An anonymous reader quotes a report from MacRumors: The macOS Sonoma update that is in testing allows Mac owners who opt to use Google Chrome, Microsoft Edge, or another browser to use Apple's Password Manager for filling passwords. Developers and public beta testers running macOS Sonoma can use their iCloud Keychain passwords with non-Safari browsers at this time, autofilling passwords and one-time codes. Third-party browsers can also save new passwords.

Apple has made an iCloud Passwords Chrome extension available for macOS Sonoma users, and it can be downloaded and installed to access Apple passwords on the Chrome browser or any Chromium-based browser. Apple plans to release a similar extension for the Microsoft Edge browser in the near future. Google and other browser developers are also working on implementing support for Passkeys, the password alternative that Apple introduced last year.

An anonymous reader quotes a report from the Washington Post: If you're printing something on actual paper, there's a good chance it's important, like a tax form or a job contract. But popular printing products and services won't promise not to read it. In fact, they won't even promise not to share it with outside marketing firms. The spread of digital file-sharing -- along with obnoxious business practices by printing manufacturers -- has pushed many U.S. households to give up at-home printers and rely on nearby printing services instead. At the same time, major printer manufacturers have adopted mobile apps and cloud-based storage, creating new opportunities to collect personal data from customers. Whether you're walking to the corner store or sending your files to the cloud, it's tough to figure out whether you're printing in private.

Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information they're collecting and why. Some services, like the New York Public Library and PrintWithMe, do both. Others dodged our questions about what data they collect, how long they store it and whom they share it with. Some -- including Canon, FedEx and Staples -- declined to answer basic questions about their privacy practices. Wondering whether your printer app or printing service stores the content of your documents? Here's The Washington Post Help Desk's at-a-glance guide to printer privacy. Here's a summary of each company's privacy policy as it pertains to storing the content of your files:

HP: HP's privacy policy states that it does not store the content of files when using their printers or HP Smart app, providing reassurance that they do not invade privacy by snooping into print jobs.
Canon: Canon's privacy policy indicates that it can collect personal data, including files and content, which may be used for marketing purposes. However, Canon did not disclose whether they store, use, or share the content of printed documents.
FedEx: FedEx's privacy policy states that it collects user-uploaded information, including the contents of documents uploaded for printing services, leaving room for potential advertising or sharing with third parties. Although FedEx prioritizes customer privacy, it did not specify the extent of encryption or whether document content is included.
UPS: While the UPS Store, a subsidiary of UPS, can store the contents of printed documents, it does not use this information for marketing or advertising without user consent. The storage duration is undisclosed, but UPS honors customer requests for data deletion.
Staples: According to Staples' privacy policy, the company can store personal data such as copy/print materials, driver's license numbers, passport numbers, and mail contents. They may also use copy/print materials for advertising. The duration of data storage is not disclosed.
PrintWithMe: PrintWithMe, a company placing printers in shared spaces, temporarily stores printed documents with a third-party cloud provider for 24 hours. CEO Jonathan Treble assures that the data is never used for advertising.
Your local library: The New York Public Library, one of the largest library systems, does not store the contents of printed documents. Their computers only retain file names and delete them at the end of the day. However, privacy policies may vary among different libraries, so it is advisable to inquire beforehand.

An anonymous reader shares a report: If you have any interest in retro-computing, you know it can be difficult to round up the last official bug fixes and updates available for early Internet-era versions of Windows like 95, 98, and NT 4.0. A new independent project called "Windows Update Restored" is aiming to fix that, hosting lightly modified versions of old Windows Update sites and the update files themselves so that fresh installs of these old operating systems can grab years' worth of fixes that aren't present on old install CDs and disks. These old versions of Windows relied primarily on a Windows Update web app to function rather than built-in updaters like the ones used in current Windows versions. Microsoft took down the version of the site that could scan and update Windows 95 and 98 sometime in mid-2011. The Windows Update Restored site is a lightly modified version of Microsoft's original code, and the site itself doesn't use any kind of SSL or TLS encryption, so ancient Internet Explorer versions can still access it without modification. You'll need at least Internet Explorer 5 to access the Windows Update Restored update sites; that browser is no longer available directly from Microsoft, but the Windows Update Restored site offers download links to IE5 and IE5.5 in all supported languages.

