Scuttlebutt: an "off-grid" P2P social network that runs without servers and can fall back to sneakernet

Dominic Tarr is a developer who lives on a self-steering sailboat in New Zealand; he created Scuttlebutt, a secure messaging system that can run without servers, even without ISPs.

Drill a single hole in an ATM and you can comprehensively pwn it

A presentation by Igor Soumenkov at Kaspersky's Security Analyst Summit reveals that a rash of mysterious ATM heists that left behind no evidence of hacking -- only a single small hole drilled by the machines' PIN pads -- were likely accomplished by using the hole to insert a $15 connector that allowed thieves to hijack the ATMs and order them to spit out all their money.

Bipartisan bill would end warrantless border searches of US persons' data

Under the Protecting Data at the Border Act, devices "belonging to or in the possession of a United States person" (a citizen or Green Card holder) could no longer be searched at the border without a warrant. Agents would no longer be able to deny US persons entry or exit on the basis of a refusal to allow such a search (but they could seize the equipment).

Anarchist bitcoin hacker flies to Syria to join a 4-million person anarchist collective the size of Massachusetts

Amir Taaki is a well-known anarchist bitcoin hacker whose project, Dark Wallet, is meant to create strong anonymity for cryptocurrency transactions; when he discovered that anarchists around the world had gone to Rojava, a district in Kurdish Syria on the Turkish border, to found an anarchist collective with 4,000,000 members "based on principles of local direct democracy, collectivist anarchy, and equality for women," he left his home in the UK to defend it.

Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates.

Washington Post and Jigsaw launch a collaborative pop-up dictionary of security jargon

Information security's biggest obstacle isn't the mere insecurity of so many of our tools and services: it's the widespread lack of general knowledge about fundamental security concepts, which allows scammers to trick people into turning off or ignoring security red flags.

EFF presents: a guide to protecting your data privacy when crossing the US border

The Electronic Frontier Foundation has just updated its 2011 guide to Digital Privacy at the U.S. Border with an all-new edition that covers the law, administrative rules, technological options and potential repercussions of crossing the US border without undergoing the warrantless seizure and indefinite retention of all of your sensitive data -- in a guide that breaks out the different risks for US citizens, US permanent residents, and visitors to the USA.

London cops use an insecure mail-server that lets third parties intercept mail in transit

Best practice for mail-servers is to turn on TLS by default, which means that when that mail server talks to other mail servers, it encrypts the connection to thwart eavesdroppers. Though the practice (sometimes called "opportunistic encryption") started out as something only paranoid organizations partook of, it's now so widespread that Google warns you if you attempt to use Gmail to send a message to someone whose server won't accept encrypted connections.

Trump vs leaks: Spicer's staff forced to undergo "phone searches" and delete privacy apps

Sean Spicer -- spokesman for the leakiest White House in history -- summoned his staff to a surprise meeting where they were forced to undergo a "phone check" in which they unlocked their phones to prove they had "nothing to hide."

The basics of crypto, in 4.5 pages, using only small words lawmakers can understand

Ed Felten (previously) -- copyfighter, Princeton computer scientist, former deputy CTO of the White House -- has published a four-and-a-half-page "primer for policymakers" on cryptography that explains how encryption for filesystems and encryption for messaging works, so they can be less ignorant.

A "travel mode" for social media - after all, you don't take all your other stuff with you on the road

As the US government ramps up its insistence that visitors (and US citizens) unlock their devices and hand over their social media accounts, the proposed solutions have run the gamut from extreme technological caution, to abandoning mobile devices while traveling, to asking the government to rethink its policy. But Maciej Cegłowski has another solution: a "travel mode" for our social media accounts.

Proof-of-concept ransomware locks up the PLCs that control power plants

In Out of Control: Ransomware for Industrial Control Systems, three Georgia Tech computer scientists describe their work to develop LogicLocker, a piece of proof-of-concept ransomware that infects the programmable logic controllers that are used to control industrial systems like those in power plants.

How to legally cross a US (or other) border without surrendering your data and passwords

The combination of 2014's Supreme Court decision not to hear Cotterman (where the 9th Circuit held that the data on your devices was subject to suspicionless border searches, and suggested that you simply not bring any data you don't want stored and shared by US government agencies with you when you cross the border) and Trump's announcement that people entering the USA will be required to give border officers their social media passwords means that a wealth of sensitive data on our devices and in the cloud is now liable to search and retention when we cross into the USA.

After shutting down to protect user privacy, Lavabit rises from the dead

In 2013, Lavabit -- famous for being the privacy-oriented email service chosen by Edward Snowden to make contact with journalists while he was contracting for the NSA -- shut down under mysterious, abrupt circumstances, leaving 410,000 users wondering what had just happened to their email addresses.

Barcelona government officially endorses Tor-based whistleblower platform

Xnet, a wonderful Spanish activist group, has created the Anti-Corruption Complaint Box, a whistleblowing platform for the city of Barcelona that allows people to file anonymous claims in a Globalleaks repository, with their anonymity protected by Tor.

Whatsapp: Facebook's ability to decrypt messages is a "limitation," not a "defect"

Facebook spokespeople and cryptographers say that Facebook's decision to implement Open Whisper Systems' end-to-end cryptographic messaging protocol in such a way as to allow Facebook to decrypt messages later without the user's knowledge reflects a "limitation" -- a compromise that allows users to continue conversations as they move from device to device -- and not a "defect."

A critical flaw (possibly a deliberate backdoor) allows for decryption of Whatsapp messages -- UPDATED

Update: Be sure to read the followup discussion, which explains Facebook's point of view, that this is a deliberate compromise, and not a defect, that makes the app more usable for a wide variety of users, while putting them to little additional risk (namely, that Facebook might change its mind; or be forced to spy on its users; or suffer a security breach or internal rogue employee).

When Facebook implemented Open Whisper Systems' end-to-end encrypted messaging protocol for Whatsapp, they introduced a critical flaw that exposes more than a billion users to stealthy decryption of their private messages: in Facebook's implementation, the company can force Whatsapp installations to silently generate new cryptographic keys (without any way for the user to know about this unless a deep settings checkbox had been ticked), which gives the company the ability to decrypt user messages, including messages that have already been sent in the past.
