Encryption

Mark Zuckerberg Says WhatsApp 'Far More Private and Secure' than iMessage (facebook.com)

Mark Zuckerberg, writing in a Facebook post: WhatsApp is far more private and secure than iMessage, with end-to-end encryption that works across both iPhones and Android, including group chats. With WhatsApp you can also set all new chats to disappear with the tap of a button. And last year we introduced end-to-end encrypted backups too. All of which iMessage still doesn't have.
EU

Europe Plans to Launch a Quantum Encryption Satellite for Ultrasecure Communications in 2024 (space.com)

"Europe is aiming to launch a technology demonstration satellite for secure, quantum-encrypted communications in 2024," reports Space.com, "with a view to developing a larger constellation." The satellite, Eagle-1, will be the first space-based quantum key distribution (QKD) system for the European Union and could lead to an ultrasecure communications network for Europe, according to a statement from the European Space Agency (ESA).

Eagle-1 will spend three years in orbit testing the technologies needed for a new generation of secure communications. The satellite will demonstrate the "feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system," according to ESA...

"European security and sovereignty in a future world of quantum computing is critical to the success of Europe and its Member States," Steve Collar, CEO of SES, said in the statement. He added that the goal is "to advance quantum communications and develop the Eagle-1 system to support secure and sovereign European networks of the future."

SES will be leading a consortium of more than 20 European countries, according to the ESA's statement: Eagle-1 will demonstrate the feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system. To do so, the system will build on key technologies developed under ESA's Scylight programme, with the aim of validating vital components supplied within the EU....

It will allow the EU to prepare for a sovereign, autonomous cross-border quantum secure communications network.

The system will initially use an upgraded optical ground terminal from the German Aerospace Centre (DLR) alongside a new optical ground terminal to be developed by a team from the Netherlands. The Eagle-1 platform satellite from Italian company Sitael will carry a quantum-key payload built by Tesat Spacecom of Germany and will be operated by Luxembourg-headquartered SES.

Encryption

Microsoft Office 365 Vulnerability Could Allow Sidestepping of Email Encryption (venturebeat.com)

"A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption," reports VentureBeat. "The flaw enables a hacker to infer the contents of encrypted messages." OME uses the electronic codebook (ECB) block cipher, which leaks structural information about the message. This means if an attacker obtains many emails they can infer the contents of the messages by analyzing the location and frequency of patterns in the messages and matching these to other emails. For enterprises, this highlights that just because your emails are encrypted, doesn't mean they're safe from threat actors. If someone steals your email archives or backups, and accesses your email server, they can use this technique to sidestep the encryption.

The discovery comes shortly after researchers discovered hackers were chaining two new zero-day Exchange exploits to target Microsoft Exchange servers.

WithSecure originally shared its discovery of the Office 365 vulnerability with Microsoft in January 2022. Microsoft acknowledged it and paid the researcher through its vulnerability reward program, but hasn't issued a fix.

Software

VirtualBox 7.0 Adds First ARM Mac Client, Full Encryption, Windows 11 TPM (arstechnica.com)

Nearly four years after its last major release, VirtualBox 7.0 arrives with a... host of new features. Chief among them are Windows 11 support via TPM, EFI Secure Boot support, full encryption for virtual machines, and a few Linux niceties. From a report: The big news is support for Secure Boot and TPM 1.2 and 2.0, which makes it easier to install Windows 11 without registry hacks (the kind Oracle recommended for 6.1 users). It's strange to think about people unable to satisfy Windows 11's security requirements on their physical hardware, but doing so with a couple clicks in VirtualBox, but here we are. VirtualBox 7.0 also allows virtual machines to run with full encryption, not just inside the guest OS -- but logs, saved states, and other files connected to the VM. At the moment, this support only works through the command line, "for now," Oracle notes in the changelog.

