Mark Tyson reports via Tom's Hardware: A commercial smartphone or Linux computer can be used to crack RSA-2048 encryption, according to a prominent research scientist. Dr Ed Gerck is preparing a research paper with the details but couldn't hold off from bragging about his incredible quantum computing achievement (if true) on his LinkedIn profile. Let us be clear: the claims seem spurious, but it should be recognized that the world isn't ready for an off-the-shelf system that can crack RSA-2048, as major firms, organizations, and governments haven't yet transitioned to encryption tech that is secured for the post-quantum era.

In his social media post, Gerck states that a humble device like a smartphone can crack the strongest RSA encryption keys in use today due to a mathematical technique that "has been hidden for about 2,500 years -- since Pythagoras." He went on to make clear that no cryogenics or special materials were used in the RSA-2048 key-cracking feat. BankInfoSecurity reached out to Gerck in search of some more detailed information about his claimed RSA-2048 breakthrough and in the hope of some evidence that what is claimed is possible and practical. Gerck shared an abstract of his upcoming paper. This appears to show that instead of using Shor's algorithm to crack the keys, a system based on quantum mechanics was used, and it can run on a smartphone or PC.

In some ways, it is good that the claimed breakthrough doesn't claim to use Shor's algorithm. Alan Woodward, a professor of computer science at the University of Surrey, told BankInfoSecurity that no quantum computer in existence has enough gates to implement Shor's algorithm and break RSA-2048. So at least this part of Gerck's explanation checks out. However, the abstract of Gerck's paper looks like it is "all theory proving various conjectures - and those proofs are definitely in question," according to Woodward. The BankInfoSecurity report on Gerck's "QC Algorithms: Faster Calculation of Prime Numbers" paper quotes other skeptics, most of whom are waiting for more information and proofs before they organize a standing ovation for Gerck.

An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called on a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

To explore America's "transition to a post-quantum world," the Washington Post interviewed U.S. federal official Nick Polk, who is focused on national security issues including quantum computing and is also a senior advisor to a White House federal chief information security officer): The Washington Post: The U.S. is in the early stages of a major shift focused on bolstering government network defenses, pushing federal agencies to adopt a new encryption standard known as post-quantum cryptography that aims to prevent systems from being vulnerable to advanced decryption techniques enabled by quantum computers in the near future...

Nick Polk: We've been using asymmetric encryption for a very long time now, and it's been ubiquitous since about 2014, when the U.S. government and some of the large tech companies decided that they're going to make it a default on most web browsers... Interestingly enough, regarding the post-quantum cryptographic standards being developed, the only thing that's quantum about them is that it has "quantum" in the name. It's really just a different type of math that's much more difficult for a quantum computer to be able to reverse-engineer. The National Institute of Standards and Technology is looking at different mathematical models to cover all their bases. The interesting thing is that these post-quantum standards are actually being used to protect classical computers that we have now, like laptops...

Given the breadth of the U.S. government and the amount of computing power we use, we really see ourselves and our role as a steward of the tech ecosystem. One of the things that came out of [this week's Inside Quantum Technology conference in New York City] was that we are very quickly moving along with the private sector to migrate to post-quantum cryptography. I think you're gonna see very shortly a lot of very sensitive private sector industries start to migrate or start to advertise that they're going to migrate. Banks are a perfect example. That means meeting with vendors regularly, and testing their algorithms to ensure that we can accurately and effectively implement them on federal systems...

The administration and national security memorandum set 2035 as our deadline as a government to migrate our [national security] systems to post-quantum cryptography. That's supposed to time with the development of operational quantum computers. We need to ensure that we start now, so that we don't end up not meeting the deadline before computers are operational... This is a prioritized migration for the U.S. government. We're going to start with our most critical systems — that includes what we call high-value assets, and high-impact systems. So for example, we're gonna prioritize systems that have personal health information.

That's our biggest emphasis — both when we talk to private industry and when we encourage agencies when they talk to their contractors and vendors — to really think about where your most sensitive data is and then prioritize those systems for migration.

Unciphered, a Seattle-based startup, claims to have cracked the seemingly unbreakable encryption of IronKey S200, a decade-old USB thumb drive. By exploiting an undisclosed vulnerability in the device, the company says it can bypass the drive's feature that erases its contents after 10 incorrect password attempts. The breakthrough came within a day of receiving a test device, suggesting that the firm's hacking technique, powered by high-performance computing, could have far-reaching implications.

