Stories
Slash Boxes
Comments

SoylentNews is people

posted by LaminatorX on Friday December 26 2014, @09:11PM   Printer-friendly
from the crypto-for-the-rest-of-us dept.

The Independent reports that:

A British firm could be set to net billions of pounds after making a major breakthrough in cybersecurity. Scientists at Scentrics, working with University College London, say they can guarantee total privacy for emails and text messages. It also means that for the first time laptop and smartphone users will be able to connect to wifi hotspots on the move without worrying about hackers. Only the security services would be able to gain access to the messages, if they needed to. The Scentrics application can be embedded into a mobile handset or computer device, enabling the user to obtain "one-click privacy" at the press of a button. Or it can be downloaded as an app, so the sender can pay a small fee for security every time, for instance, they send an image of family or friends over the internet.

The patent assignee modestly states:

"In terms of British Intellectual Property [IP], it is only dwarfed by the invention of the world wide web itself," said Mr Chandrasekaran. "The internet was born without this in its DNA and we've done it." He explained: "What we've done is to patent the IP for a standards-based, fully automatic, cryptographic key management and distribution protocol for UMTS and TCP/IP." In layman's terms, the company and UCL have found a way of defeating what cryptologists call "the man-in-the-middle attack" or MITM - the ability of someone to hack and intercept an electronic message.

The venture comes from a heavy hitting institution and the people involved seem to be quite connected but the scheme only works by having secure access to a public key infrastructure. Unfortunately, As I previously noted when the last one-step crypto system flamed out (but before the next five went nowhere):

any one-step, hermetically-sealed, silver-bullet solution is poor technology and, in the case of security, is actively dangerous. Although it should never be necessary to pull something to pieces, or understand innards, technology is far from waving a magic wand and having something work 100% of the time. Technology is based upon tiers of leaky abstractions. Therefore, *when* it fails, it needs to be divisible so that debug can proceed. Ideally, technology should be a binary tree of components and faults can be found in the manner that Christmas tree lights can be fixed.

Even when packaged and idiot-proofed, the implication for end users is that anything significant needs to be a multi-step process. For example, install application, install certificates, test certificates. Anything less will have a horrendous corner-case which will be awkward to detect, diagnose or correct. And in the case of security, these corner-cases foreseeably threaten liberty.

Full disclosure: I may or may not be connected to one of the parties mentioned in a previous article.

Related Stories

With this Tiny Box you can Anonymize Everything you do Online 18 comments

No tool in existence protects your anonymity on the Web better than the software Tor, which encrypts Internet traffic and bounces it through random computers around the world. But for guarding anything other than Web browsing, Tor has required a mixture of finicky technical setup and software tweaks. Now routing all your traffic through Tor may be as simple as putting a portable hardware condom on your ethernet cable.

Today a group of privacy-focused developers plans to launch a Kickstarter campaign for Anonabox. The $45 open-source router automatically directs all data that connects to it by ethernet or Wifi through the Tor network, hiding the user’s IP address and skirting censorship. It’s also small enough to hide two in a pack of cigarettes. Anonabox’s tiny size means users can carry the device with them anywhere, plugging it into an office ethernet cable to do sensitive work or in a cybercafe in China to evade the Great Firewall. The result, if Anonabox fulfills its security promises, is that it could become significantly easier to anonymize all your traffic with Tor—not just Web browsing, but email, instant messaging, file sharing and all the other miscellaneous digital exhaust that your computer leaves behind online. http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online/

Subsequent to the posting of the Wired article, some critics on Reddit ( https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_tor_router_box_is_false_representation/ ) have called attention to Germar’s misrepresentation of the “custom” hardware board and plastic case used for the device. They point to stock devices available on Alibaba from Chinese suppliers that appear to be nearly identical. In a followup phone call with Germar, he clarified that the router was created from a stock board sourced from the Chinese supplier Gainstrong. But he says that the project’s developers requested Gainstrong add flash memory to the board to better accommodate Tor’s storage demands. Germar also says now that the case was supplied by Gainstrong and was not custom-designed by the Anonabox developers, a partial reversal of how he initially described it to WIRED.

UPDATE: This project has been pulled from kickstarter. Details at: http://hackaday.com/2014/10/17/anonabox-how-to-fail-horribly-at-kickstarter/ and http://arstechnica.com/security/2014/10/kickstarter-pulls-anonabox-a-tor-enabled-router-that-raised-over-585000/

and, according to Ars:

Redditors and others discovered that there was a hashed root password installed on all Anonaboxes—that password was cracked, and found to be “developer!” an obviously weak password. When asked about the password, Germar responded, "There was no way to log in from the outside anyway, you'd need physical access to the device anyway."