This is the first official VirtualBox release with a Developer Preview for ARM-based Macs. Having loaded it on an M2 MacBook Air, I can report that the VirtualBox client informs you, extensively and consistently, about the non-production nature of your client. The changelog notes that it's an "unsupported work in progress" that is "known to have very modest performance." A "Beta Warning" shows up in the (new and unified) message center, and in the upper-right corner, a "BETA" warning on the window frame is stacked on top of a construction-style "Dev Preview" warning sign. It's still true that ARM-based Macs don't allow for running operating systems written for Intel or AMD-based processors inside virtual machines. You will, however, be able to run ARM-based Linux installations in macOS Ventura that can themselves run x86 processors using Rosetta, Apple's own translation layer.

Security

Signal To Phase Out SMS Support From the Android App

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.
Bitcoin

Crypto and Payments Firm MobileCoin Launches Stablecoin -- 'Electronic Dollars' (coindesk.com)

Privacy-focused cryptocurrency and payments firm MobileCoin, in collaboration with stablecoin platform Reserve, has launched a stablecoin dubbed "Electronic Dollars" (eUSD). CoinDesk reports: According to MobileCoin, eUSD is backed by a basket of other stablecoins, namely, USD coin (USDC), Pax dollar (USDP) and trueUSD (TUSD). Each transaction is said to be encrypted using end-to-end zero-knowledge encryption. In other words, only the transacting parties can see their own transactional data, thanks to encryption that uses zero knowledge proofs (a way of proving something without revealing sensitive information). The stablecoin eUSD is built on the MobileCoin blockchain, which, according to MobileCoin, is optimized for mobile devices. Apparently, MobileCoin was originally designed for integration with encrypted mobile messaging app, Signal. Consequently, eUSD will inherit the features of MobileCoin's native cryptocurrency, MOB, although eUSD users will pay transaction fees (a flat $0.0026 per transaction) in eUSD and not MOB.

The eUSD relies on what seems to be a centralized governance structure where the MobileCoin Foundation acts as the primary governing body. The foundation elects "governors" who are authorized to mint and burn eUSD. The stablecoin's collateral is held in a popular Ethereum multisignature (multisig) wallet called Safe (formerly "Gnosis Safe"). New eUSD is only minted after governors confirm an equivalent amount of collateral has been transferred to the Safe wallet. "Anybody can inspect the contract holding this basket [of collateral], to see what the current balances are. It's a Gnosis safe, which is also one of the most highly regarded contracts on Ethereum for holding assets," Henry Holtzman, MobileCoin's chief innovation officer explained during an interview with CoinDesk.

Similarly, if a user redeems eUSD, the token is "verifiably burned" and governors release the corresponding collateral. Verifiable burning is when burned eUSD is sent to a "burn address" that renders it "visible" for transparency purposes, "but unspendable." However, everyday users won't typically engage in burning and minting. An individual seeking eUSD would simply purchase it on an exchange. Approved liquidity providers (LPs) would be the ones minting large amounts of eUSD.
"To our knowledge, no project has created a native stablecoin with privacy properties, which is a first-class citizen in the ecosystem, and which never requires the use of 'non-private' transaction technologies to use normally. In short, no one has yet actually created a private digital dollar," MobileCoin stated in the eUSD white paper.

Holtzman said that eUSD uses a "reserve-auditor" program that "connects to the Safe wallet via an application programming interface (API) and verifies that each newly minted eUSD has a corresponding amount of collateral in the wallet." Holtzman added: "We'll release it all open source. So if you want to run your own copy [of the reserve auditor], you can. You can examine it to make sure we really are backed exactly as we claim," Holtzman told CoinDesk.
Encryption

VPN, Tor Use Increases in Iran After Internet 'Curfews' (cnbc.com)

Iran's government is trying to limit internet access, reports CNBC — while Iranians are trying a variety of technologies to bypass the blocks: Outages first started hitting Iran's telecommunications networks on September 19, according to data from internet monitoring companies Cloudflare and NetBlocks, and have been ongoing for the last two and a half weeks. Internet monitoring groups and digital rights activists say they're seeing "curfew-style" network disruptions every day, with access being throttled from around 4 p.m. local time until well into the night. Tehran blocked access to WhatsApp and Instagram, two of the last remaining uncensored social media services in Iran. Twitter, Facebook, YouTube and several other platforms have been banned for years.

