Why do encryption tools suck?


Mailvelope is a browser extension that is described as the easiest way for mere mortals to send PGP-encrypted messages. Researchers at Brigham Young University brought in a group of people unfamiliar with Mailvelope and observed them try to install it and use it to send an encrypted email. Almost everyone was unable to do it. The researchers concluded that "modern PGP tools are still unusable for the masses."

From the study:

In our study of 20 participants, grouped into 10 pairs of participants who attempted to exchange encrypted email, only one pair was able to successfully complete the assigned tasks using Mailvelope. All other participants were unable to complete the assigned task in the one hour allotted to the study. This demonstrates that encrypting email with PGP, as implemented in Mailvelope, is still unusable for the masses.


Right to Encrypt is under fire in America. Savecrypto.org is fighting for your crypto rights.


The Intercept just published an amazing article by Jim Bamford yesterday talking about how the NSA exploited a backdoor in Vodafone to spy on Greek politicians and journalists during the 2004 Olympics.

Bamford is an American author and journalist best known for his writing about United States intelligence agencies, and in particular the National Security Agency.

In a meticulous investigation, Bamford reports at the Intercept that the NSA was behind the notorious, legendary “Athens Affair”. After the 2004 Olympics, the Greek government discovered that an unknown attacker had hacked into Vodafone’s “lawful intercept” system, the phone company’s built-in mechanism for wiretapping voice calls. The attacker spied on the phone calls of the prime minister and other Greek politicians and journalists before the intrusion was discovered.

Freedom of the Press Foundation director Trevor Timm wrote for the Guardian about why this is exactly why encryption backdoors are so dangerous.

What are encryption backdoors? For non-technical readers: they are deliberately built-in ways for a government to decrypt your "locked" communications whenever it decides, for whatever secret reason, that it wants to read your private material.

And in related news, rumor has it the White House is nearing a decision on whether to embrace the right to encryption for American citizens, or join the FBI in calling for backdoors.

Dozens of civil liberties groups, including Freedom of the Press Foundation, launched this site and petition today that feeds into the White House petition system: savecrypto.org.

If you care about this issue, right now is the time to take action.

If the FBI has a backdoor to Facebook or Apple encryption, we are less safe

It seems pretty clear the next battle in Congress will almost certainly be over encryption.

A computer researcher haggled with a Russian ransomware criminal


If you accidentally install Troldash (delivered via spam email) on your computer, it will encrypt your hard drive and lock up your files. Troldash then displays an email address for contacting the criminal, who offers to sell you the key to decrypt your drive. Natalia Kolesova, a researcher at the security firm Check Point, intentionally installed Troldash on a test machine and engaged in an email exchange with the scammer to see whether he or she would negotiate the 250 euro ransom.

Posing as a victim named Olga, the researcher contacted the scam artist, and received a reply with instructions to pay 250 euros to get the files back.

Suspecting the reply was automated, Ms Kolesova pressed for a more human response, asking for more details about how to transfer the money and pleading with the hacker not to make her pay.

Responding in Russian, the scammer offered to accept 12,000 roubles, a discount of around 15%. After Ms Kolesova pleaded further, the email response read: "The best I can do is bargain."

Eventually the unknown man or woman was talked into accepting 7,000 roubles - 50% less than the first demand.

"Perhaps if I had continued bargaining, I could have gotten an even bigger discount," Ms Kolesova concluded.


Facebook rolls out new encryption features

The update allows users to post their public email encryption key on their Facebook profile, so others can encrypt future emails to that user.

The Tor challenge: run a Tor node for great justice

EFF, Freedom of the Press Foundation, Free Software Foundation and The Tor Project have launched The Tor Challenge, a campaign to encourage people to run Tor nodes. "Tor is a powerful tool that helps you stay anonymous online. It can protect your privacy as you browse the Internet and circumvent government censorship of the webpages you visit. We need your help to keep Tor strong. Run a Tor relay today." Here's how to get started.

Lavabit founder Levison: decision to close was like 'putting a beloved pet to sleep'

Amy Goodman at Democracy Now interviewed Ladar Levison, founder/owner/operator of Lavabit, the security-focused email service Edward Snowden used to invite attendees to a Moscow press conference; the service was abruptly closed last week with an explanation pointing to US government interference. He joined the show from Washington DC with his lawyer, Jesse Binnall. Goodman asks Levison to explain why he closed the company:

70-year-old wartime cipher uncracked

"A World War Two code found strapped to the leg of a dead pigeon stuck in a chimney for the last 70 years may never be broken, a British intelligence agency said on Friday."

Cartoon explains how world's cutest encrypted chat service works

Cryptocat Adventure! from Nadim Kobeissi on Vimeo.

Sean Bonner shared this cute video for Cryptocat, a web-based service that enables secure, encrypted online chatting and file transfer between two parties.

The creator of Cryptocat, a 22-year-old named Nadim Kobeissi, says Cryptocat has earned him the dreaded "SSSS" mark of suspicion on his boarding passes. From Wired:

When he flies through the US, he’s generally had the notorious “SSSS” printed on his boarding pass, marking him for searches and interrogations — which Kobeissi says have focused on his development of the chat client.

His SSSS’s can mean hours of waiting, and Kobeissi says he has been searched, questioned, had his bags and even his passport taken away and returned later. But he’s kept his sense of humor about the experience, even joking from the airport on his Twitter account.


US doxes Bin Laden (always use encryption, kids)

CNET's Emil Protalinski reports that Osama bin Laden did not encrypt the thousands of files stored in the Pakistani compound where he was killed, and "17 of the 6,000 documents have now been publicly released." (via @ioerror)

Defendant's encrypted laptop yields secrets

After seizing an encrypted laptop from defendant Ramona Fricosu, prosecutors headed into difficult legal waters: could she be forced to unlock it? A judge ordered her to give up the password, raising questions about unreasonable search and seizure and the right not to incriminate oneself. Fricosu's lawyers suggested she had forgotten it, but a showdown was averted: she either turned the password over or investigators obtained it some other way. [Wired]

Prime Suspect, or Random Acts of Keyness

The foundation of Web security rests on the notion that two very large prime numbers (numbers divisible only by themselves and 1), once multiplied together, are computationally infeasible to tease back apart. Researchers have discovered that in some cases a lack of entropy (too little randomness when the primes are selected) undermines this guarantee. By analogy, most buildings on the Web would stand through gale winds and magnitude 10 earthquakes, while others can be pushed over with a finger or a breath. The weakness affects as many as 4 in 1,000 publicly available secured Web servers, but in practice few if any popular Web sites appear to be at risk.

How to encrypt your disks

Seth Schoen at the EFF has a suggestion for an extra New Year's resolution: full-disk encryption on all your computers.