Encryption

Hackers Are Stealing Data Today So Quantum Computers Can Crack It In a Decade (technologyreview.com) 75

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now.

Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...].

As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

Businesses

Zoom is Testing Showing Ads To Free Users (theverge.com) 49

Zoom is piloting showing ads to users on its free "Basic" tier, the company has announced in a blog post. From a report: Ads will appear on the browser page shown to users at the end of a call. Zoom says ads are being rolled out to free users in "certain countries," though its blog post doesn't detail exactly which these are. Users on the service's Basic tier will only see ads if they join a meeting hosted by another Basic tier user. Although ads won't be shown during meetings themselves, it's still a potentially big shift for the videoconferencing service. Zoom has typically imposed only minor restrictions on its free tier, which helped the service explode in popularity last year as people around the world adapted to working and socializing from home. Even its end-to-end encryption, which Zoom initially said would be limited to paid users, ended up coming to free users after all.
Encryption

Hive Ransomware Now Encrypts Linux and FreeBSD Systems (bleepingcomputer.com) 26

Hive, a ransomware group that has hit over 30 organizations since June 2021, now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. BleepingComputer reports: However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality. The Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path. It also comes with support for a single command line parameter (-no-wipe). In contrast, Hive's Windows ransomware comes with up to 5 execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files. The ransomware's Linux version also fails to trigger the encryption if executed without root privileges because it attempts to drop the ransom note on compromised devices' root file systems.
Technology

Amazon Joins Race for Quantum Computer With New Caltech Center (washingtonpost.com) 16

Amazon is officially entering the race to develop a quantum computer, joining U.S. and Chinese rivals in the quest to harness the properties of nature's tiniest particles into computing power far surpassing existing machines. From a report: Amazon will base its quantum team at a new center on the campus of Caltech in Pasadena, Calif., which officially opens this week. Caltech described it as the first "corporate-partnership building" on the university's campus, showing "Caltech's interests in bringing fundamental science to the marketplace." The investment reflects growing corporate interest in quantum computers, which are still at an early stage of development but could someday crack problems that existing computers can't, such as identifying new materials to capture and remove carbon dioxide from the atmosphere, or new chemical compounds to treat intractable diseases. In the defense sphere, some scientists believe quantum computers might someday be able to break existing forms of encryption, making them a hot development priority for the United States, China and other nations.
Electronic Frontier Foundation

EFF Board of Directors Removes 76-Year-Old John Gilmore (eff.org) 243

76-year-old John Gilmore co-founded the EFF in 1990, and in the 31 years since he's "provided leadership and guidance on many of the most important digital rights issues we advocate for today," the EFF said in a statement Friday.

"But in recent years, we have not seen eye-to-eye on how to best communicate and work together," they add, announcing "we have been unable to agree on a way forward with Gilmore in a governance role." That is why the EFF Board of Directors has recently made the difficult decision to vote to remove Gilmore from the Board.

We are deeply grateful for the many years Gilmore gave to EFF as a leader and advocate, and the Board has elected him to the role of Board Member Emeritus moving forward. "I am so proud of the impact that EFF has had in retaining and expanding individual rights and freedoms as the world has adapted to major technological changes," Gilmore said. "My departure will leave a strong board and an even stronger staff who care deeply about these issues."

John Gilmore co-founded EFF in 1990 alongside John Perry Barlow, Steve Wozniak and Mitch Kapor, and provided significant financial support critical to the organization's survival and growth over many years. Since then, Gilmore has worked closely with EFF's staff, board, and lawyers on privacy, free speech, security, encryption, and more. In the 1990s, Gilmore found the government documents that confirmed the First Amendment problem with the government's export controls over encryption, and helped initiate the filing of Bernstein v DOJ, which resulted in a court ruling that software source code was speech protected by the First Amendment and the government's regulations preventing its publication were unconstitutional. The decision made it legal in 1999 for web browsers, websites, and software like PGP and Signal to use the encryption of their choice.

