Someone in control of an email address long associated with Encrochat, a company that sells custom encrypted phones often used by organized criminals, tells Motherboard the company is shutting down after a law enforcement hacking operation against its customers. From a report: The news comes as law enforcement agencies have arrested multiple criminal users of Encrochat across Europe in what appears to be a large scale, coordinated operation against the phone network and its users. "We have been forced to make the difficult decision to shut down our service and our business permanently," the person wrote in an email to Motherboard. "This [sic] following several attacks carried out by a foreign organization that seems to originate in the UK." The email address has been linked to Encrochat for years, but Motherboard could not confirm the identity of the person currently using the account. Motherboard also separately obtained screenshots of text messages sent over the past week of alleged Encrochat users discussing a wave of arrests associated with the Encrochat takeover. Encrochat is part of the encrypted phone industry, which sells devices pre-loaded with private messaging apps, sometimes have the GPS or camera functionality physically removed, and can be remotely wiped by the user.

After Motherboard discovered multiple servers on Discord containing pirated porn, the chat platform removed them and banned the owners of each. From a report: "Discord prohibits the sale, dissemination, and promotion of cracked accounts," a spokesperson told Motherboard. "We ban users and shut down servers that are responsible for this behavior. In cases of copyrighted material, we respond promptly to DMCA takedown requests and take the appropriate action." The bans are permanent, and the owners can no longer access their accounts for any purpose. Former members of those servers can no longer access those servers, either.

During Motherboard's reporting, Google removed an OnlyFans scraping Chrome extension when approached for comment. Stolen content is a problem that has plagued the adult industry for as long as porn has existed on the internet. Several owners of premium platforms similar to OnlyFans urged the industry to do better in how it safeguards content, by protecting models from theft using more advanced fingerprinting, watermarking, copyright takedown support, and technology that could prevent scrapers from using these tools to begin with.

Weeks after Zoom said it will offer end-to-end encryption to only paying customers -- a move that was received poorly by several privacy and security advocates, the popular video calling software said on Wednesday it is making some amendments: We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE (end-to-end encryption) as an advanced add-on feature for all of our users around the globe -- free and paid -- while maintaining the ability to prevent and fight abuse on our platform. To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools -- including our Report a User function -- we can continue to prevent and fight abuse.

Mozilla, Electronic Frontier Foundation (EFF), and more than 19,000 internet users today urged Zoom CEO Eric Yuan to reverse his decision to deny end-to-end encryption to users of its free service end-to-end encryption, saying it puts activists and other marginalized groups at risk. Earlier this month, Zoom announced it will offer end-to-end encryption, but only to those who pay. From a statement: The pressure to reverse the decision comes as racial justice activists are using tools like Zoom to organize protests. Without end-to-end encryption, information shared in their online meetings could be intercepted -- a concern that has been legitimized by both recent actions by law enforcement and a long-term history of discriminatory policing. Mozilla and EFF today are presenting an open letter to Yuan, co-signed by 19,000 people, maintaining that privacy and best-in-class security should be the default, not something that only the wealthy or businesses can afford.

Postbank, the banking division of South Africa's Post Office, has lost more than $3.2 million from fraudulent transactions and will now have to replace more than 12 million cards for its customers after employees printed and then stole its master key. ZDNet reports: The Sunday Times of South Africa, the local news outlet that broke the story, said the incident took place in December 2018 when someone printed the bank's master key on a piece of paper at its old data center in the city of Pretoria. The bank suspects that employees are behind the breach, the news publication said, citing an internal security audit they obtained from a source in the bank.

The master key is a 36-digit code (encryption key) that allows its holder to decrypt the bank's operations and even access and modify banking systems. It is also used to generate keys for customer cards. The internal report said that between March and December 2019, the rogue employees used the master key to access accounts and make more than 25,000 fraudulent transactions, stealing more than $3.2 million (56 million rand) from customer balances. Following the discovery of the breach, Postbank will now have to replace all customer cards that have been generated with the master key, an operation the bank suspects it would cost it more than one billion rands (~$58 million). This includes replacing normal payment cards, but also cards for receiving government social benefits. Sunday Times said that roughly eight to ten million of the cards are for receiving social grants, and these were where most of the fraudulent operations had taken place.

