For several years, I've been honored to volunteer on the advisory board of Simply Secure (previously) a nonprofit consultancy that does open research on usability in cryptographic privacy tools and consults with firms to help make their tools more broadly usable and accessible, especially for vulnerable groups who are often left out of consideration when secure tools are being designed. Read the rest

It's been nearly three weeks since the publication of Efail, a critical set of attacks against PGP/GPG-encrypted emails that was so hard to mitigate that EFF's recommendation was to stop using it for mail altogether until a solution could be worked out. Read the rest

The revelation that encrypted email is vulnerable to a variety of devastating attacks (collectively known as "Efail") has set off a round of soul-searching by internet security researchers and other technical people -- can we save email? Read the rest

I have a lot of respect for ex-Microsoft Chief Software Architect Ray Ozzie, but when I saw that he'd taken to promoting a Clipper-Chip-style key escrow system, I was disheartened -- I'm a pretty keen observer of these proposals and have spent a lot of time having their problems explained to me by some of the world's leading cryptographers, and this one seemed like it had the same problems as all of those dead letters. Read the rest

The U.S. Senate today confirmed President Donald Trump’s selection to lead the National Security Agency and U.S. Cyber Command. Paul Nakasone will replace Mike Rogers, who is retiring. Read the rest

It's 2018, five years after Edward Snowden's documents revealed the scope of US and allied mass surveillance; after a string of revelations about creepy private-sector cyber-arms-dealers who sell spying tools to stalkers, criminals, and autocratic governments, Google has proposed "Chat," a new Android standard for instant messaging with no encryption and hence zero protection against snooping. Read the rest

Ben Cartwright-Cox observed that he could modulate the bass frequencies in electronic dance music/dubstep in a way that was easy to detect with a signal processor and inaudible to his unaided ears, so he wrote some code to hide messages in the wubwubwub. Read the rest

It's been a year since someone hacked all 156 of Dallas's emergency tornado sirens, setting them off in the middle of the night, and the security picture for cities' emergency PA systems keeps getting uglier. Read the rest

Marketing companies frequently "anonymize" their dossiers on internet users using hashes of their email addresses -- rather than the email addresses themselves -- as identifiers in databases that are stored indefinitely, traded, sold, and leaked. Read the rest

In a paper published by the International Association for Cryptologic Research, a group of Harvard and MIT cryptographers demonstrate that even if the government were to backdoor encryption and lock up anyone who used non-backdoored systems, people could still hide undetectable, secure, private messages within the messages sent over the compromised systems. Read the rest

Cloudflare, a company with a history of resisting surveillance and censorship orders (albeit imperfectly and sometimes with undesirable consequences) has announced a new DNS service, hosted at the easy-to-remember address of 1.1.1.1, which accepts connections under the still-novel DNS-over-HTTPS protocol, and which has privacy designed in, with all logs written only to RAM (never to disk) and flushed every 24 hours. Read the rest

The Electronic Frontier Foundation is running an excellent series on the potential and pitfalls of secure messaging app -- this is very timely given the ramping up of state surveillance and identity theft, not to mention anyone looking to #DeleteFacebook and transition away from Facebook Messenger. Read the rest

Since 2016, when an FBI agent first used a dead suspect's finger to unlock his phone, police forces across the USA have made a routine practice of unlocking phones using suspects and victims' dead fingers, saving big on buying cyberwar tools like Cellebrite's $1500-$3000 unlocker, or Grayshift's $30k/year Graykey. Read the rest

In An Empirical Analysis of Traceability in the Monero Blockchain, a group of eminent computer scientists analyze a longstanding privacy defect in the Monero cryptocurrency, and reveal a new, subtle flaw, both of which can be used to potentially reveal the details of transactions and identify their parties. Read the rest

Saleem Rashid is a 15 year old self-taught British programmer who discovered a fatal defect in the Ledger Nano S, an offline cryptocurrency wallet that is marketed as being "tamper-proof." Read the rest

The epidemic of cryptojacking malware isn't merely an outgrowth of the incentive created by the cryptocurrency bubble -- that's just the motive, and the all-important the means and opportunity were provided by the same leaked NSA superweapon that powered last year's Wannacry ransomware epidemic. Read the rest

"Idea-instructions" bills itself as "An ongoing series of nonverbal algorithm assembly instructions", with a half-dozen illustrations of popular computer science concepts covered to date; the latest covers Public-Key Crypto, one of the most important and elusive concepts from modern crypto. Read the rest