Tag Archives: alliance

Five Eyes wants to weaken encryption, or legislation may be needed

Five Eyes — the government intelligence alliance between Australia, Canada, New Zealand, the U.K. and the U.S. — issued a threat to tech companies that don’t find ways to comply with law enforcement in the face of encrypted data and devices.

Following a meeting in Australia on Aug. 30, representatives of the Five Eyes nations detailed principles expressing support for privacy and claimed they did not want to weaken encryption. The coalition described a vision of cooperation between government and tech companies that would allow law enforcement to gain access to encrypted evidence. However, the Five Eyes partners reserved the right to take stronger action, if necessary.

Many of the points made by the Five Eyes governments are arguments the infosec community has heard before in pleas from the FBI, for example. But this is the first time the coalition of major Anglosphere countries has issued a joint statement on encryption.

In the “Statement of Principles on Access to Evidence and Encryption,” Five Eyes claimed “encryption is vital” to economies and for protecting information, but added that these protections are also being abused by “child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.”

“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute,” the Five Eyes partners wrote. “It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards.”

The statement did not mention encryption backdoors or how companies would have to weaken encryption in order to provide law enforcement access, nor did it give any details on how the Five Eyes partners expected tech companies to comply.

“The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries,” the Five Eyes report read. “Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements.”

Much like past arguments about how to gain access without having to weaken encryption, the statement urged cooperation and said government access to encrypted data should be “underpinned by the rule of law and due process protections.”

However, the statement ended with a threat: “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Experts defend encryption

Just as the Five Eyes argument for lawful access echoed past statements from law enforcement, experts took to Twitter with many of the same arguments used against previous law enforcement efforts to weaken encryption.

Chad Loder, founder of Rapid7, based in Boston, said even if law enforcement got its way, other software services would arise.

Others noted that even if the governments of the Five Eyes countries were to legislate weakened encryption, those laws would only apply to software companies based in one of the five countries.

Sergei Boeke, researcher and lecturer at the Institute of Security and Global Affairs and Cyber Security Academy at Leiden University in the Netherlands, expressed doubt that the Five Eyes partners would see the cooperation they hoped for.

Craig Lawson, research vice president at Gartner, said legal access was impossible without weakening encryption.

WPA3 Wi-Fi protocol aims to improve security in 2018

The Wi-Fi Alliance introduced the next generation of Wi-Fi Protected Access — WPA3 — which aims to improve password security as well as security for IoT devices.

The industry will begin rolling out the WPA3 Wi-Fi protocol in products in 2018 and replace WPA2, meaning vendors will have to follow the security standard in order to carry the “Wi-Fi Certified” branding.

In an official announcement from CES in Las Vegas, the Wi-Fi Alliance noted that the WPA3 Wi-Fi protocol will include “four new capabilities for personal and enterprise Wi-Fi networks.”

“Two of the features will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations, and will simplify the process of configuring security for devices that have limited or no display interface. Another feature will strengthen user privacy in open networks through individualized data encryption,” the Wi-Fi Alliance wrote. “Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.”

According to Mathy Vanhoef, a network security and applied cryptography post-doctoral candidate and one of the researchers behind the WPA2 KRACK vulnerability, which took advantage of the WPA2 four-way handshake network connection process to produce a man-in-the-middle exploit, WPA3 implements a more secure handshake that should help prevent brute force password attacks.

Marc Bevand, former security engineer at Google, described in a Hacker News forum post how this type of password authenticated key exchange (PAKE) can prevent attacks online and off.

“[Offline, an attacker] can try to decrypt the packet with candidate passwords, but he does not know when he guesses the right one, because a successful decryption will reveal [values that] are indistinguishable from random data. And even if he guessed right, he would obtain [public keys], but would not be able to decrypt any further communications as the use of Diffie-Hellman makes it impossible to calculate the encryption key,” Bevand wrote. “[Online,] if he actively [man-in-the-middles] the connection and pretends to be the legitimate server, he can send his own [key and password] to the client using one guessed candidate password. If he guessed wrong … each authentication attempt gives him only one chance to test one password. If, out of frustration, the client tries to retype the password and re-auth three times, then the attacker can at most try to guess three candidate passwords. He can’t brute force many passwords.”
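The two properties Bevand describes, shown as an added example that is not from the article, Bevand's post or the WPA3 specification: a toy password-blinded Diffie-Hellman exchange in Python. `Peer`, `mask`, `offline_view` and `tags_match` are names made up here, the sample passwords are constructed, and the 768-bit RFC 2409 group is used only to keep the listing short; this is not WPA3's own handshake.

```python
import hashlib, hmac, secrets

# RFC 2409 Oakley Group 1 prime: a 768-bit safe prime, P = 2Q + 1.
# Chosen to keep the listing short; far too small for real use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4  # a square mod P, so it generates the prime-order-Q subgroup

def mask(password):
    """Hash the password to a subgroup element; squaring lands in the order-Q subgroup."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(128), "big") % P
    return pow(h, 2, P)

class Peer:
    """One side of the toy exchange (hypothetical class, not a WPA3 API)."""
    def __init__(self, password):
        self.password = password
        self.x = secrets.randbelow(Q - 1) + 1        # ephemeral DH secret

    def message(self):
        # DH public value g^x, blinded ("encrypted") with the password-derived mask.
        return pow(G, self.x, P) * mask(self.password) % P

    def confirm_tag(self, peer_message):
        # Unblind with our own password, finish DH, derive a key-confirmation tag.
        peer_pub = peer_message * pow(mask(self.password), -1, P) % P
        shared = pow(peer_pub, self.x, P)
        key = hashlib.sha256(shared.to_bytes(96, "big")).digest()
        return hmac.new(key, b"confirm", hashlib.sha256).digest()

def offline_view(captured, candidates):
    """Passive observer: unblind a captured message under each candidate password.
    Every result is a valid subgroup element, so no candidate can be ruled out."""
    return [pow(captured * pow(mask(c), -1, P) % P, Q, P) == 1 for c in candidates]

def tags_match(a, b):
    """One handshake: tags agree only if both sides used the same password, so a
    party that does not know it learns one yes/no answer per attempt."""
    return hmac.compare_digest(a.confirm_tag(b.message()), b.confirm_tag(a.message()))

if __name__ == "__main__":
    client = Peer("correct horse battery")           # constructed sample passwords
    print(tags_match(client, Peer("correct horse battery")))   # same password
    print(tags_match(client, Peer("letmein")))                 # wrong guess
    print(offline_view(client.message(), ["letmein", "hunter2", "correct horse battery"]))
```

Deployed PAKEs also bind both parties' identities and messages into the confirmation step, which this toy leaves out.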

Additionally, experts noted that the WPA3 Wi-Fi protocol improvements to “configuring security for devices that have limited or no display interface” could help improve security on IoT devices, but some experts, such as Tom Van de Wiele, principal cyber security consultant and red-teamer at F-Secure, were not optimistic about the possibility.

Microsoft Azure allies with nearForm for Node.js Developer Migration and Support Services

At Node.js Interactive 2017, starting tomorrow in Vancouver, BC, nearForm and Microsoft are announcing a new alliance to help customers migrate Node.js apps to Azure, and provide enterprise-grade support for them. By partnering with nearForm we are now bringing their multi-year expertise in architecting, designing and supporting Node.js apps to developers as they adopt Azure and build on top of our cloud.

Every day, more and more Node.js developers choose to build and deploy on top of Azure, and Microsoft continues in its commitment to make investments in the area. The recent announcements of Azure App Service on Linux and Azure Web App for Containers, combined with support for Node.js across Azure Functions, Azure Container Service and pre-provisioned VM images, provide developers a great range of choices to host their Node.js apps and services across several cloud compute models offered by Azure.

nearForm Migration and Developer Support Services

nearForm is recognized as a leader in architecting and developing full-stack JavaScript solutions. With world-class teams of software architects, designers, developers, DevOps engineers and open source tooling experts, nearForm takes its clients worldwide through a current-architecture review workshop to a fully deployed high-performance new stack on Azure in a short amount of time.

As part of the alliance, Microsoft and nearForm are announcing today the nearForm Migration and Developer Support services, which enable customers to confidently move to the cloud with Node.js on Azure. Beyond the migration of technology, nearForm can help businesses migrate to offering new Software-as-a-Service (SaaS) capabilities: the nearForm design sprint is an intensive engagement which enables customers to generate a prototype of new business ideas in just five days. Customers can then work with nearForm’s Solutions teams to turn the prototype into a production system.

nearForm’s Developer Support service ensures that teams have direct access to the most knowledgeable Node.js developers in the industry, including Node.js Core contributors. This level of expertise can guide customers step-by-step through the process.

Customers interested in the Migration and Developer Services can request a quote from nearForm directly.


Free Node Clinic at Node Interactive 2017

Attendees at Node.js Interactive, in Vancouver from October 4-6, can request a Node Clinic at the event with nearForm’s Node.js experts and Microsoft’s Azure experts, including members of the Node.js Technical Steering Committee. At each Node Clinic, clients can have a free, one-to-one, twenty-minute session to discuss any issues with their Node.js applications and services.

First look at Satya Nadella’s new book, Adobe and Microsoft deepen ties while science reveals (yet again) the power of the pen — Weekend Reading: Sept. 8 edition – The Official Microsoft Blog

Time to read, write and “Hit Refresh,” following a brief-but-busy week at Microsoft. We saw an alliance grow, protections reinforced and new chapters emerge.

Let’s take a spin through the news.

Microsoft CEO Satya Nadella in his office reading one of the first arrivals of his new book.

This week, the author got a first look at his new creation. Early copies of “Hit Refresh” arrived at the office of Microsoft CEO Satya Nadella. He smiled while leafing through pages packed with reflections, ideas and principles on transformation – the story of Microsoft’s quest to rediscover its soul, as told through Nadella’s eyes and experiences.

In a LinkedIn post published Wednesday, Nadella described “Hit Refresh” as an exploration of the renaissance of a storied company and the implications of the coming wave of technology — artificial intelligence, mixed reality and quantum computing — which will soon disrupt the status quo impacting our lives, communities and economies.

“Hit Refresh” goes on sale globally Sept. 26 and is available now for preorder. Nadella is donating all proceeds from the book to Microsoft Philanthropies.

A student in the study wears hundreds of sensors to monitor her brain.

Pens down? Not so fast.

New research offers the first electrophysiological evidence that the brain behaves differently when people use a pen versus a keyboard – and that the physical movement of a pen boosts learning.

The finding builds on previous studies that suggest long-hand notetaking with a pen deepens the mind’s ability to retain and process information.

Cognitive neuropsychologists Audrey van der Meer and Ruud van der Weel outfitted participating students with more than 250 sensors that monitored their brain signals.

The students then completed tasks involving typing and note-taking by hand, including with the use of Surface Pro 4 devices. Van der Meer told Microsoft News Centre Europe that many tablet and stylus devices – like the Surface Pen – help people get the most out of ancient and modern technology.

Conducted over two months in Norway and later peer reviewed, the study provides fresh proof that the pen – once seen as an analogue artifact – can be fully appreciated as a key component of our digital learning experiences.

A Nordstrom sign outside a Nordstrom store.

Shoppers know: Nordstrom is synonymous with legendary customer service at its 350-plus stores and online.

During a recent chat between Cho Hwang, technology director at Nordstrom, and Ron Markezich, Microsoft corporate vice president, talk turned to Microsoft Office 365.

“Office 365 supports the diverse and ever-evolving workstyles of Nordstrom employees in retail and corporate locations,” Hwang said. “It provides a comprehensive set of tools that enables employees to be more productive and always have the data that they need at their fingertips.”

On Thursday, more Office 365 news broke when Adobe and Microsoft announced they are expanding their strategic alliance to increase workforce productivity and drive more efficient business processes.

Adobe Sign, the market leading e-signature service in Adobe Document Cloud, is now Microsoft’s preferred e-signature solution across the company’s portfolio, including the 100 million monthly active users of Office 365.

A global map shows recent ransomware attacks.

A new Microsoft report details recent ransomware threats and the need for advanced security. You can protect yourself with Windows 10, which integrates next-gen security features that guard against ransomware, including multiple exploit mitigations, Windows Defender Advanced Threat Protection (ATP) and more.

The upcoming Windows 10 Fall Creators Update will make Windows even more secure against attacks through seamless integration of Windows Defender ATP across the entire Windows protection stack plus other updates. You can start taking advantage of these protections now with the Windows Defender ATP Windows 10 Fall Creators Update, now open for public preview.

On Tuesday, Microsoft responded to the administration’s decision to rescind protection under the program for Deferred Action for Childhood Arrivals (DACA), calling it a “big step back for our entire country,” writes Brad Smith, Microsoft president and chief legal officer, on the Microsoft on the Issues blog.

The administration is giving Congress six months to replace DACA with new legislation. “Congress now needs to reprioritize the fall legislative calendar and move quickly with new legislation to protect these 800,000 Dreamers,” Smith writes.

“This means that Congress should adopt legislation on DACA before it tries to adopt a tax reform bill.” Microsoft will work as needed with other companies and the broader business community to “vigorously defend the legal rights of all Dreamers,” Smith says. “For the 39 Dreamers that we know of who are our employees, our commitment is clear. If Congress fails to act, our company will exercise its legal rights properly to help protect our employees.”

Several Harry Potter books.

With fall (nearly) in the air, head back to Hogwarts School of Witchcraft and Wizardry, as the complete collection of “Harry Potter” e-books arrives in the Windows Store. Find all seven books in the series in a single title, along with other favorites in this universe such as “Fantastic Beasts and Where to Find Them” and “Harry Potter and the Cursed Child.”

Need more entertainment this weekend? Get your scare on with the newest chapter in Ryan Murphy’s TV drama anthology, “American Horror Story: Cult.” Buy a season pass now in the Movies & TV section of the Windows Store – and follow what’s hot, new and trending in the Windows Store on Twitter and Facebook.

That caps our round-up. See you next Friday for another Weekend Reading!

Posted by Bill Briggs
Microsoft News Center Staff
