STE WILLIAMS

Protection For Mac Added To Panda Cloud Solution

Bracknell, Nov 14, 2013.

Panda Security, The Cloud Security Company, today announced the introduction of significant enhancements and new features to Panda Cloud Office Protection (PCOP), version 6.8. The company’s cloud-based solution for corporate environments adds protection for Mac workstations and servers, and includes URL filtering and Web access control features for Windows servers as well.

Panda Cloud Office Protection leverages the proactive, real-time protection provided by Panda Security’s cloud-based Collective Intelligence platform, ensuring maximum security against malware and exploits that take advantage of unknown and unpatched vulnerabilities, regardless of the source of infection. With this new version, Panda Cloud Office Protection becomes the only solution in the market to provide centralized, cloud-based control of Windows, Linux and Mac devices.

Main New Features

The latest version of PCOP incorporates significant improvements from previous versions. One of its main new features is the inclusion of permanent, real-time protection for Mac workstations and servers, on-demand scans and the ability to scan any type of file.

“Panda’s extensive portfolio already included a solution to protect Mac computers exclusively: Panda Antivirus for Mac. However, with this new version, Panda Security takes a huge step forward with one single platform that supports three different types of systems -Windows, Linux and Mac-, in corporate environments,” said Manuel Santamara, Product Manager Director at Panda Security.

The protection for Mac is centrally managed from PCOP’s Web-based console in exactly the same way as for Windows and Linux computers. The product incorporates a specific section for configuring this new protection. The solution supports the following Mac operating systems: Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, Mac OS X 10.8 Mountain Lion and Mac OS X 10.9 Mavericks.

With PCOP, companies can have licenses for Windows/Linux systems and Mac systems in a single console. Additionally, Panda Security’s channel partners who use Panda Cloud Partner Center will be able to access at all times information about customers with licenses of PCOP for OS X, regardless of whether they also have licenses for Windows or Linux computers.

Another new feature is the inclusion of URL filtering for servers in Panda Cloud Office Protection Advanced (v. 6.80). This feature responds to enterprises’ need for implementing Web access control capabilities on workstations, laptops and servers as well.

More information about Panda Cloud Office Protection here

http://www.pandasecurity.com/uk/enterprise/solutions/cloud-office-protection

About Panda Security

Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions, with products available in more than 23 languages and millions of users located in 195 countries around the world. Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology. This innovative security model can automatically analyze and classify thousands of new malware samples every day, guaranteeing corporate customers and home users the most effective protection against Internet threats with minimum impact on system performance. Panda Security has 56 offices throughout the globe with US headquarters in Florida and European headquarters in Spain.

Panda Security collaborates with The Stella Project, a program aimed at promoting the incorporation into the community and workplace of people with Down syndrome and other intellectual disabilities, as part of its Corporate Social Responsibility policy.

For more information, please visit http://www.pandasecurity.com

Article source: http://www.darkreading.com/endpoint/protection-for-mac-added-to-panda-cloud/240163984

Google: US data requests have more than tripled since 2009

Here’s a non-shocker: worldwide government requests for data have more than doubled since 2009, while requests from the US have tripled, Google said in its latest transparency report.

And that, mind you, is only the number of requests that Google’s allowed to publish, Google legal director Richard Salgado said in a blog posting on Thursday:

Since we began sharing these figures with you in 2010, requests from governments for user information have increased by more than 100 percent. This comes as usage of our services continues to grow, but also as more governments have made requests than ever before. And these numbers only include the requests we’re allowed to publish.

The company posted four slides to highlight the US government’s activities over the past four years.

Three of the slides depict the extent of attempted government surveillance that Google’s allowed to share, while one slide, devoted to requests under the Foreign Intelligence Surveillance Act (FISA), is entirely redacted.

Why is it redacted? Because neither Google nor other companies – Facebook or LinkedIn, for example – are allowed to disclose the number of classified customer data requests they receive under FISA.

Here are some of the numbers from the recent transparency report:

  • In the second half of 2009, data requests coming from the US numbered 3,580. By the first half of 2013, that number had shot up to 10,918: an increase of about 205%.
  • Requests are up globally, but not nearly as steeply as the number coming from the US. In fact, the US’s requests accounted for more than a third of the 25,879 requests Google received worldwide. That’s more than double the worldwide total – 12,539 – of the number of requests all governments sent in for data on Google customers in 2009.
  • The US generates more data requests than the total combined number of requests coming from the top five countries after the US – India, Germany, France, the UK, and Brazil.
  • About 80% of all requests made by the US are valid, forcing Google to hand “some data” back to the requesting federal law enforcement or intelligence agency.

Google has for the first time also given a breakdown of the kinds of requests it receives. Whereas previous reports just divided the requests up into subpoenas, search warrants and an amorphous category called “Other”, Google in its most recent report distinguishes among wiretaps, pen registers and disclosures made in connection with life-threatening emergencies.

Google also provides explanations for the legal authority behind each type of order.

While that’s an expanded amount of detail, Google’s still not happy and wants to disclose more.

Salgado had these words about the US powers that be:

We want to go even further. We believe it’s your right to know what kinds of requests and how many each government is making of us and other companies. However, the U.S. Department of Justice contends that U.S. law does not allow us to share information about some national security requests that we might receive. Specifically, the U.S. government argues that we cannot share information about the requests we receive (if any) under the Foreign Intelligence Surveillance Act. But you deserve to know.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TBw1Y4jsjVU/

Snapchat turns its nose up at Facebook’s $3 billion offer

Snapchat has thumbed its nose at Facebook’s $3 billion, all-cash offer, the Wall Street Journal reports.

Snapchat is a messaging service that, for some reason, in spite of research to the contrary and having admitted that it shares its images with US law enforcement, still promises that your sexting or other photos will disappear from its servers and from your friends’ phones up to 10 seconds after you send them.

The WSJ says Facebook’s just one of many eager suitors currently wooing the supposedly-disappearing-photo service, and it’s not even the most generous.

In fact, the Chinese e-commerce giant Tencent Holdings had offered to lead an investment that would value the 2-year-old Snapchat at $4 billion, the WSJ reports.

But wait, why rush into marriage at such an early age?

The company most certainly will not, it turns out.

People briefed on the deal told the WSJ that Snapchat’s 23-year-old co-founder and CEO, Evan Spiegel, probably won’t look at acquisition or investment offers until at least early 2014, in the hope that Snapchat’s user base and message volume will grow enough to get an even fatter offer.

It’s easy to see why Facebook, for one, is so hot for the “Poof! Photos-B-Gone!” service.

In its most recent earnings announcement Facebook admitted it was seeing a “decrease in daily users, specifically among teens”.

They’re still on Facebook, mind you – just not that much.

Instead, they’re hanging out in other places – particularly in places where their parents/adults are not hanging out and are not peering over their shoulders.

Think WhatsApp, WeChat, KakaoTalk and yes, Snapchat.

Facebook wants those teens back.

That’s likely one motivation behind its recent move to allow teens to post publicly, whereas prior to October they were only allowed to share with friends or friends of friends.

Then again, one can’t underestimate the appeal of a service that might curtail the horror show of stalking, cyber bullying, and internet trolling that has befallen victims of sexting, including the tragedy of teen suicides often related to nude photos having been circulated online.

Facebook’s hunger for Snapchat makes sense. Anything associated with mobile ads or teens makes sense for Facebook from a financial standpoint.

Teens’ hunger for Snapchat is also understandable, albeit disturbing.

Snapchat was designed to allow senders to control how long a message or picture could be seen.

Snapchat photos expire after a maximum of 10 seconds.

Except they don’t.

US-based computer forensics specialist Richard Hickman studied the app’s premise and found that Snapchat photos don’t actually disappear at all.

Studying a forensic image of a phone running Snapchat, Hickman found a directory called received_image_snaps.

Its contents: Both unviewed and supposedly “expired” images.

Sharing with Snapchat entails your images being stored both on Snapchat’s servers and on recipients’ phones, though marked “not for display.”

Does it sound too hidden away, too tough to sniff out unless you’re a bored security researcher?

No worries. Last time I checked, there were anti-Snapchat apps on the market.

I found one for sale for $1.99 as of August. Called Screenshot Save for Snapchat, it promised to keep those supposedly disappearing images on hand forever, for as long as the recipient likes, thereby enabling them to be saved “for easy sharing with friends!”

As Naked Security has urged in the past, anybody who wants to continue to snap nude selfies – or any other sensitive content they don’t necessarily want to be made public – should please refrain from putting too much faith in an app that promises self-destruction.

As for Facebook, if it wants to make a few billion disappear, it will have to try again in a few months, when Snapchat will likely be bigger than ever.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_ZqT-PDGQ3k/

In memoriam

Mavis Batey MBE, codebreaker extraordinaire at Bletchley Park during World War II, died this week at the age of 92.

Ironically, perhaps – to cryptographers and computer scientists, at least – her MBE was awarded in recognition of her work in preserving and conserving British gardens.

This was a task to which she applied herself with conspicuous success after her secretive work as a cryptanalyst during the war.

Batey’s big cryptographic breakthrough, tackling the Italian military’s use of the Enigma encryption machine in the early 1940s, gives us a fascinating insight into how cryptanalysts think.

Where the rest of us might see random gibberish or algorithmic confusion, gifted cryptanalysts are able to spot important questions – and, more importantly, to answer them.

The Italian Enigma

The Enigma was an electromechanical encryption device, first offered for sale in the 1920s by a Swiss company, adopted enthusiastically by the Nazis and their European allies, and variously enhanced for greater security by the outbreak of World War II.

Enigma used three or more electrically-wired rotors that moved forward like a car’s odometer after each character, creating an electrical circuit that varied randomly every time.

So even if you typed in AAAAAA, you might get back EJMXLR.

Presumably in an effort to boost the mixing effect, the designers made the left-hand rotor a “reflector” that re-routed the circuit back through the other rotors.

Even in a three-rotor Enigma, there were five rotors’ worth of mixed-up wiring for the current to follow.

The weak link

But one consequence of this, which would immediately be recognised today as an unacceptable cryptographic flaw, was that the reflector had to send the current back on a different wire, so a letter could never end up encrypted as itself.

For all that AAAAAA might give you EJMXLR, it could never give you BCDANF or YANQQP.

And one day, Mavis Batey looked at an intercept – not the one above, of course, but something that would have seemed just as meaningless to you or me – and realised that it had a curious characteristic.

The letter L, and only L, was missing, and she asked herself the important question, “Why?”

She surmised, correctly as it turned out, that she had stumbled across a test transmission, presumably generated by a pair of Italian radio operators who were checking that they had the day’s configuration settings correct.

(Enigma settings – the cryptographic keys – were varied each day according to closely-guarded printed books.)

The sender had simply pressed L repeatedly, so that Bletchley Park now had what’s called a known plaintext for an intercepted message.

Today, encryption algorithms are expected to be immune to attacks based on a known relationship between input and output, but for the Bletchley codebreakers it was just the start they needed.
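The reflector flaw and Batey's inference can be reproduced with a toy rotor machine. This is an added example, not part of the original article: the wirings are constructed from a fixed seed rather than taken from any real Enigma, the stepping is the plain odometer motion described above, and the names `make_machine`, `encrypt` and `suspect_repeated_key` are hypothetical.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def make_machine(seed):
    """Return (rotors, reflector) with constructed wirings, not a real machine's."""
    rng = random.Random(seed)
    rotors = []
    for _ in range(3):
        wiring = list(range(26))
        rng.shuffle(wiring)
        rotors.append(wiring)
    # The reflector pairs the 26 contacts off: it is its own inverse and,
    # because every wire leads to a different contact, it has no fixed point.
    contacts = list(range(26))
    rng.shuffle(contacts)
    reflector = [0] * 26
    for a, b in zip(contacts[0::2], contacts[1::2]):
        reflector[a], reflector[b] = b, a
    return rotors, reflector


def _through(wiring, offset, c):
    """Pass contact c through a rotor that has turned `offset` steps."""
    return (wiring[(c + offset) % 26] - offset) % 26


def encrypt(text, machine, start=(0, 0, 0)):
    """Encrypt A-Z text; running it again from the same start decrypts."""
    rotors, reflector = machine
    inverses = [[w.index(i) for i in range(26)] for w in rotors]
    pos = list(start)
    out = []
    for ch in text:
        # Odometer stepping (simplified; real machines used notched rotors).
        pos[2] = (pos[2] + 1) % 26
        if pos[2] == 0:
            pos[1] = (pos[1] + 1) % 26
            if pos[1] == 0:
                pos[0] = (pos[0] + 1) % 26
        c = ALPHABET.index(ch)
        for i in (2, 1, 0):                  # right-hand rotor first
            c = _through(rotors[i], pos[i], c)
        c = reflector[c]                     # sent back on a different wire
        for i in (0, 1, 2):                  # return path through the rotors
            c = _through(inverses[i], pos[i], c)
        out.append(ALPHABET[c])
    return "".join(out)


def absent_letters(ciphertext):
    """Letters of the alphabet that never occur in an intercept."""
    return sorted(set(ALPHABET) - set(ciphertext))


def suspect_repeated_key(ciphertext, max_chance=1e-6):
    """Name the key that was probably pressed over and over, or None.

    A long intercept that lacks exactly one letter is suspicious: the odds
    of a given letter being absent from random text shrink as (25/26)**n.
    """
    missing = absent_letters(ciphertext)
    by_chance = (25 / 26) ** len(ciphertext)
    if len(missing) == 1 and by_chance < max_chance:
        return missing[0]
    return None


if __name__ == "__main__":
    machine = make_machine(1941)             # constructed key, arbitrary seed
    test_transmission = encrypt("L" * 676, machine)
    print(test_transmission[:40], "...")
    print("suspected plaintext key:", suspect_repeated_key(test_transmission))
```

Because the machine is a rotor permutation, the reflector, and the same permutation reversed, every setting is a self-inverse mapping with no fixed points, which is exactly what hands the analyst the plaintext of the test message.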

Today’s the day

Indeed, building on this success, Batey later decrypted an Italian message that read TODAY’S THE DAY MINUS THREE.

But what did it mean?

One problem cryptanalysts face – even today, with modern computers at their disposal – is where to focus their efforts.

If you can reliably crack 1% of all encrypted messages, you are doing really well.

But if you don’t pick the right 1% to attack then you may end up knowing an awful lot about the regulations governing how Sergeant Majors should wax their moustaches, and not very much about impending attacks.

As Batey describes, the codebreakers went into overdrive:

[W]e worked for three days. It was all the nail-biting stuff of keeping up all night working. One kept thinking: ‘Well, would one be better at it if one had a little sleep or shall we just go on?’ — and it did take nearly all of three days. Then a very, very large message came in.

And it was a corker of a message, documenting a massive attack against an Allied convoy en route from Egypt to Greece.

The Allies turned the tables, sending out a spotter plane that “just happened” to sight the Italian attackers (thus providing a plausible explanation for the intelligence), drawing the Italians into the Battle of Matapan, and subjecting them to an enormous naval setback.

Lest we forget

So, let’s take this opportunity to remember the war-time heroism of Mavis Batey MBE and the thousands of other cryptographic soldiers who served so industriously against Nazism and Fascism in 1940s Europe.

→ If you have ever visited Bletchley Park (if you haven’t and you can, do it!), you will know how truly awful the working conditions were, with thousands of workers crammed into mostly cold, damp and insanitary huts to pit their intellects against what must have seemed not just unknown but unknowable. The operators of Tommy Flowers’ groundbreaking Colossus codebreaking computers, installed at Bletchley near the end of the war, famously had to wear Wellington boots to work, not merely to keep their feet dry but to avoid electrocution in the wet and leaky conditions.

And, while we’re about it, let’s draw a modern lesson from the work at Bletchley, taught to us by the Italian operator’s apparently-innocent use of LLL…LLL as a plaintext.

When using cryptographic tools, follow or exceed the manufacturer’s recommendations – don’t make up your own operating procedures, even if it feels as though you’re doing the right thing.

You can well imagine that the Italian signalman who sent the long-but-repetitious message was trying to improve things by making sure that he was ready to send and receive for the day, and not risking the mis-transmission of a real and possibly important message.

(Enigma was operationally slow and clumsy, since decryption required considerable manual effort, including transcribing the output, which appeared character-by-character on an illuminated letterboard.)

But he wasn’t supposed to do that, and if he hadn’t…

…who knows whether Mavis Batey would have deciphered that three-day warning in time?

Lest we forget.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9YiOBADhbzw/

Linux backdoor squirts code into SSH to keep its badness buried

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware was used in an attack on a large (unnamed) hosting provider back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, and is in continuous use for the remote administration of websites.


The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.

This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.
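The trigger described above gives defenders something to look for in captured traffic. The sketch below is an added example, not Symantec's or the article's code: it assumes the marker is visible in the captured bytes and that the Base64 text follows it directly, neither of which the article specifies, and `scan_payload` and the sample payloads are constructed for illustration.

```python
import base64
import re

MARKER = b":!;."                       # trigger sequence quoted in the article
B64_RUN = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
BLOWFISH_BLOCK = 8                     # Blowfish works on 64-bit blocks


def scan_payload(payload):
    """Return (offset, verdict, decoded_size) for every marker in payload.

    verdict is "marker+cipher-sized-blob" when well-formed Base64 follows
    the marker (assumed framing) and decodes to a whole number of Blowfish
    blocks; otherwise "marker-only", which is a much weaker signal.
    """
    findings = []
    cursor = 0
    while True:
        offset = payload.find(MARKER, cursor)
        if offset < 0:
            return findings
        cursor = offset + len(MARKER)
        verdict, size = "marker-only", 0
        run = B64_RUN.match(payload, cursor)
        if run:
            try:
                blob = base64.b64decode(run.group(0), validate=True)
            except ValueError:          # binascii.Error: not well-formed Base64
                blob = b""
            if blob and len(blob) % BLOWFISH_BLOCK == 0:
                verdict, size = "marker+cipher-sized-blob", len(blob)
        findings.append((offset, verdict, size))


# Constructed samples; none of these bytes come from the real malware.
SAMPLE_HIT = b"\x17\x03pad" + MARKER + base64.b64encode(bytes(range(16))) + b"\r\n"
SAMPLE_TEXT = b"note to self: the string :!;. turned up in a report"
SAMPLE_SHORT = b"x" + MARKER + b"hello world"
SAMPLE_CLEAN = b"ordinary interactive session bytes"

if __name__ == "__main__":
    samples = [("hit", SAMPLE_HIT), ("text", SAMPLE_TEXT),
               ("short", SAMPLE_SHORT), ("clean", SAMPLE_CLEAN)]
    for name, sample in samples:
        print(name, scan_payload(sample))
```

The block-size test is a heuristic for cutting false positives from ordinary text that happens to contain the four characters; it does not prove the blob is Blowfish ciphertext.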

Symantec concludes that the mystery malware – which it detects as Fokirtor – is different from any other Linux backdoor that its security researchers have previously analysed.

Malware on Linux systems is mostly a server-side problem and incidents of worms and Trojans run into the hundreds or low thousands – as compared to the tens of millions of Windows pathogens and one million plus Android undesirables.

Even so, Symantec’s claim that Fokirtor is completely different from any previous strain of Linux malware is noteworthy – not least because it suggests the new tactics pioneered by the malware may crop up in follow-up code. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/

BlackBerry on the brink: Security kink sinks rinky-dink Link sync in a blink

Hapless BlackBerry has told users to update its software on their Mac OS X and Windows computers following the disclosure of a fairly serious security flaw.

The Canadian handset maker said the vulnerability exists in selected versions of its freely available Link application – a program that allows you to transfer files between your BlackBerry mobes and an Apple or Microsoft-powered computer. Users are urged to upgrade to the latest available builds, which are not vulnerable to the discovered blunder.


The flaw stems from the fact that Link provides access to the user’s files via a WebDAV server that can be accessed over the network and yet doesn’t perform any authentication checks. This clears the way for an attacker, under certain conditions, to elevate their login privileges and run arbitrary commands by tricking another user into clicking on a specially crafted web link or visiting a malicious web page.

More details on how the WebDAV file server can be exploited remotely can be found here, on the personal blog of Google security researcher Tavis Ormandy, who reported the flaw to BlackBerry. Ollie Whitehouse also separately alerted BlackBerry to the cockup.

BlackBerry said that in addition to updating the Link software to a patched release, users and administrators can apply certain mitigation techniques to guard against exploitation of the flaws. Those tips include removing the remote file sharing directory in Link.

According to recent analyst reports, the number of people who will need to install a Link update could be as low as it has ever been. Researchers at IDC estimated that 1.7 per cent of smartphones sold last quarter ran a BlackBerry OS.

For the admins whose companies still run the BlackBerry platform, an update for BlackBerry Link will pile on to what has already been a heavy load of security patches this week. Along with Microsoft’s Patch Tuesday bundle, Adobe pitched a set of fixes for its ubiquitous Flash Player tool as well as the ColdFusion application server. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/15/blackberry_link_update_addresses_security_bugs/

Finding SQL Injection Attacks In Unexpected Quarters

SQL injection attacks have been plaguing the Web for so long that it may seem that they’ve grown ho-hum. But even while the fundamentals stay the same—namely malforming application input to trick databases into thinking they’ve been queried with SQL statements—new Web and mobile application development trends and new attack techniques using old SQL injection tricks are casting SQLi in a new light.

For example, researchers with Sucuri Security early this month announced that they discovered how attackers were able to leverage Google search engine bots to help launch SQLi attacks against websites.

“In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B,” wrote Daniel Cid, a researcher with the firm. “Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B.”

As Cid explains, this method allows the attacker to let the Google bot do the heavy lifting in the attack while providing a way to cover tracks forensically and avoid Web application firewall detection.

While the Google bot technique is a more exotic example of how SQLi attacks have changed without many shifts in the underlying technology principles behind them, IT could be dealing with thornier but workaday changes in the SQL injection vulnerability landscape very soon. The shift will come as more SQLi vulnerabilities are exploited in unexpected mobile and web applications, says Dan Kuykendall, co-CEO and CTO of NTO Objectives. These are developed using new programming formats and development frameworks like JSON, AMF, and REST that don’t necessarily depend on the name-value pair data representation that SQLi attacks tend to target for injection.

“The world has been changing, there are a whole bunch of new formats that we’ve seen traffic being sent in. There are all these new ways of building apps, you’ve got all this REST, you’ve got AJAX and you’ve got these much more dynamic apps, mobile apps,” Kuykendall says. “And they’ve all got much more different ways of packaging up the data. They don’t like to settle for the name-value pairs of the past.”

While it would be easy to then assume that these new applications are as a result not vulnerable to SQLi attacks, the truth is different, Kuykendall explains. These applications—whether mobile or Web—are still passing large amounts of data between the application and the database, and are still vulnerable to injection as long as attackers take a little time to understand how the syntax has changed.

“I can still do my classic SQL injection attacks, I just have to start adjusting where I apply the payloads,” he says. “I no longer am able to put in the name-value pair, instead I’m having to look and understand the format, understand how to inject into that and then I can still do my SQL attacks.”

The difficulty is that, because these SQLi payloads are delivered in a different format in modern applications, many traditional application scanners miss the vulnerabilities. But as he puts it, developers are still making the same core mistakes they always have.

“They’re passing data back and forth; they’re taking that data and doing the same things they’ve always done with them and use them in SQL statements. A lot of times because they’re getting the data from some parser, then the developer uses the data and they trust the client,” Kuykendall says. “Ultimately, these are just parameters; developers are taking values from the client and doing something with that. And the more it’s abstracted, the more likely they miss out on doing the input escaping or whatever they need to do [to prevent injection].”
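The mistake Kuykendall describes, shown next to its fix, for a handler that receives a JSON body rather than name-value pairs. This is an added example, not code from the article or from NTO Objectives: the table, the request shape and the function names are hypothetical, and the request bodies are constructed.

```python
import json
import sqlite3


def make_db():
    """In-memory database with a few constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    db.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db


def lookup_vulnerable(db, body):
    """Trusts whatever the JSON parser returned and splices it into SQL."""
    username = json.loads(body)["filter"]["username"]
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, body):
    """Same request, but the value is type-checked and bound as a parameter."""
    try:
        username = json.loads(body)["filter"]["username"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed request body") from None
    if not isinstance(username, str) or len(username) > 64:
        raise ValueError("username must be a short string")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Constructed request bodies. The value sits two levels deep in a JSON
# document, so nothing in the request looks like a name-value pair.
BENIGN = json.dumps({"filter": {"username": "alice"}})
HOSTILE = json.dumps({"filter": {"username": "' OR '1'='1"}})
WRONG_TYPE = json.dumps({"filter": {"username": ["alice"]}})

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign :", lookup_vulnerable(db, BENIGN))
    print("vulnerable, hostile:", lookup_vulnerable(db, HOSTILE))  # every row
    print("hardened, hostile  :", lookup_hardened(db, HOSTILE))    # no rows
```

The JSON parser validates syntax only; the string it hands back is still client-controlled, so the binding has to happen where the SQL statement is built.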

Article source: http://www.darkreading.com/database/finding-sql-injection-attacks-in-unexpec/240163968

Hey, is that CSI: Hackers on TV? Oh, it’s Microsoft’s Cybercrime Center

Microsoft has built a new home for its Digital Crimes Unit on its Redmond campus to bring together geeks, lawyers, forensic specialists, and law enforcement in tracking down online crooks around the world.

“The Microsoft Cybercrime Center is where our experts come together with customers and partners to focus on one thing: keeping people safe online,” said David Finn, associate general counsel of the Microsoft DCU in a statement. “By combining sophisticated tools and technology with the right skills and new perspectives, we can make the Internet safer for everyone.”

The 100-person team will be augmented by third-party companies and police who will be able to use the facilities for investigations into crime on a 24/7 basis. While the bulk of the investigations going on will be chasing criminals attacking Microsoft products or customers, the center has a wider remit to work with Interpol and other law enforcement operations on global threats.

“In the fight against cybercrime the public sector significantly benefits from private sector expertise, such as provided by Microsoft,” Noboru Nakatani, executive director of the Interpol Global Complex for Innovation said.

“The security community needs to build on its coordinated responses to keep pace with today’s cybercriminals. The Microsoft Cybercrime Center will be an important hub in accomplishing that task more effectively and proactively.”

Included in the new center is a digital forensics laboratory for examining clues in software and hardware, a secure evidence room, a dedicated anti-malware research center, office space for visiting cops and specialists, and a control center containing a wall of touch-screens showing new attacks as they pop up. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/15/microsoft_opens_cybercrime_center_to_fight_global_bad_guys/

Cisco suggests new economic metric: Gross Domestic P0wnage

Cisco has hosted the launch of a new “Cyber Readiness Index” and endorsed its author’s belief that nations need to measure the impact of online crime if they are to understand the true impact of technology on their economies and societies.

The author of the Index is Melissa Hathaway, a former security advisor to President Barack Obama’s and George W Bush’s administrations. Now head of an eponymous consultancy firm, Hathaway is also a senior security advisor to Cisco.


The Index notes the many upsides that flow from technology, asserting that “governments and businesses that embrace the Internet and ICTs recognize it will enhance their long-term competitiveness and societal wellbeing, and potentially contribute up to eight percent of gross domestic product”. But the document says it can find only occasional assessment or quantification of negative economic impacts brought on by technology, citing data on the cost in money and jobs of intellectual property theft.

The study also considered publicly available data on adoption of technology and “network readiness”, before a five-point assessment of whether a nation is “Cyber Ready” was constructed. Those five points are:

  1. Articulation and publication of a National Cyber Security Strategy
  2. Does the country have an operational Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT)?
  3. Has the country demonstrated commitment to protect against cyber crime?
  4. Does the country have an information sharing mechanism?
  5. Is the country investing in cyber security basic and applied research and funding cyber security initiatives broadly?

Full results are available in this PDF, but here’s the top 20 nations from the league table of the most “Cyber-Ready” nations:

  1. South Korea
  2. Sweden
  3. Iceland
  4. Denmark
  5. Finland
  6. Norway
  7. Netherlands
  8. United Kingdom
  9. Luxembourg
  10. Hong Kong
  11. Australia
  12. Japan
  13. Switzerland
  14. Macau
  15. Singapore
  16. New Zealand
  17. United States
  18. France
  19. Germany
  20. Canada

Hathaway and Cisco chief security officer Jon Stewart both suggested the study should be a wake-up call to governments, for the usual reason that the internet is a snake pit but also because without an attempt to count the negatives that come with wide technology adoption their policies aren’t well-directed or designed.

Hathaway’s rationale for such studies is as follows:

“Measuring the declining gains may force governments to align their digital agenda and economic vision with their cyber security strategy and invest in the derivative value of both. Bringing transparency to the economic losses may spark national and global interest in addressing the economic erosion. Cyber security initiatives, therefore, can enable and preserve the promise of the ICT dividend and help countries realize the full potential of the Internet economy.”

It’s a rare day on which a Reg hack somewhere in the world is not offered a study on just how bad things are online and the terrible consequences that await if businesses, governments and you, dear readers, don’t offer more time, attention and currency to security. This study has plenty of that thinking behind it, along with some contestable and contentious assertions like the idea that counterfeiting and piracy cost jobs.

The study’s proposed remedy is more and more serious policy responses to the dangers of the internet, along with more and better implementations of the ideas and institutions listed in the five points above.

Interestingly, before the event started Cisco said it would not entertain questions related to recent Snowden-related revelations.

Our question about one response to Snowden-instigated action, the IETF’s recently-announced plan to harden the internet and bake encryption into HTTP 2.0, saw Hathaway respond that “things happening in international venues are quite emotional.”

“When we enabled encryption for e-commerce we made it easy for criminals to hide their money,” she said. “We need to think about what we enable on the other side of the coin and third or fourth order effects.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/15/cisco_suggests_new_economic_measure_gross_domestic_p0wnage/

DOJ: ‘Locking its front gate’ doesn’t let Lavabit off the hook for search warrants

You can’t get out of cooperating with government-ordered electronic surveillance by shutting down, any more than a business can stop police from executing a search warrant by locking its front gate, the US Department of Justice (DOJ) tutted at Lavabit on Tuesday.

Here’s what the DOJ said on Tuesday, in a filing in an appeal by Lavabit (posted courtesy of Lawfareblog.com):

Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems.

Lavabit, the former encrypted email provider to National Security Agency (NSA) secret-leaker Edward Snowden, shuttered its service in August following court orders demanding metadata about an unnamed user who just about everybody assumes was Snowden.

After much wrangling, founder Ladar Levison eventually gave the government Lavabit’s cryptographic key in digital form, after having first printed out and handed over a copy of the key in 4-point type that left the government’s judge none too pleased.

As soon as Levison gave the government the encryption key to unlock metadata on their target’s email, he turned around and shut everything down.

That meant that even though the government had the key, there was nothing to open with it – including the founder’s own email account, given that, as they say, he ate his own dog food.

Lavabit’s suicide has pleased the government about as much as being given an encryption key it can’t read without a microscope.

Which is, likely, why the government’s brief sounds a tad prickly.

In the document, the DOJ says that Lavabit is wrong, wrong, wrong about everything, including:

  • Feeding them encryption keys printed in teensy weensy ant-sized type,
  • The notion that the company only had to help agents install a pen/trap device to monitor communications without actually helping them to decipher anything the device snooped on, and
  • Nuking the whole shebang to prevent the government from using the encryption key Lavabit eventually coughed up (in non-teensy weensy, usable form).

The DOJ also countered Lavabit’s assertion that handing over the encryption key would enable the government to snoop on all users’ encrypted email.

Well of course the government wouldn’t do that, the DOJ said. That would be illegal!

To wit:

That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye.

The DOJ also dismissed Lavabit’s argument that disclosing its encryption key was not what one does if one advertises its service as being encrypted:

Lavabit’s belief that the orders here compelled a disclosure that was inconsistent with Lavabit’s “business model” makes no difference. Marketing a business as “secure” does not give one license to ignore a District Court of the United States.

In sum, an exasperated-sounding court has said that, no, of course you are NOT allowed to NOT do what a court orders you to do.

Granted, it’s not breaking news at 11.

But readers will hopefully pardon journalists and security cognoscenti for keeping an eye out on the various strategies that internet service providers take to deal with government demands in these surveillance-happy times, be it Facebook patenting an easier way to pass data to the government or Lavabit’s Levison slipping out the back door when agents tried to serve him with a subpoena.

Literally. He was spotted exiting through his home’s rear door.

I suggest reading the court document – his evasive maneuvers are impressive, be they legalistic, business-oriented or corporeal.

What do you think? Should the Lavabit founder’s civil disobedience tactics be applauded, or given the thumbs down?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZVbbEPCLE1E/