As a result, Iranians have flocked to VPNs, services that encrypt and reroute their traffic to a remote server elsewhere in the world to conceal their online activity. This has allowed them to restore connections to restricted websites and apps. On September 22, a day after WhatsApp and Instagram were banned, demand for VPN services skyrocketed 2,164% compared to the 28 days prior, according to figures from Top10VPN, a VPN reviews and research site. By September 26, demand peaked at 3,082% above average, and it has continued to remain high since, at 1,991% above normal levels, Top10VPN said....

Mahsa Alimardani, a researcher at free speech campaign group Article 19, said a contact she's been communicating with in Iran showed his network failing to connect to Google, despite having installed a VPN. "This is new refined deep packet inspection technology that they've developed to make the network extremely unreliable," she said. Such technology allows internet service providers and governments to monitor and block data on a network. Authorities are being much more aggressive in seeking to thwart new VPN connections, she added....

VPNs aren't the only techniques citizens can use to circumvent internet censorship. Volunteers are setting up so-called Snowflake proxy servers, or "proxies," on their browsers to allow Iranians access to Tor — software that routes traffic through a "relay" network around the world to obfuscate their activity.

China

China Upgrades Great Firewall To Defeat Censor-Beating TLS Tools (theregister.com)

Great Firewall Report (GFW), an organization that monitors and reports on China's censorship efforts, has this week posted a pair of assessments indicating a crackdown on TLS encryption-based tools used to evade the Firewall. The Register reports: The group's latest post opens with the observation that starting on October 3, "more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC." Trojan is a tool that promises it can leap over the Great Firewall using TLS encryption. Xray, V2ray and VLESS are VPN-like internet tunneling and privacy tools. It's unclear what the reference to gRPC describes -- but it is probably a reference to using the gRPC Remote Procedure Call (RPC) framework to authenticate client connections to VPN servers.

GFW's analysis of this incident is that "blocking is done by blocking the specific port that the circumvention services listen on. When the user changes the blocked port to a non-blocked port and keeps using the circumvention tools, the entire IP addresses may get blocked." Interestingly, domain names used with these tools are not added to the Great Firewall's DNS or SNI blacklists, and blocking seems to be automatic and dynamic. "Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools," the organization asserts. An alternative circumvention tool, naiveproxy, appears not to be impacted by these changes.
"It's not hard to guess why China might have chosen this moment to upgrade the Great Firewall: the 20th National Congress of the Chinese Communist Party kicks off next week," notes the Register. "The event is a five-yearly set piece at which Xi Jinping is set to be granted an unprecedented third five-year term as president of China."
Security

High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild.
People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.

"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."
Encryption

NYPD Considers Using Encryption To Block Public From Radio Scanner Broadcasts (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: The NYPD says it wants to reimagine its current police communication system and transition to encrypted messages by 2024, according to a recent amNY report confirmed by Gizmodo. While law enforcement has spent years fighting to make encryption less accessible for everyday people, police think they need a little more privacy. Critics worry a turn towards encryption by law enforcement could reduce transparency, hamstring the news media, and potentially jeopardize the safety of protestors looking to stay a step ahead.

According to amNY, the NYPD's new plan would allow law enforcement officers discretion on whether or not to publicly disclose newsworthy incidents. That means the NYPD essentially would get to dictate the truth unchallenged in a number of potentially sensitive local stories. The report suggests police are floating the idea of letting members of the news media monitor certain radio transmissions through an NYPD-controlled mobile app. There's a catch though. According to the report, the app would send radio information with a delay. Users may also have to pay a subscription fee to use the service, the paper said.