Now Everyone Wants to Sell You a Magical Anonymity Router. Choose Wisely 25 comments

After Anonabox requested US$7,500 and raised US$585,549 before being suspended, I hoped that one-stop solutions would be discouraged but according to Wired News, I couldn't be wronger because there are at least five parties aiming to fill Anonabox's niche:

Maintaining your privacy online, like investing in stocks or looking good naked, has become one of those nagging desires that leaves Americans with a surplus of stress and a deficit of facts. So it’s no surprise that a cottage industry of privacy marketers now wants to sell them the solution in a $50 piece of hardware promising internet "anonymity" or "invisibility." And as with any panacea in a box, the quicker the fix, the more doubt it deserves.

Last week saw the fast forward rise and fall of Anonabox, a tiny $45 router that promised to anonymize all of a user's traffic by routing it over the anonymity network Tor. That promise of plug-and-play privacy spurred Anonabox to raise $615,000 on the fundraising platform Kickstarter in four days, 82 times its modest $7,500 goal. Then on Thursday, Kickstarter froze those pledges, citing the project's misleading claims about its hardware sources. Other critics pointed to flaws in Anonabox's software's security, too.

But the Anonabox fiasco hasn't deterred other projects hoping to sell an anonymity router of their own. In fact, many of them see Anonabox's 9,000 disappointed backers as proof of the demand for their own privacy-in-a-box product. At least five new or soon-to-launch crowdfunding projects now claim to offer a consumer-focused anonymity router with names like Invizbox, Cloak, TorFi, and PORTAL, each with its own promises - and caveats.

Full disclosure: I may or may not be connected to one of the parties mentioned in the article but I think they're all misguided.

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by jackb_guppy on Friday December 26 2014, @09:54PM

    by jackb_guppy (3560) on Friday December 26 2014, @09:54PM (#129346)

    Key line in write up: " Only the security services would be able to gain access to the messages "

    So they are the man-in-the-middle holding all the keys-to-kingdom.

    This will work well.

    • (Score: 5, Insightful) by hemocyanin on Friday December 26 2014, @10:04PM

      by hemocyanin (186) on Friday December 26 2014, @10:04PM (#129349) Journal

      Further fuel for the "no thank-you!!" bonfire:

      Where issues of national security are concerned, the ciphers used are all government-approved, which means messages can be accessed if they need to be by the security services, he said.

      So, even if we were to believe the over-the-top marketing BS, it's loaded up with backdoors. Of course, ONLY the gov't will have access to those. *eyeroll*

      Oh, and a patent.

      • (Score: 2) by hemocyanin on Friday December 26 2014, @10:06PM

        by hemocyanin (186) on Friday December 26 2014, @10:06PM (#129350) Journal

        I should have noted the link that quote is from as there are quite a few TFS: http://www.dailymail.co.uk/sciencetech/article-2885677/ [dailymail.co.uk]

        Look for it way down at the bottom after all the marketing hoopla.

      • (Score: 5, Insightful) by edIII on Friday December 26 2014, @11:48PM

        by edIII (791) on Friday December 26 2014, @11:48PM (#129371)

        The rest of it was the usual crypto breakthru bullshit, until that statement supporting key escrow.

        "Oh, and a patent"

        This is what worries me. What if they did actually make something better? Now we have a group with a patent that apparently feels key escrow is so normal that they can talk about it in a press conference like it doesn't matter? Patents as they are used now, are weapons to eliminate competition and control markets. This is a key escrow system that is now patented, and I would like to know to just what extent does it now threaten the rest of our freedoms and privacy.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 3, Insightful) by frojack on Saturday December 27 2014, @12:18AM

          by frojack (1554) on Saturday December 27 2014, @12:18AM (#129377) Journal

          Oh but you see they have to put these keys in the hands of the authorities, otherwise "a child will die". [arstechnica.com]

          Where issues of national security are concerned, the ciphers used are all government-approved, which means messages can be accessed if they need to be by the security services, he said.

          Wait, What? Did that just tell us all, ALL, government approved ciphers are compromised??

          The mere existence of an escrow means the entire escrow contents will be propagated to every National agency in real time. Wouldn't want any child deaths to occur while paper work clogs up the works.

