Feed aggregator

AfPIF Brings Together Internet Players

CircleID - 1 hour 15 sec ago

If you are passionate about ICT policy, Peering, and Interconnection, then the Africa Peering and Interconnection Forum (AfPIF) is the place to be. The 7th annual AfPIF takes place in Dar es Salaam, Tanzania from 30 August – 1 September 2016. AfPIF is a multistakeholder forum organized by the Internet Society that brings together a diverse range of business leaders, infrastructure providers, Internet service providers (ISPs), Internet Exchange Points (IXPs), international financial institutions, policy-makers, and regulators from all over the world.

By attending AfPIF, you will get a better insight into how IXPs in Africa operate and how they sustain their activities. You will have the opportunity to meet regional IXP staff and talk about the key issues and challenges they face when dealing with Internet number resources and the wider Internet industry. You will also get an opportunity to interact with AFRINIC staff, who have been very active in meeting the interconnection needs of Africa through their IPv6 training courses, AFRINIC Government Working Group (AfGWG), and Fund for Internet Research and Education (FIRE Africa) among others. Don't forget to ask them how to get Internet number resources, and the implications of IPv4 exhaustion.

By working together, we'll build solutions to things like boosting local content, streamlining infrastructure, and lowering the cost of connectivity. This is an important and exciting time, especially considering Africa is home to some of the world's fastest growing economies. And if you don't have an IXP in your city or country, you will learn how to build one from scratch. The full program for the event is available here. To paraphrase Tanzania's new President's mantra, "Hapa Kazi tu". Here it's Just Work.

Written by Mwendwa Kivuva, Project Manager at AFRINIC


More under: Access Providers, Broadband, Cloud Computing, Data Center, IP Addressing, IPv6, Policy & Regulation, Telecom

Categories: External commentary

Singapore Plans to Cut Off Internet Access for Government Agencies

CircleID - Wed, 2016-08-24 19:14

"Singapore is planning to cut off web access for public servants as a defence against potential cyber attack," according to a report today in the Guardian. Some security experts warn that the policy, due to be in place by May, is too drastic and counter-productive; other experts, however, said that with "the kind of threats governments face today, Singapore had little choice but to restrict internet access."

— "FireEye, a cyber security company, found that organisations in south-east Asia were 80% more likely than the global average to be hit by an advanced cyber attack, with those close to tensions over the South China Sea - where China and others have overlapping claims - particularly targeted."

— "Public servants would still be able to surf the web but only on separate personal or agency-issued devices."


More under: Cyberattack, Policy & Regulation, Security

Categories: External commentary

Does Apple's Cloud Key Vault Answer the Key Escrow Question?

CircleID - Wed, 2016-08-24 18:43

In a recent talk at Black Hat, Apple's head of security engineering (Ivan Krstić) described many security mechanisms in iOS. One in particular stood out: Apple's Cloud Key Vault, the way that Apple protects cryptographic keys stored in iCloud. A number of people have criticized Apple for this design, saying that they have effectively conceded the "Going Dark" encryption debate to the FBI. They didn't, and what they did was done for very valid business reasons — but they're taking a serious risk, one that could answer the Going Dark question in the other way: back-up copies of cryptographic keys are far too dangerous to leave lying around.

Going Dark, briefly, is the notion that law enforcement will be cut off from vital sources of evidence because of strong encryption. FBI director James Comey, among others, has called for vendors to provide some alternate way for law enforcement — with a valid warrant — to bypass the encryption. On the other hand, most non-government cryptographers feel that any possible "exceptional access" mechanism is unreasonably dangerous.

The problem Apple wanted to solve is this. Suppose that you have some sort of iToy — an iPhone, an iPad, etc. — or Mac. These systems allow you to back up your keychain to Apple's iCloud service, where they're protected by your AppleID (an email address) and password. If you buy a new device from Apple, your keychain can be downloaded to it once you log on to iCloud. (Note: uploading keys to iCloud is optional and disabled by default, though you are prompted about enabling it during device setup.)

That's a fine notion, and very consumer-friendly: people want to be able to back up their devices securely (remember that iToys themselves are strongly encrypted), and recover their information if their device is lost or stolen. The trick is doing this securely, and in particular guarding against brute force attacks on the PIN or password. To do this, iOS uses a "Secure Enclave" — a special co-processor that rate-limits guesses and (by default) erases the phone after too many incorrect guesses. (The details are complex; see Krstić's talk for details.) The problem is this: how do you ensure that level of protection for keys that are stored remotely, when the attacker can just hack into or subpoena an iCloud server and guess away? Apple's solution to this problem is even more complex (again, see Krstić's talk), but fundamentally, Apple relies on a Hardware Security Module (HSM) to protect these keys against guessing attacks. It's supposed to be impossible to hack HSMs, and while they do have master keys that are written to smartcards, Apple solved this problem very simply: they ran the smartcards through a blender…

So: it would seem that this solves the Going Dark problem. Instead of destroying these smart cards, suppose that Apple stored one copy in Tim Cook's safe and another in James Comey's. Problem solved, right? Not so fast.

