China's anti-terror law mandates tech firm cooperation

News roundup: China passes anti-terror law requiring tech firms' help on surveillance, while new analysis of North Korea's Red Star OS shows different approach to cybersecurity.

China passed a new, wide-ranging anti-terror law this week that includes provisions requiring telecom operators and Internet service providers to provide technical assistance, including decryption, to government authorities investigating terrorist activities.

According to the report by China's official Xinhua news agency, those firms will also be called on to "prevent dissemination of information on terrorism and extremism."

Li Shouwei, deputy head of the parliament's criminal law division under the legislative affairs committee, said at a press conference that the new law would "not affect companies' normal business nor install backdoors to infringe intellectual property rights," reflecting an approach that, at least publicly, appears to be similar to that advocated by U.S. politicians who have been engaging in the debate over strong encryption.

"The clause reflects lessons China has learned from other countries and is a result of wide solicitation of public opinion," Li told reporters, adding that the new anti-terror law would not infringe on "citizens' freedom of speech on the Internet and their religious freedom."

U.S. legislators recently passed the oft-criticized Cybersecurity Information Sharing Act promoting information sharing between the private sector and federal government, and now members of Congress and law enforcement officials such as FBI Director James Comey have called for greater access to encrypted communications. Speaking at RSA Conference 2014 in San Francisco, Comey said that surveillance is necessary for effective law enforcement. Earlier this month, in Senate testimony, Comey said: "We want to get to a place where if a judge issues an order, the company figures out how to supply that information to a judge and figures out on its own how to do that."

North Korea's Red Star OS takes another approach to security

Meanwhile, software researchers presenting their analysis of North Korea's Red Star OS at the Chaos Communication Congress in Hamburg this week reported that the totalitarian regime's homegrown OS features customized encryption algorithms, tamper protection and file watermarking to track illegal copying.

The operating system, based on Red Hat Fedora and KDE and emulating the look of OS X, has been extensively modified by North Korean developers, according to researchers Florian Grunow and Niklaus Schiess of German IT security company ERNW GmbH.

Red Star OS was designed with security in mind and includes a firewall, virus scanner and encryption software that, while based on standard encryption algorithms such as AES, includes modifications which the researchers speculated were to avoid any backdoors that might have been placed in those algorithms. However, Grunow said that the operating system is a "privacy nightmare."

One feature incorporated into Red Star OS is a mechanism that adds a watermark to any file mounted to a Red Star OS file system, which allows North Korean authorities to trace files passed from one user to another, whether over a network or on portable storage media like USB drives.

Red Star OS also continuously monitors hashes of certain key files to protect the integrity of the system. If any of those files has been modified, the OS will reboot instantly.

And in other news:

  • New Year's Day is the beginning of the end for SHA-1. As previously announced by Microsoft, Google and Mozilla, up-to-date browsers will begin flagging websites signed with SHA-1 certificates issued after January 1, 2016. When encountering a SHA-1 certificate, the Firefox browser will show an "Untrusted Connection" error and Chrome (starting with version 48) will display a certificate error. Microsoft has announced that, starting on that date, "Windows (version 7 and higher) and Windows Server will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016." Such certificates should not be issued, however, because the CA/Browser Forum baseline requirements call for certificate authorities to stop issuing SHA-1 certificates by that date. Experts have been calling for deprecation of SHA-1 due to weakness in the face of increasing computing power since 2004.
  • U.S. Representative Michael McCaul (R-Texas) and Senator Mark Warner (D-Virginia) proposed "a national commission on security and technology challenges in the digital age" in a recent editorial in The Washington Post. The Congressmen wrote: "Because extremists are 'going dark,' law enforcement officials warn that we are 'going blind' in our efforts to track them." The commission would be tasked with finding solutions to the security challenge of detecting and disrupting terrorist group communications without weakening encryption used for commerce and privacy with backdoors. McCaul, chairman of the House Homeland Security Committee, previously called for establishment of the commission early in December in what he called the first annual State of the Homeland Security Defense Address, where he proposed bringing together "the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground."