The startup's focus is not just technological; it's after a specific IronKey that holds 7,002 bitcoins, valued at roughly $235 million, stored in a Swiss bank vault. The device belongs to Stefan Thomas, a Swiss crypto entrepreneur, who has forgotten the password and has only two password attempts left before losing access to his fortune. Unciphered believes its hacking capabilities could unlock Thomas' crypto vault and is preparing to reach out to him to offer its services. The only problem: Thomas doesn't seem to want their help. Wired: Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company's new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined. Thomas had already made a "handshake deal" with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else -- even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. "We cracked the IronKey," says Nick Fedoroff, Unciphered's director of operations. "Now we have to crack Stefan. This is turning out to be the hardest part." In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. "I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new," Thomas wrote. "It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see." In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled "What is Bitcoin?" that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000.

"In 2023, the state of our digital privacy is: Very Creepy." That's the verdict from Mozilla's first-ever "Annual Consumer Creep-o-Meter," which attempts to set benchmarks for digital privacy and identify trends: Since 2017, Mozilla has published 15 editions of *Privacy Not Included, our consumer tech buyers guide. We've reviewed over 500 gadgets, apps, cars, and more, assessing their security features, what data they collect, and who they share that data with. In 2023, we compared our most recent findings with those of the past five years. It quickly became clear that products and companies are collecting more personal data than ever before — and then using that information in shady ways...

Products are getting more secure, but also a lot less private. More companies are meeting Mozilla's Minimum Security Standards like using encryption and providing automatic software updates. That's good news. But at the same time, companies are collecting and sharing users' personal data like never before. And that's bad news. Many companies now view their hardware or software as a means to an end: collecting that coveted personal data for targeted advertising and training AI. For example: The mental health app BetterHelp shares your data with advertisers, social media platforms, and sister companies. The Japanese car manufacturer Nissan collects a wide range of information, including sexual activity, health diagnosis data, and genetic information — but doesn't specify how.

An increasing number of products can't be used offline. In the past, the privacy conscious could always buy a connected device but turn off connectivity, making it "dumb." That's no longer an option in many cases. The number of connected devices that require apps and can't be used offline are increasing. This trend, coupled with the first, means it's harder and harder to keep your data private.
Privacy policies also need improvement. "Legalese, ambiguity, and policies that sprawl across multiple documents and URLs are the status quo. And it's getting worse, not better. Companies use these policies as a shield, not an actual resource for consumers." They note that Toyota has more than 10 privacy policy documents, and that it would actually take five hours to read all the privacy documents the Meta Quest Pro VR headset.

In the end they advise opting out of data collection when possible, enabling security features, and "If you're not comfortable with a product's privacy, don't buy it. And, speak up. Over the years, we've seen companies respond to consumer demand for privacy, like when Apple reformed app tracking and Zoom made end-to-end encryption a free feature."

You can also take a quiz that calculates your own privacy footprint (based on whether you're using consumer tech products like the Apple Watch, Nintendo Switch, Nook, or Telegram). Mozilla's privacy advocates award the highest marks to privacy-protecting products like Signal, Sonos' SL Speakers, and the Pocketbook eReader (an alternative to Amazon's Kindle. (Although 100% of the cars reviewed by Mozilla "failed to meet our privacy and security standards.")

The graphics on the site help make its point. As you move your mouse across the page, the cartoon eyes follow its movement...

An anonymous reader shares a Tom's Hardware report: Unfortunately, a default setting in Windows 11 Pro, having its software BitLocker encryption enabled, robs as much as 45 percent of the speed from your SSD as it forces your processor to encrypt and decrypt everything. According to our tests, random writes and reads -- which affect the overall performance of your PC -- get hurt the most, but even large sequential transfers are affected.

While many SSDs come with hardware-based encryption, which does all the processing directly on the drive, Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out. (You can circumvent this with tools like Rufus, if you want, though that's obviously not an official solution as it allows users to bypass the Microsoft's intent.) If you bought a prebuilt PC with Windows 11 Pro, there's a good chance software BitLocker is enabled on it right now. Windows 11 Home doesn't support BitLocker so you won't have encryption enabled there.

To find out just how much software BitLocker impacts performance, we ran a series of tests with three scenarios: unencrypted (no BitLocker), software BitLocker (the Windows 11 Pro default), and with hardware BitLocker (OPAL) enabled. While the software encryption increased latency and decreased transfer rates, hardware encryption and no encryption at all were basically tied. If you have software BitLocker enabled, you may want to change your settings.