Unfortunately, solving Going Dark can't be done with a simple piece of code in one place. It's many different problems, each of which needs its own secure solution; furthermore, the entire system — the set of all of these solutions, and the processes they rely on — has to be secure, as well as the code and processes for combining them.

The first part is the cryptographic protocols and code to implement the key upload functions. As I mentioned, these mechanisms are exceedingly complex. Although I do not know of any flaws in either the protocols or the code, I won't be even slightly surprised by bugs in either or both. This stuff is really hard to get right.

The next step is protecting the master keys. Apple's solution — a blender — is simple and elegant, and probably reliable. If we want some sort of exceptional access, though, we can't do that: these smartcards have to exist. Not only must they be protected when not in use, they must be protected when in use: who can get them, what can be decrypted, how the requests are authenticated, what to do about requests from other countries, and more. This isn't easy, either; it only seems that way from 30,000 feet. Apple got out of that game by destroying the cards, but if you want exceptional access that doesn't work.

There's another risk, though, one that Apple still runs: are the HSMs really secure? The entire scheme rests on the assumption that they are, but is that true? We don't know, but research suggests that they may not be. HSMs are, after all, computers, and their code and the APIs to them are very hard to get right. If there is a flaw, Apple may never know, but vital secrets will be stolen.

Was Apple wrong, then, to build such an elaborate system? Clearly, no lesser design would have met their requirements: being able to recover old backups with just a password as the only authentication mechanism, while keeping a strict limit on password-guessing. But are those requirements correct? Here's where life gets really tricky. Apple is a consumer device company; their prime goal is to make the customers happy — and customers get really unhappy when they lose their data. There are more secure designs possible, if you give up this remote recovery requirement, but those are more appropriate for defense gear, for situations where it's better to lose the data than to let it be compromised by the enemy. Apple's real problem is that they're trying to satisfy consumer needs while still defending against nation-state adversaries. I hope they've gotten it right — but I won't be even slightly surprised if they haven't.

Written by Steven Bellovin, Professor of Computer Science at Columbia University


More under: Cloud Computing, Security

Categories: External commentary

Internet Access: A Chokepoint for Development

CircleID - Wed, 2016-08-24 15:30

In the 1980s, internet connectivity meant allowing the general public to communicate and share knowledge and expertise with each other instantly, where it was not possible otherwise. Take the story of Anatoly Klyosov, connecting Russia to the western world for the first time in 1982, as an example. He was a biochemist who was not allowed to leave Soviet territory for security reasons. The internet enabled him to participate in meetings with his counterparts at Harvard University, the University of Stockholm and beyond.

With the evolution of the internet, the purpose of connecting to the internet has also evolved. People, now, can not only hold conversations but also get both public and private sector services at home such as healthcare, education, statistics, legal, financial, telecommunication and others. People are able to do business from home with the help of e-commerce and provide services beyond the traditional national boundaries.

The discussion here is how to enable people to connect to the internet and take advantage of all the benefits that the internet provides to them. What factors play a crucial role in setting up the environment for connecting unconnected individuals, whether they live in urban or rural parts of the world? Surprisingly, 57% of the world's population are urban unconnected. 68% of the population in Asia Pacific has no broadband connection.

At a regional IGF event in Taipei, Taiwan, the Asia Pacific regional Internet Governance Forum, where more than 500 Internet Governance practitioners and experts participated, I was given the task to present our group's understanding and analysis of the theme "Cyber Connectivity" where four sessions were held. We had sessions on Disaster and Disabilities in terms of Crisis & Management; Overcoming challenges in APAC outreach and participation in the new Internet era; Promoting alternative access models at the last mile; and Fostering MSME (Micro, Small & Medium Enterprises) participation in the digital economy.

A number of use cases and examples of internet connectivity that have taken place in the region over the past decade were shared. Mahabir Pun from Nepal presented his efforts in connecting the remote rural villages of the Himalayas, Vu Huang Lien shared his experiences of connecting the rural parts of Vietnam, a Google representative shared their plans for connecting more people in India, and Intel shared its experiences, which it called "connecting people to their potential", where it spent US$ 1 billion globally on providing hands-on training and entrepreneurship skills.

All the diverse sessions had somewhat common barriers or challenges for connectivity. While some of the challenges were not of relevance to participants from urban parts of Japan or Taiwan, the rural parts of the same countries and many other developing and least developed countries still face most of the challenges that I will highlight briefly. While each of these challenges or needs could and should be elaborated in depth to verify them and study them further, I will be as concise as possible in highlighting their hindrance to connecting or enabling the next ~4 billion to connect.