Gilmore also led EFF's effort to design and build the DES Cracker, which was regarded as a fundamental breakthrough in how we evaluate computer security and the public policies that control its use. At the time, the 1970s Data Encryption Standard (DES) was embedded in ATM machines and banking networks, as well as in popular software around the world. U.S. government officials proclaimed that DES was secure, while secretly being able to wiretap it themselves. The EFF DES Cracker publicly showed that DES was in fact so weak that it could be broken in one week with an investment of less than $350,000. This catalyzed the international creation and adoption of the much stronger Advanced Encryption Standard (AES), now widely used to secure information worldwide....

EFF has always valued and appreciated Gilmore's opinions, even when we disagree. It is no overstatement to say that EFF would not exist without him. We look forward to continuing to benefit from his institutional knowledge and guidance in his new role of Board Member Emeritus.

Gilmore also created the alt* hierarchy on Usenet, co-founded the Cypherpunks mailing list, and was one of the founders of Cygnus Solutions (according to his page on Wikipedia).

He's also apparently Slashdot user #35,813 (though he hasn't posted a comment since 2004).
Government

Governments Turn Tables On Ransomware Gang REvil By Pushing It Offline (reuters.com) 20

An anonymous reader shares a report from Reuters: The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official. Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil's direct victims include top meatpacker JBS. The crime group's "Happy Blog" website, which had been used to leak victim data and extort companies, is no longer available. Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.

VMWare head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies. "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was top of the list." [...] U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company Kaseya in July. That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls. Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. But law enforcement officials initially withheld the key for weeks as it quietly pursued REvil's staff, the FBI later acknowledged. According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.

After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet. When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement. "The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them." Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept unconnected from the main networks or they too can be encrypted by extortionists such as REvil.

Cloud

Is It Time to Stop Paying For a VPN? (bdnews24.com) 113

"I'm done with paying for a virtual private network," writes the New York Times' lead consumer technology writer. [Alternate URLs here and here.] The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said.

Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records. That's a deal-breaker when it comes to using a VPN service, which intercepts our internet traffic. If you can't trust a product that claims to protect your privacy, what good is it? "Trusting these people is really critical," Matthew Green, a computer scientist who studies encryption, said about VPN providers. "There's no good way to know what they're doing with your data, which they have huge amounts of control over...."

As a mainstream privacy tool, it's no longer an ideal solution. This sent me down a rabbit hole of seeking alternatives to paying for a VPN. I ended up using some web tools to create my own private network [on the cloud] for free, which wasn't easy... Not only is it free to use, but I no longer have to worry about trust because the operator of the technology is me.

"But I also learned that many casual users may not even need a VPN anymore," the article concludes. (Unless you're living in an authoritarian country and trying to reach information beyond its firewall.) One cybersecurity firm tells the Times that journalists with sensitive contacts or business executives carrying trade secrets might also still benefit from a VPN. But (according to the firm) the rest of us can just try two-factor authentication and keeping all of our software up-to-date. (And if you'd rather not use a public wifi network — use your phone as a mobile hot spot.)

The article also notes that 95% of the top 1,000 websites are now already encrypted with HTTPS, according to W3Techs.

It also points out that one VPN company accused of developing malware nonetheless spent close to a billion dollars to buy at least four other VPN services — and then also bought several VPN review sites, which then give top ratings to VPN services it owns...
GNU is Not Unix

FSF Warns Windows 11 'Deprives Users of Freedom and Digital Autonomy' (fsf.org) 121

"October 5 marks the official release of Windows 11, a new version of the operating system that doesn't do anything at all to counteract Windows' long history of depriving users of freedom and digital autonomy," writes Free Software Foundation campaigns manager Greg Farough.

"While we might have been encouraged by Microsoft's vague, aspirational slogans about community and togetherness, Windows 11 takes important steps in the wrong direction when it comes to user freedom." Microsoft claims that "life's better together" in their advertising for this latest Windows version, but when it comes to technology, there is no surer way of keeping users divided and powerless than nonfree software: choosing to create an unjust power structure, in which a developer knowingly keeps users powerless and dependent by withholding information. Increasingly, this involves not only withholding the source code itself, but even basic information on how the software works: what it's really doing, what it's collecting, and how often it's snitching on users. "Snitching" may sound dramatic, but Windows 11 will now require a Microsoft account to be connected to every user account, granting them the ability to correlate user behavior with one's personal identity. Even those who think they have nothing to hide should be wary of sharing potentially all of their computing activity with any company, much less one with a track record of abuse like Microsoft...

