Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Government

Homeland Security Border Agents Can Seize Your Phone (cnn.com) 314

Slashdot reader v3rgEz writes: A Wall Street Journal reporter has shared her experienced of having her phones forcefully taken at the border -- and how the Department of Homeland Security insists that your right to privacy does not exist when re-entering the United States. Indeed, she's not alone: Documents previously released under FOIA show that the DHS has a long-standing policy of warrantless (and even motiveless) seizures at the border, essentially removing any traveler's right to privacy.
"The female officer returned 30 minutes later and said I was free to go," according to the Journal's reporter, adding. "I have no idea why they wanted my phones..."
Blackberry

BlackBerry CEO 'Disturbed' By Apple's Hard Line On Encryption (theinquirer.net) 202

An anonymous reader writes: BlackBerry CEO John Chen said he is "disturbed" by Apple's tough approach to encryption and user privacy, warning that the firm's attitude is harmful to society. Earlier this year, Chen said in response to Apple resisting the government's demands to unlock an iPhone belonging to one of the San Bernardino shooters: "We are indeed in a dark place when companies put their reputations above the greater good." During BlackBerry's Security Summit in New York this week, Chen made several more comments about Apple's stance on encryption. "One of our competitors, we call it 'the other fruit company,' has an attitude that it doesn't matter how much it might hurt society, they're not going to help," he said. "I found that disturbing as a citizen. I think BlackBerry, like any company, should have a basic civil responsibility. If the world is in danger, we should be able to help out." He did say there was a lot of "nonsense" being reported about BlackBerry and its approach to how it handles user information. "Of course, there need to be clear guidelines. The guidelines we've adopted require legal assets. A subpoena for certain data. But if you have the data, you should give it to them," he said. "There's some complete nonsense about what we can and can't do. People are mad at us that we let the government have the data. It's absolute garbage. We can't do that." Chen also warned that mandatory back doors aren't a good idea either, hinting at the impending Investigatory Powers Bill. "There's proposed legislation in the U.S., and I'm sure it will come to the EU, that every vendor needs to provide some form of a back door. That is not going to fly at all. It just isn't," he said.
Facebook

Facebook Messenger Hits 1B Monthly Active Users, Accounts For 10 Percent Of All VoIP Calls (techcrunch.com) 55

Speaking of instant messaging and VoIP call apps, Facebook announced on Wednesday that Facebook Messenger has hit the 1 billion monthly active users milestone. The company adds that Messenger is just more than a text messenger -- in addition to the ambitious bot gamble, a digital assistant, and the ability to send money to friends -- Messenger now accounts for 10 percent of all VoIP calls made globally. Messenger's tremendous growth also underscores Facebook's mammoth capture of the world. The social network is used by more than 1.6 billion people actively every month. WhatsApp, the chat client it owns, is also used by more than one billion people.

TechCrunch has a brilliant story on the growth of Messenger from the scratch.
Microsoft

Skype Finalizes Its Move To the Cloud; To Kill Older Clients -- Remains Tight Lipped About Privacy (arstechnica.com) 74

When it was first created, Skype network was built as a decentralized peer-to-peer system. PCs that had enough processing muscle and bandwidth acted as "supernodes," and coordinated connections between other machines on the network. This p2p system was generally perceived as being relatively private, a belief that has since been debunked. There were several technical challenges, which led Microsoft to move most of Skype's operations to the cloud. Ars Technica is reporting that the company has finalized the switch. From the article: Microsoft has developed a more conventional client-server network, with clients that act as pure clients and dedicated cloud servers. The company is starting to transition to this network exclusively. This transition means that old peer-to-peer Skype clients will cease to work. Clients for the new network will be available for Windows XP and up, OS X Yosemite and up, iOS 8 and up, and Android 4.03 and up. However, certain embedded clients -- in particular, those integrated into smart TVs and available for the PlayStation 3 -- are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them.The issue, as the report points out, is that Microsoft is strangely not talking about privacy and security concerns. The article adds: The Ed Snowden leaks raised substantial questions about the privacy of services such as Skype and have caused an increasing interest in platforms that offer end-to-end encryption. The ability to intercept or wiretap Skype came as a shock to many, especially given Skype's traditionally peer-to-peer infrastructure. Accordingly, we've seen similar services such as iMessage, WhatsApp, and even Facebook Messenger, start introducing end-to-end encryption. The abandonment of Skype's peer-to-peer system can only raise suspicions here.Matthew Green, who teaches cryptography at Johns Hopkins, said: "The surprising thing here is not that Microsoft can intercept Skype calls (duh) but that they won't just admit it."
Bug

