Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman. From a report: Mr. Barr's appeal was an escalation of an ongoing fight between the Justice Department and Apple pitting personal privacy against public safety. "This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence," Mr. Barr said, calling on Apple and other technology companies to find a solution and complaining that Apple has provided no "substantive assistance."

Apple has given investigators materials from the iCloud account of the gunman, Second Lt. Mohammed Saeed Alshamrani, a member of the Saudi air force training with the American military, who killed three sailors and wounded eight others on Dec. 6. But the company has refused to help the F.B.I. open the phones themselves, which would undermine its claims that its phones are secure.

b-dayyy shared this overview from the Linux Security site: Strong encryption is imperative to securing sensitive data and protecting individuals' privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies... This fear of strong, unbroken encryption is not only unfounded -- it is dangerous. Encryption with built-in backdoors which provide special access for select groups not only has the potential to be abused by law enforcement and government agencies by allowing them to eavesdrop on potentially any digital conversation, it could also be easily exploited by threat actors and criminals.

U.S. Attorney General William Barr and U.S. senators are currently pushing for legislation that would force technology companies to build backdoors into their products, but technology companies are fighting back full force. Apple and Facebook have spoken out against the introduction of encryption backdoors, warning that it would introduce massive security and privacy threats and would serve as an incentive for users to choose devices from overseas. Apple's user privacy manager Erik Neuenschwander states, "We've been unable to identify any way to create a backdoor that would work only for the good guys." Facebook has taken a more defiant stance on the issue, adamantly saying that it would not provide access to encrypted messages in Facebook and WhatsApp.

Senator Lindsey Graham has responded to this resistance authoritatively, advising the technology giants to "get on with it", and stating that the Senate will ultimately "impose its will" on privacy advocates and technologists. However, Graham's statement appears unrealistic, and several lawmakers have indicated that Congress won't make much progress on this front in 2020...

Encryption is an essential component of digital security that should be embraced, not feared. In any scenario, unencrypted data is subject to prying eyes. Strong, unbroken encryption is vital in protecting privacy and securing data both in transit and in storage, and backdoors would leave sensitive data vulnerable to tampering and theft.

Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules. From a report: In an open letter to India's IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet. The Indian government proposed a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes.

The originally proposed rules say that intermediaries -- which the government defines as those services that facilitate communication between two or more users and have five million or more users in India -- will have to proactively monitor and filter their users' content and be able to trace the originator of questionable content to avoid assuming full liability for their users' actions. "By tying intermediaries' protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures," the experts wrote in the letter, coordinated by the Internet Society

An anonymous reader quotes a report from The New York Times: The encryption debate between Apple and the F.B.I. might have found its new test case. The F.B.I. said on Tuesday that it had asked Apple for the data on two iPhones that belonged to the gunman in the shooting last month at a naval base in Pensacola, Fla., possibly setting up another showdown over law enforcement's access to smartphones. Dana Boente, the F.B.I.'s general counsel, said in a letter to Apple that federal investigators could not gain access to the iPhones because they were locked and encrypted and their owner, Second Lt. Mohammed Saeed Alshamrani of the Saudi Royal Air Force, is dead. The F.B.I. has a search warrant for the devices and is seeking Apple's assistance executing it, the people said.

Apple said in a statement that it had given the F.B.I. all the data "in our possession" related to the Pensacola case when it was asked a month ago. "We will continue to support them with the data we have available," the company said. Apple regularly complies with court orders to turn over information it has on its servers, such as iCloud data, but it has long argued that it does not have access to material stored only on a locked, encrypted iPhone. Before sending the letter, the F.B.I. checked with other government agencies and its national security allies to see if they had a way into the devices -- but they did not, according to one of the people familiar with the investigation. "The official said the F.B.I. was not asking Apple to create a so-called backdoor or technological solution to get past its encryption that must be shared with the government," the report adds. "Instead, the government is seeking the data that is on the two phones, the official said."

"Apple has argued in the past that obtaining such data would require it to build a backdoor, which it said would set a dangerous precedent for user privacy and cybersecurity." Apple did not comment on the request.

Lucas123 writes: There is a growing movement among fintech companies, banks, healthcare services, universities and others toward disintermediating the control of online user identities in favor of supporting end-user controlled decentralized digital wallets based on P2P blockchain. Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without intervening administrative authorities. The wallets would carry encryption keys provided by third parties and could be used to digitally sign transactions or provide access to verifying information, everything from bank-issued credit lines to diplomas -- all of which are controlled by the user through public key infrastructure (PKI). The blockchain ledger and PKI technology is hidden behind user-friendly mobile applications. Currently, there are more proof-of-concept projects than production systems involving a small number of organizations. The pilots, being trialed in government, financial services, insurance, healthcare, energy and manufacturing, don't yet amount to an entire ecosystem, but they will grow over the next few years, according to Gartner.

