Tagged: The Register

  • richardmitnick 12:46 pm on December 31, 2020
    Tags: A new legal basis had to be found to enable ongoing access to the DNA database., Brexit trade deal advises governments to use Netscape Communicator and SHA-1. Why? It's all in the DNA, It’s no surprise that the whole thing has been included in the Brexit trade deal: AES-256; SHA-1 and all., Netscape Communicator declared end-of-life in 1997., NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013., Part of the text in question is a treaty underpinning an EU-wide DNA database., Prüm Convention – the treaty underpinning the European Union’s bloc-wide DNA database to which the UK wants to keep access after departing the EU on Friday (1 January)., Putting it into the UK-EU trade deal appears to be the solution., Somebody’s finally noticed that the Prüm Convention’s recommendations are out of date but updating it will not be a fast process., The Register, Unilaterally modifying a treaty with more than 20 international signatories could open a can of worms.

    From The Register: “Brexit trade deal advises governments to use Netscape Communicator and SHA-1. Why? It’s all in the DNA” 

    From The Register

    31 Dec 2020
    Gareth Corfield

    A simple cut-and-paste text job from a 2008 EU treaty for genetic databases.

    People are pointing to the inclusion of Netscape Navigator and SHA-1 in the newly-minted British Brexit trade deal – yet no one seems to have realised part of the text in question is a treaty underpinning an EU-wide DNA database.

    Buried in the 1,000+ pages of the UK-EU trade deal are references to the obsolete Netscape Navigator browser and even Netscape Communicator, which was declared end-of-life in 1997.

    [Image: Netscape Navigator browser]

    [Image: Netscape Communicator]

    In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard.
    Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible and instead use SHA-2 or SHA-3. Replacing SHA-1 is urgent where it is used for digital signatures.
    All major web browser vendors ceased acceptance of SHA-1 SSL certificates in 2017. In February 2017, CWI Amsterdam and Google announced they had performed a collision attack against SHA-1, publishing two dissimilar PDF files which produced the same SHA-1 hash. But SHA-1 is still secure for HMAC.

    “s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages,” says page 921 of the deal, in a part named “ANNEX LAW-1: EXCHANGES OF DNA, FINGERPRINTS AND VEHICLE REGISTRATION DATA”.

    Rather than being a throwback to the dusty days of dial-up internet and shouting at your mum for picking up the phone while you try to download cat GIFs, however, that annex contains the full and current text of the Prüm Convention – the treaty underpinning the European Union’s bloc-wide DNA database, to which the UK wants to keep access after departing the EU on Friday (1 January).

    Unilaterally modifying a treaty with more than 20 international signatories could open a can of worms – so it’s no surprise that the whole thing has been included in the Brexit trade deal, AES-256, SHA-1 and all.

    The obsolete programs and security standards laid down in the Brexit trade deal are mandated for use with the Prüm database, with criminal suspects’ fingerprints, DNA and car registration details being sent around the bloc’s various police forces by email as described in both the EU treaty and the Brexit trade deal annex.

    With Britain leaving both the EU’s political and legal control, a new legal basis had to be found to enable ongoing access to the DNA database. Putting it into the UK-EU trade deal appears to be the solution.

    An EU thing that’s valued by UK.gov

    Government minister James Brokenshire told Parliament in summer:

    “The Government has considered the impact of sharing suspects’ data as it concerns individual freedoms. However, I am reassured by protections applicable to England and Wales which carefully govern the retention of biometric data, and which confer protections to data from individuals who have not been convicted.”

    Brokenshire also confirmed that since the UK joined the scheme in July 2019, around 12,000 people’s fingerprints and DNA profiles had been sent to British police through the EU DNA database – and 41,000 Britons’ information had gone to EU countries in return.

    It is not immediately obvious whether the EU’s systems for moving personal data around the internet have had security updates since 2008, though one would hope the bloc’s focus on data protection would have seen the infosec parts of the Prüm treaty being pragmatically set aside.

    Nonetheless, the security standards mandated are dangerously out of date and no one serious would advocate using them today. For example, the SHA-1 hashing algorithm is no longer supported by Microsoft and the 25-year-old hash function can now be cracked for less than $50,000.

    Politico-legal analysis in 280 characters

    When the “obsolete security” part of the deal began circulating on Twitter this week, people whose critical thinking skills begin and end with Ctrl-F inevitably began airing their political views about the inclusion of ancient tech in the trade agreement.