Juniper OS Flaw Allowed Forged Certificates (arstechnica.com) 26

Slashdot reader disccomp shares an article from Ars Technica: In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder...

"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."

Data Storage

Encrypted DNA Storage Investigated by DOE Researchers (darkreading.com) 42

Biological engineers at a Department of Energy lab "are experimenting with encrypted DNA storage for archival applications." Slashdot reader ancientribe shares an article from Dark Reading: Using this method, the researchers could theoretically store 2.2 petabytes of information in one gram of DNA. That's 200 times the printed material at the Library of Congress... Instead of needing a 15,000 square-foot building to store 35,000 boxes of inactive records and archival documents, Sandia National Laboratories can potentially store information on much less paper, in powder form, in test tubes or petri dishes, or even as a bacterial cell... "Hard drives fail and very often the data can't be recovered," explains Bachand. "With DNA, it's possible to recover strands that are 10,000 to 20,000 years old... even if someone sneezes and the powder is lost, it's possible to recover all the information by just recovering one DNA molecule."
Bitcoin

'Tor and Bitcoin Hinder Anti-Piracy Efforts' (torrentfreak.com) 103

An anonymous reader writes: A new report published by the European Union Intellectual Property Office identifies a wide range of 'business models' that are used by pirate sites. The organization, which announced a new collaboration with Europol this week, signals Bitcoin and the Tor network as two key threats to ongoing anti-piracy efforts. According to the research, several infringing business models rely on encryption-based technologies. The Tor network and Bitcoin, for example, are repeatedly mentioned as part of this "shadow landscape." "It more and more relies on new encrypted technologies like the TOR browser and the Bitcoin virtual currency, which are employed by infringers of IPR to generate income and hide the proceeds of crime from the authorities," the report reads.
Encryption

UK Gov Says New Home Sec Will Have Powers To Ban End-to-end Encryption (theregister.co.uk) 282

An anonymous reader writes: During a committee stage debate in the UK's House of Lords yesterday, the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (CSPs) to remove or disable end-to-end encryption. Earl Howe, a Minister of State for Defence and the British government's Deputy Leader in the House of Lords, gave the first explicit admission that the new legislation would provide the government with the ability to force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data".

This power, if applied, would be imposed upon domestic CSPs by the new Home Secretary, Amber Rudd, who was formerly the secretary of state for Energy and Climate Change. Rudd is now only the fifth woman to hold one of the great offices of state in the UK. As she was only appointed on Wednesday evening, she has yet to offer her thoughts on the matter.

Security

Maxthon Web Browser Sends Sensitive Data To China (securityweek.com) 119

Reader wiredmikey writes: Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors. Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis (PDF) revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number. Interestingly, In 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.
Encryption

VPN Provider Removes Russian Presence After Servers Seized (thestack.com) 89

An anonymous reader quotes a report from The Stack: VPN provider Private Internet Access has pulled out of Russia in the wake of new internet surveillance legislation in the country. The company claims that some of its Russian servers were seized by the government as punishment for not complying with the rules, which ask providers to log and hold all Russian internet traffic and session data for up to a year. Upon learning of the federal action, the company immediately removed its Russian availability and announced that it would no longer be operating in the region. "We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process," wrote Private Internet Access in a blog post. The company advises users to update their desktop clients. They also noted that its manual configurations now support the "strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096." Putin has given Federal Security Agents two weeks to produce "encryption keys" for the internet.
Encryption