We expect Microsoft to use its tighter control on cryptography that happens in Windows as a way to impose more severe Digital Restrictions Management (DRM) onto media and applications, and as a way to ensure that no application can run in Windows without Microsoft's approval. In cases like these, it's no longer appropriate to call a machine running Windows a "personal" computer, as it obeys Microsoft more than it does its user. Indeed, it's bitterly ironic that Microsoft is calling the program that verifies a system's compatibility with Windows 11 a "PC Health Check." We counter that a healthy PC is one that respects its user's wishes, runs free software, and doesn't purposefully restrict them through treacherous computing. It would also never send the user's encryption keys back to its corporate overlords. Intrepid users will likely find a way around this requirement, yet it doesn't change the fact that the majority of Windows users will be forced into a treacherous computing scheme...

Sometimes, Microsoft realizes that it can't be quite so overtly antisocial. We've commented many times before on the hypocrisy involved in saying that Microsoft "loves open source" and "loves Linux," two ways of mentioning free software without reference to freedom. At the same time, Microsoft employees do make contributions to free software, contributions which benefit many others. Yet they do not extend this philosophy to their operating system, and in the last few years, they've made an attempt to impair the ways free software makes "life better together" further by making critical functions of Microsoft GitHub rely on nonfree JavaScript and directing users toward Service as a Software Substitute (SaaSS) platforms. By attacking user freedom through Windows, and the free software community directly by means of nonfree JavaScript, Microsoft proves that it has no plans to loosen its grip on users.

No program that you're forbidden to copy, modify, or share can truly bring people "together" in the way that Microsoft claims.

Thankfully, and right outside the window, there's a true community of users you and your loved ones can join...

Let's stop falling for the trap of chasing short-term, superficial improvements in proprietary software that may seem to make life better, and instead opt for free software, the only software that can support the best versions of ourselves.

The post urges readers to sign (or renew!) their pledge not to use Windows and to help a friend install GNU/Linux, "sending Microsoft the strong message that software that subjugates its users has no place in Windows.... If you don't feel ready to take the plunge and switch entirely, you can use our resources like the Free Software Directory to find programs you can use as starting points for your free software journey."

The post also has harsh words for TPM, warning that "when it's deployed by a proprietary software company, its relationship to the user isn't one based on trust, but based on treachery. When fully controlled by the user, TPM can be a useful way to strengthen encryption and user privacy, but when it's in the hands of Microsoft, we're not optimistic."

And when it comes to Microsoft Teams, "it seems that no Windows user can avoid it any longer.... we hope Teams' unpopularity and its newfound, unwanted place in Windows will encourage users to seek out conferencing programs that they themselves can control."
Iphone

Google Exec Calls on Apple To Adopt Better, More Secure Text Messaging (cultofmac.com) 66

Google executive Hiroshi Lockheimer has called on Apple to adopt the Rich Communication Services (RCS) protocol that would enable improved and more secure messaging between iPhone and Android devices. From a report: RCS brings a number of modern features -- including support for audio messages, group chats, typing indicators and read receipts -- and end-to-end encryption to traditional text messaging. But it's unlikely Apple will play ball.

[...] Lockheimer, senior vice president for Android, has encouraged the company to change its mind. In response to a tweet about how group chats are incompatible between iPhone and Android devices, Lockheimer said, "group chats don't need to break this way. There exists a Really Clear Solution." "Here's an open invitation to the folks who can make this right: we are here to help." Lockheimer doesn't mention Apple specifically, but it's clear that the "folks" he is referring to are those in Cupertino, who have been against RCS.