          It will be both SAFE and PATENTED.

          And it appears neither of those things works for Joe Citizen.
          Only Against him.

          --
          No, you are mistaken. I've always had this sig.
        • (Score: 2) by davester666 on Saturday December 27 2014, @12:29AM

          by davester666 (155) on Saturday December 27 2014, @12:29AM (#129379)

          Well, patenting a key-escrow service for cryptography on the internet is great, so nobody else can do it... These guys can do it, and few people will come, and that'll be the end of it.

          • (Score: 4, Interesting) by edIII on Saturday December 27 2014, @02:48AM

            by edIII (791) on Saturday December 27 2014, @02:48AM (#129390)

            I think I'm worried that beyond the bluff and bluster they did have something meaningful to contribute in regards to MITM. Their solution might not mandate a key escrow type system, but the policies they're willing comply with do. Hence, the technology is now locked away. All we can do is marvel at it, and then try to create a system that does the same thing, but for the people.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2, Insightful) by GoodBuddy on Sunday December 28 2014, @03:45AM

        by GoodBuddy (4293) on Sunday December 28 2014, @03:45AM (#129633)

        FTA:

        guarantee total privacy for emails and text messages.

        it is only dwarfed by the invention of the world wide web itself.

        This sounds like a person with a degree in marketing not computer science.

    • (Score: 0) by Anonymous Coward on Friday December 26 2014, @11:19PM

      by Anonymous Coward on Friday December 26 2014, @11:19PM (#129359)

      So they are the man-in-the-middle holding all the keys-to-kingdom.

      This will work well.

      What could go wrong?
      [Ducks and runs for cover]

    • (Score: 3, Interesting) by dltaylor on Friday December 26 2014, @11:25PM

      by dltaylor (4693) on Friday December 26 2014, @11:25PM (#129360)

      Yeah, it's not like anyone other than the security agencies ever found the back doors in Windows.

      My favorite is still the DX9 "feature" of running an executable embedded in an MP3 stream IN THE KERNEL.

  • (Score: 5, Funny) by wonkey_monkey on Friday December 26 2014, @10:26PM

    by wonkey_monkey (279) on Friday December 26 2014, @10:26PM (#129352) Homepage

    Full disclosure: I may or may not be connected to one of the parties mentioned in a previous article.

    Yeah? Me too! What a coincidence.

    --
    systemd is Roko's Basilisk
  • (Score: 4, Insightful) by Anonymous Coward on Friday December 26 2014, @10:36PM

    by Anonymous Coward on Friday December 26 2014, @10:36PM (#129353)

    So, what, are they simply applying public key cryptography between a mobile phone and an intermediary service (a security company?) connected to the Internet to ensure that the connection over the Wifi spot is encrypted in a manner that no one else can read it (even if someone else has the WPA key or even if the connection is in the open?). Kinda like a VPN being used as a proxy to access the Internet through? How is something like this patent worthy? Isn't this already prehistoric technology? But this time, because it's with a phone, it's patent worthy? A technology like this is not patent worthy it's just to be expected as computer and phones become more powerful and able to encrypt and decrypt things and as processing power becomes such that intermediary computers can better handle the load and as Internet speeds improve to make the additional work needed less noticeable.

    Also more and more websites use HTTPS and more and more services offer encryption, again as technology progresses to make it easier for everyone, so something like this becomes less and less necessary these days anyways. So long as your phone has a few root keys built in they can use those keys to validate various websites that you wish to connect to and keep the connections encrypted.

    • (Score: 0) by Anonymous Coward on Friday December 26 2014, @11:27PM

      by Anonymous Coward on Friday December 26 2014, @11:27PM (#129361)

      (same poster)

      and, AFAIK, if you're connected to a mobile network (via 4g) the connection between you over the air does have encrypted. Now if your phone is working over the Wifi network and text messages get sent through the wifi network whenever connected to a wifi router I'm not sure if there is a layer of encryption between your phone and your phone company and if those text messages are protected by that layer of encryption. The article states

      "This has never previously been possible."

      http://www.dailymail.co.uk/sciencetech/article-2885677/Online-privacy-breakthrough-British-researchers-claim-developed-way-internet-security-layer.html [dailymail.co.uk]

      Even if it's never been done doesn't mean it's never been possible. If it's never been done it's not because a layer of encryption between your phone and a mobile network when sending text messages has never been possible it's because mobile carriers are too lazy to implement it. The technology has been possible for a long time. and while nonsense articles are easy to simply ignore it's difficult to ignore the government when they start issuing patents on things that stupid patent examiners have no clue about.