FBI Agent: Decrypting Data 'Fundamentally Alters' Evidence (vice.com) 89

Joseph Cox, reporting for Motherboard: An FBI agent has brought up an interesting question about the nature of digital evidence: Does decrypting encrypted data "fundamentally alter" it, therefore contaminating it as forensic evidence? According to a hearing transcript filed last week, FBI Special Agent Daniel Alfin suggested just that. The hearing was related to the agency's investigation into dark web child pornography site Playpen. In February 2015, the FBI briefly assumed control of Playpen and delivered its users a network investigative technique (NIT) -- or a piece of malware -- in an attempt to identify the site's visitors. [...] According to experts called by the defense in the affected case, the fact that the data was unencrypted means there is a chance that sensitive, identifying information of people who had not been convicted of a crime was being sent over the internet, and could have been manipulated. (Alfin paints this scenario as unlikely, saying that an attacker would have to know the IP address the FBI was using, have some sort of physical access to the suspect's computer to learn his MAC address, and other variables.)
Encryption

MIT Says Their Anonymity Network Is More Secure Than Tor (pcmag.com) 81

An anonymous reader writes from a report via PC Magazine: Following the recent vulnerabilities in Tor, researchers at MIT's Computer Science and Artificial Intelligence Laboratory and the Ecole Polytechnique Federale de Lausanne have been working on a new anonymity network that they say is more secure than Tor. While the researchers are planning to present their new system, dubbed Riffle, at the Privacy Enhancing Technologies Symposium later this month, they did say the system uses existing cryptographic techniques, but in new ways. A series of servers are what make up Riffle, each of which "permutes the order in which it receives messages before passing them on to the next," according to a news release. "For instance, messages from senders Alice, Bob, and Carol reach the first server in the order A, B, C, that server would send them to the second server in a different order -- say C, B, A. The second server would permute them before sending them to the third, and so on." Nobody would know which was which by the time they exited the last server. Both Tor and MIT's anonymity network use onion encryption. Riffle uses a technique called verifiable shuffle in addition to onion encryption to thwart tampering and prevent adversaries from infiltrating servers with their own code. Last but not least, it uses authentication encryption to verify the authenticity of an encrypted message. The researchers say their system provides strong security while using bandwidth much more efficiently than similar solutions.
Electronic Frontier Foundation

EFF Delivers 210,000 Signatures Opposing Trans-Pacific Partnership (eff.org) 101

An anonymous Slashdot reader writes: "The TPP is simply bad for tech users and innovators," writes the Electronic Frontier Foundation, arguing the proposed trade agreement for the Pacific Rim "exports the most onerous parts of U.S. copyright law and prevents the U.S. from improving them in the future, while failing to include the balancing provisions that work for users and innovators, such as fair use." At a press conference, the EFF delivered 210,000 signatures gathered in conjunction with other activist groups "to call on Democratic Party Leader Nancy Pelosi to stop the Trans-Pacific Partnership from going to a vote during the 'lame duck' session of Congress following the November election."

More signatures are still being collected online, to be delivered on July 21. In a statement, the EFF adds that the TPP also "does nothing to safeguard the free and open Internet, by including phony provisions on net neutrality and encryption, trade secrets provisions that carry no exceptions for journalism or whistleblowing, and a simplistic ban on data localization...to buy off big tech."