The NYPD confirmed it's planning a "systems upgrade" in the coming years in an email to Gizmodo. "The NYPD is undergoing a systems upgrade that is underway and that will be complete after 2024," a spokesperson for the Deputy Commissioner of Public Information said. "This infrastructure upgrade allows the NYPD to transmit in either an encrypted or non-encrypted format," the NYPD said. "Some parts of the city have had the necessary equipment installed and the Department will begin testing the technology in these areas later this year. We are currently evaluating encryption best practices and will communicate new policies and procedures as we roll out this upgraded technology." The spokesperson claimed the department intends to listen to and consider the needs of the news media during the transition process.
"The entire public safety news coverage system depends on scanners, and if scanners and scanner traffic are no longer available to newsrooms then news reporting about crime, fire -- it's going to be very hit or miss," CaliforniansAware General Counsel Terry Francke told the Reporters Committee in a blog post.

"Cutting off the media from getting emergency transmissions represents the clearest regression of the NYPD policy of transparency in its history," New York Press Photographers Association President Bruce Cotler said in an interview with amNY. "We believe shutting down radio transmissions is a danger to the public and to the right of the public to know about important events."

Gizmodo notes that New York joins a growing list of cities considering encrypting radio communications. "Denver, Baltimore, Virginia Beach, Sioux City, Iowa, and Racine, Wisconsin have all moved to implement the technology in recent years."
Encryption

UK Online Safety Bill Threatens Security, WhatsApp Chief Warns (ft.com)

The head of WhatsApp has warned UK ministers that moves to undermine encryption in a relaunched online safety bill would threaten the security of the government's own communications and embolden authoritarian regimes. From a report: In an interview with the Financial Times, Will Cathcart, who runs the Meta-owned messaging app, insisted that alternative techniques were available to protect children using WhatsApp, without having to abandon the underlying security technology that safeguards its more than 2bn users. The UK's bill, which the government argues will make the internet safer, has become a focus of global debate over whether companies such as Google, Meta and Twitter should be forced to proactively scan and remove harmful content on their networks.

Tech companies claim it is not technically possible for encrypted messaging apps to scan for material such as child pornography without undermining the security of the entire network, which prevents anyone -- including platform operators -- from reading users' messages. Cathcart said the UK's ultimate position on the issue would have a global impact. "If the UK decides that it is OK for a government to get rid of encryption, there are governments all around the world that will do exactly the same thing, where liberal democracy is not as strong, where there are different concerns that really implicate deep-seated human rights," he said, citing Hong Kong as a potential example.

Data Storage

Morgan Stanley Hard Drives With Client Data Turn Up On Auction Site (nytimes.com)

An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. described what it called Morgan Stanley's "extensive failures," over a five-year period beginning in 2015, to safeguard customer information, in part by not properly disposing of hard drives and servers that ended up for sale on an internet auction site.

On several occasions, the commission said, Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal information of millions of its customers. The moving company then sold thousands of the devices to a third party, and the devices were then resold on an unnamed internet auction site, the commission said. An information technology consultant in Oklahoma who bought some of the hard drives on the internet chastised Morgan Stanley after he found that he could still access the firm's data on those devices.

Morgan Stanley is "a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware," the consultant wrote in an email to Morgan Stanley in October 2017, according to the S.E.C. The firm should, at a minimum, get "some kind of verification of data destruction from the vendors you sell equipment to," the consultant wrote, according to the S.E.C. Morgan Stanley eventually bought the hard drives back from the consultant. Morgan Stanley also recovered some of the other devices that it had improperly discarded, but has not recovered the "vast majority" of them, the commission said.
The settlement also notes that Morgan Stanley "had not properly disposed of consumer report information when it decommissioned servers from local offices and branches as part of a 'hardware refresh program' in 2019," reports the Times. "Morgan Stanley later learned that the devices had been equipped with encryption capability, but that it had failed to activate the encryption software for years, the commission said."
Censorship

Do America's Free-Speech Protections Protect Code - and Prevent Cryptocurrency Regulation? (marketplace.org)

The short answers are "yes" and "no." America's Constitution prohibits government intervention into public expression, reports the business-news radio show Marketplace, protecting free speech and expression "through, for example.... writing, protesting and coding languages like JavaScript, HTML, Python and Perl."