An anonymous reader quotes a report from TechCrunch: Nearly 70 IT security and privacy academics have added to the clamor of alarm over the damage the U.K.'s Online Safety Bill could wreak to, er, online safety unless it's amended to ensure it does not undermine strong encryption. Writing in an open letter (PDF), 68 U.K.-affiliated security and privacy researchers have warned the draft legislation poses a stark risk to essential security technologies that are routinely used to keep digital communications safe.

"As independent information security and cryptography researchers, we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill," the academics warn, echoing concerns already expressed by end-to-end encrypted comms services such as WhatsApp, Signal and Element -- which have said they would opt to withdraw services from the market or be blocked by U.K. authorities rather than compromise the level of security provided to their users. [...] "We understand that this is a critical time for the Online Safety Bill, as it is being discussed in the House of Lords before being returned to the Commons this summer," they write. "In brief, our concern is that surveillance technologies are deployed in the spirit of providing online safety. This act undermines privacy guarantees and, indeed, safety online."

The academics, who hold professorships and other positions at universities around the country -- including a number of Russell Group research-intensive institutions such as King's College and Imperial College in London, Oxford and Cambridge, Edinburgh, Sheffield and Manchester to name a few -- say their aim with the letter is to highlight "alarming misunderstandings and misconceptions around the Online Safety Bill and its interaction with the privacy and security technologies that our daily online interactions and communication rely on." "There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties," the experts warn, adding: "The history of 'no one but us' cryptographic backdoors is a history of failures, from the Clipper chip to DualEC. All technological solutions being put forward share that they give a third party access to private speech, messages and images under some criteria defined by that third party."

Last week, Apple publicly voiced its opposition to the bill. The company said in a statement: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

Apple has criticised powers in the UK's Online Safety Bill that could be used to force encrypted messaging tools like iMessage, WhatsApp and Signal to scan messages for child abuse material. From a report: Its intervention comes as 80 organisations and tech experts have written to Technology Minister Chloe Smith urging a rethink on the powers. Apple told the BBC the bill should be amended to protect encryption. End-to-end encryption (E2EE) stops anyone but the sender and recipient reading the message. Police, the government and some high-profile child protection charities maintain the tech -- used in apps such as WhatsApp and Apple's iMessage -- prevents law enforcement and the firms themselves from identifying the sharing of child sexual abuse material.

But in a statement Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. "Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

Investigations triggered by the cracking of encrypted phones three years ago have so far led to more than 6,500 arrests worldwide and the seizure of hundreds of tons of drugs, French, Dutch and European Union prosecutors said Tuesday. From a report: The announcement underscored the staggering scale of criminality -- mainly drugs and arms smuggling and money laundering -- that was uncovered as a result of police and prosecutors effectively listening in to criminals using encrypted EncroChat phones. "It helped to prevent violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime," European Union police and judicial cooperation agencies Europol and Eurojust said in a statement.

The French and Dutch investigation gained access to more than 115 million encrypted communications between some 60,000 criminals via servers in the northern French town of Roubaix, prosecutors said at a news conference in the nearby city of Lille. As a result, 6,558 suspects have been arrested worldwide, including 197 "high-value targets." Seized drugs included 30.5 million pills, 103.5 metric tons (114 tons) of cocaine, 163.4 metric tons (180 tons) of cannabis and 3.3 metric tons (3.6 tons) of heroin. The investigations also led to nearly 740 million euros ($809 million) in cash being recovered and assets or bank accounts worth another 154 million euros ($168 million) frozen.

Privacy-focused firm DuckDuckGo has released a public beta of its browser for Windows, offering more default privacy protections and an assortment of Duck-made browsing tools. From a report: Like its Mac browser, DuckDuckGo (DDG) uses "the underlying operating system rendering API" rather than its own forked browser code. That's "a Windows WebView2 call that utilizes the Blink rendering engine underneath," according to DuckDuckGo's blog post. Fittingly, the browser reports itself as Microsoft Edge at most header-scanning sites. Inside the DuckDuckGo browser, you'll find:

1. Duck Player, which shows (most) YouTube videos "without privacy-invading ads" and doesn't feed your recommendations
2. Tracker blocking that DDG cites as "above and beyond" other browsers, including third-party tracker loading
3. Enforced encryption
4. The "fire button" that instantly closes all tabs and clears website data
5. Cookie pop-up management, automatically selecting a private option and hiding "I accept" pop-ups
6. Email protection, making it easier to use an auto-forwarding duck.com address on web forms

America's Federal Trade Commission is soliciting public comments on the business practices of cloud computing providers, trying to understand security risks and competitive dynamics. (Questions include "To what extent are particular segments of the economy reliant on a small handful of cloud service providers and what are the data security impacts of this reliance?") They've already received dozens of comments (including one from Red Hat).