Facebook

Facebook Messenger To Get End-To-End Encryption 99

Reader wiredmikey writes: Facebook announced Friday it would roll out optional "end to end encryption" for its Messenger application, following a trend aimed at stronger security and protection against snooping. The new feature will be known as "secret conversations" which can be read only by the sender and recipient. Facebook shared technical details about its implementation of the security in a technical white paper (PDF). Facebook earlier this year began implementing this end-to-end encryption on its WhatsApp messaging service.ZDNet's Zack Whittaker, however, warns about a catch in Facebook's effort. He writes: But already the company has faced some criticism for not encrypting messages by default, instead making the service opt-in, like Apple's iMessage, or even Facebook's other chat app, WhatsApp, which recently switched on default end-to-end encryption earlier this year. Cryptographer and Johns Hopkins professor Matthew Green, who reviewed an early version of the system, said in a tweet that though you "have to turn on encryption per thread," he added that providing encryption to almost a billion people makes it hard to "put that genie back in the bottle."
Encryption

Putin Gives Federal Security Agents Two Weeks To Produce 'Encryption Keys' For The Internet (gawker.com) 296

An anonymous reader writes: The President of the Russian Federation, Vladimir Putin, has ordered the Federal Security Service (FSB) to produce "encryption keys" to decrypt all data on the internet, and the FSB has two weeks to do it, Meduza reports. The head of the FSB, Alexander Bortnikov, is responsible for accomplishing such a task. "The new 'anti-terrorist' laws require all 'organizers of information distribution' that add 'additional coding' to transmitted electronic messages to provide the FSB with any information necessary to decrypt those messages," reports Meduza. "It's still unclear what information exactly online resources are expected to turn over, given that all data on the internet is encoded, one way or another, and in many instances encryption keys for encrypted information simply don't exist." Some of the details of the executive order include requiring telecom providers and "organizers of information distribution" to store copies of the content of all information they transmit for six months and store the metadata for three years so the Kremlin can access it whenever they want. In order for that to happen, ISPs would need to build new data centers capable of holding all that information and buy imported equipment, all without state subsidies, where they risk going bankrupt. To actually operate the data centers, the Russian government would need to upgrade Russia's outdated electrical grid and cables, which could cost between $30 and $77 billion. What about the "encryption keys?" In addition to storing all the transmitted information, "organizers of information distribution" have to turn over "any information necessary to decrypt those messages." Therefore, "additional coding" will need to be added to all electronic messages to act as instructions for the FSB to "decode" them. Many services and websites don't have "keys" or are fundamentally unsharable, like banks and financial institutions. Nearly all electronic information needs to be "encoded" in some way. Bortnikov has two weeks and the clock starts now. Good luck!
Android

Android KeyStore Encryption Scheme Broken (threatpost.com) 58

Reader msm1267 writes: The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say.>In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.
KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device. Mohamed Sabt and Jacques Traore, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is "non-provably secure," and could have "severe consequences." The two point out in their paper "Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore," that it's the hash-then-encrypt (HtE) authenticated encryption (AE) scheme in cipher block chaining mode (CBC) in KeyStore that fails to guarantee the integrity of keys.

Google

Google Is Working To Safeguard Chrome From Quantum Computers (theverge.com) 65

Quantum computing could potentially someday be used to retroactively break any communications that were encrypted with today's standard encryption algorithms. Google realizes this, and hence, is ensuring that it doesn't happen. Today, it announced that it has begun to deploy a new type of cryptography called the New Hope algorithm in its Chrome Canary browser that is designed to prevent such decryption attacks. From a report on The Verge: Although quantum computers of this variety are only small and experimental at this stage, Google is taking precautions for the worst case scenario. "While they will, no doubt, be of huge benefit in some areas of study, some of the problems that they [quantum computers] are effective at solving are the ones that we use to secure digital communications," writes Matt Braithwaite, a Google software engineer, in a blog post. "Specifically, if large quantum computers can be built then they may be able to break the asymmetric cryptographic primitives that are currently used in TLS, the security protocol behind HTTPS." In other words, quantum computers could undermine the security of the entire internet. Quantum computers promise computational power far exceeding today's standards by taking advantage of the underpinning physics discipline. So the presence of a hypothetical future quantum computer, Braithwaite adds, puts at risk any and all encrypted internet communication past or present. It's unclear how secure New Hope (PDF) will prove to be for Chrome, and Braithwaite admits it could be less secure than its existing encryption. But Google says New Hope -- developed by researchers Erdem Alkim, Leo Ducas, Thomas Poppelmann and Peter Schwabe -- was the most promising of all post-quantum key-exchange software it looked into last year.
Censorship