Encryption

Telegram Founder Says Over 70 Million New Users Joined During Facebook Outage (reuters.com) 50

Messaging app Telegram gained over 70 million new users during Monday's Facebook outage, its founder Pavel Durov said on Tuesday, as people worldwide were left without key messaging services for nearly six hours. Reuters reports: Facebook blamed its outage, which kept its 3.5 billion users from accessing services such as WhatsApp, Instagram and Messenger, on a faulty configuration change. "The daily growth rate of Telegram exceeded the norm by an order of magnitude, and we welcomed over 70 million refugees from other platforms in one day," Durov wrote on his Telegram channel. Durov said some users in the Americas may have experienced slower speeds as millions rushed to sign up at the same time, but that the service worked as usual for the majority.
Security

Millions Experience Browser Problems After Long-Anticipated Expiration of 'Let's Encrypt' Certificate (zdnet.com) 94

"The expiration of a key digital encryption service on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users," reports the Washington Examiner.

The expiring certificate was issued by Let's Encrypt — though ZDNet notes there had been plenty of warnings about its pending expiration: Digital Shadows senior cyber threat analyst Sean Nikkel told ZDNet that Let's Encrypt put everyone on notice back in May about the expiration of the Root CA Thursday and offered alternatives and workarounds to ensure that devices would not be affected during the changeover. They have also kept a running forum thread open on this issue with fairly quick responses, Nikkel added.

On Thursday night, the Washington Examiner described what happened when the big day arrived: Tech giants — such as Amazon, Google, Microsoft, and Cisco, as well as many smaller tech companies — were still battling with an endless array of issues by the end of the night... At least 2 million people have seen an error message on their phones, computers, or smart gadgets in the past 24 hours detailing some internet connectivity problems due to the certificate issue, according to Scott Helme, an internet security researcher and well-known cybersecurity expert. "So many people have been affected, even if it's only the inconvenience of not being able to visit certain websites or some of their apps not working," Helme said.

"This issue has been going on for many hours, and some companies are only just getting around to fixing it, even big companies with a lot of resources. It's clearly not going smoothly," he added.

There was an expectation before the certificate expired, Helme said, that the problem would be limited to gadgets and devices bought before 2017 that use the Let's Encrypt digital certificate and haven't updated their software. However, many users faced issues on Thursday despite having the most cutting-edge devices and software on hand. Dozens of major tech products and services have been significantly affected by the certificate expiration, such as cloud computing services for Amazon, Google, and Microsoft; IT and cloud security services for Cisco; sellers unable to log in on Shopify; games on RocketLeague; and workflows on Monday.com.

Security researcher Scott Helme also told ZDNet he'd confirmed issues at many other companies, including Guardian Firewall, Auth0, QuickBooks, and Heroku — but there might be many more beyond that: "For the affected companies, it's not like everything is down, but they're certainly having service issues and have incidents open with staff working to resolve. In many ways, I've been talking about this for over a year since it last happened, but it's a difficult problem to identify. It's like looking for something that could cause a fire: it's really obvious when you can see the smoke...!"

Digital certificates expert Tim Callan added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs while radically decreasing their average lifespan. "That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal," he said.

Encryption

With HTTPS Everywhere, EFF Begins Plans to Eventually Deprecate 'HTTPS Everywhere' Extension (therecord.media) 48

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes. "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development.

No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever.

Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But in the years since 2010, HTTPS has stopped being a fringe technology. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections.

From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode.

With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition.

The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."
Privacy

110,000 Affected by Epik Breach - Including Those Who Trusted Epik to Hide Their Identity (washingtonpost.com) 112

Epik's massive data breach is already affecting lives. Today the Washington Post describes a real estate agent in Pompano Beach who urged buyers on Facebook to move to "the most beautiful State." His name and personal details "were found on invoices suggesting he had once paid for websites with names such as racisminc.com, whitesencyclopedia.com, christiansagainstisrael.com and theholocaustisfake.com". The real estate brokerage where he worked then dropped him as an agent. The brokerage's owner told the Post they didn't "want to be involved with anyone with thoughts or motives like that."