But there's also three questions about open-source software:


"To what extent do cloud providers offer products based on open-source software?"

- "What is the impact of such offerings on competition?"

- "How have recent changes to the terms of open-source licenses affected cloud providers' ability to offer products based on open-source software?"


This has drawn a response from the Free Software Foundation — and they're urging others to join in. "Since it isn't every day that the FTC solicits public comments on subjects in which the free software community is so well-versed, let's take this opportunity to submit comments that support digital sovereignty." The hope is to persuade policy makers to make software freedom and privacy a central part of any future considerations made in the areas of storage, computation, and services. Such comments will be made part of the public record, so any participation promises to have a lasting impact...

[W]e have prepared the following points for consideration:


- When considering rules and regulations in technology that stand to protect people's fundamental civil liberties, it is important to start from the question, "does this decision improve digital sovereignty or diminish it?"

- In the case of computing, (e.g. word processing, spreadsheet, and graphic design programs), the typical options diminish digital sovereignty because the computations are being run on another computer under someone else's control, inaccessible to the end user, who therefore does not have the essential freedoms to share, modify, and study the computations (i.e. the program). The only real solution to this is to offer free "as in freedom" replacements of those programs, so that end users may maintain control over their computing.

- In the case of storage, today's typical options diminish digital sovereignty because many storage providers only provide unencrypted options for storage. It is imperative that individuals and businesses who choose third-party storage always have the choice to encrypt their storage, and the encryption keys must be entirely within the control of the end user, not the third-party provider.

- In the case of services (such as email, teleconferencing, and videoconferencing), while the source code that runs services need not necessarily be made public, end users deserve to be able to access such services via a free software client. In such cases, it is imperative that service providers implement a design of interoperability, so that end users may use the service with any choice of client.

- Free software allows end users to inspect the software for possible security flaws, while proprietary software does not. Therefore free software is the only realistic option for an end user to achieve verifiable security...


Unfortunately, the FTC's website requires nonfree JavaScript (reCAPTCHA, specifically) to comment on a document, and the FTC has declined repeated requests for instructions for how to submit comments by paper form.

If you're not in the habit of avoiding nonfree JavaScript for the sake of your freedom, which we recommend, you can also leave comments on the FTC's website. While you're there, let webmaster@ftc.gov know about the injustice of proprietary JavaScript and encourage them to respect the freedom of their users...

The deadline to submit is June 21, which is just enough time to publish something meaningful on the topic in support of free software.

New submitter ole_timer shares a report from Wired: TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans -- and the US government -- increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West. In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called "Entity List," a vaguely named trade restrictions list that highlights companies "acting contrary to the foreign policy interests of the United States." Specifically, the bureau noted that Hualan had been added to the list for "acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army."

Yet nearly two years later, Hualan -- and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016 -- still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too. The disconnect between the Commerce Department's warnings and Western government customers means that chips sold by Hualan's subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor's Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China's government to stealthily decrypt Western agencies' secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.

"If a company is on the Entity List with a specific warning like this one, it's because the US government says this company is actively supporting another country's military development," says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. "It's saying you should not be purchasing from them, not just because the money you're spending is going to a company that will use those proceeds in the furtherance of another country's military objectives, but because you can't trust the product." [...] The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. "At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments," he says. "It seems very significant. And it's probably not a one-off mistake."

Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password. Tom's Hardware reports: Before we go further, it is worth pointing out that CyberCX's BIOS password bypass demonstration was done on several Lenovo laptops that it had retired from service. The blog shows that the easily reproducible bypass is viable on the Lenovo ThinkPad L440 (launched Q4 2013) and the Lenovo ThinkPad X230 (launched Q3 2012). Other laptop and desktop models and brands that have a separate EEPROM chip where passwords are stored may be similarly vulnerable. [...] From reading various documentation and research articles, CyberCX knew that it needed to follow the following process on its BIOS-locked Lenovo laptops: Locate the correct EEPROM chip; Locate the SCL and SDA pins; and Short the SCL and SDA pins at the right time.

