Snowden will develop pro-privacy crypto tools

He made the announcement at the HOPEX conference in New York this past weekend, calling on other attendees to join him in a project to "improve the future by encoding our rights into programs and protocols by which we rely every day."

(via /.)

(Image: SHH, Liz Welsh, CC-BY)

Snowden: Dropbox is an NSA surveillance target, use Spideroak instead


A remarkable moment from last night's remarkable Snowden video from the Guardian.

Read the rest

Finnish national broadcaster will transmit blockchain over terrestrial digital TV network

The Finnish national broadcaster has partnered with Kryptoradio to broadcast the Bitcoin blockchain over the digital television network making it accessible over a non-Internet channel to 95% of the Finnish population.

Read the rest

Digital First Aid Kit: where to turn when you're DoSed or have your accounts hijacked

A group of NGOs, including the Electronic Frontier Foundation, offer a suite of tools for diagnosing and mitigating the kinds of attacks faced by dissidents and independent media all over the world, especially when they threaten the powerful.

Read the rest

Fake Google subdomain certificates found in the wild

An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.

Read the rest

"Personal Internet security" is a team sport


My latest column in Locus magazine, Security in Numbers, looks at the impossibility of being secure on your own -- if you use the Internet to talk to other people, they have to care about security, too.

Read the rest

Blackphone: a privacy-conscious phone that actually works


The Blackphone is a secure mobile phone whose operating system is based on Android, designed to minimize the amount of data you leak as you move through the world through a combination of encryption and systems design that takes your privacy as its first priority.

Read the rest

Cyber-crooks turn to Bitcoin extortion


Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.

Read the rest

Possible hidden Latin warning about NSA in Truecrypt's suicide note


When the anonymous authors of the Truecrypt security tool mysteriously yanked their software last month, there was widespread suspicion that they had been ordered by the NSA to secretly compromise their software. A close look at the cryptic message they left behind suggests that they may have encoded a secret clue in the initials of each word of the sentence ("Using TrueCrypt is not secure as it may contain unfixed security issues"), the Latin phrase "uti nsa im cu si" which some claim can be translated as a warning that the NSA had pwned Truecrypt.

Read the rest

Anti-forensic mobile OS gets your phone to lie for you

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the Cyanogenmod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that "lies" for you so that adversaries who coerce you into letting them take a copy of its data can't find out where you've been, who you've been talking to, or what you've been talking about.

I'm interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc -- all the things that are useful to have in daily use -- but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn't work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don't need to seize your phone in the first place.

Read the rest

Whistleblower org says it will go to jail rather than turning over its keys


The Project on Government Oversight (POGO) has told the Obama administration that its leaders will go to jail rather than respond to an extrajudicial administrative subpoena seeking the identity of whistleblowers who disclosed corruption in the Veterans' Administration.

Read the rest

How can you trust your browser?


Tim Bray's Trusting Browser Code explores the political and technical problems with trusting your browser, especially when you're using it to do sensitive things like encrypt and decrypt your email. In an ideal world, you wouldn't have to trust Google or any other "intermediary" service to resist warrants forcing it to turn over your sensitive communications, because it would be technically impossible for anyone to peek into the mail without your permission. But as Bray points out, the complexity and relative opacity of Javascript makes this kind of surety difficult to attain.

Bray misses a crucial political problem, though: the DMCA. Under US law (and similar laws all over the world), telling people about vulnerabilities in DRM is illegal, meaning that a bug in your browser that makes your email vulnerable to spying might be illegal to report, and will thus potentially never be fixed. Now that the World Wide Web Consortium and all the major browser vendors (even including Mozilla) have capitulated on adding DRM to the Web, this is the most significant political problem in the world of trusting your browser.

Read the rest

Time-capsule crypto to help journalists protect their sources


Jonathan Zittrain writes, "I published an op-ed in the Boston Globe today musing on the prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions -- such as the passage of time -- are met. I could see libraries and archives offering such technology as part of accepting papers and manuscripts, especially in the wake of the "Belfast Project" situation, where a library promised confidentiality for accounts of the Troubles in North Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely."

I'm less enthusiastic about this than Jonathan is. I think calibrating the strength of your time-capsule is very hard. If the NSA might be an order of magnitude faster than the rest of us at brute-force cryptanalysis, that means you need to make your 10-year capsule strong enough to last for 100 years just to be on the safe side. Same goes for proof-of-work.

Read the rest

Encrypt like a boss with the Email Self-Defense Guide


Libby writes, "Today the Free Software Foundation is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder. We're releasing it as part of Reset the Net, a global day of action to push back against the surveillance-industrial complex. The guide will get you encrypting your emails in under 30 minutes, and takes you all the way through sending and receiving your first encrypted email."

Email Self-Defense - a guide to fighting surveillance with GnuPG (Thanks, Libby!)

Today is the day we Reset the Net

Today is the day we Reset the Net! It’s been one year since the Edward Snowden disclosures hit the news and the whole world woke up to the scale of mass, indiscriminate Internet surveillance — a spying campaign that was only possible because our own tools leak our private information in great gouts. Reset the Net provides you with a technical, political, and social toolkit to harden our Internet against the spies; and Boing Boing is proud to be playing a role.

Read the rest