In 1999, Ray Kurzweil made predictions about what the world would be like 20 years in the future. Last month the community blog LessWrong took a look at how accurate Kurzweil's predictions turned out to be: This was a follow up to a previous assessment about his predictions about 2009, which showed a mixed bag, roughly evenly divided between right and wrong, which I'd found pretty good for 10-year predictions... For the 2019 predictions, I divided them into 105 separate statements, did a call for volunteers [and] got 46 volunteers with valid email addresses, of which 34 returned their predictions... Of the 34 assessors, 24 went the whole hog and did all 105 predictions; on average, 91 predictions were assessed by each person, a total of 3078 individual assessments...

Kurzweil's predictions for 2019 were considerably worse than those for 2009, with more than half strongly wrong.
The assessors ultimately categorized just 12% of Kurzweil's predictions as true, with another 12% declared "weakly true," while another 10% were classed as "cannot decide." But 52% were declared "false" -- with another 15% also called "weakly false."

Among Kurzweil's false predictions for the year 2019:

• "Phone" calls routinely include high-resolution three-dimensional images projected through the direct-eye displays and auditory lenses... Thus a person can be fooled as to whether or not another person is physically present or is being projected through electronic communication.

• The all-enveloping tactile environment is now widely available and fully convincing.

"As you can see, Kurzweil suffered a lot from his VR predictions," explains the LessWrong blogpost. "This seems a perennial thing: Hollywood is always convinced that mass 3D is just around the corner; technologists are convinced that VR is imminent."

But the blog post also thanks Kurzweil, "who, unlike most prognosticators, had the guts and the courtesy to write down his predictions and give them a date. I strongly suspect that most people's 1999 predictions about 2019 would have been a lot worse."

And they also took special note of Kurzweil's two most accurate predictions. First, "The existence of the human underclass continues as an issue." And second:

"People attempt to protect their privacy with near-unbreakable encryption technologies, but privacy continues to be a major political and social issue with each individual's practically every move stored in a database somewhere."

"The terms 'allowlist' and 'blocklist' describe their purpose, while the other words use metaphors to describe their purpose," reads a change description on the source code for Android -- from over a year ago. 9to5Mac calls it "a shortened version of Google's (internal-only) explanation" for terminology changes which are now becoming more widespread.

And Thursday GitHub's CEO said they were also "already working on" renaming the default branches of code from "master" to a more neutral term like "main," reports ZDNet: GitHub lending its backing to this movement effectively ensures the term will be removed across millions of projects, and effectively legitimizes the effort to clean up software terminology that started this month.

But, in reality, these efforts started years ago, in 2014, when the Drupal project first moved in to replace "master/slave" terminology with "primary/replica." Drupal's move was followed by the Python programming language, Chromium (the open source browser project at the base of Chrome), Microsoft's Roslyn .NET compiler, and the PostgreSQL and Redis database systems... The PHPUnit library and the Curl file download utility have stated their intention to replace blacklist/whitelist with neutral alternatives. Similarly, the OpenZFS file storage manager has also replaced its master/slave terms used for describing relations between storage environments with suitable replacements. Gabriel Csapo, a software engineer at LinkedIn, said on Twitter this week that he's also in the process of filing requests to update many of Microsoft's internal libraries.
A recent change description for the Go programming language says "There's been plenty of discussion on the usage of these terms in tech. I'm not trying to have yet another debate." It's clear that there are people who are hurt by them and who are made to feel unwelcome by their use due not to technical reasons but to their historical and social context. That's simply enough reason to replace them.

Anyway, allowlist and blocklist are more self-explanatory than whitelist and blacklist, so this change has negative cost.
That change was merged on June 9th -- but 9to5Mac reports it's just one of many places these changes are happening. "The Chrome team is beginning to eliminate even subtle forms of racism by moving away from terms like 'blacklist' and 'whitelist.' Google's Android team is now implementing a similar effort to replace the words 'blacklist' and 'whitelist.'" And ZDNet reports more open source projects are working on changing the name of their default Git repo from "master" to alternatives like main, default, primary, root, or another, including the OpenSSL encryption software library, automation software Ansible, Microsoft's PowerShell scripting language, the P5.js JavaScript library, and many others.

An anonymous reader quotes a report from Politico: On Sunday, researchers at the Massachusetts Institute of Technology and the University of Michigan revealed numerous security flaws in the product that West Virginia and Delaware are using, saying it "represents a severe risk to election security and could allow attackers to alter election results without detection." In fact, it may be a decade or more before the U.S. can safely entrust the internet with the selection of its lawmakers and presidents, according to some experts. Still, a handful of states are pushing ahead, with the encouragement of one politically connected tech entrepreneur -- and the tempting logic of the question, "If we can bank online, why can't we vote the same way?" These are the problems with that logic:

1) Elections are different. Lots of people bank, shop and socialize online -- putting their money and personal details at potential risk of theft or other exploitation. But elections are unique for two reasons: They are anonymous and irreversible. Aside from party caucuses and conventions, virtually all U.S. elections use secret ballots and polling places designed for privacy. That protects people from being blackmailed or bribed to vote a certain way -- but it also means that, barring an advance in the technology, voters have no way to verify that their ballots were correctly counted or challenge the results. That's far different from a consumer's ability to contest a fraudulent credit card purchase, which depends on their financial institution linking their activity to their identity.