      "The simple Application Programming Interface (API) allows for any service provider to plug in any application to take care of privacy and security settings for data and image and voice.

      Read more: http://www.dailymail.co.uk/sciencetech/article-2885677/Online-privacy-breakthrough-British-researchers-claim-developed-way-internet-security-layer.html#ixzz3N359VWrz [dailymail.co.uk]
      Follow us: @MailOnline on Twitter | DailyMail on Facebook"

      Uhm, it doesn't sound much like an API. More like an encryption proxy (an SSL proxy) that programs send their traffic through. This type of thing has been around for a long time for desktop applications. For example say I have a program on my computer that can connect to the same program on your computer but the program doesn't support encryption. I can create an SSL proxy to connect the program through and connect the program through the SSL proxy on your end that the program is also running through. Nothing innovative here other than it's being put on a phone.

      Home browsers support SSL but many web servers have an SSL termination proxy to offload the cryptographic load onto different computers than the ones handling the web requests.

      http://en.wikipedia.org/wiki/SSL_termination_proxy [wikipedia.org]

      You can technically run these proxies on the same servers that run the web servers so there is nothing innovative here. This looks like it's essentially the same thing, a proxy that simply routes text messaging and other traffic through it, only over the phone. The idea is nothing innovative, proxy servers that modify traffic have been around for a long time.

      • (Score: 0) by Anonymous Coward on Friday December 26 2014, @11:48PM

        by Anonymous Coward on Friday December 26 2014, @11:48PM (#129370)

        The idea of having a local proxy server that encrypts traffic is nothing new. Heck, when you configure WPA encryption on your router and you connect to a website from your laptop there is a layer of encryption between your laptop and the router. Your laptop essentially has a local proxy server that encrypts the web traffic between your laptop and the router.

      • (Score: 2) by hemocyanin on Saturday December 27 2014, @06:12AM

        by hemocyanin (186) on Saturday December 27 2014, @06:12AM (#129403) Journal

        It's probably worth noting for those unfamiliar with this technique, that one such program (GPL) which does the ssl proxy thing, is stunnel: https://www.stunnel.org/index.html [stunnel.org]

        Apparently, there are even android and windows versions. Also another use case is to route data from a local program that doesn't support SSL to a remote server that does (this was true years ago with the Pan newsreader -- I don't know if Pan supports SSL now or not, my usenet days being long over).

        • (Score: 0) by Anonymous Coward on Saturday December 27 2014, @06:32PM

          by Anonymous Coward on Saturday December 27 2014, @06:32PM (#129507)

          (Same poster)

          Yeah, I remember stunnel but I couldn't remember the name. This is what I was trying to link to. Thanks.

    • (Score: 5, Informative) by frojack on Saturday December 27 2014, @12:31AM

      by frojack (1554) on Saturday December 27 2014, @12:31AM (#129380) Journal

      Also more and more websites use HTTPS and more and more services offer encryption, ... so something like this becomes less and less necessary

      Your statement is technically true for "something like this" since THIS provides no additional security at all, because everybody's private keys are in escrow known to everyone with a warrant pad in hand.

      With more than one company being ordered to turn over their SSL keys [wired.com], I think you are a FAR too trusting of HTTPS. How many other companies rolled over to such an order?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1, Insightful) by Anonymous Coward on Saturday December 27 2014, @12:42AM

        by Anonymous Coward on Saturday December 27 2014, @12:42AM (#129381)

        Well, the problems with https and certificate authorities and root authorities and how to deal with them transparently is a whole different issue in itself.

        From the original article

        "The simple Application Programming Interface (API) allows for any service provider to plug in any application to take care of privacy and security settings for data and image and voice.

        Read more: http://www.dailymail.co.uk/sciencetech/article-2885677/Online-privacy-breakthrough-British-researchers-claim-developed-way-internet-security-layer.html#ixzz3N3QUmYjV [dailymail.co.uk]
        Follow us: @MailOnline on Twitter | DailyMail on Facebook"

        http://www.dailymail.co.uk/sciencetech/article-2885677/Online-privacy-breakthrough-British-researchers-claim-developed-way-internet-security-layer.html [dailymail.co.uk]

        While this seems to simply be describing a local encryption proxy service it's weird how they refer to it as an API. If they can't even make the distinction between an API and a local proxy service that should really suggest to us that we shouldn't be taking them seriously. Too bad government employees are clueless enough to grant patents on the basis of a poor understanding.

