Many large-scale data breaches involve attackers gaining access to administrators' database logins; from there, they can clone the whole database and plunder it at will. Now leading NoSQL database vendor MongoDB proposes to add another layer of security it calls "Field Level Encryption", which encrypts the data in database fields with its own key -- possibly a different key for every user or every field. That means attackers would have to compromise a lot of cryptographic keys as well as breaking into a server.
A really bad new law in Australia gives police the right to force companies like Apple to 'backdoor', or create encryption-circumvention alternatives for, all their products. The issue has been controversial in the U.S. for a long time, and spiked in 2016 after the mass shooting in San Bernardino.
Signal is an encrypted messaging app for smartphones and desktops that I and a lot of other folks use on a daily basis to communicate with discretion and security. I like it so much that I've moved away from using other services on my iOS and Android phones to using Signal for all of the texting I do, even with those who don't use the app. Unfortunately, according to The Verge, the Signal team is having a difficult time trying to provide its services to users in the UAE, Egypt and Oman, where the app has been banned by their governments. Considering the fact that these states aren't known for treating political dissidents and minorities well, that's a big deal. For some people, encrypted comms are essential to avoiding incarceration or worse.
The crux of Signal's trouble providing services to users in these countries is that Amazon, whose CloudFront service Signal's parent company, Open Whisper Systems, uses, has banned domain-fronting. Domain-fronting, put simply, is a technique for making traffic bound for one site look like it's bound for another site. In an email received by Open Whisper Systems' founder, Moxie Marlinspike (best damn name in the business), the General Manager of Amazon CloudFront called Open Whisper Systems' domain-fronting out, telling Marlinspike that Amazon would love to have their business, but not if his company refuses to comply with its no-domain-fronting policy.
From the email:
When access to Signal was originally censored in Egypt, Oman, Qatar, and UAE, we responded by domain-fronting through Google App Engine.
In a recent presentation at the Real World Crypto symposium, researchers affiliated with Brown University and a startup called Pixek presented their work developing an app that encrypts photos at the moment they're taken and uploads them in encrypted form to a cloud server, in such a way that the keys remain on the user's device, meaning the service provider can't view the photos.
Earlier this month, UK Home Secretary Amber Rudd idiotically insisted that "real people" don't need encrypted messaging apps; but as foolish a statement as that was, there was a kernel of truth to it.
An article at News From the Lab (PDF) has 30 pages of copy from the support chat of a ransomware app: desperate pleas from victims for their files back, or, failing that, discounts on the unlock fee.
A state judge in the Brazilian state of Sergipe has ordered all mobile phone operators in the country to block the Facebook-owned WhatsApp for 72 hours, nationwide. The country's five telecom providers put the ban into effect today, and it affects about 100 million people. In Brazil, WhatsApp is the most popular messaging app.
There's been an awful lot of talk about “cyber pathogens” and “cyber bombs” lately from the mouths of American officials discussing terrorism, and how we will vanquish it. President Obama mentioned “cyber ops” against Islamic State terrorists in one recent address. Today, we know a little more about what was behind last week's cyber-hawkish hacking headlines.
Federal investigators have discovered major security vulnerabilities in the state health insurance websites for California, Kentucky and Vermont that could allow criminals to access sensitive personal data for hundreds of thousands of people.
The #FBIvsApple legal case may be over, but the fight over security, privacy, and the right to live free of surveillance has just begun. The Justice Department is expected to drop its legal action against Apple, possibly as soon as today, because an 'outside method' to bypass security on the San Bernardino gunman's iPhone has proven successful, a federal law enforcement official said Monday.
In a surprising turn of events, the U.S. government on Monday paused its battle with Apple over an iPhone, and what may be its greater goal of mandating “backdoors” in consumer encryption. On Monday afternoon, the Justice Department told a judge it needs a couple of weeks to try 'new' ways of accessing whatever may be on the device, without Apple's help -- and with an assist from unnamed experts from outside the agency.
"Everywhere they went, the attackers left behind their throwaway phones."
Buried in the New York Times story Mark poked fun at earlier for its Crypto Panic vibe is a confirmation of sorts that there's really no evidence the terrorists used crypto at all. There is lots of evidence they used throwaway burner phones to evade detection while planning mass murder. Again, no evidence of encryption: none, period. This is significant because these attacks, and similar ones that followed, are at the core of an anti-encryption charm offensive by the FBI and Department of Justice, now targeted at Apple's iPhone.
Ars Technica rehashes the details of the NYT piece and then puts it plainly:
Until we have stronger evidence to the contrary, it seems likely that encryption played little or no part in the Paris terrorist attacks.
The government of Iran claims to have obtained “thousands of pages of information” from devices used by the U.S. Navy sailors briefly detained in January.
In response to the FBI's attack on Apple's use of encryption-based security methods, some of the biggest names in technology are reported to be planning an expanded use of encryption for user data that passes through, or is stored on, their products and services.
It took a while, but FBI director Jim Comey got a little bit of the grilling he has earned in the FBI vs. Apple case. Freedom of the Press Foundation's Trevor Timm writes on today's House Judiciary Committee hearings on Capitol Hill, at which both the government and the Cupertino tech giant were represented.
The House Judiciary Committee hearing today, titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy”, ended up being full of drama and riveting moments of confrontation -- along with a cavalcade of inept analogies for encryption and hardware security.