A finance industry group is pushing an intentionally broken cryptography "standard" called ETS

ETS was originally called "Enterprise TLS," implying that it was an "enterprise-grade" version of TLS, the system used to secure internet sessions (if you visit a URL that starts with "https://", it's being protected with TLS). Read the rest

Huawei president Ren Zhengfei: We won't spy on US even if Chinese law requires us to, what backdoors?

In his first U.S. TV interview, Ren Zhengfei describes Huawei as “a tomato” crushed between two superpowers.

A deep dive into the technical feasibility of Bloomberg's controversial "Chinese backdoored servers" story

Last October, Bloomberg published what seemed to be the tech story of the year: a claim that Supermicro, the leading supplier of servers to clients from the Pentagon and Congress to Amazon, Apple and NASA, had been targeted by Chinese spies who'd inserted devastating, virtually undetectable hardware backdoors into their motherboards by subverting a small subcontractor in China. Read the rest

A year later, giant Chinese security camera company's products are still a security dumpster-fire

A year ago, Chinese white-label CCTV/DVR vendor Xiongmai announced a recall and security update for its devices, whose weak security meant that they had been conscripted into a massive, unstoppable botnet. Read the rest

Tweaks made to Android OS are causing massive security holes

Last month, I used up a good chunk of text talking about how much I’ve come to enjoy using Android-powered smartphones. Unfortunately, a story I ran across over at Wired has convinced me that, at least for the time being, spending significantly more time with my iPhone 6 Plus might be a good idea.

According to the report, for many Android users, it’s not necessary to download an altered .APK file from a shady torrenting website or click an email link that’ll fill your handset up with malware in order to compromise your smartphone’s security. Twenty-five different Android smartphone models, made by well-known manufacturers and available across North America, have been found to be full of security flaws and other exploitable nightmares baked into them. The most frustrating part of it all: none of the exploits detailed in the story would be there if the manufacturers had their shit together

From Wired:

The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn’t have to be there.

Instead, they’re a byproduct of an open Android operating system that lets third-party companies modify code to their own liking. There’s nothing inherently wrong with that; it allows for differentiation, which gives people more choice. Google will release a vanilla version of Android Pie this fall, but it’ll eventually come in all kinds of flavors.

Those modifications lead to headaches, though, including the well-established problem of delays in shipping security updates.

Read the rest

Even if governments backdoor crypto, they still won't be able to spy on terrorists

In a paper published by the International Association for Cryptologic Research, a group of Harvard and MIT cryptographers demonstrate that even if the government were to backdoor encryption and lock up anyone who used non-backdoored systems, people could still hide undetectable, secure, private messages within the messages sent over the compromised systems. Read the rest

New Consumers Union report catalogs the potential collateral damage from the crypto wars

In a new white paper, Consumers Union (publishers of Consumer Reports) looks at the "consumer stake in the encryption debate": they note that governments want to ban working cryptography so that cops can spy on crooks, but the reprt does an excellent job enumerating all the applications for crypto beyond mere person to person communications privacy. Read the rest

Germany's proposed anti-cryptography bill: backdoors and hack-backs

This week, German authorities will introduce a law that will allow law enforcement agencies to order companies to insert back doors into their products to assist in law enforcement queries; the law is backed by Thomas de Maizière, Germany's Interior Minister. Read the rest

Australian police seek the right to install malware on home devices during "emergencies"

The Queensland Police have asked the Australian Parliament to give them the right to covertly install malicious software on your home devices in order to conduct mass surveillance during times of "national emergency" Read the rest

Germany mulls sweeping surveillance bill, crypto backdoors and fingerprinting kids

Germany's interior ministry has announced sweeping new surveillance powers ahead of the coming national election, which would include the right to infect residents' computers with malware in order to spy on their encrypted communications (shades of the illegal Bundestrojaner program), ordering tech companies to deliberately introduce defects into their cryptography, and fingerprinting children as young as 6. Read the rest

UK Tories say they'll exploit Manchester's dead to ban working crypto in the UK

One of UK Prime Minister Theresa May's government ministers told a reporter from The Sun that the government is planning on invoking the "Technical Capabilities Orders" section of the Snoopers Charter, a 2016 domestic spying bill; the "orders" allow the government to demand that companies cease using working cryptography in their products and services, substituting it with deliberately defective code that can be broken. Read the rest

Whatsapp: Facebook's ability to decrypt messages is a "limitation," not a "defect"

Facebook spokespeople and cryptographers say that Facebook's decision to implement Open Whisper Systems' end-to-end cryptographic messaging protocol in such a way as to allow Facebook to decrypt them later without the user's knowledge reflects a "limitation" -- a compromise that allows users to continue conversations as they move from device to device -- and not a "defect." Read the rest

A critical flaw (possibly a deliberate backdoor) allows for decryption of Whatsapp messages -- UPDATED

Update: Be sure to read the followup discussion, which explains Facebook's point of view, that this is a deliberate compromise, and not a defect, that makes the app more usable for a wide variety of users, while putting them to little additional risk (namely, that Facebook might change its mind; or be forced to spy on its users; or suffer a security breach or internal rogue employee).

When Facebook implemented Open Whisper Systems' end-to-end encrypted messaging protocol for Whatsapp, they introduced a critical flaw that exposes more than a billion users to stealthy decryption of their private messages: in Facebook's implementation, the company can force Whatsapp installations to silently generate new cryptographic keys (without any way for the user to know about this unless a deep settings checkbox had been ticked), which gives the company the ability to decrypt user messages, including messages that have already been sent in the past.. Read the rest

Thailand's military-appointed Assembly unanimously passes an internet law combining the world's worst laws

On Dec 15, an amendment to Thailand's 2007 Computer Crime Act passed its National Legislative Assembly -- a body appointed by the country's military after the 2014 coup -- unanimously, and in 180 days, the country will have a new internet law that represents a grab bag of the worst provisions of the worst internet laws in the world, bits of the UK's Snooper's Charter, America's Computer Fraud and Abuse Act, and the dregs of many other failed laws. Read the rest

Free audiobook of Car Wars, my self-driving car/crypto back-door apocalypse story

Last month, Melbourne's Deakin University published Car Wars, a short story I wrote to inspire thinking and discussion about the engineering ethics questions in self-driving car design, moving beyond the trite and largely irrelevant trolley problem. Read the rest

Trump's policies on net neutrality, free speech, press freedom, surveillance, encryption and cybersecurity

Three posts from the Electronic Frontier Foundation dispassionately recount the on-the-record policies of Trump and his advisors on issues that matter to a free, fair and open internet: net neutrality; surveillance, encryption and cybersecurity; free speech and freedom of the press. Read the rest

Bruce Schneier's four-year plan for the Trump years

1. Fight the fights (against more government and commercial surveillance; backdoors, government hacking); 2. Prepare for those fights (push companies to delete those logs; remind everyone that security and privacy can peacefully co-exist); 3. Lay the groundword for a better future (figure out non-surveillance internet business models, privacy-respecting law enforcement, and limits on corporate surveillance); 4. Continue to solve the actual problems (cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections). Read the rest

More posts