US cybersecurity firm: Hackers stole EU diplomatic cables
By RAPHAEL SATTER
AP Cybersecurity Writer
Wednesday, December 19
LONDON (AP) — Hackers have spent years eavesdropping on the diplomatic communications of European Union officials, a U.S. cybersecurity firm said Wednesday, an operation disrupted only after researchers discovered hundreds of intercepted documents lying around on the internet.
The documents were discovered a few months ago after a malicious email was caught by the Redwood City, California-based Area 1 Security firm, according to company co-founder Blake Darche.
He said the firm followed forensic clues in the message back to an unsecured server that had some 1,100 EU diplomatic cables. Darche said he believed that tens of thousands more such documents have been stolen.
“We estimate that the ones we found are a small fraction of the overall operation,” he said. “From what we can see, the EU has a significant problem on their hands.”
Darche said the hackers are working for China’s People’s Liberation Army, a judgment he said was based on eight years spent observing the group. A report published by the group Wednesday laid out the hackers’ modus operandi, but attribution is notoriously fickle and others in the field voiced skepticism.
Calls to China’s mission to the European Union were not returned Wednesday. Beijing has in the past denied similar reports.
EU officials are taking the report “extremely seriously” but it is “impossible to comment on leaks,” European Commission Vice President Valdis Dombrovskis told reporters in Brussels.
“All communication systems have vulnerabilities, so we’re constantly dealing with this challenge,” he said.
Dombrovskis identified the system hit by the leaks as one managed by the European Council’s secretariat, which represents EU member states in Brussels, rather than the commission itself. In an email, the council acknowledged what it described as “a potential leak of sensitive information” and said it was investigating. It offered no further comment.
The New York Times, which first reported on the breach, published excerpts of the diplomatic cables after obtaining them from Area 1 ahead of time.
Some of the messages appeared to capture European officials struggling to deal with the erratic movements of U.S. President Donald Trump.
One such document appeared to capture a senior European official in Washington recommending that envoys from the EU’s member nations work around Trump by dealing directly with Congress.
In another apparent message, European diplomats described a recent summit between Trump and Russian President Vladimir Putin in Helsinki, Finland, as “successful (at least for Putin).”
Associated Press writer Lorne Cook in Brussels contributed to this report.
Raphael Satter can be reached: http://raphaelsatter.com
Is quantum computing a cybersecurity threat?
December 20, 2018
Emeritus Distinguished Professor of Defense Analysis, Naval Postgraduate School
Dorothy Denning does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
Cybersecurity researchers and analysts are rightly worried that a new type of computer, based on quantum physics rather than more standard electronics, could break most modern cryptography. The effect would be to render communications as insecure as if they weren’t encoded at all.
Fortunately, the threat so far is hypothetical. The quantum computers that exist today are not capable of breaking any commonly used encryption methods. Significant technical advances are required before they will be able to break the strong codes in widespread use around the internet, according to a new report from the National Academy of Sciences.
Still, there is cause for concern. The cryptography underpinning modern internet communications and e-commerce could someday succumb to a quantum attack. To understand the risk and what can be done about it, it’s important to look more closely at digital cryptography and how it’s used – and broken.
At its most basic, encryption is the act of taking an original piece of information – a message, for instance – and following a series of steps to transform it into something that looks like gibberish.
Today’s digital ciphers use complex mathematical formulas to transform clear data into – and out of – securely encrypted messages to be stored or transmitted. The calculations vary according to a digital key.
There are two main types of encryption – symmetric, in which the same key is used to encrypt and decrypt the data; and asymmetric, or public-key, which involves a pair of mathematically linked keys, one shared publicly to let people encrypt messages for the key pair’s owner, and the other stored privately by the owner to decrypt messages.
Symmetric cryptography is substantially faster than public-key cryptography. For this reason, it is used to encrypt all communications and stored data.
Public-key cryptography is used for securely exchanging symmetric keys, and for digitally authenticating – or signing – messages, documents and certificates that pair public keys with their owners’ identities. When you visit a secure website – one that uses HTTPS – your browser uses public-key cryptography to authenticate the site’s certificate and to set up a symmetric key for encrypting communications to and from the site.
The math for these two types of cryptography is quite different, which affects their security. Because virtually all internet applications use both symmetric and public-key cryptography, both forms need to be secure.
The most straightforward way to break a code is to try all the possible keys until you get the one that works. Conventional computers can do this, but it’s very difficult. In July 2002, for instance, a group announced that it had found a 64-bit key – but the effort took more than 300,000 people over four and a half years of work. A key twice the length, or 128 bits, would have 2¹²⁸ possible solutions – more than 300 undecillion, or a 3 followed by 38 zeroes. Even the world’s fastest supercomputer would need trillions of years to find the right key.
A quantum computing method called Grover’s algorithm, however, speeds up the process, turning that 128-bit key into the quantum-computational equivalent of a 64-bit key. The defense is straightforward, though: make keys longer. A 256-bit key, for example, has the same security against a quantum attack as a 128-bit key has against a conventional attack.
Handling public-key systems
Public-key cryptography, however, poses a much bigger problem, because of how the math works. The algorithms that are popular today, RSA, Diffie-Hellman and elliptic curve, all make it possible to start with a public key and mathematically compute the private key without trying all the possibilities.
For RSA, for instance, the private key can be computed by factoring a number that is the product of two prime numbers – as 3 and 5 are for 15.
So far, public-key encryption has stayed uncrackable through the use of very long key pairs – like 2,048 bits, which corresponds to a number that is 617 decimal digits long. But sufficiently advanced quantum computers could crack even 4,096-bit key pairs in just a few hours using a method called Shor’s algorithm.
That’s for ideal quantum computers of the future. The biggest number factored so far on a quantum computer is 15 – just 4 bits long.
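The RSA relationship described above, as an added Python example that is not part of the original article: the private exponent is derived from the public key alone once the modulus is factored. Classical trial division stands in for Shor's algorithm, and the key values (two small Mersenne primes, the message 424242) are constructed for illustration.

```python
# Added illustration: recover an RSA private key from the public key by
# factoring the modulus. Trial division is a classical stand-in for Shor's
# algorithm and only works here because the constructed moduli are tiny.
from math import isqrt

# Constructed toy key: n is the product of two known Mersenne primes.
P, Q = 2**17 - 1, 2**19 - 1      # 131071 and 524287
N, E = P * Q, 65537              # public key: a 36-bit modulus and exponent


def factor_semiprime(n):
    """Return (p, q) with p <= q and p * q == n, found by trial division."""
    if n > 2 and n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no nontrivial factor")


def private_exponent_from_public(n, e):
    """Derive the private exponent d using nothing but the public key."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)      # computable only once p and q are known
    return pow(e, -1, phi)       # modular inverse of e (Python 3.8+)


def recover_plaintext(n, e, ciphertext):
    """Decrypt a ciphertext without ever being given the private key."""
    d = private_exponent_from_public(n, e)
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    # The article's own example: 15 = 3 * 5.
    print("factors of 15:", factor_semiprime(15))
    # A message encrypted to the toy public key, then recovered from it.
    secret = 424242
    ciphertext = pow(secret, E, N)
    print("recovered:", recover_plaintext(N, E, ciphertext))
```

The loop runs up to the square root of the modulus, so each extra two bits of key length doubles the classical work; that growth is what keeps 2,048-bit moduli out of reach for conventional computers.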
The National Academies study notes that the quantum computers now operating have too little processing power and are too error-prone to crack today’s strong codes. The future code-breaking quantum computers would need 100,000 times more processing power and an error rate 100 times better than today’s best quantum computers have achieved. The study does not predict how long these advances might take – but it did not expect them to happen within a decade.
However, the potential for harm is enormous. If these encryption methods are broken, people will not be able to trust the data they transmit or receive over the internet, even if it is encrypted. Adversaries will be able to create bogus certificates, calling into question the validity of any digital identity online.
Fortunately, researchers have been working to develop public-key algorithms that could resist code-breaking efforts from quantum computers, preserving or restoring trust in certificate authorities, digital signatures and encrypted messages.
Notably, the U.S. National Institute of Standards and Technology is already evaluating 69 potential new methods for what it calls “post-quantum cryptography.” The organization expects to have a draft standard by 2024, if not before, which would then be added to web browsers and other internet apps and systems.
In principle, symmetric cryptography can be used for key exchange. But this approach depends on the security of trusted third parties to protect secret keys, cannot implement digital signatures, and would be difficult to apply across the internet. Still, it is used throughout the GSM cellular standard for encryption and authentication.
Another alternative to public-key cryptography for key exchange is quantum key-distribution. Here, quantum methods are used by the sender and receiver to establish a symmetric key. But these methods require special hardware.
Unbreakable cryptography doesn’t mean security
Strong cryptography is vital to overall individual and societal cybersecurity. It provides the foundation for secure transmission and data storage, and for authenticating trusted connections between people and systems.
But cryptography is just one piece of a much larger pie. Using the best encryption won’t stop a person from clicking on a misleading link or opening a malicious file attached to an email. Encryption also can’t defend against the inevitable software flaws, or insiders who misuse their access to data.
And even if the math were unbreakable, there can be weaknesses in how cryptography is used. Microsoft, for example, recently identified two apps that unintentionally revealed their private encryption keys to the public, rendering their communications insecure.
If or when powerful quantum computing arrives, it will pose a large security threat. Because the process of adopting new standards can take years, it is wise to plan for quantum-resistant cryptography now.
Trump on verge of giving up best chance to secure wall money
By ZEKE MILLER and JILL COLVIN
Thursday, December 20
WASHINGTON (AP) — Donald Trump’s loyal supporters cried “Build the wall!” throughout his 2016 presidential campaign. Come 2020, they may well still be chanting for Trump to make good on his signature campaign promise as prospects dim for him to deliver on a wall along the U.S.-Mexico border.
Trump appears likely to give up his last, best chance to secure money from Congress for the “beautiful” wall he’s long promised to construct, as he backs away from his threat to partially shut down the government on Friday. Now, with the Senate having passed a temporary funding measure to keep the government open through Feb. 8, Trump’s mission will go from difficult to near-impossible when Democrats take control of the House on Jan. 3.
The unfulfilled pledge also threatens to hang over his re-election campaign, potentially depressing his base and dealing his political rivals a powerful talking point.
“I thought if you’re going to have a fight, now’s the time to have it,” said Sen. Lindsey Graham, a close ally of the president who warned that it’s only going to get more difficult to get the money when Democrats take over.
“When you draw lines in the sand like this, it ends up haunting you in the future,” the South Carolina Republican warned.
Rep. Mark Meadows, R-N.C., called on Trump to veto the temporary funding bill, warning that it would cause “major damage” to the president’s re-election effort.
“The base will just go crazy,” he said, referring to Trump’s most loyal backers.
Trump is hardly the first president to be confronted with the challenges of passing a legislative priority through Congress, but the lack of progress on an issue so closely identified with his bid for the White House may prove to be a costly failure. He had promised to begin working on an “impenetrable physical wall” along the southern border on his first day in office, but little headway has been made. A March funding bill included money for 33 miles (53 kilometers) of barrier construction in South Texas’ Rio Grande Valley, but work there has yet to begin. Other work has merely replaced existing barriers that had been deemed “ineffective,” not added miles.
The president’s allies expressed anxiety Wednesday that Trump was, in the words of some, “caving” on the wall and warned of the potential backlash from his supporters and the impact it could have on his re-election effort. The failed promise, they argued, could weaken turnout and leave him more vulnerable to challengers.
Conservative commentator Ann Coulter published a column that called Trump “gutless” and said in a radio interview that she won’t vote for Trump in 2020 if he doesn’t deliver on the wall.
“Nor will, I think, most of his supporters. Why would you?” she asked, arguing that Trump’s time in office will one day go down as “a joke presidency that scammed the American people.”
Some within the administration cautioned that it was still possible Trump would change his mind and end up rejecting the stopgap funding bill, prompting a holiday shutdown that could also be politically damaging. Trump had said last week that he would be “proud” to have a shutdown to get Congress to approve a down payment on the wall.
Trump had originally demanded $5 billion to begin building the wall this year, but the White House acknowledged this week that he is willing to settle for far less. The temporary measure offers just $1.3 billion for border security fencing and other improvements. That money cannot be used for new wall construction.
The president had little choice. Even in the GOP-controlled House, Trump did not have the votes to get $5 billion in wall money, and House Speaker Paul Ryan declined to bring it to the floor.
The White House is instead putting its faith in a potential work-around, with Trump telling allies he’ll be able to make an end-run around lawmakers by using the military to fund and carry out construction, though such a move would face significant pushback from Congress as well as legal challenges.
“Because of the tremendous dangers at the Border, including large scale criminal and drug inflow, the United States Military will build the Wall!” he tweeted Wednesday.
White House press secretary Sarah Huckabee Sanders said Tuesday that the president had also directed every one of his Cabinet secretaries “to look and see if they have money that can be used” for wall construction.
But Rep. Adam Smith, D-Wash., the incoming chairman of the House Armed Services Committee, told MSNBC that there has been strong opposition to using Defense Department dollars for border wall construction. And he said that Trump can’t do so without lawmakers’ signoff.
“Congress, both Republicans and Democrats, do not think the DoD money should go towards building a wall on the border,” he said. “We have many other national security priorities that are vastly more important.”
The president’s conservative backers insist that Trump should not back down from his demand for $5 billion from Congress.
“Trump should not sign this bill and leave for Mar-a-Lago, and tell them it’s not gonna get signed and their precious government’s not gonna get back up and running ‘til there’s $5 billion,” wrote radio host Rush Limbaugh.
On “Fox & Friends,” Trump’s favorite and most-tweeted-about morning show, conservative blogger Michelle Malkin described his latest move as a “cave” and a “blink.”
Questioning White House counselor Kellyanne Conway, “Fox & Friends” host Brian Kilmeade said the president has “no leverage,” while co-host Ainsley Earhardt asked why Trump was “softening” his position.
“The president is not softening his stance. He has a responsibility to keep the government moving forward and he has a responsibility to get border security,” Conway responded.
Former Trump campaign adviser Barry Bennett said it was too soon to panic.
“He must have a trick up his sleeve because I can’t imagine he would just walk away from it,” Bennett said.
Former Republican House Speaker Newt Gingrich said that while the base would be “unhappy” if border wall funding isn’t included in a final budget deal, it will make little difference come 2020.
“The other side doesn’t even need a border. Their party will be so pro-illegal immigration that the choice will be enormous,” he said.
Associated Press writers Catherine Lucey and Lisa Mascaro contributed to this report.
Follow Miller and Colvin on twitter at https://twitter.com/ZekeJMiller and https://twitter.com/colvinj
YEMEN: OUR FUTURE?
By Robert C. Koehler
“They must kill and continue to kill, strange as it may seem, in order not to know that they are killing.” — Rene Girard, Things Hidden since the Foundation of the World
Socially sanctioned killing is called war. The word “war” may be the most powerful word in human history, because it creates a mask of respectability for — that is, it conceals — the dehumanization and mass slaughter of a designated enemy, along with limitless environmental contamination. When we’re “waging war,” we have given ourselves permission not to know what we are doing, even if what we’re doing is putting life on Planet Earth in danger of extinction.
Say hello to Yemen, the possible future of all of us!
“Jagged pieces of bomb flew thousands of miles per hour outward, and Rabee’a — still celebrating his success — was almost fully decapitated. The top half of his face was removed, leaving just an open lower jaw; the heat of the blast burned most of his clothes off and charred his skin, so he was left naked, his genitals exposed, his body actually smoking. Next to him, his cousin Al-Qadi, the judge, was burning alive, his blood vessels expelling water and his body inflating. He began to scream.”
These words are from an extraordinary piece of reporting by Jeffrey Stern in New York Times Magazine, about a Saudi bombing raid at a water well in Yemen two years ago, in which 31 people may have died, although, as he pointed out, “It’s hard to know the numbers for sure, because all that was left of many victims were very small parts, very far from one another.”
Three of the dismembered dead were children, if that makes any difference (oh Republican congresspersons).
Also of note: The bombing run, as is hideously typical, came in two waves. The first bomb killed a few people. A second barrage of bombs rained down six hours later, after a crowd of rescuers and onlookers had gathered.
There are several unusual aspects about this story. One is its closeup, personal look at death. Sure, 50,000 Yemenis may have died in the fighting over the three-and-a-half-year course of this war, with another 85,000 dying of starvation (including lots and lots of children), and a million are on the brink of starvation or in danger of contracting cholera (the war has triggered the worst cholera outbreak in recorded history), but unfathomably large numbers like this quickly become abstract, the generic cost of war, as the media focus moves to strategy and politics.
Also unusual is that the dead the story humanizes for us weren’t killed by America’s enemy. These are our dead, you might say. While the Yemen war is being waged by Saudi Arabia, its primary ally and major weapon supplier is the United States. The bombs that dismembered several dozen Yemenis were built by Raytheon, part of the American military-industrial complex and a major supplier of jobs. Stern even visited Tucson, where Raytheon employs 10,000 people; he went to a union hall and talked to some of them. They’re good, decent people!
So what we’re left with is the grotesque paradox of high-tech mass murder, i.e., modern war, waged and supported by the well-meaning and the innocent. Sorry about the dead but, you know, jobs!
All of which leads me to another unusual occurrence, known as S.J. Res. 54: the Senate resolution that passed last week by a vote of 56 to 41 (with seven Republican senators joining all the Democrats), banning U.S. military participation in the Yemen war. Specifically, the resolution prohibits the U.S. military from providing the Saudis with aerial targeting assistance, intelligence sharing and mid-flight aerial refueling, which it is currently doing.
As lots of people have pointed out, right now this resolution is merely symbolic, because it won’t pass, or even come up for a vote, in the House. Furthermore, the resolution doesn’t address the worst aspect of U.S. involvement in this war: the sale of weapons to Saudi Arabia. Billions and billions of dollars’ worth of weapons! Bush, Obama and Trump have all salivated over the Saudi weapons gusher. The U.S. economy is — what? A starving Yemeni child without it?
That said, the Senate resolution nonetheless matters hugely (you might say, in honor of co-sponsor Bernie Sanders). For one thing, Dems gain control of the House next year and the resolution could be reintroduced. Also, according to Reuters, some of the supporters are determined to introduce legislation calling for a ban on weapons sales to the Saudis; in other words, there’s more political action to come regarding U.S. involvement in this war.
But most significantly, this resolution represents the first time Congress has ever demanded the withdrawal of U.S. forces from a war under the War Powers Act, which was passed into law in 1973. It’s the first time Congress has ever stood up to the warmaker in chief or the military-industrial complex.
I declare, by the power vested in me as an ordinary person, that this matters … indeed, that this is not politics as usual or a reflection of competing selfish interests, but a sign that species evolution has gained political traction. Planet Earth cannot survive in a state of endless preparation for war against itself.
I declare that the human race is in the process of redefining itself. The last people to know about this are the powerful, the ones with the largest investment in the status quo, but even they are learning in spite of themselves.
As humanity reaches for a green existence — as it struggles to find its way back into the circle of life — it must step beyond the insanity of war. We must know that we are killing, at long last, and find within the courage to stop.
Robert Koehler, syndicated by PeaceVoice, is a Chicago award-winning journalist and editor.