"Some users appear to have relied on Epik to lead a double life," the Post reports, "with several revelations so far involving people with innocuous day jobs who were purportedly purveyors of hate online." (Alternate URL here.) Epik, based outside Seattle, said in a data-breach notice filed with Maine's attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed.... Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing "the detective work" trying to decipher who is behind a single extremist domain. The Epik data set, she said, "is like somebody has just handed you all the detective work — the names, the people behind the accounts..."

Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous....

Aubrey "Kirtaner" Cottle, a security researcher and co-founder of Anonymous, declined to share information about the hack's origins but said it was fueled by hackers' frustrations over Epik serving as a refuge for far-right extremists. "Everyone is tired of hate," Cottle said. "There hasn't been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now ... the tide is turning, and there's a swell moving back in their direction."

Earlier in the week, the Post reported: Since the hack, Epik's security protocols have been the target of ridicule among researchers, who've marveled at the site's apparent failure to take basic security precautions, such as routine encryption that could have protected data about its customers from becoming public... The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.
Electronic Frontier Foundation

Why EFF Flew a Plane Over Apple's Headquarters (eff.org) 29

EFF.org has the story: For the last month, civil liberties and human rights organizations, researchers, and customers have demanded that Apple cancel its plan to install photo-scanning software onto devices. This software poses an enormous danger to privacy and security. Apple has heard the message, and announced that it would delay the system while consulting with various groups about its impact. But in order to trust Apple again, we need the company to commit to canceling this mass surveillance system.

The delay may well be a diversionary tactic. Every September, Apple holds one of its big product announcement events, where Apple executives detail the new devices and features coming out. Apple likely didn't want concerns about the phone-scanning features to steal the spotlight.

But we can't let Apple's disastrous phone-scanning idea fade into the background, only to be announced with minimal changes down the road. To make sure Apple is listening to our concerns, EFF turned to an old-school messaging system: aerial advertising.

During Apple's event, a plane circled the company's headquarters carrying an impossible-to-miss message: "Apple, don't scan our phones!" The evening before Apple's event, protestors also rallied nationwide in front of Apple stores. The company needs to hear us, and not just dismiss the serious problems with its scanning plan. A delay is not a cancellation, and the company has also been dismissive of some concerns, referring to them as "confusion" about the new features.

Apple's iMessage is one of the preeminent end-to-end encrypted chat clients. End-to-end encryption is what allows users to exchange messages without having them intercepted and read by repressive governments, corporations, and other bad actors. We don't support encryption for its own sake: we fight for it because encryption is one of the most powerful tools individuals have for maintaining their digital privacy and security in an increasingly insecure world.

Now that Apple's September event is over, Apple must reach out to groups that have criticized it and seek a wider range of suggestions on how to deal with difficult problems, like protecting children online...

The world, thankfully, has moved towards encrypted communications over the last two decades, not away from them, and that's a good thing. If Apple wants to maintain its reputation as a pro-privacy company, it must continue to choose real end-to-end encryption over government demands to read user's communication.

Privacy matters now more than ever. It will continue to be a selling point and a distinguishing feature of some products and companies. For now, it's an open question whether Apple will continue to be one of them.

Crime

'Every Message Was Copied to the Police': the Daring Sting Behind the An0m Phone (theguardian.com) 105

The Guardian tells the story of "a viral sensation in the global underworld," the high-security An0m phones, which launched with "a grassroots marketing campaign, identifying so-called influencers — 'well-known crime figures who wield significant power and influence over other criminal associates', according to a US indictment — within criminal subcultures." An0m could not be bought in a shop or on a website. You had to first know a guy. Then you had to be prepared to pay the astronomical cost: $1,700 for the handset, with a $1,250 annual subscription, an astonishing price for a phone that was unable to make phone calls or browse the internet.

Almost 10,000 users around the world had agreed to pay, not for the phone so much as for a specific application installed on it. Opening the phone's calculator allowed users to enter a sum that functioned as a kind of numeric open sesame to launch a secret messaging application. The people selling the phone claimed that An0m was the most secure messaging service in the world. Not only was every message encrypted so that it could not be read by a digital eavesdropper, it could be received only by another An0m phone user, forming a closed loop system entirely separate from the information speedways along which most text messages travel. Moreover, An0m could not be downloaded from any of the usual app stores. The only way to access it was to buy a phone with the software preinstalled...