* * *

1. Government realization and support for broadband connectivity: One of the fundamental challenges to internet growth is governments' realization of, and support for, the provisioning of internet access. This support could be in the form of national policies and legislation which will open the market to either foreign investment or the domestic economy. Google's representative Paul Harwood also emphasized government support for local innovation. He said, "Innovation in high speed Internet access should be a top public policy priority. Policy makers need to make sure that their countries are Internet ready".

2. Basic Infrastructure: In countries with rugged mountains, especially the Himalayas, which pass through Afghanistan, Pakistan, India, Nepal, Bhutan and China, or small islands scattered all over the Pacific such as Vanuatu, Cook Islands, Samoa, Fiji, Hawaii, Tonga etc., running fiber optic is challenging and very costly, which makes internet access almost "unaffordable" for end-users. Landlocked countries of Central Asia or Africa, in particular, face the challenge of fiber optic not being available beyond the urban parts of the countries. The cost of IP transit takes a toll on infrastructure development.

3. Basic Literacy: Literacy and the internet have a direct correlation: an increase in the literacy rate allows an increase in internet usage. A person's ability to read, write and speak in a language that computer applications usually support is crucial in using the internet.

4. Localization: Some say local content will increase with a large number of people getting online; however, the absence of the technical possibility for people to write in their own language makes it hard for local content to grow organically. Large Operating System (OS) vendors play a crucial role in enabling people to read and write in their local languages. There are still a large number of languages that are not supported by the leading desktop or mobile OSs. Language support in operating systems and applications is one hurdle to creating local content, and language standardization is another. National localization policies should provide standardization recommendations to vendors to accommodate more languages.

5. Local Content: The lack of relevant local content, either locally produced content in a non-local language or local language content produced for that locality, is crucial for allowing citizens to use the internet for their development and livelihoods. The inability to write text in an application because the OS does not support the language, or the unavailability of broadband internet for users to upload large videos, further deteriorates the content problem.

6. Digital Skills: Aside from basic literacy, which allows a person to navigate the internet, digital skills were deemed necessary for making good use of the vast offerings of the internet. Digital skills are required for using technology at home, at work and for entrepreneurial initiatives. The benefits and services of the evolving internet require a continuous effort for awareness and education.

7. The need for speed: High speed internet service or broadband internet is required for citizens/consumers to participate, contribute and help evolve the development of the internet.

8. Affordable prices: Studies show that the next 3-4 billion unconnected people are from the poorest socio-economic group, and this would require new business models in order to allow them to connect. Two areas where government and the private sector need to focus are: affordable prices for broadband and mobile data, and affordable prices for devices.

9. E-payment: Electronic payment system is considered to be a barrier to e-commerce. Without an e-payment infrastructure and electronic transaction laws, local innovation and entrepreneurship in e-commerce could be a major challenge.

10. Cyber-security: Cyber-security incidents were considered a major threat to enabling people to come online or adopt new(er) technologies. Three recommendations were highlighted.

  1. Awareness about how end-users can protect themselves against cyber-security incidents.
  2. Reactive measures (CIRT establishment and collaboration at regional, sub-regional and global level for information exchange).
  3. Proactive measures for mitigation of cyber incidents.

11. Social and organizational cultures: Change could be identified as one of the big barriers for individuals and organizations to adopt new technologies. Technology applications have built-in biases that limit people from adopting and using them. At the organization level, there has been an internal digital divide within an organization or among organizations. Take the example of e-government: one government entity will be better equipped to deliver public services through the internet while others will find it difficult to communicate via email within their organizations.

12. Legal framework: The legal framework is one of the environmental factors that facilitate digital development. Privacy and data protection laws, cyber-security laws, electronic payment & transaction laws etc. enable individuals' online protection as well as allow digital economy development through foreign or local investment. Large corporations don't make entries into economies that don't provide them legal protection.

13. Regulatory framework: A strong regulatory framework mitigates the negative implications of the internet on business as well as on society in general, by addressing the challenges faced by women and children online, for example. Strong and positive regulation provides a positive image of the use of the internet, especially in cultures that associate negative aspects of the internet, such as hacking and financial and social crimes, with the use of the internet. It's also important to consider that regulators at the national level need the necessary skillset to design, develop and formalize regulatory policies.

One of the fundamental differences between local initiatives and foreign or corporate investments for connectivity was that corporate initiatives were focused on wiring more people, whereas local initiatives had an organic approach and their home-grown efforts were addressing the needs of the local communities. Their approaches were providing a package of connectivity and application. Providing an understanding of the variety of benefits that a home user or an entrepreneur can get from connecting to the internet paves the next few steps for them. This enablement of the user should be fundamental to the connection.

Written by Said Zazai


More under: Access Providers, Broadband, Internet Governance, Law, Multilinguism, Policy & Regulation, Security, Telecom

Categories: External commentary
Licensed under Creative Commons Attribution Share-Alike 3.0