Encrypted email provider ProtonMail has officially launched its new calendar in public beta. The move is part of the Swiss company's broader push to offer privacy-focused alternatives to Google's key products. From a report: ProtonMail has been talking about its plans to launch an encrypted calendar for a while. But starting from today, all ProtonMail users on a paid plan will be able to access ProtonCalendar, and it will be opened to everyone when it exits beta in 2020. "Our goal is to create and make widely accessible online products [that] serve users instead of exploiting them," said ProtonMail CEO Andy Yen. ProtonMail hasn't set out to reinvent the wheel in terms of the features and format of ProtonCalendar. It sports a clean interface with views by month and day, color-coded event types, and so on. It is also tied to a user's ProtonMail email account.

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor mans VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional passing option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].

The Internet Storm Center is offering some data to show how this can be done.
Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."

Visa has issued a statement warning consumers that cybercriminals are actively exploiting a weakness in gas station point-of-sale (POS) networks to steal credit card data. Engadget reports: The company's fraud disruption teams are investigating several incidents in which a hacking group known as Fin8 defrauded fuel dispenser merchants. In each case, the attackers gained access to the POS networks via malicious emails and other unknown means. They then installed POS scraping software that exploited the lack of security with old-school mag stripe cards that lack a PIN code.

The hack doesn't appear to affect more secure chip-and-pin cards, but not all consumers have those, so service stations often work with mag stripe readers, too. The data is apparently sent in an unencrypted form to the vendor's main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems aren't firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached. There's not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it's transferred or use a chip-and-PIN policy.

Security researchers are accusing Apple of abusing the Digital Millennium Copyright Act (DMCA) to take down a viral tweet and several Reddit posts that discuss techniques and tools to hack iPhones. Lorenzo Franceschi-Bicchierai, reporting for Vice: On Sunday, a security researcher who focuses on iOS and goes by the name Siguza posted a tweet containing what appears to be an encryption key that could be used to reverse engineer the Secure Enclave Processor, the part of the iPhone that handles data encryption and stores other sensitive data. Two days later, a law firm that has worked for Apple in the past sent a DMCA Takedown Notice to Twitter, asking for the tweet to be removed. The company complied, and the tweet became unavailable until today, when it reappeared. In a tweet, Siguza said that the DMCA claim was "retracted." Apple confirmed that it sent the original DMCA takedown request, and later asked Twitter to put the Tweet back online.

At the same time, Reddit received several DMCA takedown requests for posts on r/jailbreak, a popular subreddit where iPhone security researchers and hackers discuss techniques to jailbreak Apple devices, according to the subreddit's moderators. "Admins have not reached out to us in regards to these removals. We have no idea who is submitting these copyright claims," one moderator wrote.

Google is rolling out Chrome 79, and it includes a number of password protection improvements. The Verge reports: The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web.

You can control this new functionality in the sync settings in Chrome, and Google is using strongly hashed and encrypted copies of passwords to match them using multiple layers of encryption. This allows Google to securely match passwords using a technique called private set intersection with blinding. Alongside password warnings, Google is also improving its phishing protection with a real-time option. Google has been using a list of phishing sites that updates every 30 minutes, but the company found that fraudsters have been quickly switching domains or hiding from Google's crawlers. This new real-time protection should generate warnings for 30 percent more cases of phishing.

An anonymous reader quotes a report from ZDNet: Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs. Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave. They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software. Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available here. Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack [by allowing users to disable the energy management interface at the source of the attack, if not needed]. Proof-of-concept code for reproducing attacks will be released on GitHub.

Facebook said it would not weaken end-to-end encryption across its messaging apps, despite pressure from world governments, in a letter to US Attorney General Bill Barr and UK and Australian leaders. From a report: The letter, sent Monday, came in response to an October open letter from Barr, UK Home Secretary Priti Patel, Australian Minister for Home Affairs Peter Dutton, and then-acting US homeland security secretary Kevin McAleenan, which raised concerns that Facebook's continued implementation of end-to-end encryption on its WhatsApp and Messenger apps would prevent law enforcement agencies from finding illegal activity such as child sexual exploitation, terrorism, and election meddling. The US, UK, and Australian governments asked the social networking company to design a backdoor in its encryption protocols, or a separate way for law enforcement to gain access to user content. "It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it," wrote WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky in Facebook's response. "People's private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do."

From a report: Keybase started off as co-founder and developer Max Krohn's "hobby project" -- a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was cofounder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreesen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way. But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantry -- raising a chorus of complaints in Keybase's open chat channel. It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Keybase's leadership is promising to do something to fix the spam problem -- or at least make it easier to report and block abusers. In a blog post, Krohn and Coynes wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly." But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

Russian President Vladimir Putin on Monday signed legislation requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software. Reuters reports: The law, which will come into force on July 1 next year, has been met with resistance by some electronics retailers, who say the legislation was adopted without consulting them. The law has been presented as a way to help Russian IT firms compete with foreign companies and spare consumers from having to download software upon purchasing a new device. The country's mobile phone market is dominated by foreign companies including Apple, Samsung and Huawei. The legislation signed by Putin said the government would come up with a list of Russian applications that would need to be installed on the different devices.