Checking likely looking chips on the mainboard and looking up series numbers eventually lead to being able to target the correct EEPROM. In the case of the ThinkPad L440, the chip is marked L08-1 X (this may not always be the case). An embedded video in the CyberCX blog post shows just how easy this 'hack' is to do. Shorting the L08-1 X chip pins requires something as simple as a screwdriver tip being held between two of the chip legs. Then, once you enter the BIOS, you should find that all configuration options are open to be changed. There is said to be some timing needed, but the timing isn't so tight, so there is some latitude. You can watch the video for a bit of 'technique.'

CyberCX includes some quite in-depth analysis of how its BIOS hack works and explains that you can't just short the EEPROM chips straight away as you turn the machine on (hence the need for timing). Some readers may be wondering about their own laptops or BIOS-locked machines they have seen on eBay and so on. CyberCX says that some modern machines with the BIOS and EEPROM packages in one Surface Mount Device (SMD) would be more difficult to hack in this way, requiring an "off-chip attack." The cyber security firm also says that some motherboard and system makers do indeed already use an integrated SMD. Those particularly worried about their data, rather than their system, should implement "full disk encryption [to] prevent an attacker from obtaining data from the laptop's drive," says the security outfit.

An anonymous reader quotes a report from Ars Technica: Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on. The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm. [...]

On Tuesday, academic researchers unveiled new research demonstrating attacks that provide a novel way to exploit these types of side channels. The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader -- or of an attached peripheral device -- during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs. Power LEDs are designed to indicate when a device is turned on. They typically cast a blue or violet light that varies in brightness and color depending on the power consumption of the device they are connected to.

There are limitations to both attacks that make them unfeasible in many (but not all) real-world scenarios (more on that later). Despite this, the published research is groundbreaking because it provides an entirely new way to facilitate side-channel attacks. Not only that, but the new method removes the biggest barrier holding back previously existing methods from exploiting side channels: the need to have instruments such as an oscilloscope, electric probes, or other objects touching or being in proximity to the device being attacked. In Minerva's case, the device hosting the smart card reader had to be compromised for researchers to collect precise-enough measurements. Hertzbleed, by contrast, didn't rely on a compromised device but instead took 18 days of constant interaction with the vulnerable device to recover the private SIKE key. To attack many other side channels, such as the one in the World War II encrypted teletype terminal, attackers must have specialized and often expensive instruments attached or near the targeted device. The video-based attacks presented on Tuesday reduce or completely eliminate such requirements. All that's required to steal the private key stored on the smart card is an Internet-connected surveillance camera that can be as far as 62 feet away from the targeted reader. The side-channel attack on the Samsung Galaxy handset can be performed by an iPhone 13 camera that's already present in the same room. Videos here and here show the video-capture process of a smart card reader and a Samsung Galaxy phone, respectively, as they perform cryptographic operations. "To the naked eye, the captured video looks unremarkable," adds Ars.

"But by analyzing the video frames for different RGB values in the green channel, an attacker can identify the start and finish of a cryptographic operation."

An anonymous reader quotes a report from The Register: The world got a first glimpse into the US government's far-reaching surveillance of American citizens' communications -- namely, their Verizon telephone calls -- 10 years ago this week when Edward Snowden's initial leaks hit the press. [...] In the decade since then, "reformers have made real progress advancing the bipartisan notion that Americans' liberty and security are not mutually exclusive," [US Senator Ron Wyden (D-OR)] said. "That has delivered tangible results: in 2015 Congress ended bulk collection of Americans' phone records by passing the USA Freedom Act." This bill sought to end the daily snooping into American's phone calls by forcing telcos to collect the records and make the Feds apply for the information.

That same month, a federal appeals court unanimously ruled that the NSA's phone-records surveillance program was unlawful. The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union sued to end the secret phone spying program, which had been approved by the Foreign Intelligence Surveillance Court, just days after Snowden disclosed its existence. "Once it was pushed out into open court, and the court was able to hear from two sides and not just one, the court held that the program was illegal," Ben Wizner, director of the ACLU Speech, Privacy and Technology project, told The Register. The Freedom Act also required the federal government to declassify and release "significant" opinions of the Foreign Intelligence Surveillance Court (FISC), and authorized the appointment of independent amici -- friends of the court intended to provide an outside perspective. The FISC was established in 1978 under the FISA -- the legislative instrument that allows warrantless snooping. And prior to the Freedom Act, this top-secret court only heard the government's perspective on things, like why the FBI and NSA should be allowed to scoop up private communications.