[U]sers could set an option to wipe the phone's data if the device went offline for a specified amount of time. Users could also set especially sensitive messages to self-erase after opening, and could record and send voice memos in which the phone would automatically disguise the speaker's voice. An0m was marketed and sold not so much to the security conscious as the security paranoid...

An0m was not, however, a secure phone app at all. Every single message sent on the app since its launch in 2018 — 19.37m of them — had been collected, and many of them read by the Australian federal police (AFP) who, together with the FBI, had conceived, built, marketed and sold the devices.

On 7 June 2021, more than 800 arrests were made around the world....

Law enforcement agencies ultimately saw An0m as a creative workaround for unbreakable encryption, according to the Guardian. "Why debate tech companies on privacy issues through costly legal battles if you can simply trick criminals into using your own monitored network?"

The Guardian's story was shared by jd (Slashdot user #1,658), who sees an ethical question. "As the article notes, what's to stop a tyrant doing the same against rivals or innocent protestors?"

Encryption

WhatsApp Will Finally Let Users Encrypt Their Chat Backups in the Cloud (techcrunch.com) 12

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put a lid on one of the tricky ways private communication between individuals on the app can be compromised. From a report: The Facebook-owned service has end-to-end encrypted chats between users for more than a decade. But users have had no option but to store their chat backup to their cloud -- iCloud on iPhones and Google Drive on Android -- in an unencrypted format. [...] Now WhatsApp says it is patching this weak link in the system.

The company said it has devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional. In the "coming weeks," users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based "backup key vault" that WhatsApp has developed.

Encryption

UK.gov Is Launching An Anti-Facebook Encryption Push (theregister.com) 33

The British government is preparing to launch a full-scale policy assault against Facebook as the company gears up to introduce end-to-end encryption across all of its services. The Register reports: Prominent in details briefed to the news media this week (including The Register) were accusations that Facebook harbours paedophiles, terrorists, and mobsters and that British police forces would effectively be blinded to the scale of criminality on the social networking platform, save for cases where crimes are reported. It's a difficult and nuanced topic made no simpler or easier by the fact that government officials seem hellbent on painting it in black and white.

Government and law enforcement officials who briefed the press on condition of anonymity earlier this week* sought to paint a picture of the internet going dark if Facebook's plans for end-to-end encryption (E2EE) went forward, in terms familiar to anyone who remembers how Western nation states defended themselves from public upset after former NSA sysadmin Edward Snowden's 2013 revelations of illegal mass surveillance. The US National Centre for Missing and Exploited Children (NCMEC) generates around 20 million reports of child sexual abuse material (CSAM) every year, of which 70 per cent would be "lost" if E2E encryption were put in place, claimed British officials.

The government's long-signaled push to deter Facebook from implementing E2EE comes, inevitably, at a significant cost to taxpayers: London ad agency M&C Saatchi has been hired at an undisclosed cost by the Home Office to tell the public that Facebook (and WhatsApp) harbours criminals. The ad campaign will run online, in newspapers and on radio stations with the aim of turning public opinion against E2EE -- and, presumably, driving home the message that encryption itself is something inherently bad. Other announcements due this week, from notoriously anti-encryption Home Secretary Priti Patel and intergovernmental meetings, will explicitly condemn Facebook's contemplated rollout of E2EE.

Facebook

WhatsApp Moderators Can Read Your Messages (gizmodo.com) 87

Gizmodo highlights the findings of a new ProPublica report on WhatsApp's content moderation system. What they found was that there are at least 1,000 WhatsApp content moderators employed by Facebook's moderator contract firm Accenture to review user-reported content that's been flagged by its machine learning system. "They monitor for, among other things, spam, disinformation, hate speech, potential terrorist threats, child sexual abuse material (CSAM), blackmail, and 'sexually oriented businesses,'" reports Gizmodo. "Based on the content, moderators can ban the account, put the user 'on watch,' or leave it alone." From the report: Most can agree that violent imagery and CSAM should be monitored and reported; Facebook and Pornhub regularly generate media scandals for not moderating enough. But WhatsApp moderators told ProPublica that the app's artificial intelligence program sends moderators an inordinate number of harmless posts, like children in bathtubs. Once the flagged content reaches them, ProPublica reports that moderators can see the last five messages in a thread.