Specifically protecting code started with the 1995 case of cryptographer Daniel Bernstein, who challenged America's "export controls" on encryption (which regulated it like a weapon). But they also spoke to technology lawyer Kendra Albert, a clinical instructor at Harvard Law School's Cyberlaw Clinic, about the specific parameters of how America protects code as a form of expression: Albert: I think that the reality was that the position that code was a form of expression is in fact supported by a long history of First Amendment law. And that it, you know, is very consistent with how we see the First Amendment interpreted across a variety of contexts.... [O]ne of the questions courts ask is whether a regulation or legislation or a government action is specifically targeting speech, or whether the restrictions on speech are incidental, but not the overall intention. And that's actually one of the places you see kind of a lot of these difficulties around code as speech. The nature of many kinds of regulation may mean that they restrict code because of the things that particular forms of software code do in the world. But they weren't specifically meant to restrict the expressive conduct. And courts end up then having to sort of go through a test that was originally developed in the context of someone burning a draft card to figure out — OK, is this regulation, is the burden that it has on this form of expressive speech so significant that we can't regulate in this way? Or is this just not the focus, and the fact that there are some restrictions on speech as a result of the government attempting to regulate something else should not be the focus of the analysis?

Q: Congress and federal agencies as well as some states are looking to tighten regulations around cryptocurrencies and blockchain technology. What role do you think the idea of code as speech will play in this environment moving forward?

Albert: The reality is that the First Amendment is not a total bar to regulation of speech. It requires the government meet a higher standard for regulating certain kinds of speech. That runs, to some extent, in conflict with how people imagine what "code is speech" does as sort of a total restriction on the regulation of software, of code, because it has expressive content. It just means that we treat code similarly to how we treat other forms of expression, and that the government can regulate them under certain circumstances.

Security

Trojanized Version of PuTTY Distributed By Fake Amazon Job Phishers on WhatsApp (mandiant.com)

The makers of the secure telnet client PuTTY also sell a service monitoring company security services — and this July Mandiant Managed Defense "identified a novel spear phish methodology," according to a post on the company's blog: [The threat cluster] established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.... This activity was identified by our Mandiant Intelligence: Staging Directories mission, which searches for anomalous files written to directories commonly used by threat actors....

The amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe.... [T]he PuTTY.exe binary in the malicious archive does not have a digital signature. The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version. Sections like these are typically indicative of packed or encrypted data. The suspicious nature of the PuTTY.exe embedded in the ISO file prompted Managed Defense to perform a deeper investigation on the host and the file itself.

The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host.

"The executable embedded in each ISO file is a fully functional PuTTY application compiled using publicly available PuTTY version 0.77 source code," the blog post points out.

Ars Technica notes that Mandiant's researchers believe it's being pushed by groups with ties to North Korea: The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government. The US Cybersecurity and Infrastructure Security Agency has a description here. Japan's community emergency response team has this description of the backdoor, which is also tracked as BLINDINGCAN.
Security

Iranians Hacked US Companies, Sent Ransom Demands To Printers, Indictment Says (arstechnica.com)