"To its credit, the government has engaged in reforms, and there's more transparency now that, on the one hand, has helped build back some trust that was lost, but also has made it easier to shine a light on surveillance misconduct that has happened since then," Jake Laperruque, deputy director of the Center for Democracy and Technology's Security and Surveillance Project, told The Register. Wyden also pointed to the sunsetting of the "deeply flawed surveillance law," Section 215 of the Patriot Act, as another win for privacy and civil liberties. That law expired in March 2020 after Congress did not reauthorize it. "For years, the government relied on Section 215 of the USA Patriot Act to conduct a dragnet surveillance program that collected billions of phone records (Call Detail Records or CDR) documenting who a person called and for how long they called them -- more than enough information for analysts to infer very personal details about a person, including who they have relationships with, and the private nature of those relationships," Electronic Frontier Foundation's Matthew Guariglia, Cindy Cohn and Andrew Crocker said. James Clapper, the former US Director of National Intelligence, "stated publicly that the Snowden disclosures accelerated by seven years the adoption of commercial encryption," Wizner said. "At the individual level, and at the corporate level, we are more secure."

"And at the corporate level, what the Snowden revelations taught big tech was that even as the government was knocking on the front door, with legal orders to turn over customer data, it was breaking in the backdoor," Wizner added. "Government was hacking those companies, finding the few points in their global networks where data passed unencrypted, and siphoning it off." "If you ask the government -- if you caught them in a room, and they were talking off the record -- they would say the biggest impact for us from the Snowden disclosures is that it made big tech companies less cooperative," he continued. "I regard that as a feature, not a bug."

The real issue that the Snowden leaks revealed is that America's "ordinary system of checks and balances doesn't work very well for secret national security programs," Wizner said. "Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."

A new report has revealed that a government agency in the US, namely the Drug Enforcement Agency (DEA), is allegedly using a spyware called Paragon Graphite that shares similarities with the notorious Pegasus spyware. From a report: Pegasus was sold off to the government and other law firms. Moreover, we saw the firm making plenty of purchases through the likes of hackers. The software tends to give in to exploitation that can be achieved through zero clicks, all thanks to the great skill of hackers. Moreover, such software can produce its target without any interaction. [...] New reports by the Financial Times stated how the American Government makes use of this technology as it can pierce all sorts of protections linked to modern-day smart devices. Similarly, it can evade various forms of encryption for messaging applications such as WhatsApp and harvest data thanks to the likes of cloud backups. And yes, it's very similar to its counterpart Pegasus in this ordeal.

For now, the DEA is awfully hushed on the matter and not releasing any more comments on this situation. But it did reveal how its agency ended up purchasing Graphite to be used by agencies in Mexico so they could curb the drug cartel situation. "According to four [industry figures], the US Drug Enforcement and Administration Agency is among the top customers for Paragon's signature product nicknamed Graphite," reports the Financial Times. "The malware surreptitiously pierces the protections of modern smartphones and evades the encryption of messaging apps like Signal or WhatsApp, sometimes harvesting the data from cloud backups -- much like Pegasus does."

The report adds: "Congressman Adam Schiff, the chair of the House Intelligence Committee, wrote to the DEA in December asking for more details on the purchase. Mexico is among the worst abusers of NO's Pegasus which it bought nearly a decade ago.

Schiff wrote: "such use [of spyware] could have potential implications for US national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them."

An anonymous reader quotes a report from Wired: Spain has advocated banning encryption for hundreds of millions of people within the European Union, according to a leaked document obtained by WIRED that reveals strong support among EU member states for proposals to scan private messages for illegal content. The document, a European Council survey of member countries' views on encryption regulation, offered officials' behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe. The proposed law would require tech companies to scan their platforms, including users' private messages, to find illegal material. However, the proposal from Ylva Johansson, the EU commissioner in charge of home affairs, has drawn ire from cryptographers, technologists, and privacy advocates for its potential impact on end-to-end encryption.

For years, EU states have debated whether end-to-end encrypted communication platforms, such as WhatsApp and Signal, should be protected as a way for Europeans to exercise a fundamental right to privacy -- or weakened to keep criminals from being able to communicate outside the reach of law enforcement. Experts who reviewed the document at WIRED's request say it provides important insight into which EU countries plan to support a proposal that threatens to reshape encryption and the future of online privacy. Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain's position emerging as the most extreme. "Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document. The source of the document declined to comment and requested anonymity because they were not authorized to share it.

