measures.

That’s a really bad idea – or as Cory Doctorow puts it in a post entitled Once Again: Crypto backdoors are an insane, dangerous idea: “Among cryptographers, the idea that you can make cryptosystems with deliberate weaknesses intended to allow third parties to bypass them is universally considered Just Plain Stupid.”

They build in a vulnerability to exploit – there are enough problems keeping things secure already.  And the thought that government authorities can be trusted to use that backdoor only for the “right” purposes, and to keep the backdoor out of the hands of others is wishful thinking.

Cross-posted to Slaw

Encrypt the Web

Todays Slaw post

It will be no surprise to anyone that one of the reactions to the NSA/Snowden revelations would be attempts to evade spying.  Many organizations have looked at their systems to determine where the vulnerable weak points are.  For example, even if certain internet communications are encrypted, there may be points along the chain where it becomes unencrypted and vulnerable.

This article talks about efforts by Microsoft and others to encrypt more than they have before. Those interested in this topic can learn more by following Bruce Schneier and the EFF.

The EFF, for example, recently published a chart that shows what some providers are doing, and explains the best practices behind it.crypto-survey-graphic


Unencrypted laptop violates UK privacy law

Outlaw.com has a report that starts by saying:

“Manchester City Council broke the Data Protection Act when it failed to encrypt laptop computers containing data on nearly two thousand workers. The local authority has promised to ensure all mobile computers are encrypted.

Two laptops were stolen from Manchester’s Town Hall. The machines were unencrypted and carried the personal details of 1,754 school workers, privacy regulator the Information Commissioner’s Office (ICO) has said.”

Privacy commissioners in various jurisdictions generally take the view that personal information contained on laptops and other portable devices should be encrypted.   Privacy legislation generally doesn’t specifically say that – the position is based on obligations to keep the data secure.    

Encyrption is often not done either because no one thinks of it, or because its a nuisance – but that’s just inviting customer and privacy commissioner wrath if the device goes missing.