
If Uncle Sam could quit using insecure .zip files to swap info across the 'net, that would be great, says Silicon Ron Wyden

Senator urges NIST to do something about it

Influential US Senator Ron Wyden (D-OR) is not happy about Uncle Sam's employees using insecure .zip files and other archive formats to electronically transfer information.

The Oregon Democrat today sent a letter [PDF] to Walter Copan, director of America's National Institute of Standards and Technology (NIST), asking that the standards body put together a guidance document for government workers on alternatives to .zip archiving tools.

"I write to ask that NIST create and publish guidance describing how individuals and organizations can safely share sensitive documents with others over the internet," Silicon Ron urged. "Government agencies routinely share and receive sensitive data through insecure methods – such as emailing .zip files – because employees are not provided the tools and training to do so safely."

As Wyden points out, data security experts have long considered the encryption built into stock .zip archiving tools, including those bundled with some editions of Microsoft Windows and Apple macOS, to be next to useless: the algorithms are usually too weak and can be cracked with little effort. Creating password-protected .zip files to send government and other sensitive documents over the 'net is therefore considered unwise, since the underlying cipher is probably insufficient unless the sender deliberately uses software that employs stronger encryption.

For instance, back in 2005, eggheads devised a simple method to crack encrypted password-protected .zip archives created by Windows XP. The weak cipher used, and other since-cracked encryption methods, are still employed by many .zip archiving tools today.

And this is assuming the archives are password protected at all.
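As an added illustration, not part of The Register's article or of the senator's letter: a check a defender can run on an archive before sending or accepting it, which reads the ZIP central directory and tells the legacy PKWARE stream cipher ("ZipCrypto", the scheme the article describes as long broken) apart from WinZip-style AES. It relies on the published ZIP format layout (general-purpose flag bit 0 marks an encrypted entry; compression method 99 plus a 0x9901 extra-field record marks WinZip AE-x); the sample archive bytes below are constructed inline for the demonstration.

```python
import struct

CD_SIG, EOCD_SIG = 0x02014B50, 0x06054B50
CD_FMT, EOCD_FMT = "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"   # 46-byte and 22-byte fixed parts
AES_EXTRA_ID = 0x9901                                   # WinZip AE-x extra-field id
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}

def _aes_strength(extra: bytes):
    """Walk the extra-field list; return the AE-x key strength, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID and size >= 5:
            # data layout: vendor version(2) vendor id(2) strength(1) real method(2)
            return AES_STRENGTH.get(extra[pos + 8], "aes-unknown")
        pos += 4 + size
    return None

def classify_zip_entries(data: bytes) -> list:
    """Return (filename, scheme) per entry: 'none', 'zipcrypto' or 'aes-NNN'."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    pos, result = cd_offset, []
    for _ in range(total):
        f = struct.unpack_from(CD_FMT, data, pos)
        if f[0] != CD_SIG:
            raise ValueError("bad central directory signature")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if not flags & 0x0001:
            scheme = "none"                      # not encrypted at all
        elif method == 99:
            scheme = _aes_strength(extra) or "aes-unknown"
        else:
            scheme = "zipcrypto"                 # legacy PKWARE cipher: treat as unprotected
        result.append((name, scheme))
        pos += 46 + name_len + extra_len + comment_len
    return result

def build_sample_zip(entries) -> bytes:
    """Constructed sample: central directory + EOCD only, enough for classification."""
    cd = b""
    for name, flags, method, extra in entries:
        cd += struct.pack(CD_FMT, CD_SIG, 20, 20, flags, method, 0, 0, 0, 0, 0,
                          len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cd + struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), 0, 0)

AES256_EXTRA = struct.pack("<HHHHBH", AES_EXTRA_ID, 7, 2, 0x4541, 3, 8)   # vendor id "AE"
SAMPLE = build_sample_zip([(b"plain.txt", 0x0000, 8, b""),
                           (b"legacy.docx", 0x0001, 8, b""),
                           (b"strong.docx", 0x0001, 99, AES256_EXTRA)])
```

Any entry reported as `zipcrypto` should be handled as if it were unencrypted; only `aes-*` entries reflect the stronger encryption the article says senders must go out of their way to use.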

When government employees use these insecure tools to create .zip archives, Wyden argues, they are potentially putting sensitive information at risk of decryption and theft, and possibly creating a national security hazard should the messages be intercepted or the scrambled compressed archives be stolen.

The senator is not alone, either. Security experts agree that agency workers should not be using .zip archive tools for moving government documents.

"We cryptographers are arguing over PGP key sizes," noted Associate Professor Matthew Green, a cryptography expert at Johns Hopkins University in Baltimore. "Meanwhile government employees are emailing each other documents encrypted with a cipher that was handily broken in the 1990s. This is one of those areas (like legacy SMS) where we’ve somehow gotten stuck with the least common denominator.

"There’s a huge opportunity for smart people in this field to come up with something much better."

It appears Wyden wants NIST to do just that.

"The government must ensure that federal workers have the tools and training they need to safely share sensitive data," he wrote. "To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet." ®