Matthew Sparkes reports via NewScientist: A prominent cryptography expert has told New Scientist that a US spy agency could be weakening a new generation of algorithms designed to protect against hackers equipped with quantum computers. Daniel Bernstein at the University of Illinois Chicago says that the US National Institute of Standards and Technology (NIST) is deliberately obscuring the level of involvement the US National Security Agency (NSA) has in developing new encryption standards for "post-quantum cryptography" (PQC). He also believes that NIST has made errors -- either accidental or deliberate -- in calculations describing the security of the new standards. NIST denies the claims.

Bernstein alleges that NIST's calculations for one of the upcoming PQC standards, Kyber512, are "glaringly wrong," making it appear more secure than it really is. He says that NIST multiplied two numbers together when it would have been more correct to add them, resulting in an artificially high assessment of Kyber512's robustness to attack. "We disagree with his analysis," says Dustin Moody at NIST. "It's a question for which there isn't scientific certainty and intelligent people can have different views. We respect Dan's opinion, but don't agree with what he says." Moody says that Kyber512 meets NIST's "level one" security criteria, which makes it at least as hard to break as a commonly used existing algorithm, AES-128. That said, NIST recommends that, in practice, people should use a stronger version, Kyber768, which Moody says was a suggestion from the algorithm's developers.

NIST is currently in a period of public consultation and hopes to reveal the final standards for PQC algorithms next year so that organizations can begin to adopt them. The Kyber algorithm seems likely to make the cut as it has already progressed through several layers of selection. Given its secretive nature, it is difficult to say for sure whether or not the NSA has influenced the PQC standards, but there have long been suggestions and rumors that the agency deliberately weakens encryption algorithms. In 2013, The New York Times reported that the agency had a budget of $250 million for the task, and intelligence agency documents leaked by Edward Snowden in the same year contained references to the NSA deliberately placing a backdoor in a cryptography algorithm, although that algorithm was later dropped from official standards.

SpzToid writes: Ubuntu 23.10, codenamed Mantic Minotaur, is the 39th Ubuntu release, and it's one of the three smaller interim releases Canonical puts out between long-term support (LTS) versions. This last interim before the next LTS doesn't stand out with bold features you can identify at a glance. But it does set up some useful options and upgrades that should persist in Ubuntu for some time.

Two of the biggest changes in Ubuntu 23.10 are in the installer. Ubuntu now defaults to a "Default installation," which is quite different from what the "default" was even just one release prior. "Default" is described as "Just the essentials, web browser, and basic utilities," while "Full" is "An offline-friendly selection of office tools, utilities, web browser, and games." "Default" is somewhat similar to what "Minimal" used to be in prior versions, while "Full" is intended for those who are offline or have slow connections or just want as many options as possible right away.

Elsewhere in the installer, you can now choose ZFS as your primary file system. There's also an experimental option to set up Trusted Platform Module (TPM) full-disk encryption rather than rely entirely on passphrases to encrypt your disk. This brings Ubuntu up to speed with Windows in offering a way to both secure your system and find out the hard way that you lack a backup key to get in after messing with your boot options. (Kidding! Somewhat.)

Jessica Lyons Hardcastle reports via The Register: The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer. "The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register. The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."

TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations. In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception. At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."

At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks." It did, however, face criticism from the security community over its response to the vulnerabilities -- and the proprietary nature of the encryption algorithms, which makes it more difficult for proper pentesting of the emergency network system. "This whole idea of secret encryption algorithms is crazy, old-fashioned stuff," said security author Kim Zetter who first reported the story. "It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."

Long-time Slashdot reader mejustme writes: The NIST elliptic curves that power much of modern cryptography were generated in the late '90s by hashing seeds provided by the NSA. Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in early 2023 leaving behind a cryptographic mystery."

That's from the blog of Filippo Valsorda, who was in charge of cryptography and security on the Go team at Google until 2022, (and was on the Cryptography team at Cloudflare until 2017). But more importantly, he adds that "I'm announcing a $12,288 bounty for cracking these five hashes, tripled to $36,864 if the recipient chooses to donate it to a 501(c)(3) charity of their choice."

There are hints to which phrase was used as the seed. [Before his death] Dr. Jerry Solinas said he thought he'd used something similar to "Jerry deserves a raise.