Three Iranian nationals charged with hacking into US-based computer networks sent ransom demands to the printers of at least some of their victims, according to an indictment unsealed today. The ransom demands allegedly sought payments in exchange for BitLocker decryption keys that the victims could use to regain access to their data. The three defendants remain at large and outside the US, the DOJ said. From a report: "The defendants' hacking campaign exploited known vulnerabilities in commonly used network devices and software applications to gain access and exfiltrate data and information from victims' computer systems," the US Department of Justice said in a press release. Defendants Mansour Ahmadi, Ahmad Khatibi, Amir Hossein Nickaein, "and others also conducted encryption attacks against victims' computer systems, denying victims access to their systems and data unless a ransom payment was made." The indictment in US District Court for the District of New Jersey describes a few incidents in which ransom demands were sent to printers on hacked networks. In one case, a printed message sent to an accounting firm allegedly said, "We will sell your data if you decide not to pay or try to recover them." In another incident, the indictment said a Pennsylvania-based domestic violence shelter hacked in December 2021 received a message on its printers that said, "Hi. Do not take any action for recovery. Your files may be corrupted and not recoverable. Just contact us."
Electronic Frontier Foundation

Peter Eckersley, Co-Creator of Let's Encrypt, Dies at 43 (sophos.com)

Seven years ago, Slashdot reader #66,542 announced "Panopticlick 2.0," a site showing how your web browser handles trackers.

But it was just one of the many privacy-protecting projects Peter Eckersley worked on, as a staff technologist at the EFF for more than a decade. Eckersley also co-created Let's Encrypt, which today is used by hundreds of millions of people.

Friday the EFF's director of cybersecurity announced the sudden death of Eckersley at age 43. "If you have ever used Let's Encrypt or Certbot or you enjoy the fact that transport layer encryption on the web is so ubiquitous it's nearly invisible, you have him to thank for it," the announcement says. "Raise a glass."

Peter Eckersley's web site is still online, touting "impactful privacy and cybersecurity projects" that he co-created, including not just Let's Encrypt, Certbot, and Panopticlick, but also Privacy Badger and HTTPS Everywhere. And in addition, "During the COVID-19 pandemic he convened the stop-covid.tech group, advising many groups working on privacy-preserving digital contact tracing and exposure notification, assisting with several strategy plans for COVID mitigation." You can also still find Peter Eckersley's GitHub repositories online.

But Peter "had apparently revealed recently that he had been diagnosed with cancer," according to a tribute posted online by security company Sophos, noting his impact is all around us: If you click on the padlock in your browser [2022-09-0T22:37:00Z], you'll see that this site, like our sister blog site Sophos News, uses a web certificate that's vouched for by Let's Encrypt, now a well-established Certificate Authority (CA). Let's Encrypt, as a CA, signs TLS cryptographic certificates for free on behalf of bloggers, website owners, mail providers, cloud servers, messaging services...anyone, in fact, who needs or wants a vouched-for encryption certificate, subject to some easy-to-follow terms and conditions....

Let's Encrypt wasn't the first effort to try to build a free-as-in-freedom and free-as-in-beer infrastructure for online encryption certificates, but the Let's Encrypt team was the first to build a free certificate signing system that was simple, scalable and solid. As a result, the Let's Encrypt project was soon able to gain the trust of the browser making community, to the point of quickly getting accepted as an approved certificate signer (a trusted-by-default root CA, in the jargon) by most mainstream browsers....

In recent years, Peter founded the AI Objectives Institute, with the aim of ensuring that we pick the right social and economic problems to solve with AI:

"We often pay more attention to how those goals are to be achieved than to what those goals should be in the first place. At the AI Objectives Institute, our goal is better goals."

Australia

14-Year-Old Cracks Australian Coin's Code - in One Hour (abc.net.au) 58

So Australia's foreign intelligence cybersecurity agency marked its 75th anniversary by collaborating with the Australian mint to release a special commemorative coin with a four-layer secret code. The agency's director even said that if someone cracked all four layers of the code, "maybe they'll apply for a job."

A 14-year-old boy cracked their code "in just over an hour." Australia's national broadcaster reports: The ASD said the coin's four different layers of encryption were each progressively harder to solve, and clues could be found on both sides — but ASD director-general Rachel Noble said in a speech at the Lowy Institute on Friday that the 14-year-old managed it in just over an hour.... "Just unbelievable. Can you imagine being his mum?