In its response, Spain said it is "imperative that we have access to the data" and suggests that it should be possible for encrypted communications to be decrypted. Spain's interior minister, Fernando Grande-Marlaska, has been outspoken about what he considers the threat posted by encryption. When reached for comment about the leaked document, Daniel Campos de Diego, a spokesperson for Spain's Ministry of Interior, says the country's position on this matter is widely known and has been publicly disseminated on several occasions. Edging close to Spain, Poland advocated in the leaked document for mechanisms through which encryption could be lifted by court order and for parents to have the power to decrypt children's communications. Several other countries say they would give law enforcement access to people's encrypted messages and communications. "Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge," says Ella Jakubowska, a senior policy advisor at European Digital Rights (EDRI) who reviewed the document. "They are seeing this law is going far beyond what DG home is claiming that it's there for."

A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said. From a report: "It's kind of like a doomsday scenario where it's very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication," Alex Matrosov, CEO, head of research, and founder of security firm Binarly, said in an interview. "It's very hard to solve, and I don't think MSI has any backup solution to actually block the leaked keys."

The intrusion came to light in April when, as first reported by Bleeping Computer, the extortion portal of the Money Message ransomware group listed MSI as a new victim and published screenshots purporting to show folders containing private encryption keys, source code, and other data. A day later, MSI issued a terse advisory saying that it had "suffered a cyberattack on part of its information systems." The advisory urged customers to get updates from the MSI website only. It made no mention of leaked keys. Since then, Matrosov has analyzed data that was released on the Money Message site on the dark web. To his alarm, included in the trove were two private encryption keys. The first is the signing key that digitally signs MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor. This raises the possibility that the leaked key could push out updates that would infect a computer's most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn't have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn't provide the same kind of key revocation capabilities.

An anonymous reader quotes a report from The Guardian: An EU plan under which all WhatsApp, iMessage and Snapchat accounts could be screened for child abuse content has hit a significant obstacle after internal legal advice said it would probably be annulled by the courts for breaching users' rights. Under the proposed "chat controls" regulation, any encrypted service provider could be forced to survey billions of messages, videos and photos for "identifiers" of certain types of content where it was suspected a service was being used to disseminate harmful material. The providers issued with a so-called "detection order" by national bodies would have to alert police if they found evidence of suspected harmful content being shared or the grooming of children.

Privacy campaigners and the service providers have already warned that the proposed EU regulation and a similar online safety bill in the UK risk end-to-end encryption services such as WhatsApp disappearing from Europe. Now leaked internal EU legal advice, which was presented to diplomats from the bloc's member states on 27 April and has been seen by the Guardian, raises significant doubts about the lawfulness of the regulation unveiled by the European Commission in May last year. The legal service of the council of the EU, the decision-making body led by national ministers, has advised the proposed regulation poses a "particularly serious limitation to the rights to privacy and personal data" and that there is a "serious risk" of it falling foul of a judicial review on multiple grounds.

The EU lawyers write that the draft regulation "would require the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution." The legal service goes on to warn that the European court of justice has previously judged the screening of communications metadata is "proportionate only for the purpose of safeguarding national security" and therefore "it is rather unlikely that similar screening of content of communications for the purpose of combating crime of child sexual abuse would be found proportionate, let alone with regard to the conduct not constituting criminal offenses." The lawyers conclude the proposed regulation is at "serious risk of exceeding the limits of what is appropriate and necessary in order to meet the legitimate objectives pursued, and therefore of failing to comply with the principle of proportionality". The legal service is also concerned about the introduction of age verification technology and processes to popular encrypted services. "The lawyers write that this would necessarily involve the mass profiling of users, or the biometric analysis of the user's face or voice, or alternatively the use of a digital certification system they note 'would necessarily add another layer of interference with the rights and freedoms of the users,'" reports the Guardian.

"Despite the advice, it is understood that 10 EU member states -- Belgium, Bulgaria, Cyprus, Hungary, Ireland, Italy, Latvia, Lithuania, Romania and Spain -- back continuing with the regulation without amendment."

