US Government Will Not Force Companies To Decode Encrypted Data... For Now (washingtonpost.com) 104

Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate. The EFF has also compiled a report showing where the major tech companies stand on encryption.

First Successful Collision Attack On the SHA-1 Hashing Algorithm (google.com) 76

Artem Tashkinov writes: Researchers from Dutch and Singapore universities have successfully carried out an initial attack on the SHA-1 hashing algorithm by finding a collision at the SHA1 compression function. They describe their work in the paper "Freestart collision for full SHA-1". The work paves the way for full SHA-1 collision attacks, and the researchers estimate that such attacks will become reality at the end of 2015. They also created a dedicated web site humorously called The SHAppening.

Perhaps the call to deprecate the SHA-1 standard in 2017 in major web browsers seems belated and this event has to be accelerated.

United States

NSF Awards $74.5 Million To Support Interdisciplinary Cybersecurity Research (nsf.gov) 8

aarondubrow writes: The National Science Foundation announced $74.5 million in grants for basic research in cybersecurity. Among the awards are projects to understand and offer reliability to cryptocurrencies; invent technologies to broadly scan large swaths of the Internet and automate the detection and patching of vulnerabilities; and establish the science of censorship resistance by developing accurate models of the capabilities of censors. According to NSF, long-term support for fundamental cybersecurity research has resulted in public key encryption, software security bug detection, spam filtering and more.

Jimmy Wales and Former NSA Chief Ridicule Government Plans To Ban Encryption 175

Mickeycaskill writes: Jimmy Wales has said government leaders are "too late" to ban encryption which authorities say is thwarting attempts to protect the public from terrorism and other threats. The Wikipedia founder said any attempt would be "a moronic, very stupid thing to do" and predicted all major web traffic would be encrypted soon. Wikipedia itself has moved towards SSL encryption so all of its users' browsing habits cannot be spied on by intelligence agencies or governments. Indeed, he said the efforts by the likes of the NSA and GCHQ to spy on individuals have actually made it harder to implement mass-surveillance programs because of the public backlash against Edward Snowden's revelations and increased awareness of privacy. Wales also reiterated that his site would never co-operate with the Chinese government on the censorship of Wikipedia. "We've taken a strong stand that access to knowledge is a principle human right," he said. derekmead writes with news that Michael Hayden, the former head of the CIA and the NSA, thinks the US government should stop railing against encryption and should support strong crypto rather than asking for backdoors. The US is "better served by stronger encryption, rather than baking in weaker encryption," he said during a panel on Tuesday.

Newly Found TrueCrypt Flaw Allows Full System Compromise 106

itwbennett writes: James Forshaw, a member of Google's Project Zero team has found a pair of flaws in the discontinued encryption utility TrueCrypt that could allow attackers to obtain elevated privileges on a system if they have access to a limited user account. 'It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered,' writes Lucian Constantin.

How the FBI Hacks Around Encryption 91

Advocatus Diaboli writes with this story at The Intercept about how little encryption slows down law enforcement despite claims to the contrary. To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy. But that's just not true. In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it's called hacking.

Hacking — just like kicking down a door and looking through someone's stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant. And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects' devices. Doing so gives them the same access the suspects have to communications — before they've been encrypted, or after they've been unencrypted.

Edward SnowdenTalks Alien Communications With Neil deGrasse Tyson 142

An anonymous reader writes: Edward Snowden, the former contractor who leaked National Security Agency secrets publicly in 2013, is now getting attention for an odd subject: aliens. In a podcast interview with astrophysicist Neil deGrasse Tyson, Snowden suggested that alien communications might be encrypted so well that humans trying to eavesdrop on extraterrestrials would have no idea they were hearing anything but noise. There's only a small window in the development of communication in which unencrypted messages are the norm, Snowden said.
United States

Obama Administration Explored Ways To Bypass Smartphone Encryption 142

An anonymous reader writes: According to a story at The Washington Post, an Obama Administration working group considered four backdoors that tech companies could adopt to allow the government to break encrypted communications stored on phones of suspected terrorists or criminals. The group concluded that the solutions were "technically feasible," but they group feared blowback. "Any proposed solution almost certainly would quickly become a focal point for attacks. Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce 'backdoors' or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation," said the unclassified memo. You can read the draft paper on technical options here.

Chinese Researchers Propose Tor-Inspired Overhaul of Bitcoin 46

Patrick O'Neill writes: Although Bitcoin was never designed to be anonymous, many of its users have used it as if it were. Now, two prominent Chinese researchers are proposing a system that encrypts all new Bitcoin transactions layer by layer to beat network analysis that can unmask Bitcoin users. The new research is inspired by the Tor anonymity network. The researchers' paper is at arXiv. (Also covered by The Stack.)

Under Public Pressure, India Withdraws Draft Encryption Policy 35

An anonymous reader writes: The government of India withdrew its draft policy on encryption owing to public responses just a day after releasing the document. The Communications and Information Technology minister Ravi Shankar Prasad said — "I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded." While it is encouraging that the government recognized it mistake and withdrew, many fear that this is part of a larger problem when it comes to this government taking technology policy decisions. Recently, the government was in the dock for its lack of clarity on Net Neutrality.