    Yet simply copying and pasting snippets from the annex into popular search engines takes the curious reader to its original source: EU Council decree 2008/615/JHA, dated 23 June 2008. That document adopts the Prüm Convention that was signed in 2005 by a handful of European countries, making it part of EU law.

    The EU’s own EUR-lex website, a website of EU laws similar to legislation.gov.uk, appears to show that the 2008 EU treaty’s wording has never been updated. In June this year, however, the EU Council accepted that it “needs to ensure full alignment of the new Prüm Framework with the [EU Law Enforcement Directive], especially regarding the data protection safeguards.”

    Somebody’s finally noticed that the Prüm Convention’s recommendations are out of date but updating it will not be a fast process.

    Sadly the BBC, whose hacks were presumably enjoying an extended period of festive cheer, reported all this dull-but-important detail by churning throwaway speculation – and even managing to quote “experts” who were curiously incurious about where the original text came from, or why a 2020 trade deal would mandate early 2000s tech.

    Sneering Britons were informed that it was probably down to some tired civil servant inappropriately using copy and paste from a “late 1990s security document”; an “explanation” that is simply untrue.

    Sometimes the truth is both dull and not immediately obvious – two categories of information that El Reg, at least, still specialises in ferreting out. ®

    Note

    Netscape is not the only example of elderly tech being used to define EU legal standards. The Register knows of at least one diagram in EU transport safety regulations that was created by hand using MS Paint.

    See the full article here.

    Please help promote STEM in your local schools.

    Stem Education Coalition

     
  • richardmitnick 11:00 am on July 4, 2019
    Tags: China's FAST radio telescope, The Register

    From The Register: “Crikey, that’s FAST: China clocks 84 pulsars in 2 years using world’s largest radio telescope”

    From The Register

    [Image: The Five-hundred-meter Aperture Spherical Radio Telescope. Image: Chinese Academy of Sciences]

    The world’s largest single-dish radio telescope, an enormous white circle half a kilometre in diameter, has helped scientists uncover 84 new pulsars since it began collecting data two years ago.

    Jiang Peng, chief engineer at the Five-hundred-meter Aperture Spherical Radio Telescope (FAST) in Guizhou Province, southwest China, revealed that number to Xinhua News, the official mouthpiece of the Communist Party of China, on Wednesday.

    Pulsars are leftover remnants of stars that have passed their shelf life and no longer burn hydrogen. The old cores have collapsed into dense white dwarfs or neutron stars.

    These stars are still energetic, however, spewing regular beams of electromagnetic radiation as they rotate rapidly.

    Scientists predict (CJAA) that the number of observable pulsars in our galaxy is around 70,000, but less than 3 per cent of them have been discovered so far.

    FAST hopes to find particularly weird pulsar specimens, ones that spin at sub-millisecond speeds or orbit near black holes as a binary pair.

    Peng also said that the FAST team were using the radio telescope to find out how clumps of cold gas, a source of fuel for star formation, were distributed in the Milky Way. It also contributes to the SETI Institute by looking out for rogue signals from possible alien civilisations.

    The telescope, made up of 4,450 reflecting panels, covers a range of radio frequencies between 70MHz and 3GHz. ®

    See the full article here.

     
  • richardmitnick 12:48 pm on January 30, 2019
    Tags: Iceland starts planning for new undersea internet cable to Europe, The North Atlantic island state wants to build a fourth cable to either the UK or Ireland, The Register

    From The Register: “Iceland starts planning for new undersea internet cable to Europe” 

    From The Register

    30 Jan 2019
    Gareth Corfield

    Route to Ireland via UK will be surveyed, says local ministry.

    [Image: Map via Icelandic Ministry of Transport and Local Government website]

    Iceland has made public its plans to build a fourth undersea internet cable to Europe. While one Icelandic news outlet reported that this was because of “security reasons”, the truth appears a bit more mundane.

    The North Atlantic island state wants to build a fourth cable to either the UK or Ireland, according to the country’s Ministry of Transport and Local Government.

    As can be seen from the above graphic, two of Iceland’s existing submarine comms cables terminate in Scotland and Denmark, with the Scottish cable joining an existing, non-Iceland-owned overland route to London. The Irish plan would see a new cable landing in County Mayo and then taking a new route to London, crossing the Irish Sea via Dublin and north Wales.