WhatsApp discloses, in its terms of service, that when an account is reported, it "receives the most recent messages" from the reported group or user as well as "information on your recent interactions with the reported user." This does not specify that such information, viewable by moderators, could include phone numbers, profile photos, linked Facebook and Instagram accounts, their IP address, and mobile phone ID. And, the report notes, WhatsApp does not disclose the fact that it amasses all users' metadata no matter their privacy settings.

WhatsApp didn't offer much clarity on what mechanism it uses to receive decrypted messages, only that the person tapping the "report" button is automatically generating a new message between themselves and WhatsApp. That seems to indicate that WhatsApp is deploying a sort of copy-paste function, but the details are still unclear. Facebook told Gizmodo that WhatsApp can read messages because they're considered a version of direct messaging between the company and the reporter. They added that users who report content make the conscious choice to share information with Facebook; by their logic, Facebook's collection of that material doesn't conflict with end-to-end encryption. So, yes, WhatsApp can see your messages without your consent.

Government

Will Gaming Change Humanity As We Know It? (bloombergquint.com) 77

"The advent of gaming, especially computer gaming, marks a fundamental break in human affairs," argues American economist Tyler Cowen (in a Bloomberg opinion column).

"Gaming is profoundly transforming two central aspects of the modern world: culture and regulation. There will be no turning back... Plenty of trading already takes place in games — involving currencies, markets, prices and contracts. Game creators and players set and enforce the rules, and it is harder for government regulators to play a central role. The lesson is clear: If you wish to create a new economic institution, put it inside a game. Or how about an app that gamifies share trading? Do you wish to experiment with a new kind of stock exchange or security outside the purview of traditional government regulation? Try the world of gaming, perhaps combined with crypto, and eventually your "game" just might influence events in the real world...

[R]egulators are already falling behind. Just as gaming has outraced the world of culture, so will gaming outrace U.S. regulatory capabilities, for a variety of reasons: encryption, the use of cryptocurrency, the difficulties of policing virtual realities, varying rules in foreign jurisdictions and, not incidentally, a lack of expertise among U.S. regulators. (At least the Chinese government's attempt to restrict youth gaming to three hours a week, while foolhardy, reflects a perceptive cultural conservatism.)

Both the culture-weakening and the regulation-weakening features of games follow from their one basic characteristic: They are self-contained worlds. Until now, human institutions and structures have depended on relatively open and overlapping networks of ideas. Gaming is carving up and privatizing those spaces. This shift is the big trend that hardly anyone — outside of gaming and crypto — is noticing.

If the much-heralded "metaverse" ever arrives, gaming will swallow many more institutions, or create countervailing versions of them. Whether or not you belong to the world of gaming, it is coming for your worlds. I hope you are ready.

Encryption

America's NSA Isn't Sure Quantum Computers Will Ever Break Public Key Encryption (msn.com) 92

America's National Security Agency "isn't really sure when or even if quantum computers will be able to crack public key cryptography," writes TechRadar.

They report that the NSA "has expressed its reservations about the potential of quantum computing" in a new FAQ titled Quantum Computing and Post-Quantum Cryptography. "NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist," said the security agency in response to whether it is worried about the potential of adversarial use of quantum computing. In the FAQ, the NSA describes a Cryptographically Relevant Quantum Computer (CRQC) as a quantum computer that's capable of actually attacking real world cryptographic systems, something that's currently infeasible.

While it agrees that such a computer would be "devastating" to the digital security infrastructure, it seems to suggest that it doesn't believe such a CRQC would ever materialize.

However, the growing research in quantum computing has moved the agency to also support the development of post-quantum cryptographic standards, along with plans for eventual transition to such standards.