2) The internet is a dangerous place. Even if it were possible to require electronic ballots to travel through servers only in the U.S., no method exists to ensure security at every server along the way. It would be like trusting FedEx to deliver a package that had to pass through warehouses with unlocked doors, open windows and no security cameras. The most effective way to protect data along these digital paths is "end-to-end" encryption [...] Researchers have not figured out how to use end-to-end encryption in internet voting.

3) People's devices may already be compromised. It's hard enough to protect a ballot as it transits the internet, but what really keeps experts up at night is the thought of average Americans using their computers or phones to cast that ballot in the first place. Internet-connected devices are riddled with malware, nefarious code that can silently manipulate its host machine for myriad purposes. [...] Importantly, election officials cannot peer into their voters' devices and definitively sweep them for malware. And without a secure device, end-to-end encryption is useless, because malware could just subvert the encryption process.

4) Hackers have lots of potential targets. What could an attacker do? "There are literally hundreds of different threats," said Joe Kiniry, chief scientist of the election tech firm Free & Fair. Among the options: Attacking the ballot; Attacking the election website; Tampering with ballots in transit; Bogging down the election with bad data; and/or The insider threat involving a "bad" employee tampering with an election from the inside.

5) Audits have faulted the major internet voting vendors' security. Virtually every audit of an internet voting system has revealed serious, widespread security vulnerabilities, although the ease with which a hacker could exploit them varies.

6) Internet voting advocates disagree. Election officials who embrace internet voting deny the risks are as serious as the experts say.

7) What it would take to make internet voting secure. Secure internet voting depends on two major advances: technology that allows voters' computers and phones to demonstrate that they are malware-free, and end-to-end encryption to protect ballots in transit. [...] Solving these problems would require expensive, long-term collaboration between virtually every big-name hardware- and software-maker, Kiniry said. Note: Each point listed above has been abbreviated for brevity. You can read the full article here.

A group of U.S. lawmakers preparing to fight a legislative attack on encrypted communications is trying to establish what happened when encryption was subverted at a Silicon Valley maker of networking gear. From a report: Democrat Ron Wyden, who sits on the Senate Intelligence Committee, said the 2015 incident at Sunnyvale-based Juniper Networks could shed light on the risks of compromised encryption before an expected hearing on the proposed legislation. The EARN IT Act could penalize companies that offer security that law enforcement can't easily penetrate. "Attorney General (William) Barr is demanding that companies like Facebook weaken their encryption to allow the Department of Justice to monitor users' conversations," Wyden told Reuters. ""Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans' personal data, as well as government and corporate systems." In a letter to Juniper Chief Executive Rami Rahim sent late Tuesday, Wyden, Republican Senator Mike Lee of the Judiciary Committee, and the chairmen of the House Judiciary and Homeland Security committees asked what had happened to an investigation Juniper announced after it found "unauthorized code" inside its widely used NetScreen security software in 2015.

New submitter IBMResearch shares a report from ZDNet: IBM's new toolkit aims to give developers easier access to fully homomorphic encryption (FHE), a nascent technology with significant promise for a number of security use cases. "Today, files are often encrypted in transit and at rest but decrypted while in use, creating a security vulnerability," reports ZDNet. "This often compels organizations to make trade-offs and go through long vetting processes in order to ensure they can keep their valuable data protected while still gaining some value out of it. FHE aims to resolve that issue."

"While the technology holds great potential, it does require a significant shift in the security paradigm," the report adds. "Typically, inside the business logic of an application, data remains decrypted, [Flavio Bergamaschi, FHE pioneer and IBM Researcher] explained. But with the implementation of FHE, that's no longer the case -- meaning some functions and operations will change."

The toolkit is available today in GitHub for MacOS and iOS, and it will soon be available for Linux and Android.

