A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?


Paul Haskell-Dowland, Edith Cowan University and Brianna O’Shea, Edith Cowan University

Passwords have been used for thousands of years as a means of identifying ourselves to others and in more recent times, to computers. It’s a simple concept – a shared piece of information, kept secret between individuals and used to “prove” identity.

Passwords in an IT context emerged in the 1960s with mainframe computers – large centrally operated computers with remote “terminals” for user access. They’re now used for everything from the PIN we enter at an ATM, to logging in to our computers and various websites.

But why do we need to “prove” our identity to the systems we access? And why are passwords so hard to get right?


What makes a good password?

Until relatively recently, a good password might have been a word or phrase of as little as six to eight characters. But we now have minimum length guidelines. This is because of “entropy”.

When talking about passwords, entropy is the measure of predictability. The maths behind this isn’t complex, but let’s examine it with an even simpler measure: the number of possible passwords, sometimes referred to as the “password space”.

If a one-character password only contains one lowercase letter, there are only 26 possible passwords (“a” to “z”). By including uppercase letters, we increase our password space to 52 potential passwords.

The password space continues to expand as the length is increased and other character types are added.

Making a password longer or more complex greatly increases the potential ‘password space’. More password space means a more secure password.

Looking at the above figures, it’s easy to understand why we’re encouraged to use long passwords with upper and lowercase letters, numbers and symbols. The more complex the password, the more attempts needed to guess it.

However, the problem with depending on password complexity is that computers are highly efficient at repeating tasks – including guessing passwords.

Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.

By leveraging this computing power, cyber criminals can hack into systems by bombarding them with as many password combinations as possible, in a process called a brute force attack.

And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as US$25.
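The password-space arithmetic above, carried through in code. This is an added example, not part of the original article: it takes the alphabet sizes the article mentions (26 lowercase letters, 52 with uppercase), extends them to digits and symbols (the 95-character printable ASCII set is an assumption, since the article does not fix a symbol set), and works out the entropy in bits and the worst-case time for an exhaustive search at the 100,000,000,000 guesses per second the article quotes.

```python
import math

# Alphabet sizes for the character classes the article walks through.
# 95 = printable ASCII (letters, digits, space and symbols); an assumption,
# since the article does not say which symbols it counts.
ALPHABETS = {
    "lowercase": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + symbols": 95,
}

# Guessing rate quoted in the article: 100,000,000,000 per second.
GUESSES_PER_SECOND = 100_000_000_000


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for an exhaustive brute-force search at `rate` guesses per second."""
    return password_space(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print(f"{'character set':34} {'len':>3} {'bits':>6} {'worst-case search time':>24}")
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12, 16):
            print(f"{name:34} {length:3d} {entropy_bits(size, length):6.1f} "
                  f"{human_time(seconds_to_exhaust(size, length)):>24}")
```

Run it and the table shows the point the article makes: an eight-character lowercase password (about 2 x 10^11 candidates) falls in a couple of seconds at that rate, while length matters far more than character variety, since each extra character multiplies the space rather than adding to it.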

Also, because passwords are almost always used to give access to sensitive data or important systems, this motivates cyber criminals to actively seek them out. It also drives a lucrative online market selling passwords, some of which come with email addresses and/or usernames.

You can purchase almost 600 million passwords online for just AU$14!

How are passwords stored on websites?

Website passwords are usually stored in a protected manner using a mathematical algorithm called hashing. A hashed password is unrecognisable and can’t be turned back into the password (an irreversible process).

When you try to log in, the password you enter is hashed using the same process and compared to the version stored on the site. This process is repeated each time you log in.

For example, the password “Pa$$w0rd” is given the value “02726d40f378e716981c4321d60ba3a325ed6a4c” when calculated using the SHA1 hashing algorithm. Try it yourself.

When faced with a file full of hashed passwords, a brute force attack can be used, trying every combination of characters for a range of password lengths. This has become such common practice that there are websites that list common passwords alongside their (calculated) hashed value. You can simply search for the hash to reveal the corresponding password.
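The storage scheme the article describes, and the reason the hash-lookup trick works, as an added example (not code from the article or from any site it mentions). The unsalted SHA-1 function reproduces the article's own approach; the lookup table is a constructed five-entry stand-in for the public hash lists the article refers to. The hardened version beside it uses what sites should do instead: a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 here; the 600,000 iteration count is an assumption taken from OWASP's published guidance), so that a leaked hash cannot be looked up and each guess costs the attacker real work.

```python
import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the scheme the article demonstrates.
    Fast and deterministic, which is exactly why public lookup lists work."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the "common password -> hash" lists the article
# describes. A real list holds hundreds of millions of entries; the principle
# is the same.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Pa$$w0rd", "iloveyou"]
LOOKUP_TABLE = {sha1_hex(p): p for p in COMMON_PASSWORDS}


def reverse_unsalted_hash(digest_hex: str):
    """Recover a password from its unsalted hash by lookup, no guessing required.
    Returns None when the password was never on the list."""
    return LOOKUP_TABLE.get(digest_hex.lower())


# Hardened storage: a random per-user salt plus a deliberately slow derivation.
# 600,000 is an assumption taken from OWASP's guidance for PBKDF2-HMAC-SHA256;
# tune it to the hardware you run on.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    digest = sha1_hex("Pa$$w0rd")
    print("SHA-1 of Pa$$w0rd:", digest)
    print("lookup hit:", reverse_unsalted_hash(digest))
    record = hash_password("Pa$$w0rd")
    print("salted record:", record)
    print("correct password verifies?", verify_password("Pa$$w0rd", record))
    print("two salted hashes of one password identical?", record == hash_password("Pa$$w0rd"))
```

Two properties matter for the defender: the same password hashed twice gives different records, so a precomputed list is useless against the salted form, and `hmac.compare_digest` avoids leaking how many bytes of the derived key matched.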

This screenshot of a Google search result for the SHA hashed password value ‘02726d40f378e716981c4321d60ba3a325ed6a4c’ reveals the original password: ‘Pa$$w0rd’.

The theft and selling of password lists is now so common, a dedicated website — haveibeenpwned.com — is available to help users check if their accounts are “in the wild”. This has grown to include more than 10 billion account details.

If your email address is listed on this site you should definitely change the detected password, as well as on any other sites for which you use the same credentials.


Is more complexity the solution?

You would think with so many password breaches occurring daily, we would have improved our password selection practices. Unfortunately, last year’s annual SplashData password survey has shown little change over five years.

The 2019 annual SplashData password survey revealed the most common passwords from 2015 to 2019.

As computing capabilities increase, the solution would appear to be increased complexity. But as humans, we are not skilled at (nor motivated to) remember highly complex passwords.

We’ve also passed the point where we use only two or three systems needing a password. It’s now common to access numerous sites, with each requiring a password (often of varying length and complexity). A recent survey suggests there are, on average, 70-80 passwords per person.

The good news is there are tools to address these issues. Most computers now support password storage in either the operating system or the web browser, usually with the option to share stored information across multiple devices.

Examples include Apple’s iCloud Keychain and the ability to save passwords in Internet Explorer, Chrome and Firefox (although less reliable).

Password managers such as KeePassXC can help users generate long, complex passwords and store them in a secure location for when they’re needed.

While this location still needs to be protected (usually with a long “master password”), using a password manager lets you have a unique, complex password for every website you visit.

This won’t prevent a password from being stolen from a vulnerable website. But if it is stolen, you won’t have to worry about changing the same password on all your other sites.
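What a password manager's generator does, as an added example (not code from KeePassXC or any other manager the article names): draw each character from a cryptographically secure source, give every site its own password, and check an existing vault for reuse, which is the property that limits the damage when one site is breached. The 94-character alphabet is an assumption; real managers let you choose.

```python
import math
import secrets
import string
from collections import Counter

# 94 printable ASCII characters excluding space: the kind of alphabet a
# password manager's generator draws from (assumed; managers vary).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `secrets` (a CSPRNG); never use `random` for this."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def build_vault(sites, length: int = 20) -> dict:
    """One fresh password per site: the property the article credits managers with."""
    return {site: generate_password(length) for site in sites}


def reused_passwords(vault: dict) -> set:
    """Passwords that appear under more than one site; each is a single point of failure."""
    counts = Counter(vault.values())
    return {pw for pw, n in counts.items() if n > 1}


if __name__ == "__main__":
    vault = build_vault(["mail.example", "bank.example", "forum.example"])
    for site, pw in vault.items():
        print(f"{site:15} {pw}")
    print(f"{entropy_bits(20):.1f} bits per password; reused: {reused_passwords(vault) or 'none'}")
```

A 20-character password from this alphabet carries about 131 bits of entropy, far beyond any brute-force budget discussed in the article, and the only thing a user has to remember is the master password that protects the vault.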

There are of course vulnerabilities in these solutions too, but perhaps that’s a story for another day.


Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University and Brianna O’Shea, Lecturer, Ethical Hacking and Defense, Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Can I still be hacked with 2FA enabled?


David Tuffley, Griffith University

Cybersecurity is like a game of whack-a-mole. As soon as the good guys put a stop to one type of attack, another pops up.

Usernames and passwords were once good enough to keep an account secure. But before long, cybercriminals figured out how to get around this.

Often they’ll use “brute force attacks”, bombarding a user’s account with various password and login combinations in a bid to guess the correct one.

To deal with such attacks, a second layer of security was added in an approach known as two-factor authentication, or 2FA. It’s widespread now, but does 2FA also leave room for loopholes cybercriminals can exploit?
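A brute force attempt like the one described above leaves a signature in authentication logs: a burst of failed logins for one account from one source, sometimes followed by a success. The detection below is an added example, not from the article. It runs over constructed, syslog-style log lines (the format is an assumption), counts failures per (user, source) pair inside a sliding window, and flags a success that lands shortly after a burst, which is the event worth escalating.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines in an assumed syslog-like format.
SAMPLE_LOG = """\
2020-09-14T09:00:01 auth: FAIL user=alice src=203.0.113.7
2020-09-14T09:00:03 auth: FAIL user=alice src=203.0.113.7
2020-09-14T09:00:04 auth: FAIL user=alice src=203.0.113.7
2020-09-14T09:00:06 auth: FAIL user=alice src=203.0.113.7
2020-09-14T09:00:07 auth: FAIL user=alice src=203.0.113.7
2020-09-14T09:00:09 auth: FAIL user=alice src=203.0.113.7
2020-09-14T09:00:10 auth: OK   user=alice src=203.0.113.7
2020-09-14T09:05:00 auth: FAIL user=bob   src=198.51.100.2
2020-09-14T09:20:00 auth: FAIL user=bob   src=198.51.100.2
2020-09-14T09:35:00 auth: OK   user=bob   src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_bruteforce(log_text: str, threshold: int = 5, window_minutes: int = 1) -> list:
    """Alert once per (user, src) pair that reaches `threshold` failures inside a
    sliding window; mark the alert if a successful login follows within the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, user, src = event
        key = (user, src)
        if result == "OK":
            # A success right after a burst of failures is the case to escalate.
            if key in alerts and ts - alerts[key]["at"] <= window:
                alerts[key]["success_after_burst"] = True
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"user": user, "src": src, "failures": len(q),
                           "at": ts, "success_after_burst": False}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults, alice's six failures in nine seconds trip the rule and the following success is flagged, while bob's two failures fifteen minutes apart do not; widening the window and lowering the threshold catches slow, patient guessing at the cost of more noise, which is the usual tuning trade-off for this rule.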

2FA via text message

There are various types of 2FA. The most common method is to be sent a single-use code as an SMS message to your phone, which you then enter following a prompt from the website or service you’re trying to access.

Most of us are familiar with this method as it’s favoured by major social media platforms. However, while it may seem safe enough, it isn’t necessarily.

Hackers have been known to trick mobile phone carriers (such as Telstra or Optus) into transferring a victim’s phone number to their own phone.


Pretending to be the intended victim, the hacker contacts the carrier with a story about losing their phone, requesting a new SIM with the victim’s number to be sent to them. Any authentication code sent to that number then goes directly to the hacker, granting them access to the victim’s accounts.

This method is called SIM swapping. It’s probably the easiest of several types of scams that can circumvent 2FA.

And while carriers’ verification processes for SIM requests are improving, a competent trickster can talk their way around them.

Authenticator apps

The authenticator method is more secure than 2FA via text message. It works on a principle known as TOTP, or “time-based one-time password”.

TOTP is more secure than SMS because a code is generated on your device rather than being sent across the network, where it might be intercepted.

The authenticator method uses apps such as Google Authenticator, LastPass, 1Password, Microsoft Authenticator, Authy and Yubico.

However, while it’s safer than 2FA via SMS, there have been reports of hackers stealing authentication codes from Android smartphones. They do this by tricking the user into installing malware (software designed to cause harm) that copies and sends the codes to the hacker.

The Android operating system is easier to hack than the iPhone iOS. Apple’s iOS is proprietary, while Android is open-source, making it easier to install malware on.

2FA using details unique to you

Biometric methods are another form of 2FA. These include fingerprint login, face recognition, retinal or iris scans, and voice recognition. Biometric identification is becoming popular for its ease of use.

Most smartphones today can be unlocked by placing a finger on the scanner or letting the camera scan your face – much quicker than entering a password or passcode.

However, biometric data can be hacked, too, either from the servers where it is stored or from the software that processes it.

One case in point is last year’s BioStar 2 data breach in which nearly 28 million biometric records were hacked. BioStar 2 is a security system that uses facial recognition and fingerprinting technology to help organisations secure access to buildings.

There can also be false negatives and false positives in biometric recognition. Dirt on the fingerprint reader or on the person’s finger can lead to false negatives. Also, faces can sometimes be similar enough to fool facial recognition systems.

Another type of 2FA comes in the form of personal security questions such as “what city did your parents meet in?” or “what was your first pet’s name?”


Only the most determined and resourceful hacker will be able to find answers to these questions. It’s unlikely, but still possible, especially as more of us adopt public online profiles.

Often when we share our lives on the internet, we fail to consider what kinds of people may be watching.

2FA remains best practice

Despite all of the above, the biggest vulnerability to being hacked is still the human factor. Successful hackers have a bewildering array of psychological tricks in their arsenal.

A cyber attack could come as a polite request, a scary warning, a message ostensibly from a friend or colleague, or an intriguing “clickbait” link in an email.

The best way to protect yourself from hackers is to develop a healthy amount of scepticism. If you carefully check websites and links before clicking through and also use 2FA, the chances of being hacked become vanishingly small.

The bottom line is that 2FA is effective at keeping your accounts safe. However, try to avoid the less secure SMS method when given the option.

Just as burglars in the real world focus on houses with poor security, hackers on the internet look for weaknesses.

And while any security measure can be overcome with enough effort, a hacker won’t make that investment unless they stand to gain something of greater value.

David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Morrison government to invest $211 million in fuel security to protect against risk and price pressures


Michelle Grattan, University of Canberra

The Morrison government is acting to protect Australia’s fuel security as the international outlook becomes more uncertain and prices come under increasing pressure.

Under the plan, operating through market and regulatory measures, the government will invest $211 million in new domestic diesel storage facilities, changes to create a minimum onshore stockholding, and support for local refineries.


Announcing the program with Energy Minister Angus Taylor, Scott Morrison said the changes “will ensure Australian families and businesses can access the fuel they need, when they need it, for the lowest possible price”.

Australia’s fuel supplies are always potentially vulnerable to international instability, something that the pandemic – with its disruption to supply chains – has just reinforced. Local refineries are also under economic pressures, with potential consequences for prices.

The measures are:

  • a $200 million investment in a competitive grants program to build an extra 780 megalitres of onshore diesel storage with industry

  • creation of a minimum stockholding obligation for key transport fuels, and

  • working with refiners on a market design process for a refining production payment.

The government is seeking to have the $200 million grants for new storage matched by state governments or industry. Its focus will be on projects in strategic regional locations, connected to refineries and with connections to existing fuel infrastructure.

Morrison said fuel security was essential for Australia’s national security and the country was fortunate there hadn’t been a significant supply shock in more than 40 years. Fuel security underpinned the entire economy, and the industry itself supported thousands of workers, he said. “This plan is also about helping keep them in work.”

Taylor acknowledged the pressure refineries are under.

The government says modelling indicates a domestic refining capability is worth some $4.9 billion over a decade to Australian consumers in terms of price suppression.

The construction of diesel storage will support up to 950 jobs, with 75 new ongoing jobs, many in the regions, the government says.

“A minimum stockholding obligation will act as a safety net for petrol and jet fuel stocks and increased diesel stockholdings by 40%,” Morrison and Taylor said in their statement.

They stressed the government’s commitment to onshore refining capacity. The industry’s viability is under threat.

The planned production payment scheme is to protect from an estimated 1 cent per litre rise that, according to modelling, would hit fuel if all refineries onshore were to close. Refineries receiving the support will have to commit to stay operating locally.

Under the minimum stockholding requirements, petrol and jet fuel stocks would be kept no lower than current commercial levels, which are about 24 consumption days.

Diesel stocks would increase by 40%, to be at 28 consumption cover days. This would add about 10 days to Australia’s International Energy Agency compliance total.

In July Australia had 84 IEA days including stocks on water. Implementing a minimum stockholding obligation would bring Australia into line with most IEA members, which regulate their fuel industries to meet their security needs. Under the IEA treaty, member countries are required to have 90 days of stocks.

(IEA days and consumption cover days are different.)

Refineries will be exempt from the obligations to hold additional stocks.

The production payments will ensure a minimum value of 1.15 cents per litre to refineries. A competitive process will determine the location of new storage facilities.

The government says it recognises “the future refining sector in Australia will not look like the past. However, this framework will ensure the market is viable for both our future needs and can support Australia during a severe fuel disruption.”

Michelle Grattan, Professorial Fellow, University of Canberra

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Face masks and facial recognition will both be common in the future. How will they co-exist?


Paul Haskell-Dowland, Edith Cowan University

It’s surprising how quickly public opinion can change. Winding the clocks back 12 months, many of us would have looked at a masked individual in public with suspicion.

Now, some countries have enshrined face mask use in law. They’ve also been made compulsory in Victoria and are recommended in several other states.

One consequence of this is that facial recognition systems in place for security and crime prevention may no longer be able to fulfil their purpose. In Australia, most agencies are silent about the use of facial recognition.

But documents leaked earlier this year revealed Australian Federal Police and state police in Queensland, Victoria and South Australia all use Clearview AI, a commercial facial recognition platform. New South Wales police also admitted using a biometrics tool called PhotoTrac.


What is facial recognition?

Facial recognition involves using computing to identify human faces in images or videos, and then measuring specific facial characteristics. This can include the distance between eyes, and the relative positions of the nose, chin and mouth.

This information is combined to create a facial signature, or profile. When used for individual recognition – such as to unlock your phone – an image from the camera is compared to a recorded profile. This process of facial “verification” is relatively simple.

However, when facial recognition is used to identify faces in a crowd, it requires a significant database of profiles against which to compare the main image.

These profiles can be legally collected by enrolling large numbers of users into systems. But they’re sometimes collected through covert means.

Facial ‘verification’ (the method used to unlock smartphones) compares the main image with a single pre-saved facial signature. Facial ‘identification’ requires examining the image against an entire database of facial signatures.
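The difference between verification (1:1) and identification (1:N), and what a mask does to both, as an added toy example that is not from the article or any real recognition system. Facial signatures are represented as a handful of relative measurements of the kind the article lists (eye spacing, eye-to-nose, nose-to-mouth, mouth-to-chin); the values, the feature names, the probe capture and the threshold are all constructed. Restricting the comparison to the features a mask leaves visible shows why the error rates the article reports later rise: the remaining measurements no longer separate enrolled people.

```python
import math

# Relative measurements of the kind the article lists; names and values are constructed.
ALL_FEATURES = ("eye_distance", "brow_height", "eye_to_nose", "nose_to_mouth", "mouth_to_chin")
# Features that stay visible when a mask covers the nose, mouth and chin.
VISIBLE_WITH_MASK = ("eye_distance", "brow_height")

# Enrolled signatures (constructed). Alice and Bob have similar upper faces.
ENROLLED = {
    "alice": {"eye_distance": 6.2, "brow_height": 2.0, "eye_to_nose": 4.8,
              "nose_to_mouth": 3.1, "mouth_to_chin": 4.4},
    "bob":   {"eye_distance": 6.3, "brow_height": 2.1, "eye_to_nose": 5.6,
              "nose_to_mouth": 3.9, "mouth_to_chin": 5.0},
    "carol": {"eye_distance": 5.5, "brow_height": 1.7, "eye_to_nose": 4.1,
              "nose_to_mouth": 2.7, "mouth_to_chin": 3.9},
}

# A fresh capture of Alice with small measurement noise (constructed).
PROBE = {"eye_distance": 6.1, "brow_height": 2.0, "eye_to_nose": 4.9,
         "nose_to_mouth": 3.0, "mouth_to_chin": 4.5}

THRESHOLD = 0.5  # maximum distance still counted as a match (assumed)


def distance(a: dict, b: dict, features=ALL_FEATURES) -> float:
    """Euclidean distance between two signatures over the chosen features."""
    return math.sqrt(sum((a[f] - b[f]) ** 2 for f in features))


def verify(probe: dict, enrolled: dict, features=ALL_FEATURES, threshold: float = THRESHOLD) -> bool:
    """1:1 check, as when unlocking a phone: is the probe close to the one claimed identity?"""
    return distance(probe, enrolled, features) <= threshold


def identify(probe: dict, database: dict, features=ALL_FEATURES, threshold: float = THRESHOLD) -> list:
    """1:N search: every enrolled identity within the threshold, nearest first.
    One hit is a clear match, several is ambiguous, none means unknown."""
    hits = [(name, distance(probe, sig, features)) for name, sig in database.items()]
    return sorted(((n, d) for n, d in hits if d <= threshold), key=lambda h: h[1])


if __name__ == "__main__":
    print("unmasked, verify as alice:", verify(PROBE, ENROLLED["alice"]))
    print("unmasked, identify:", identify(PROBE, ENROLLED))
    print("masked,   verify as bob:  ", verify(PROBE, ENROLLED["bob"], VISIBLE_WITH_MASK))
    print("masked,   identify:", identify(PROBE, ENROLLED, VISIBLE_WITH_MASK))
```

Unmasked, the probe verifies only as Alice and identification returns her alone. With the lower face hidden, the same probe also verifies as Bob (a false accept) and identification returns two candidates, which is the ambiguity a system must resolve by raising its threshold, relying on other features, or asking for a second factor.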

The problem with face masks

As facial signatures are based on mathematical models of the relative positions of facial features, anything that reduces the visibility of key characteristics (such as the nose, mouth and chin) interferes with facial recognition.

There are already many ways to evade or interfere with facial recognition technologies. Some of these evolved from techniques designed to evade number plate recognition systems.

Although the coronavirus pandemic has escalated concerns around the evasion of facial recognition systems, leaked US documents show these discussions taking place back in 2018 and 2019, too.

This clip shows how fashion designers are outsmarting facial recognition surveillance / YouTube.

And while the debate on the use and legality of facial recognition continues, the focus has recently shifted to the challenges presented by mask-wearing in public.

On this front, the US National Institute of Standards and Technology (NIST) coordinated a major research project to evaluate how masks impacted the performance of various facial recognition systems used across the globe.

Its report, published in July, found some algorithms struggled to correctly identify mask-wearing individuals up to 50% of the time. This was a significant error rate compared to when the same algorithms analysed unmasked faces.

Some algorithms even struggled to locate a face when a mask was covering too much of it.

Finding ways around the problem

There are currently no usable photo data sets of mask-wearing people that can be used to train and evaluate facial recognition systems.

The NIST study addressed this problem by superimposing masks (of various colours, sizes and positions) over images of faces, as seen here:

While this may not be a realistic portrayal of a person wearing a mask, it’s effective enough to study the effects of mask-wearing on facial recognition systems.

It’s possible images of real masked people would allow more details to be extracted to improve recognition systems – perhaps by estimating the nose’s position based on visible protrusions in the mask.

Many facial recognition technology vendors are already preparing for a future where mask use will continue, or even increase. One US company offers masks with customers’ faces printed on them, so they can unlock their smartphones without having to remove the mask.

Growing incentives for wearing masks

Even before the coronavirus pandemic, masks were a common defence against air pollution and viral infection in countries including China and Japan.


Political activists also wear masks to evade detection on the streets. Both the Hong Kong and Black Lives Matter protests have reinforced protesters’ desire to dodge facial recognition by authorities and government agencies.

As experts forecast a future with more pandemics, rising levels of air pollution, persisting authoritarian regimes and a projected increase in bushfires producing dangerous smoke – it’s likely mask-wearing will become the norm for at least a proportion of us.

Facial recognition systems will need to adapt. Detection will be based on features that remain visible such as the eyes, eyebrows, hairline and general shape of the face.

Such technologies are already under development. Several suppliers are offering upgrades and solutions that claim to deliver reliable results with mask-wearing subjects.

For those who oppose the use of facial recognition and wish to go undetected, a plain mask may suffice for now. But in the future they might have to consider alternatives, such as a mask printed with a fake computer-generated face.

Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

TikTok can be good for your kids if you follow a few tips to stay safe


Joanne Orlando, Western Sydney University

The video-sharing app TikTok is a hot political potato amid concerns over who has access to users’ personal data.

The United States has moved to ban the app. Other countries, including Australia, have expressed concern.

But does this mean your children who use this app are at risk? If you’re a parent, let me explain the issues and give you a few tips to make sure your kids stay safe.

A record-breaker

Never has an app for young people been so popular. By April this year the TikTok app had been downloaded more than 2 billion times worldwide.

The app recently broke all records for the most downloaded app in a quarterly period, with 315 million downloads globally in the first three months of 2020.

Its popularity with young Aussies has sky-rocketed. Around 1.6 million Australians use the app, including about one in five people born since 2006. That’s an estimated 537,000 young Australians.

Like all social media apps, TikTok siphons data about its users such as email address, contacts, IP address and geolocation information.

TikTok was fined $US5.8 million (A$8 million) to settle US government claims it illegally collected personal information from children.

As the Chinese company ByteDance owns TikTok, US President Donald Trump and others are also worried about the app handing over this data to the Chinese state. TikTok denies it does this.


Just days ago the Trump administration signed an executive order to seek a ban on TikTok operating or interacting with US companies.

Youngsters still TikToking

There is no hint of this stopping our TikToking children. For them it’s business as usual, creating and uploading videos of themselves lip-syncing, singing, dancing or just talking.

The most recent trend on TikTok – Taylor Swift Love Story dance – has resulted in more than 1.5 million video uploads in around two weeks alone.

But the latest political issues with TikTok raise questions about whether children should be on this platform right now. More broadly, as we see copycat sites such as Instagram Reels launched, should children be using any social media platforms that focus on them sharing videos of themselves at all?

The pros and cons

The TikTok app has filled a genuine social need for this young age group. Social media sites can offer a sense of belonging to a group, such as a group focused on a particular interest, experience, social group or religion.

TikTok celebrates diversity and inclusivity. It can provide a place where young people can join together to support each other in their needs.

During the COVID-19 pandemic, TikTok has had huge numbers of videos with coronavirus-related hashtags such as #quarantine (65 billion views), #happyathome (19.5 billion views) and #safehands (5.4 billion views).

Some of these videos are funny, some include song and dance. The World Health Organisation even posted its own youth-oriented videos on TikTok to provide young people with reliable public health advice about COVID-19.

The key benefit is the platform became a place where young people joined together from all corners of the planet, to understand and take the stressful edge off the pandemic for themselves and others their age. Where else could they do that? The mental health benefits this offers can be important.

Let’s get creative

Another benefit lies in the creativity TikTok centres on. Passive use of technology, such as scrolling and checking social media with no purpose, can lead to addictive types of screen behaviours for young people.

Planning and creating content, on the other hand, such as making their own videos, is meaningful use of technology and curbs addictive technology behaviours. In other words, if young people are going to use technology, using it creatively, purposefully and with meaning is the type of use we want to encourage.

Users of TikTok must be at least 13 years old, although it does have a limited app for under 13s.

Know the risks

As on all social media platforms, children are engaging in a space in which others can contact them. They may be engaging in adult concepts that they are not yet mature enough for, such as love gone wrong or suggestively twerking to songs.


The platform moves very quickly, with a huge amount of videos, likes and comments uploaded every day. Taking it all in can lead to cognitive overload. This can be distracting for children and decrease focus on other aspects of their life including schoolwork.

How to stay safe and still have fun with TikTok.

So here are a few tips for keeping your child safe, as well as getting the most out of the creative/educational aspects of TikTok.

  1. as with any social network, use privacy settings to limit how much information your child is sharing

  2. if your child is creating a video, make sure it is reviewed before it’s uploaded to ensure it doesn’t include content that can be misconstrued or have negative implications

  3. if a child younger than 13 wants to use the app, there’s a section for this younger age group that includes extra safety and privacy features

  4. if you’re okay with your child creating videos for TikTok, then doing it together or helping them plan and film the video can be a great parent-child bonding activity

  5. be aware of the collection of data by TikTok, encourage your child to be aware of it, and help them know what they are giving away and the implications for them.

Happy (safe) TikToking!

Joanne Orlando, Researcher: Children and Technology, Western Sydney University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Hong Kong activists now face a choice: stay silent, or flee the city. The world must give them a path to safety


Brendan Clift, University of Melbourne

In recent days, the prime ministers of the UK and Australia each declared they are working toward providing safe haven visas for Hong Kong residents. In the US, lawmakers passed a bill that would impose sanctions on businesses and individuals that support China’s efforts to restrict Hong Kong’s autonomy.

The prospect of a shift from rhetoric to action reveals just how dire the situation in China’s world city has become.

July 1 is usually associated with Hong Kong’s annual pro-democracy march. This year, it saw around 370 arrests as protesters clashed with police under the shadow of a brand new national security law.


Hong Kong police have been cracking down hard on demonstrators for over a year – with Beijing’s blessing – and most of this week’s arrests were possible simply because police had banned the gathering.

But ten arrests were made under the national security law for conduct including the possession of banners advocating Hong Kong independence.

Already, a pro-democracy political party has disbanded and activists are fleeing the city.

What’s in the national security law and how it could be applied

The national security law had been unveiled just hours earlier, its details kept secret until this week. It was imposed on Hong Kong in unprecedented circumstances when Chief Executive Carrie Lam, Beijing’s appointed leader in the city, bypassed the local legislature and promulgated it directly.

The law creates four main offences: secession, subversion, terrorism and collusion with foreign forces to endanger national security.

Hong Kong law already contains some offences of this sort, including treason, a disused colonial relic, and terrorism, tightly defined by statute. The new national security offences are different beasts – procedurally unique and alarmingly broad.

Secession, for example, includes the acts of inciting, assisting, supporting, planning, organising or participating in the separation or change of status of any part of China, not necessarily by force. This is calculated to prevent even the discussion of independence or self-determination for Hong Kong.

More than 300 people were detained at a protest this week and ten were arrested under the new law.

Collusion includes making requests of or receiving instructions from foreign countries, institutions or organisations to disrupt laws or policies in or impose sanctions against Hong Kong or China.

This is aimed at barring Hong Kongers from lobbying foreign governments or making representations at the United Nations, which many protesters have done in the past year.

The law contains severe penalties: for serious cases, between ten years and life imprisonment. It also overrides other Hong Kong laws. The presumption in favour of bail, for instance, will not apply in national security cases, facilitating indefinite detention of accused persons.

Defendants can be tried in Hong Kong courts, but in a major departure from the city’s long-cherished judicial independence, the chief executive will personally appoint the judges for national security cases.

The chief executive also decides if a trial involves state secrets – a concept defined very broadly in China. In these cases, open justice is abandoned and trials will take place behind closed doors with no jury.

A black Hong Kong flag burning last month during an anti-government demonstration.
Viola Kam/SOPA Images/Sipa USA

While Hong Kong courts can apply the new national security law, the power to interpret it lies with Beijing alone. And in the most serious cases, mainland Chinese courts can assume jurisdiction.

This raises the prospect of political prisoners being swallowed up by China’s legal system, which features no presumption of innocence and nominal human rights guarantees. China also leads the world in executions.

Much of the national security law’s content contradicts fundamental principles of Hong Kong’s common law legal system and the terms of its mini-constitution, the Basic Law.

Even the territory’s justice minister – another unelected political appointee – has admitted the systems are incompatible.

Read more:
Hong Kong: does British offer of citizenship to Hongkongers violate Thatcher’s deal with China?

Why it is deliberately vague

In the typical style of mainland Chinese laws, the national security law is drafted in vague and general terms. This is designed to give maximum flexibility to law enforcement and prosecutors, while provoking maximum fear and compliance among the population.

The government has said calls for independence for Hong Kong, Tibet, Xinjiang and even Taiwan are now illegal, as is the popular protest slogan “liberate Hong Kong; revolution of our times”.

Posting Hong Kong independence stickers can now lead to severe punishments.
Willie Siau/SOPA Images/Sipa USA

A Beijing spokesman has said the charge of collusion to “provoke hatred” against the Hong Kong government could be used against people who spread rumours that police beat protesters to death in a notorious subway station clash last year, echoing the infamous mainland Chinese law against “picking quarrels and provoking trouble”.

The law does not appear to be retroactive, but fears that it could be interpreted that way have caused a flurry of online activity as people have deleted social media accounts and posts associating them with past protests.

This is unsurprising given the Hong Kong government’s record of trawling through old social media posts for reasons to bar non-establishment candidates from standing at elections.

Dissent in any form becomes extremely hazardous

Despite the promise of autonomy for Hong Kong, enshrined in a pre-handover treaty with the UK that China claims is now irrelevant, the national security law has escalated the project to “harmonise” the upstart region by coercive means, rather than addressing the root causes of dissatisfaction.

Under the auspices of the new law, the Chinese government will openly establish a security agency, with agents unaccountable under local law, in Hong Kong for the first time. It has also authorised itself in the new law to extend its tendrils further into civil society, with mandates to manage the media, the internet, NGOs and school curricula.

Under the weight of this authoritarian agenda, dissent in any form becomes an extremely hazardous prospect. It is no doubt Beijing’s intention that it will one day be impossible – or better yet, something Hong Kongers would not even contemplate.

Read more:
China is taking a risk by getting tough on Hong Kong. Now, the US must decide how to respond

The aim of silencing all opposing voices – including those overseas – is clear from the purported extraterritorial operation of the law.

The international community has condemned Beijing’s actions, but its members have a responsibility to follow words with actions. The least that democratic countries like the US, UK, Australia and others can do is offer a realistic path to safety for the civic-minded Hong Kongers who have stood up to the world’s premier authoritarian power at grave personal risk.

Some 23 years after China achieved its long-held ambition of regaining Hong Kong, it has failed to win hearts and minds and has brought out the big stick. Its promises may have been hollow, but its threats are not.

Brendan Clift, Teaching Fellow and PhD candidate, University of Melbourne

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Don’t be phish food! Tips to avoid sharing your personal information online

Shutterstock

Nik Thompson, Curtin University

Data is the new oil, and online platforms will siphon it off at any opportunity. Platforms increasingly demand our personal information in exchange for a service.

Avoiding online services altogether can limit your participation in society, so the advice to just opt out is easier said than done.

Here are some tricks you can use to avoid giving online platforms your personal information. Some ways to limit your exposure include using “alternative facts”, guest check-out options and a burner email.

Alternative facts

While “alternative facts” is a term coined by White House press staff to describe factual inaccuracies, in this context it refers to false details supplied in place of your personal information.

Read more:
Hackers are now targeting councils and governments, threatening to leak citizen data

This is an effective strategy to avoid giving out information online. Though platforms might insist you complete a user profile, they can do little to check if that information is correct. For example, they can check whether a phone number contains the correct amount of digits, or if an email address has a valid format, but that’s about it.

When a website requests your date of birth, address, or name, consider how this information will be used and whether you’re prepared to hand it over.

There’s a distinction to be made between which platforms do or don’t warrant using your real information. If it’s an official banking or educational institute website, then it’s important to be truthful.

But an online shopping, gaming, or movie review site shouldn’t require the same level of disclosure, and using an alternative identity could protect you.

Secret shopper

Online stores and services often encourage users to set up a profile, offering convenience in exchange for information. Stores value your profile data, as it can provide them additional revenue through targeted advertising and emails.

But many websites also offer a guest checkout option to streamline the purchase process. After all, one thing as valuable as your data is your money.

So unless you’re making very frequent purchases from a site, use guest checkout and skip profile creation altogether. Even without disclosing extra details, you can still track your delivery, as tracking is provided by transport companies (and not the store).

Also consider your payment options. Many credit cards and payment merchants such as PayPal provide additional buyer protection, adding another layer of separation between you and the website.

Avoid sharing your bank account details online, and instead use an intermediary such as PayPal, or a credit card, to provide additional protection.

If you use a credit card (even prepaid), then even if your details are compromised, any potential losses are limited to the card balance. Also, with credit cards this balance is effectively the bank’s funds, meaning you won’t be charged out of pocket for any fraudulent transactions.

Burner emails

An email address is usually the first item a site requests.

They also often require email verification when a profile is created, and that verification email is probably the only one you’ll ever want to receive from the site. So rather than handing over your main email address, consider a burner email.

This is a fully functional but disposable email address that remains active for about 10 minutes. You can get one for free from online services including Maildrop, Guerilla Mail and 10 Minute Mail.

Just make sure you don’t forget your password, as you won’t be able to recover it once your burner email becomes inactive.

The 10 Minute Mail website offers free burner emails.
screenshot

The risk of being honest

Every online profile containing your personal information is another potential target for attackers. The more profiles you make, the greater the chance of your details being breached.

A breach in one place can lead to others. Names and emails alone are sufficient for email phishing attacks. And a phish becomes more convincing (and more likely to succeed) when paired with other details such as your recent purchasing history.

Surveys indicate about half of us recycle passwords across multiple sites. While this is convenient, it means if a breach at one site reveals your password, then attackers can hack into your other accounts.

In fact, even just an email address is a valuable piece of intelligence, as emails are used as a login for many sites, and a login (unlike a password) can sometimes be impossible to change.

Obtaining your email could open the door for targeted attacks on your other accounts, such as social media accounts.

Read more:
The ugly truth: tech companies are tracking and misusing our data, and there’s little we can do

In “password spraying” attacks, cybercriminals test common passwords against many emails/usernames in hopes of landing a correct combination.
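Spraying leaves a different footprint from a brute-force run against a single account: each account sees only one or two failures, so per-account lockouts never trip, and the signal has to be found per source instead. The following Python example is added here and is not part of the original article; it runs a simple spray detector and a per-account brute-force detector over constructed sample login records (the log format, IP addresses and usernames are invented).

```python
"""Detect password-spraying patterns in authentication logs.

Password spraying tries one or two common passwords against many
accounts, so each account sees only a few failures. The per-source
signal is: many distinct usernames failing from one origin in a
short window. A brute-force run against one account looks different
(one username, many failures) and is reported separately.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format per line:
# ISO-timestamp source-ip username result
SAMPLE_LOG = """\
2020-07-01T09:00:01 203.0.113.7 alice FAIL
2020-07-01T09:00:02 203.0.113.7 bob FAIL
2020-07-01T09:00:03 203.0.113.7 carol FAIL
2020-07-01T09:00:04 203.0.113.7 dave FAIL
2020-07-01T09:00:05 203.0.113.7 erin FAIL
2020-07-01T09:00:06 203.0.113.7 frank OK
2020-07-01T09:00:10 198.51.100.9 alice FAIL
2020-07-01T09:00:11 198.51.100.9 alice FAIL
2020-07-01T09:00:12 198.51.100.9 alice FAIL
2020-07-01T09:00:13 198.51.100.9 alice FAIL
2020-07-01T09:00:14 198.51.100.9 alice FAIL
2020-07-01T09:00:15 198.51.100.9 alice FAIL
2020-07-01T09:05:00 192.0.2.44 grace FAIL
2020-07-01T09:05:30 192.0.2.44 grace OK
2020-07-01T11:00:00 203.0.113.7 heidi FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source, username, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def _events(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e[0])


def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_users=5, max_per_user=2):
    """Return {source: {"users": n, "fails": m, "success": [usernames]}}
    for every source that, within one sliding window, produced failures
    against at least `min_users` accounts with no more than `max_per_user`
    failures each. "success" lists accounts that logged in from the same
    source inside that window (a spray that landed)."""
    by_src = defaultdict(list)
    for ev in _events(log_text):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1            # slide the window forward
            win = evs[start:end + 1]
            fails = defaultdict(int)
            for _, _, user, result in win:
                if result == "FAIL":
                    fails[user] += 1
            low = [u for u, c in fails.items() if c <= max_per_user]
            if len(low) >= min_users:
                ok = sorted({u for _, _, u, r in win if r == "OK"})
                found = {"users": len(fails), "fails": sum(fails.values()),
                         "success": ok}
                prev = findings.get(src)
                if prev is None or found["users"] >= prev["users"]:
                    findings[src] = found   # keep the widest window seen
    return findings


def detect_bruteforce(log_text, min_fails=5):
    """Return {source: {username: failures}} for the classic pattern of
    many failures against one account, which spraying deliberately avoids."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, src, user, result in _events(log_text):
        if result == "FAIL":
            counts[src][user] += 1
    return {s: {u: c for u, c in users.items() if c >= min_fails}
            for s, users in counts.items()
            if any(c >= min_fails for c in users.values())}
```

Run over the sample, 203.0.113.7 is reported as a spray (five accounts, one failure each, followed by a successful login) while 198.51.100.9 only appears in the brute-force report.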

The bottom line is, the safest information is the information you never release. And practising alternatives to disclosing your true details could go a long way to limiting your data being used against you.

Nik Thompson, Senior Lecturer, Curtin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Australia doesn’t need more anti-terror laws that aren’t necessary – or even used

Mick Tsikas/AAP

Keiran Hardy, Griffith University

Home Affairs Minister Peter Dutton has introduced a new bill that will amend the controversial questioning and detention powers held by the Australian Security Intelligence Organisation (ASIO).

While some changes are welcome, others are a cause for concern. One major change is that the legislation will allow ASIO officers to coercively question children as young as 14.

For this bill to be passed, Home Affairs must offer a stronger justification as to why the expanded powers are needed in the current security climate.

Read more:
Australia has enacted 82 anti-terror laws since 2001. But tough laws alone can’t eliminate terrorism

Calls for new counter-terrorism powers have become commonplace in Australia, to the point where we now have more than 80 laws directed at the threat of terrorism.

Any call for additional powers should be met with careful scrutiny, particularly when the rights of children are at stake.

Repealing controversial detention powers

One of the biggest changes in the bill is that it would repeal ASIO’s power to detain people for questioning. Currently, ASIO has the power to seek a questioning and detention warrant (QDW) that allows people to be detained for up to one week. Detention can be approved if a person is likely to fail to appear for questioning, alert someone involved in terrorism, or tamper with evidence.

During that period, a person can be questioned in eight-hour blocks up to a maximum of 24 hours. This is purely an intelligence-gathering exercise, and is not related to any investigation for a criminal offence. The questioning can be approved if it would

“substantially assist the collection of intelligence that is important in relation to a terrorism offence”.

The questioning is coercive, in that a person faces five years in prison for failing to answer any of ASIO’s questions. The powers are also highly secretive: it’s five years in prison for anyone who reveals anything about a warrant.

These powers are some of Australia’s most controversial anti-terror laws, as no democratic country has granted its domestic intelligence agency the same power to detain people for questioning.

Reviews by the Independent National Security Legislation Monitor, the Parliamentary Joint Committee on Intelligence and Security and the COAG review of counter-terrorism legislation have all recommended this power be repealed. Such a move would be welcome.

Expanded powers to question minors

At the same time, the bill will expand ASIO’s power to seek questioning warrants (QWs). These trigger all the same questioning processes and criminal offences as QDWs, they just don’t allow ASIO to detain the person outside the questioning period.

If the bill passes, QWs will be split into “adult questioning warrants” and “minor questioning warrants”. Minor questioning warrants will be available for children as young as 14 who are “likely to engage in” politically motivated violence.

This significantly widens the current thresholds. QWs are currently available for 16-year-olds only when the attorney-general is satisfied the person “will commit, is committing or has committed a terrorism offence”.

Some additional safeguards will protect minors under the new measures. Before issuing a questioning warrant, for instance, the attorney-general will need to consider the “best interests” of the child.

This is consistent with international law requirements and Australia’s expanded control order regime, which can include electronic tagging and curfews.

Read more:
Control orders for kids won’t make us any safer

Under the proposed laws, a young person can only be questioned in blocks of two hours or less, and a lawyer must be present during all questioning.

However, restrictions currently placed on lawyers will be retained. Lawyers, whether acting for young people or adults, are not allowed to intervene in questioning, except to clarify an ambiguous question. They can even be kicked out of the room, and a new lawyer appointed, if they “unduly” disrupt the questioning.

These restrictions will significantly undermine the ability of lawyers to protect children from any forceful or inappropriate questioning by ASIO officers.

Are the changes even needed?

Dutton has justified the proposed changes by claiming Australia faces a significant threat of terrorism from young people. While we cannot know the intelligence on which this assessment is based, the urgent need for these changes is doubtful.

The statistics show that questioning warrants are used very rarely. The last QW was issued in 2010, and the last one before that in 2006.

Only 16 QWs have ever been issued since their introduction in 2003, and none since the threat from Islamic State emerged.

Read more:
Australia’s quest for national security is undermining the courts and could lead to secretive trials

Given this record, it is difficult to see how QWs for 14-year-olds are suddenly needed to prevent acts of terrorism.

Indeed, in a recent PJCIS inquiry, ASIO explained their lack of use by saying the powers were difficult to approve on a short timeframe. This made them not very useful for the kinds of low-tech attacks seen in recent years, such as stabbings and shootings, which require little advance planning.

If the new powers are passed in the bill, they should at least be sunsetted to expire after three years, rather than the proposed ten. Without this amendment, more extraordinary counter-terrorism powers will be on Australia’s statute books for the foreseeable future.

Keiran Hardy, Postdoctoral Research Fellow, Griffith Criminology Institute, Griffith University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

How safe is COVIDSafe? What you should know about the app’s issues, and Bluetooth-related risks

Shutterstock

James Jin Kang, Edith Cowan University and Paul Haskell-Dowland, Edith Cowan University

The Australian government’s COVIDSafe app has been up and running for almost a fortnight, with more than five million downloads.

Unfortunately, since its release many users – particularly those with iPhones – have been in the dark about how well the app works.

Digital Transformation Agency head Randall Brugeaud has now admitted the app’s effectiveness on iPhones “deteriorates and the quality of the connection is not as good” when the phone is locked, and the app is running in the background.

There has also been confusion regarding where user data is sent, how it’s stored, and who can access it.

Conflicts with other apps

Using Bluetooth, COVIDSafe collects anonymous IDs from others who are also using the app, assuming you come into range with them (and their smartphone) for a period of at least 15 minutes.

Bluetooth must be kept on at all times (or at least turned on when leaving home). But this setting is specifically advised against by the Office of the Australian Information Commissioner.

It’s likely COVIDSafe isn’t the only app that uses Bluetooth on your phone. So once you’ve enabled Bluetooth, other apps may start using it and collecting information without your knowledge.

Bluetooth is also energy-intensive, and can quickly drain phone batteries, especially if more than one app is using it. For this reason, some may be reluctant to opt in.

There have also been reports of conflicts with specialised medical devices. Diabetes Australia has received reports of users encountering problems using Bluetooth-enabled glucose monitors at the same time as the COVIDSafe app.

If this happens, the current advice from Diabetes Australia is to uninstall COVIDSafe until a solution is found.

Bluetooth can still track your location

Many apps require a Bluetooth connection and can track your location without actually using GPS.

Bluetooth “beacons” are progressively being deployed in public spaces – with one example in Melbourne supporting visually impaired shoppers. Some apps can use these to log locations you have visited or passed through. They can then transfer this information to their servers, often for marketing purposes.

To avoid apps using Bluetooth without your knowledge, you should deny Bluetooth permission for all apps in your phone’s settings, and then grant permissions individually.

If privacy is a priority, you should also read the privacy policy of all apps you download, so you know how they collect and use your information.

Issues with iPhones

The iPhone operating system (iOS), depending on the version, doesn’t allow COVIDSafe to work properly in the background. The only solution is to leave the app running in the foreground. And if your iPhone is locked, COVIDSafe may not be recording all the necessary data.

You can change your settings to stop your iPhone going into sleep mode. But this again will drain your battery more rapidly.

Brugeaud said older models of iPhones would also be less capable of picking up Bluetooth signals via the app.

It’s expected these issues will be fixed following the integration of contact tracing technology developed by Google and Apple, which Brugeaud said would be done within the next few weeks.

Read more:
The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change

Vulnerabilities to data interception

If a user tests positive for COVID-19 and consents to their data being uploaded, the information is then held by the federal government on an Amazon Web Services server in Australia.

Data from the app is stored on a user’s device and transmitted in an encrypted form to the server. Although it’s technically possible to intercept such communications, the data would still be encrypted and therefore offer little value to an attacker.

The government has said the data won’t be moved offshore or made accessible to US law enforcement. But various entities, including Australia’s Law Council, have said the privacy implications remain murky.

That said, it’s reassuring the Amazon data centre (based in Sydney) has achieved a very high level of security as verified by the Australian Cyber Security Centre.

Can the federal government access the data?

The federal government has said the app’s data will only be made available to state and territory health officials. This has been confirmed in a determination under the Biosecurity Act and is due to be implemented in law.

Federal health minister Greg Hunt said:

Not even a court order during an investigation of an alleged crime would be allowed to be used [to access the data].

Although the determination and proposed legislation clearly define the who and how of access to COVIDSafe data, past history indicates the government may not be best placed to look after our data.

It seems the government has gone to great lengths to promote the security and privacy of COVIDSafe. However, the government commissioned the development of the app, so someone will have the means to obtain the information stored within the system – the “keys” to the vault.

If the government did covertly obtain access to the data, it’s unlikely we would find out.

And while contact information stored on user devices is deleted on a 21-day rolling basis, the Department of Health has said data sent to Amazon’s server will “be destroyed at the end of the pandemic”. It’s unclear how such a date would be determined.

Ultimately, it comes down to trust – something which seems to be in short supply.

Read more:
The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy

James Jin Kang, Lecturer, Computing and Security, Edith Cowan University and Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.