UN Council: Seriously, Nations, Stop Switching Off the Internet! (article19.org) 59

An anonymous reader writes: "The United Nations officially condemned the practice of countries shutting down access to the internet at a meeting of the Human Rights Council on Friday," reports the Register newspaper, saying Friday's resolution "effectively extends human rights held offline to the internet," including freedom of expression. "The resolution is a much-needed response to increased pressure on freedom of expression online in all parts of the world," said Thomas Hughes, Executive Director of Article 19, a long-standing British human rights group which had pushed for the resolution. "From impunity for the killings of bloggers to laws criminalizing legitimate dissent on social media, basic human rights principles are being disregarded to impose greater controls over the information we see and share online."

Thirteen countries, including Russia and China, had unsuccessfully urged the deletion of the text guaranteeing internet access, and Article 19 says the new resolution even commits states to address "security concerns on the Internet in accordance with their obligations to protect freedom of expression, privacy and other human rights online." But they also called the resolution a missed opportunity to urge states to strengthen protections on anonymity and encryption, and to clarify the boundaries between state and private ICT actors.

Android

Security Researcher Publishes How-To Guide To Crack Android Full Disk Encryption (thehackernews.com) 84

An anonymous reader writes: Google first implemented Full Disk Encryption in Android by default with Android 5.0 Lollipop in an effort to prevent criminals or government agencies from gaining unauthorized access to one's data. What it does is it encodes all the data on a user's Android device before it's ever written to disk using a user's authentication code. Once it is encrypted, it can only be decrypted if the user enters his/her password. However, security researcher Gal Beniamini has discovered issues with the full disk encryption. He published a step-by-step guide on how one can break down the encryption protections on Android devices powered by Qualcomm Snapdragon processors. The source of the exploit is posted on GitHub. Android's disk encryption on devices with Qualcomm chips is based only on your password. However, Android uses your password to create a 2048-bit RSA key (KeyMaster) derived from it instead. Qualcomm specifically runs in the Snapdragon TrustZone to protect critical functions like encryption and biometric scanning, but Beniamini discovered that it's possible to exploit a security flaw and retrieve the keys from TrustZone. Qualcomm runs a small kernel in TrustZone to offer a Trusted Execution Environment known as Qualcomm Secure Execution Environment (QSEE), which allows small apps to run inside of QSEE away from the main Android OS. Beniamini has detailed a way for attackers to exploit an Android kernel security flaw to load their own QSEE app inside this secure environment, thereby exploiting privilege escalation flaw and hijacking of the complete QSEE space, including the keys generated for full disk encryption. The researcher also said Qualcomm or OEMs can comply with government or law enforcement agencies to break the FDE: "Since the key is available to TrustZone, Qualcomm and OEMs [Original Equipment Manufacturers] could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device," Beniamini wrote. "This would allow law enforcement to easily brute force the FDE password off the device using the leaked keys."
Encryption

US Efforts To Regulate Encryption Have Been Flawed, Government Report Finds (theguardian.com) 110

An anonymous reader writes from a report via The Guardian: U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it. The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight. However, it is notable for its criticism of other lawmakers who have tried to legislate their way out of the encryption debate. It also sets a new starting point for Congress as it mulls whether to legislate on encryption during the Clinton or Trump administration. "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix," the committee staff wrote in their report. The committee calls for more dialogue on the topic and for more interviews with experts, even though they claim to have already held more than 100 such briefings, some of which are classified. The report says in the first line that public interest in encryption has surged once it was revealed that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.

Slashdot Top Deals