Earlier this week video conferencing service Zoom said it will not offer its forthcoming, complete version of end-to-end encryption to its free users so that it can work better with law enforcement to curb abuse on the platform. Matthew Green, who teaches cryptography at Johns Hopkins, looks at the broader implication of this move: Obviously I don't think you should have to pay for E2E encryption. The thing that's really concerning me is that there's a strong push from the US and other governments to block the deployment of new E2E encryption. You can see this in William Barr's "open letter to Facebook." But this is part of an older trend. Law enforcement and intelligence agencies can't get Congress to ban E2E, so they're using all the non-legislative tools they have to try to stop it. And, it turns out, this works. Not against the big entrenched providers who have already deployed E2E. But against the new upstarts who want to use crypto to solve trust problems.

And the Federal government has an enormous amount of power. Power over tools like Section 230. Power to create headaches for people. But even without Congressional assistance, the executive branch has vast power to make procurement and certification decisions. So if you're a firm that wants to deploy E2E to your customers, even if there's a pressing need, you face the specter of going to war with an immensely powerful government that has very strong negative feelings about broad access to encryption. And this is a huge problem. Because some companies have infrastructure all over the world. Some companies carry incredibly valuable and sensitive corporate data (even at their "free" tiers) and there are people who want that data. Encryption is an amazing tool to protect it. The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. "Communications security" isn't something that only activists and eggheads care about. Now for companies that are exposed to this corrupt dynamic, there's an instinct to try to bargain. Split the baby in half. Deploy E2E encryption, but only maybe a little of it. E2E for some users, like paying customers and businesses, but not for everyone. And there's some logic to this position.

The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon. But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users into the dragon's mouth feels even worse. But the real takeaway, and why I hope maybe this issue will matter to you, is that if the Federal government is able to intimidate one company into compromising your security. Then what's going to happen to the next company? And the next? Once the precedent is set that E2E encryption is too "dangerous" to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it's going to be hard to put it back. Anyway, this might be an interesting academic debate if we were in normal times. But we're not. Anyone who looks at the state of our government and law enforcement systems -- and feels safe with them reading all our messages -- is living in a very different world than I am.

AndroidPolice: Dropbox just unceremoniously dumped a brand new app on the Play Store with no fanfare or formal announcement. The new Dropbox Passwords app, according to its listing, is a password manager available exclusively in an invite-only private beta for some Dropbox customers. Based on screenshots and description, the app seems pretty barebones -- or "minimal," depending on your tastes. Dropbox seems to intentionally avoid calling it a "password manager," though its functionality otherwise appears about the same as other solutions. Like other password managers, Dropbox Password can generate passwords for new accounts as required and sync them remotely so you can access all your passwords on multiple devices. It also uses zero-knowledge encryption to store those passwords remotely.

If you're a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you're out of luck. From a report: Free calls won't be encrypted, and law enforcement will be able to access your information in case of 'misuse' of the platform. Zoom CEO Eric Yuan today said that the video conferencing app's upcoming end-to-end encryption feature will be available to only paid users.

"Zoom plans to strengthen the encryption of its service for paying customers," reports Newsweek, "but the upgrade will not be available to users of its free service." Zoom security consultant Alex Stamos later confirmed the details of the reported move in an interview with Reuters, which first reported the changes on Friday. But he also told the news outlet that Zoom's plans could still change. "The CEO is looking at different arguments," Stamos said.

"The current plan is paid customers plus enterprise accounts where the company knows who they are." In the wake of privacy concerns, he added that Zoom was making significant efforts to upgrade safety and trust on its platform. In an emailed statement to Newsweek, a Zoom spokesperson said: "Zoom's approach to end-to-end encryption is very much a work in progress — everything from our draft cryptographic design, which was just published last week, to our continued discussions around which customers it would apply to." The tech company's plans to boost the encryption of video calls on its platform have been revealed a month after it was reported that half a million Zoom account credentials were being sold on the Dark Web.
Zoom's increased usage during lockdowns brought increase scrutiny, reports CNET, which "revealed several Zoom security problems and the fact that an earlier Zoom boast of end-to-end encryption was baseless."

Last week, Kotaku reported on a new project, called Insignia, "that aims to recreate the original Xbox Live service, potentially restoring online play to many dozens of classic Xbox games that fell offline when the original Xbox Live service closed on April 15, 2010." From the report: The project's announcement on the r/originalxbox subreddit came from SoullessSentinel, a screen name of one Luke Usher. Usher is well known in the vintage Xbox community as the lead developer of Cxbx-Reloaded, arguably the most advanced PC-based emulator of the 2001 Xbox hardware. (Microsoft's classic console has proven notoriously tricky to emulate over the years.)