"So we're hoping to meet him soon ... to recruit him...."

She also revealed on Friday that there was a fifth level of encryption on the coin which no one had broken yet.

Australia

Royal Australian Mint Releases Coin With Code-Breaking Challenge In the Design (abc.net.au) 41

New submitter IsThisNickNameUsed writes: The Australian Mint has released a coin in partnership with the Australian Signals Directorate (ASD) that has incorporated a code-breaking challenge in the design. The coin is to mark the 75th anniversary of the spy agency and incorporates a code with four layers of encryption -- each layer progressively harder to solve. "We thought this was a really fun way to engage people in code-breaking with the hope that, if they make it through all four levels of coding on the coin, maybe they'll apply for a job at the Australian Signals Directorate," said ASD director-general Rachel Noble.

Fitting the codes on the faces of the coin was a complex process, she said. "Ensuring people could see the code to decrypt it was one of the challenges our people were able to solve with ASD, to create a unique and special product."

Ms Noble said that while there were no classified messages on the coin, those who crack the codes could discover "some wonderful, uplifting messages." "Like the early code breakers in ASD, you can get through some of the layers with but a pencil and paper but, right towards the end, you may need a computer to solve the last level," she said.

UPDATE: A 14-year-old boy cracked the code "in just over an hour."
Encryption

Major VPN Services Shut Down In India Over Anti-Privacy Law (9to5mac.com) 9

"Major VPN services have shut down service in India, as there is no way to comply with a new law without breaching their own privacy protection standards," reports 9to5Mac. "The law also applies to iCloud Private Relay, but Apple has not yet commented on its own plans." The Wall Street Journal reports: Major global providers of virtual private networks, which let internet users shield their identities online, are shutting down their servers in India to protest new government rules they say threaten their customers' privacy [...] Such rules are "typically introduced by authoritarian governments in order to gain more control over their citizens," said a spokeswoman for Nord Security, provider of NordVPN, which has stopped operating its servers in India. "If democracies follow the same path, it has the potential to affect people's privacy as well as their freedom of speech," she said [...]

Other VPN services that have stopped operating servers in India in recent months are some of the world's best known. They include U.S.-based Private Internet Access and IPVanish, Canada-based TunnelBear, British Virgin Islands-based ExpressVPN, and Lithuania-based Surfshark. ExpressVPN said it "refuses to participate in the Indian government's attempts to limit internet freedom." The government's move "severely undermines the online privacy of Indian residents," Private Internet Access said.
"Customers in India will be able to connect to VPN servers in other countries," adds 9to5Mac. "This is the same approach taken in Russia and China, where operating servers within those countries would require VPN companies to comply with similar legislation."

"Cloud storage services are also subjected to the new rules, though there would be little practical impact on Apple here. iCloud does not use end-to-end encryption, meaning that Apple holds a copy of your decryption key, and can therefore already comply with government demands for information."
Privacy

Streaming Service Crunchyroll Blocks Privacy-Focused Email Tutanota Because 'Hackers Use It' (itsfoss.com) 43

The end-to-end encrypted email service Tutanota says it is receiving reports that Crunchyroll is not allowing the use of Tutanota email addresses when signing up for its service. After contacting Crunchyroll's team to ask that its domains be unblocked, Tutanota received the following response: "The ban of your domains is because we encountered a lot of hackers that used your domains emails to hack our accounts." From a report: In other words, Crunchyroll believes that many hackers used Tutanota domain emails to hack their accounts, which is why they banned Tutanota from their list. Moreover, they recommend that users use email accounts powered by "Big Tech" companies for hassle-free sign up to their services. This is not entirely a new phenomenon, notes It's FOSS. "DeviantArt actively blocked Proton Mail in the past because spammers used the platform to create accounts. Now, they have unblocked them."

Tutanota recently called out Microsoft for blocking Tutanota users from registering an account with its cloud-based collaboration platform, Teams.