      • (Score: 2, Informative) by Anonymous Coward on Saturday December 27 2014, @01:01AM

        by Anonymous Coward on Saturday December 27 2014, @01:01AM (#129382)

        Actually by reading this you are right, this is worse.

        "The impact is truly revolutionary as it envisages a future in which there will be total user controlled privacy whilst also balancing the needs of national security by the architecture of the service which allows for Legitimised Key Escrow.

        'In short, every individual and/or machine now has the ability to call, from the cloud, its own cryptographic key (pair). This process, for the first time in history, is fully automated.'

        Read more: http://www.dailymail.co.uk/sciencetech/article-2885677/Online-privacy-breakthrough-British-researchers-claim-developed-way-internet-security-layer.html#ixzz3N3UzsolS [dailymail.co.uk]
        Follow us: @MailOnline on Twitter | DailyMail on Facebook"

        The reason that private keys are stored locally is not because no one thought of the idea of storing them on a remote server. It's not that storing them on a remote server is a revolutionary idea that has never been thought and so no one has ever done it it's that doing so is inherently less secure. This is simply a way to allow for a back door by allowing the government to have access to the key pair. This does absolutely nothing to add security and only does something to take it away. For this article to market it as a revolutionary new breakthrough is intellectually disingenuous at best.

  • (Score: 2, Insightful) by Anonymous Coward on Friday December 26 2014, @10:36PM

    by Anonymous Coward on Friday December 26 2014, @10:36PM (#129354)

    holy cow.
    its a NETWORK! when are solutions relying on a sinle point of failure going to stop being called innovative?
    we all make up the internet!
    tor and bitorrent are NETWORK solutions.
    the internet w/ dns http ftp and all that stuff was meant to kickstart the next generation of stuff not add more blinge.
    get a onion domain and be a real internet citizen!

  • (Score: 5, Insightful) by f4r on Saturday December 27 2014, @01:07AM

    by f4r (4515) on Saturday December 27 2014, @01:07AM (#129383)

    All that press release does is set off my "Marketing BS" alarm many times.

    If they actually expect anyone (who knows what they're talking about) to take them seriously, then I really feel bad for them.

    --
    Do not use as directed.
    • (Score: 1) by Anonymous Coward on Saturday December 27 2014, @01:41AM

      by Anonymous Coward on Saturday December 27 2014, @01:41AM (#129387)

      Agreed, the only reason this article is worth mentioning here is to give us the opportunity to denounce yet another stupid patent and to criticize the government for wasting taxpayer resources on granting it. Otherwise posting this is a complete waste of our time.

    • (Score: 1) by cbiltcliffe on Saturday December 27 2014, @04:35PM

      by cbiltcliffe (1659) on Saturday December 27 2014, @04:35PM (#129481)

      If they actually expect anyone (who knows what they're talking about) to take them seriously, then I really feel bad for them.

      They don't need people who know what they're talking about to take them seriously. They just need the clueless majority to take them seriously. Or, the marketing departments of various cell phone companies, who can they publish all sorts of crap in their advertising about encrypted text messages that are "virtually unreadable by anyone except the proper recipient."

      As long as most of the people reading the claims are security clueless, but look at "encrypted texts" and think "That sounds like a good idea!" then their marketing will potentially be successful. Which means the clued in people need to make massive amounts of noise over braindead schemes such as this.

  • (Score: 0) by Anonymous Coward on Saturday December 27 2014, @05:35PM

    by Anonymous Coward on Saturday December 27 2014, @05:35PM (#129499)

    It requires a user-agent client device which is equipped with a Trusted Platform Module (TPM) conforming to the Trusted Computing Group specifications.
    Also according to the patent the user must do the following steps :

    In order for a user to start using the scheme, the following steps are performed:

    [0094] 1. The user establishes a relationship with a server. This could, for example, be a fee-paying contractual relationship (where the server is providing a service to the user), or a relationship which arises `by default` with the user's employment where the server is run by, or on behalf of, the employer.

    [0095] 2. The user selects one or more Certificate Authorities (CAs) who will be responsible for generating certificates for user public keys. Of course, depending on the server-user relationship, this may be done automatically for the user by the server.

    [0096] 3. The user establishes a shared secret password with the server.

    Quite far from a one click solution…