Perhaps woken by news of its next premier first-party title already looking really impressive on emulators, Nintendo has moved to take down key tools for emulating and unlocking Switch consoles, including one that lets Switch owners grab keys from their own device. From a report: Simon Aarons maintained a forked repository of Lockpick, a tool (along with Lockpick_RCM) that grabbed the encryption keys from a Nintendo Switch and allowed it to run officially licensed games. Aarons tweeted on Thursday night that Nintendo had issued DMCA takedown requests to GitHub, asking Lockpick, Lockpick_RCM, and nearly 80 forks and derivations to be taken down under section 1201 of the Digital Millennium Copyright Act, which largely makes illegal the circumvention of technological protection measures that safeguard copyrighted material.

Nintendo's takedown request (RTF file) notes that the Switch contains "multiple technological protection measures" that allow the Switch to play only "legitimate Nintendo video game files." Lockpick tools, combined with a modified Switch, let users grab the cryptographic keys from their own Switch and use them on "systems without Nintendo's Console TPMs" to play "pirated versions of Nintendo's copyright-protected game software." GitHub typically allows repositories with DMCA strikes filed against them to remain open while their maintainers argue their case. Still, it was an effective move. Seeing Nintendo's move on Lockpick, a popular Switch emulator on Android, Skyline, called it quits over the weekend, at least as a public-facing tool you can easily download to your phone. In a Discord post (since removed, along with the Discord itself), developer "Mark" wrote that "the risks associated with a potential legal case are too high for us to ignore, and we cannot continue knowing that we may be in violation of copyright law."

Google will remove the familiar lock icon that allows users to check a website's Transport Layer Security status for the connection, citing research that only a few users correctly understood its precise meaning. From a report: The lock icon has been displayed by web browsers since the 1990s, indicating that the connection to web sites is secured and authenticated with encryption. However, Google said its 2021 research showed that only 11 percent of participants in a study correctly understood the meaning of the lock icon. This, Google argued, is not harmless since most phishing sites also use the hyper text transfer protocol secure extension (HTTPS) and also display the lock icon. Ergo, a lock icon is not in actual fact an indicator of a site's security. [...] Starting with Chrome version 117, Google will introduce a new "tune" icon, which does not imply a site is trustworthy, and is more obviously clickable. The "tune" icon is more commonly associated with settings and other control, and Google said a more neutral indicator like that prevents the misunderstanding around site security that the lock icon is causing.

After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."

An anonymous reader quotes a report from ZDNet, written by Steven Vaughan-Nichols: The latest Linux kernel is out with a slew of new features -- and, for once, this release has been nice and easy. [...] Speaking of Rust, everyone's favorite memory-safe language, the new kernel comes with user-mode Linux support for Rust code. Miguel Ojeda, the Linux kernel developer, who's led the efforts to bring Rust to Linux, said the additions mean we're, "getting closer to a point where the first Rust modules can be upstreamed."

Other features in the Linux 6.3 kernel include support and enablement for upcoming and yet-to-be-released Intel and AMD CPUs and graphics hardware. While these updates will primarily benefit future hardware, several changes in this release directly impact today's users' day-to-day experience. The kernel now supports AMD's automatic Indirect Branch Restricted Speculation (IBRS) feature for Spectre mitigation, providing a less performance-intensive alternative to the retpoline speculative execution.

Linux 6.3 also includes new power management drivers for ARM and RISC-V architectures. RISC-V has gained support for accelerated string functions via the Zbb bit manipulation extension, while ARM received support for scalable matrix extension 2 instructions. For filesystems, Linux 6.3 brings AES-SHA2-based encryption support for NFS, optimizations for EXT4 direct I/O performance, low-latency decompression for EROFS, and a faster Brtfs file-system driver. Bottom line: many file operations will be a bit more secure and faster.

For gamers, the new kernel provides a native Steam Deck controller interface in HID. It also includes compatibility for the Logitech G923 Xbox edition racing wheel and improvements to the 8BitDo Pro 2 wired game controllers. Who says you can't game on Linux? Single-board computers, such as BannaPi R3, BPI-M2 Pro, and Orange Pi R1 Plus, also benefit from updated drivers in this release. There's also support for more Wi-Fi adapters and chipsets. These include: Realtek RTL8188EU Wi-Fi adapter support; Qualcomm Wi-Fi 7 wireless chipset support; and Ethernet support for NVIDIA BlueField 3 DPU. For users dealing with complex networks that have both old-school and modern networks, the new kernel can also handle multi-path TCP handling mixed flows with IPv4 and IPv6. Linux 6.3 is available from kernel.org. You can learn how to compile the Linux kernel yourself here.