Paul Sawers, writing for VentureBeat: WhatsApp launched out of beta 10 years ago this month, and the messaging behemoth is now a completely different beast from the one that quietly arrived for iPhone users way back in November 2009. After Facebook shelled out around $20 billion to acquire the app in 2014, WhatsApp introduced voice calls, video calls, group calls, web and desktop apps, end-to-end encryption, and fingperprint unlocking. All the while, Facebook has been figuring out how to monetize its gargantuan acquisition by targeting businesses. However, there remains one glaring chink in WhatsApp's otherwise expansive armor -- namely, the lack of simultaneous multi-device support. Things could be about to change, however.

Given that WhatsApp is tethered to a user's mobile number and all messages are stored locally on devices, rather than on remote servers, syncing and accessing WhatsApp across devices poses something of a challenge. WhatsApp Web allows users to message from their desktop computer, but by essentially mirroring their mobile device -- one can't work without the other. Moreover, WhatsApp Web lacks many of the features of the mobile app, such as voice and video calling. Achieving true multi-device support -- without compromising security -- would be a big game changer for WhatsApp.

Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. From a report: The hardcoded encryption key was found inside the FortiOS for FortiGate firewalls and the FortiClient endpoint protection software (antivirus) for Mac and Windows. These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services. The hardcoded keys were used to encrypt user traffic for the FortiGuard Web Filter feature, FortiGuard AntiSpam feature, and FortiGuard AntiVirus feature. A threat actor in a position to observe a user or a company's traffic would have been able to take the hardcoded encryption keys and decrypt this weakly encrypted data stream.

"Be Smart. Shop Safe," warns Mozilla's annual buyer's guide for secure connected products. Based on their conversations with developers and dozens of privacy experts, they've awarded smiley faces with different expressions to rate products from "Not Creepy" up to "Super Creepy".

"While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures..." notes the editor of Mozilla's Internet Health Report. "Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it's worrying that more are not upfront about the privacy and security of their products."

Or, as The Next Web writes, "god bless Mozilla for having our lazy backs." And, well, if you're a user of any Ring cameras⦠we're sorry. Basically, there are five things that every product must do:

- Have automatic security updates, so they're protected against the newest threats

- Use encryption, meaning bad actors can't just snoop on your data

- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible

- Require users to change the default password (if applicable), because that makes devices far harder to access

- Privacy policies -- ones that relate to the product specifically, and aren't just generic

Doesn't seem too much to ask right...? Well, of the 76 devices Mozilla selected, 60 of them passed this test... And what devices didn't meet the criteria?

There were nine of them overall (including the Artie 3000 Coding Robot and the Wemo Wifi Smart Dimmer), but the real loser in this test is the Amazon-owned Ring. Three of the company's products (which is effectively all of their major devices) didn't meet Mozilla's criteria. Yes, that's right, the Ring Video Doorbell, Ring Indoor Cam, and Ring Security Cam all didn't meet minimum standards for security.... The main reasons for not meeting this criteria is due Ring's history with poor encryption policies, and vulnerability management.
To be fair, Nest Cam's Indoor and Outdoor Security Cameras and Google Home also fell into the "Very Creepy" category -- and so did Amazon's Echo smart speakers. (The Amazon Echo Show even made it into Mozilla's highest "Super Creepy" category, where the only other product was Facebook Portal.) But at least the Nest Hello Video doorbell only appears in Mozilla's "Somewhat Creepy" category.

"Just because something on your wishlist this year connects to the internet, doesn't mean you have to compromise on privacy and security..." warns the editor of Mozilla's Internet Health Report. And in addition, "Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal." Going forward, they suggest that we push for better privacy regulations -- and that whenever we rate products on performance and price, we should also rate them on their privacy and security.

But in the meantime, as Mozilla explained on Twitter, "Friends don't let friends buy creepy gifts."

Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.

An anonymous reader quotes a report from the Associated Press: Uber will allow passengers and drivers in Brazil and Mexico to record audio of their rides as it attempts to improve its safety record and image, and eventually it hopes to launch the feature into other markets including the United States. The ride-hailing company plans to pilot the feature in cities in both countries in December, although it has no timeline for possible expansion in the US and other markets.

The feature will allow customers to opt into recording all or select trips. Recordings will be stored on the rider or driver's phone and encrypted to protect privacy, and users will not be able to listen to them. They can later share a recording with Uber, which will have an encryption key, if they want to report a problem. Whether the recording feature will deter violent behavior to help riders and drivers is unknown. But Uber stands to benefit because the recordings could help the company mitigate losses and rein in liability for incidents that flare up between drivers and passengers.

New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.