India's Worrying Draft Encryption Policy 114

knwny writes: The government of India is working on a new National Encryption Policy the contents of which have raised a few alarms.Among other things, the policy states that citizens and businesses must save all encrypted messages (including personal or unofficial ones) and their plaintext copies for 90 days and make them available to law enforcement agencies as and when demanded. The policy also specifies that only the government of India shall define the algorithms and key sizes for encryption in India. The policy is posted on this website.

Book Review: Abusing the Internet of Things 26

New submitter sh0wstOpper writes: The topic of the Internet of Things (IoT) is gaining a lot of attention because we are seeing increasing amounts of "things", such as cars, door locks, baby monitors, etc, that are connected and accessible from the Internet. This increases the chances of someone being able to "attack" these devices remotely. The premise of Abusing the Internet of Things is that the distinction between our "online spaces" and our "physical spaces" will become harder to define since the connected objects supporting the IoT ecosystems will have access to both. Keep reading for the rest of sh0wstOpper's review.
United States

Spy Industry Leaders Befuddled Over 'Deep Cynicism' of American Public 403

New submitter autonomous_reader writes: Ars Technica has a story on this week's Intelligence & National Security Summit, where CIA Director John Brennan and FBI Director James Comey had a lot to say about the resistance of the American public to government cyber spying and anti-encryption efforts. Blaming resistance on "people who are trying to undermine" the intelligence mission of the NSA, CIA, and FBI, John Brennan explained it was all a "misunderstanding." Comey explained that "venom and deep cynicism" prevented rational debate of his campaign for cryptographic backdoors.

Xerox PARC Creates Self-Destructing Chip 96

angry tapir writes: Engineers at Xerox PARC have developed a chip that will self-destruct upon command, providing a potentially revolutionary tool for high-security applications. The chip, developed as part of DARPA's vanishing programmable resources project, could be used to store data such as encryption keys and, on command, shatter into thousands of pieces so small, reconstruction is impossible.

Ashley Madison's Passwords Cracked, Soon To Be Released 146

New submitter JustAnotherOldGuy writes with some news that might worry anyone caught up in the Ashley Madison data breach. ("Uh-oh," he says.) Now, besides any other possible repercussions of having one's name on the list of account holders, there's a new wrinkle. The passwords used to secure those accounts were theoretically robustly protected with bcrypt. However, as Ars Technica reports, That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two. This would matter much less if passwords weren't so frequently re-used.

Cryptographers Brace For Quantum Revolution 113

Tokolosh writes: An article in Scientific American discusses the actions needed to address the looming advent of quantum computing and its ability to crack current encryption schemes. Interesting tidbits from the article: "'I'm genuinely worried we're not going to be ready in time,' says Michele Mosca, co-founder of the Institute for Quantum Computing (IQC) at the University of Waterloo..." and "Intelligence agencies have also taken notice. On August 11, the US National Security Agency (NSA) revealed its intention to transition to quantum-resistant protocols when it released security recommendations to its vendors and clients." Another concern is "intercept now, decrypt later", which presumably refers to the giant facility in Utah.In related news, an anonymous reader points out that the NSA has updated a page on its website, announcing plans to shift the encryption of government and military data from current cryptographic schemes to new ones that can resist an attack by quantum computers.

TSA Luggage Lock Master Keys Are Compromised 220

An anonymous reader writes: As the FBI demand encryption master keys for Apple, Microsoft and Google made devices, photographs of the master keys for the TSA Travel Sentry suitcases have now been published in multiple places online (more links in later articles). Cory Doctorow points out this makes it much easier for thieves to open luggage undetectably, without leaving any signs of lock picking. Whilst many have argued that the locks aren't designed to provide real security, the most important thing is that this shows the risk of backdoors in security systems, especially since the TSA has not given any warning about this compromise, which seems to have occurred in 2014 or earlier.

Apple To FBI: Encryption Rules Out Handing Over iMessage Data In Real Time 306

Mark Wilson writes that Apple has balked at a court order to provide the FBI with the contents of text messages among users of its iMessage service, claiming that the encryption it uses to protect these messages makes handing over the messages themselves impossible. From the article: The Justice Department obtained a court order that required Apple to provide real time access to text messages sent between suspects in an investigation involving guns and drugs. Apple has responded by saying that the fact iMessage is encrypted means that it is simply not able to comply with the order. The stand-off between the US government and Apple could last for some time as neither side is willing — or possibly able — to back down.

Law Professor: Tech Companies Are Our Best Hope At Resisting Surveillance 115

An anonymous reader writes: Fusion has an op-ed where Ryan Calo, Assistant Professor of Law at the University of Washington, argues Google, Apple, and Microsoft pushing back against government surveillance may be our only real hope for privacy. He writes: "Both Google and Yahoo have announced that they are working on end-to-end encryption in email. Facebook established its service on a Tor hidden services site, so that users can access the social network without being monitored by those with access to network traffic. Outside of product design, Twitter, Facebook and Microsoft have sent their formidable legal teams to court to block or narrow requests for user information. Encryption tools have traditionally been unwieldy and difficult to use; massive companies turning their attention to better and simpler design, and use by default, could be a game changer. Privacy will no longer be accessible only to tech-savvy users, and it will mean that those who do use encryption will no longer stick out like sore thumbs, their rare use of hard-to-use tools making them a target."

Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure 109

itwbennett writes: Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user's mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices, according to a white paper released Tuesday. Rapid7 reported the issues it found to the affected manufacturers and to US-CERT back in July, but many vulnerabilities remain unpatched.