Long-time Slashdot reader schwit1 shares a report from The Intercept: The Heat Initiative, a nonprofit child safety advocacy group, was formed earlier this year to campaign against some of the strong privacy protections Apple provides customers. The group says these protections help enable child exploitation, objecting to the fact that pedophiles can encrypt their personal data just like everyone else. When Apple launched its new iPhone this September, the Heat Initiative seized on the occasion, taking out a full-page New York Times ad, using digital billboard trucks, and even hiring a plane to fly over Apple headquarters with a banner message. The message on the banner appeared simple: 'Dear Apple, Detect Child Sexual Abuse in iCloud' -- Apple's cloud storage system, which today employs a range of powerful encryption technologies aimed at preventing hackers, spies, and Tim Cook from knowing anything about your private files.

Something the Heat Initiative has not placed on giant airborne banners is who's behind it: a controversial billionaire philanthropy network whose influence and tactics have drawn unfavorable comparisons to the right-wing Koch network. Though it does not publicize this fact, the Heat Initiative is a project of the Hopewell Fund, an organization that helps privately and often secretly direct the largesse -- and political will -- of billionaires. Hopewell is part of a giant, tightly connected web of largely anonymous, Democratic Party-aligned dark-money groups, in an ironic turn, campaigning to undermine the privacy of ordinary people.

For an organization demanding that Apple scour the private information of its customers, the Heat Initiative discloses extremely little about itself. According to a report in the New York Times, the Heat Initiative is armed with $2 million from donors including the Children's Investment Fund Foundation, an organization founded by British billionaire hedge fund manager and Google activist investor Chris Cohn, and the Oak Foundation, also founded by a British billionaire. The Oak Foundation previously provided $250,000 to a group attempting to weaken end-to-end encryption protections in EU legislation, according to a 2020 annual report. The Heat Initiative is helmed by Sarah Gardner, who joined from Thorn, an anti-child trafficking organization founded by actor Ashton Kutcher. [...] Critics say these technologies aren't just uncovering trafficked children, but ensnaring adults engaging in consensual sex work. "My goal is for child sexual abuse images to not be freely shared on the internet, and I'm here to advocate for the children who cannot make the case for themselves," Gardner said, declining to name the Heat Initiative's funders. "I think data privacy is vital. I think there's a conflation between user privacy and known illegal content."

Meredith Whittaker, the president of the Signal Foundation, which maintains the nonprofit Signal messaging app, reaffirmed that Signal would leave the U.K. if the country's recently passed Online Safety Bill forced Signal to build "backdoors" into its end-to-end encryption. From a report: "We would leave the U.K. or any jurisdiction if it came down to the choice between backdooring our encryption and betraying the people who count on us for privacy, or leaving," Whittaker said. "And that's never not true." The Online Safety Bill, which was passed into law in September, includes a clause -- clause 122 -- that, depending on how it's interpreted, could allow the U.K.'s communications regulator, Ofcom, to break the encryption of apps and services under the guise of making sure illegal material such as child sexual exploitation and abuse content is removed.

Ofcom could fine companies not in compliance up to $22.28 million, or 10% of their global annual revenue, under the bill -- whichever is greater. Whittaker didn't mince words in airing her fears about the Online Safety Bill's implications. "We're not about political stunts, so we're not going to just pick up our toys and go home to, like, show the bad U.K. they're being mean," she said. "We're really worried about people in the U.K. who would live under a surveillance regime like the one that seems to be teased by the Home Office and others in the U.K."

For over 30 years the EFF has presented awards recognizing those "advancing innovation and championing digital rights," according to its web site, celebrating "the accomplishments of people working toward a better future... both in the public eye and behind the scenes."

This year's ceremony — hosted by Cory Doctorow — didn't just recognize Sci-Hub's founder. The EFF also gave its award for "Communications Policy" to the Signal Foundation — and its "Information Democracy" award to the Library Freedom Project.

From the Electronic Frontier Foundation web site: Since 2013, with the release of the unified app and the game-changing Signal Protocol, Signal has set the bar for private digital communications. With its flagship product, Signal Messenger, Signal provides real communications privacy, offering easy-to-use technology that refuses the surveillance business model on which the tech industry is built. To ensure that the public doesn't have to take Signal's word for it, Signal publishes their code and documentation openly, and licenses their core privacy technology to allow others to add privacy to their own products. Signal is also a 501(c)(3) nonprofit, ensuring that investors and market pressure never provides an incentive to weaken privacy in the name of money and growth. This allows Signal to stand firm against growing international legislative pressure to weaken online privacy, making it clear that end-to-end encryption either works for everyone or is broken for everyone — there is no half measure.