    Iceland’s authorities have tasked a survey ship from the state-owned Farice cable company with surveying the proposed route from the fishing town of Grindavik on Iceland’s southern peninsula to the Irish hamlet of Killala, prior to any cables being laid. It was not immediately clear whether the Ireland-UK cable would piggyback off existing capacity, of which there is plenty, or whether Iceland would fund a new dedicated link.

    Local TV station RUV reported: “Both for data security and to ensure Iceland’s ability to receive and send large amounts of internet traffic, it is considered important to establish a third physical point of contact with mainland Europe.”

    El Reg reckons “secure” here is in the sense of “security of supply” rather than having that data securely bypass a soon-to-be-non-EU Britain, though we have asked Farice for comment and will update this article if they respond. Ireland currently has just the one undersea comms cable linking it to mainland Europe (the imaginatively named Ireland-France Cable-1, which has not yet been commissioned).

    For some reason the cable map from Iceland’s government, reproduced above, does not include Iceland’s third cable to Europe: the eastern part of the 25-year-old 5Gb/s Cantat-3 link, whose Iceland-Denmark and Iceland-Germany segments are still operational. It also serves oil rigs in the North Sea. Originally a transatlantic cable, Cantat-3’s western link from Iceland to Canada was abandoned a few years ago.

    Iceland’s other operational cables to Europe are the 5.2Tb/s Danice, which also runs between Denmark and Iceland, and the 720Gb/s Farice-1, which was laid in 2004, as we noted some years ago.

    See the full article here.

     
  • richardmitnick 2:34 pm on January 28, 2019
    Tags: Arm Holdings, Arm wants to wrestle industry into a seat on the UK.gov's £70m hardware security train, The Register

    From The Register: “Arm wants to wrestle industry into a seat on the UK.gov’s £70m hardware security train” 

    From The Register

    28 Jan 2019
    Gareth Corfield

    We’re taking it seriously, says chief architect

    ARM Holdings

    Arm Holdings has declared that it feels the “weight of our responsibility” as it jumps on board with UK.gov’s £70m plans to influence “hardware and chip designs” to enhance security.

    The Digital Security by Design project is “a combination of the best practice approaches to security laid out in the Digital Security by Design review in 2018”, which also gave us GCHQ’s code of practice on IoT device security.

    “With businesses having to invest more and more in cyber security, ‘designing in’ security measures into the hardware’s fabric will not only protect our businesses and consumers but ultimately cut cybersecurity costs to businesses,” said Business Secretary Greg Clark MP, in a canned quote announcing the move. The project is led by a government body, UK Research and Industry (UKRI).

    Cambridge-headquartered Arm, while increasingly global in outlook following its buyout by Japan’s Softbank in 2016, is taking the initiative seriously. Its chief architect, Richard Grisenthwaite, said: “Arm is fully supporting UKRI’s push on security as it will catalyze research by the UK’s top computer engineering departments and, in partnership with industry, turn advanced security ideas into commercially-deployable technologies more rapidly.”

    He continued, referring to Cambridge University’s Capability Hardware Enhanced RISC Instructions (CHERI) project, whose fruits are soon to be seen in Arm-architected chips: “CHERI technology offers the potential to derive formally-proven security properties of the memory system, addressing basic spatial memory safety which is a root cause of many existing security exploits… we must think about security in its entirety – not just at a point in time or at a particular layer in a hardware or software stack.”

    The “up to £70m” Digital Security by Design Challenge will be delivered by UKRI through the Industrial Strategy Challenge Fund, which we are told will be “subject to business case approval and match funding from industry”. Similarly, the £30.6m “Ensuring the Security of Digital Technology at the Periphery” programme will be overseen by UKRI via its Strategic Priorities Fund.

    The latter programme is targeted at IoT device security, with UK.gov informing us all: “Effective solutions need to combine cyber and physical safety and security with human behaviour, influence new regulatory response and validate and demonstrate novel approaches. This will build on current investments including the PETRAS Internet of Things Research Hub and other activities supported through IoT UK.”

    Digital minister Margot James chipped in to add: “We’re moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products. This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks.”

    A sum of “up to” £70m spread across different projects compares less than favourably with, for example, Intel’s R&D budget of $13bn in FY2017/18. Nonetheless, Arm’s Grisenthwaite concluded: “Now the UK government has taken this stronger position on security, it is up to industry to show support. That will mean putting in money and resource and it is in all of our interests to do the right thing.”

    See the full article here.

     