As a demonstration of Insignia's progress, Usher shared a video depicting the creation of a new Xbox Live account via the Xbox's system UI. It's a cool trick, as this process has not been technically possible since the online service's April 2010 closure. (In a cheeky touch, the video names the newly created account HiroProtagonist, the Gamertag of Xbox co-creator J Allard.) Insignia will work with normal, unmodded consoles, provided the user can perform a one-time process to retrieve their unit's internal encryption keys. Long-existing Xbox soft-mod techniques, which require physical copies of exploitable games like Splinter Cell or MechAssault but do not necessarily alter the console's hardware or operating system, should suffice for accomplishing this key retrieval. Once that initial setup's completed, Usher envisions a more or less vanilla Xbox Live experience, complete with matchmaking, voice chat, messaging, and almost everything else you might remember. (One exception would come in a lack of proprietary game DLC, which Insignia and its developers lack rights to distribute.) Anti-cheating measures are also in the works, as well as reporting and banning mechanisms for truly bad actors. The project works by using a DNS man-in-the-middle maneuver to redirect all of Xbox Live's original server calls to new addresses that point to Insignia's work-in-progress infrastructure.

"The current plan is for Insignia to be a centralized service run by Usher and associates," reports Kotaku. "He believes keeping it centralized will prevent player populations from diluting across multiple third-party servers, and that it will not be much of a resource burden." "The server," he noted, "is used for authentication, matchmaking, storing friends lists, etc. but actual game traffic is usually P2P between Xboxes, so the requirements for our server are pretty low."

After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning. From a report: Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI -- and no thanks to Apple -- we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of tax-payer dollars" it took to get into devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.

Apple has said it provided investigators with iCloud data it had available for Alshamrani's account but did not provide any assistance bypassing iOS's device encryption. Without that help, authorities spent many weeks trying to break in on their own. Wray chastised Apple for wasting the agency's time and resources to unlock the devices. "Public servants, already swamped with important things to do to protect the American people -- and toiling through a pandemic, with all the risk and hardship that entails -- had to spend all that time just to access evidence we got court-authorized search warrants for months ago," he said.

Samsung and South Korean telecom giant SK Telecom have debuted the Galaxy A Quantum 5G smartphone, sporting a quantum random number generation (RNG) chipset. It's the first commercialization of quantum technology for mobile phones, and it will serve as a significant bellwether for full quantum encryption's chances of going mainstream. Threatpost reports: Quantum encryption in general has been touted as being "unhackable" because it generates random numbers and secure keys that cannot be predicted, via particles that can't be intercepted, eavesdropped upon or spoofed. The very laws of physics themselves prevent successful cracking, the theory goes. However, researchers have proven more than once that this isn't the case -- though hacks so far have required sustained physical access to a device.

In any event, the Samsung phone will provide an interesting test case for the technology -- though details are scant in terms of how the chipset actually works. The Galaxy will use quantum security in a few different scenarios, according to an SK press release (translated with Google Translate). These include logging into carrier accounts on the device; securely storing personal documents via a blockchain-enabled "Quantum Wallet" and for biometric-based mobile payments at retail stores. Online payment protection is also on the roadmap. SK Telecom also plans to roll out open APIs for developers to begin incorporating the technology on an OEM and application basis.

An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. From a report: Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains. The company has faced a number of security issues in the last couple of months as demand as soared and exposed some security weaknesses in the platform. As the company has moved to address these issues, having a team of encryption experts on staff should help the company build a more secure product. In a blog post announcing the deal, CEO Eric Yuan said they acquired Keybase to give customers a higher level of security, something that's increasingly important to enterprise customers as more operations are relying on the platform, working from home during the pandemic.

Christopher Wray, the FBI director who has been one of the fiercest critics of encryption under the Trump administration, previously worked as a lawyer for WhatsApp, where he defended the practice, according to new court filings. From a report: The documents, which were released late on Wednesday night as part of an unrelated matter, show Wray worked for WhatsApp in 2015 while he was an attorney for the Washington law firm of King & Spalding. While there are sparse details about the precise nature of the work, the filings indicate that Wray strongly defended the need for end-to-end encryption in his previous representation of WhatsApp, the popular messaging application owned by Facebook. Wray's earlier work -- which has not previously been public -- contradicts his current position on encryption, which protects users' communications and other data from being read by outsiders. The Trump administration and major technology companies like Facebook have been at odds over the need to offer customers encryption services, with the White House and law enforcement officials arguing the technology represents a security risk by protecting the communication of terrorists and criminals.