The Library Freedom Project (LFP) is radically rethinking the library professional organization by creating a network of values-driven librarian-activists taking action together to build information democracy. LFP offers trainings, resources, and community building for librarians on issues of privacy, surveillance, intellectual freedom, labor rights, power, technology, and more — helping create safer, more private spaces for library patrons to feed their minds and express themselves. Their work is informed by a social justice, feminist, anti-racist approach, and they believe in the combined power of long-term collective organizing and short-term, immediate harm reduction.

The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is "technically feasible" to do so, postponing measures that critics say threaten users' privacy. Financial Times: A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users' security. The statement is set to outline that Ofcom, the tech regulator, will only require companies to scan their networks when a technology is developed that is capable of doing so, according to people briefed on the plan. Many security experts believe it could be years before any such technology is developed, if ever.

"A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content," the statement will say. The online safety bill, which has been in development for several years and is now in its final stages in parliament, is one of the toughest attempts by any government to make Big Tech companies responsible for the content that is shared on their networks.

An anonymous reader quotes a report from BleepingComputer: Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich. FIDO2 is the second major version of the Fast IDentity Online authentication standard, and FIDO2 keys are used for passwordless authentication and as a multi-factor authentication (MFA) element. Google explains that a quantum-resistant FIDO2 security key implementation is a crucial step towards ensuring safety and security as the advent of quantum computing approaches and developments in the field follow an accelerating trajectory.

To protect against quantum computers, a new hybrid algorithm was created by combining the established ECDSA algorithm with the Dilithium algorithm. Dilithium is a quantum-resistant cryptographic signature scheme that NIST included in its post-quantum cryptography standardization proposals, praising its strong security and excellent performance, making it suitable for use in a wide array of applications. This hybrid signature approach that blends classic and quantum-resistant features wasn't simple to manifest, Google says. Designing a Dilithium implementation that's compact enough for security keys was incredibly challenging. Its engineers, however, managed to develop a Rust-based implementation that only needs 20KB of memory, making the endeavor practically possible, while they also noted its high-performance potential.

The hybrid signature schema was first presented in a 2022 paper (PDF) and recently gained recognition at the ACNS (Applied Cryptography and Network Security) 2023, where it won the "best workshop paper" award. This new hybrid implementation is now part of the OpenSK, Google's open-source security keys implementation that supports the FIDO U2F and FIDO2 standards. The tech giant hopes that its proposal will be adopted by FIDO2 as a new standard and supported by major web browsers with large user bases. The firm calls the application of next-gen cryptography at the internet scale "a massive undertaking" and urges all stakeholders to move quickly to maintain good progress on that front.

"It was difficult to maintain a poker face when the leader of a big US tech firm I was chatting to said there was a definite tipping point at which the firm would exit the UK," writes a BBC technology editor: Many of these companies are increasingly fed up. Their "tipping point" is UK regulation — and it's coming at them thick and fast. The Online Safety Bill is due to pass in the autumn. Aimed at protecting children, it lays down strict rules around policing social media content, with high financial penalties and prison time for individual tech execs if the firms fail to comply. One clause that has proved particularly controversial is a proposal that encrypted messages, which includes those sent on WhatsApp, can be read and handed over to law enforcement by the platforms they are sent on, if there is deemed to be a national security or child protection risk...

Currently messaging apps like WhatsApp, Proton and Signal, which offer this encryption, cannot see the content of these messages themselves. WhatsApp and Signal have both threatened to quit the UK market over this demand.

The Digital Markets Bill is also making its way through Parliament. It proposes that the UK's competition watchdog selects large companies like Amazon and Microsoft, gives them rules to comply with and sets punishments if they don't. Several firms have told me they feel this gives an unprecedented amount of power to a single body. Microsoft reacted furiously when the Competition and Markets Authority (CMA) chose to block its acquisition of the video game giant Activision Blizzard. "There's a clear message here — the European Union is a more attractive place to start a business than the United Kingdom," raged chief executive Brad Smith. The CMA has since re-opened negotiations with Microsoft. This is especially damning because the EU is also introducing strict rules in the same vein — but it is collectively a much larger and therefore more valuable market.

In the UK, proposed amendments to the Investigatory Powers Act, which included tech firms getting Home Office approval for new security features before worldwide release, incensed Apple so much that it threatened to remove Facetime and iMessage from the UK if they go through. Clearly the UK cannot, and should not, be held to ransom by US tech giants. But the services they provide are widely used by millions of people. And rightly or wrongly, there is no UK-based alternative to those services.
The article concludes that "It's a difficult line to tread. Big Tech hasn't exactly covered itself in glory with past behaviours — and lots of people feel regulation and accountability is long overdue."

"Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography," writes Chrome's technical program manager for security, Devon O'Brien.

"Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success." As a step down this path, Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115. This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:

X25519 — an elliptic curve algorithm widely used for key agreement in TLS today
Kyber-768 — a quantum-resistant Key Encapsulation Method, and NIST's PQC winner for general encryption

In order to identify ecosystem incompatibilities with this change, we are rolling this out to Chrome and to Google servers, over both TCP and QUIC and monitoring for possible compatibility issues. Chrome may also use this updated key agreement when connecting to third-party server operators, such as Cloudflare, as they add support. If you are a developer or administrator experiencing an issue that you believe is caused by this change, please file a bug.
The Register delves into Chrome's reasons for implementing this now: "It's believed that quantum computers that can break modern classical cryptography won't arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today?" said O'Brien. "The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves." O'Brien says that while symmetric encryption algorithms used to defend data traveling on networks are considered safe from quantum cryptanalysis, the way the keys get negotiated is not. By adding support for a hybrid KEM, Chrome should provide a stronger defense against future quantum attacks...

Rebecca Krauthamer, co-founder and chief product officer at QuSecure, told The Register in an email that while this technology sounds futuristic, it's useful and necessary today... [T]he arrival of capable quantum computers should not be thought of as a specific, looming date, but as something that will arrive without warning. "There was no press release when the team at Bletchley Park cracked the Enigma code, either," she said.

British technology minister Michelle Donelan defended plans to require messaging apps to provide access to encrypted private messages when needed to protect children from abuse, which major platforms say would undermine the privacy of their users. From a report: Donelan told the BBC that the government was not against encryption, and the access would only be requested as a last resort, under Britain's Online Safety Bill which is expected to become law later this year. "I, like you, want my privacy because I don't want people reading my private messages. They'd be very bored but I don't want them to do it," said Donelan, minister for science, innovation and technology. "However, we do know that on some of these platforms, they are hotbeds sometimes for child abuse and sexual exploitation. And we have to be able access that information should that problem occur."

Speaking of SMSes, Google announced today it's making its Messages by Google app more secure with improvements to RCS, or Rich Communication Services -- a protocol aimed at replacing SMS and is more on par with the advanced features found in Apple's iMessage. From a report: The company says it will now make RCS the default for both new and existing Messages app users. In addition, end-to-end encryption for group chats is now fully rolled out to all RCS users. The latter had launched into an open beta earlier this year after earlier tests, but was not fully launched until now. With this update, all conversations between users in Messages, whether 1:1 or group chats, will now be kept private, Google says.

Since rolling out RCS to U.S. Android users in 2019, Google has been campaigning in an effort to pressure Apple into adopting the technology in its own messaging service, iMessage. It even launched a website last year to explain why RCS benefits consumers, noting "It's not about the color of the bubbles. It's the blurry videos, broken group chats, missing read receipts and typing indicators, no texting over Wi-Fi and more."

Federal regulators continued their crackdown against employees of Wall Street firms using private messaging apps to communicate, with 11 brokerage firms and investment advisers agreeing Tuesday to pay $549 million in fines. From a report: Wells Fargo, BNP Paribas, Societe Generale and Bank of Montreal were hit with the biggest penalties by the Securities and Exchange Commission and the Commodity Futures Trading Commission. Together, the brokerage and investment advisory arms of those four financial institutions accounted for nearly 90 percent of the fines, according to statements released by the regulators.

The latest round of fines adds to the nearly $2 billion in penalties against big Wall Street banks announced last year for similar violations. In all, the regulators have now penalized more than two dozen banks and investment firms for not properly policing employees use of "off channel" messaging services like WhatsApp, iMessage and Signal. The S.E.C. charged the financial institutions for failing to properly "maintain and preserve" all official communications by their employees. Federal securities laws require banks and investments firms to maintain records and make sure their employees are not conducting company business using unauthorized means of communication.