Microsoft

Microsoft Warns of 'Stealthy DDoS Malware' Targeting Linux Devices (zdnet.com)

"In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos," writes the Microsoft 365 Defender Research Team. It's a trojan combining denial-of-service functionality with XOR-based encryption for communication.

Microsoft calls it part of "the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices." And ZDNet describes the trojan as "one of the most active Linux-based malware families of 2021, according to Crowdstrike." XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers... Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure.

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes... Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities...

XorDdos can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.

Microsoft's team warns that the trojan's evasion capabilities "include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions."
Hardware

iFixit On Right To Repair's Remaining Obstacles, Hope (arstechnica.com)

iFixit CEO Kyle Wiens sat down with Ars Technica to discuss the fight for the right to repair. Here's an excerpt from their report: Tech repairs got complicated in 1998 when Congress passed the Digital Millennium Copyright Act [PDF]. Section 1201 of the copyright law essentially made it illegal to distribute tools for, or to break encryption on, manufactured products. Created with DVD piracy in mind, it made fixing things like computers and tractors significantly harder, if not illegal, without manufacturer permission. It also represented "a total sea change from what historic property rights have been," Wiens said. This makes Washington, DC, the primary battleground for the fight for the right to repair. "Because this law was passed at the federal level, the states can't preempt. Congress at the federal level reset copyright policy. This fix has to happen at the US federal level," Wiens told Ars Technica during the Road to Frontiers talk.

The good news is that every three years, the US Copyright Office holds hearings to discuss potential exemptions. Right to repair advocates are hoping Congress will schedule this year's hearing soon. Wiens also highlighted the passing of the Freedom to Repair Act [PDF] introduced earlier this year as critical for addressing Section 1201 and creating a permanent exemption for repairing tech products.

Apple's self-service repair program launched last month marked a huge step forward for the right to repair initiated by a company that has shown long-standing resistance. Wiens applauded the program, which provides repair manuals for the iPhone 12, 13, and newest SE and will eventually extend to computers. He emphasized how hard it is for iFixit to reverse-engineer such products to determine important repair details, like whether a specific screw is 1 or 1.1 mm. [...]

Wiens envisioned a world where gadgets not only last longer but where you may also build relationships with local businesses to keep your products functioning. He lamented the loss of businesses like local camera and TV repair shops extinguished by vendors no longer supplying parts and tools. [...] He also discussed the idea of giving gadgets second and even third lives: An aged smartphone could become a baby monitor or a smart thermostat. "I think we should be talking about lifespans of smartphones in terms of 20, 25 years," Wiens said.
The livestream of the discussion can be viewed here.
China

Hong Kong Considers Blocking Telegram As Part of Crackdown On Doxing (ibtimes.sg)

Hong Kong is planning a ban on the Telegram messaging service, which is widely used by pro-democracy activists. International Business Times reports: Local media reported that the ban on Telegram was being considered as a means to crack down on rampant doxing, under which pro-democracy campaigners are exposing sensitive personal data of government officials and citizens online. Hong Kong's privacy commissioner for personal data might decide in favor of blocking or restricting access to Telegram in the first such move, the Sing Tao Daily reported, according to Bloomberg. The execution of such a ban would mean that the former British colony has taken a step closer to China-style smothering of personal and civil liberties.
Encryption

NSA Says 'No Backdoor' for Spies in New US Encryption Scheme (bloomberg.com)

The US is readying new encryption standards that will be so ironclad that even the nation's top code-cracking agency says it won't be able to bypass them. From a report: The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. "There are no backdoors," said Rob Joyce, the NSA's director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor. The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today's computers can't. But it's also one that the White House fears could allow the encrypted data that girds the U.S. economy -- and national security secrets -- to be hacked.
Encryption

End-To-End Encryption Is Coming To Google Messages Group Texts (engadget.com)

Google is expanding end-to-end encryption (E2EE) to include group texts in the Messages app. The feature will be available as an open beta later this year. Engadget reports: Google hasn't revealed more details about E2EE in group chats, but it will surely be similar to how the option works in one-on-one conversations. Everyone in the group will need to have RCS chat functions switched on to use the feature. You'll be able to tell if a message you're about to share with the group is encrypted if there's a lock icon on the send button. The Messages app now has more than 500 million monthly active users with RCS. So, there's already a large number of people who'd be able to take advantage of E2EE in group chats.
EU

New EU Rules Would Require Chat Apps To Scan Private Messages for Child Abuse (theverge.com)

The European Commission has proposed controversial new regulation that would require chat apps like WhatsApp and Facebook Messenger to selectively scan users' private messages for child sexual abuse material (CSAM) and "grooming" behavior. The proposal is similar to plans mooted by Apple last year but, say critics, much more invasive. From a report: After a draft of the regulation leaked earlier this week, privacy experts condemned it in the strongest terms. "This document is the most terrifying thing I've ever seen," tweeted cryptography professor Matthew Green. "It describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration." Jan Penfrat of digital advocacy group European Digital Rights (EDRi) echoed the concern, saying, "This looks like a shameful general #surveillance law entirely unfitting for any free democracy." (A comparison of the PDFs shows differences between the leaked draft and final proposal are cosmetic only.) The regulation would establish a number of new obligations for "online service providers" -- a broad category that includes app stores, hosting companies, and any provider of "interpersonal communications service."
Security

Hackers Are Actively Exploiting BIG-IP Vulnerability With a 9.8 Severity Rating (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it's used by 48 of the Fortune 50. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing (PDF) BIG-IP devices. "This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented," Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. "Once you are an admin, you can interact with all the endpoints the application provides, including execute code."

Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges. While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. [...] Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they're patched.
BIG-IP users can check exploitability via a one-line bash script that can be found here.
Security

Russia Hit With 'Unprecedented' Breaches By Pro-Ukrainian Cyberattackers (stripes.com)

This week the Washington Post described Russia as "struggling under an unprecedented hacking wave" — with one survey finding Russia is now the world's leader for leaked sensitive data (such as passwords and email addresses). "Federation government: your lack of honor and blatant war crimes have earned you a special prize..." read a message left behind on one of the breached networks...

Documents were stolen from Russia's media regulator and 20 years of email from one of Russia's government-owned TV/radio broadcasting companies. Ukraine's government is even suggesting targets through its "IT Army" channel on Telegram, and has apparently distributed the names of hundreds of Russia's own FSB security agents. And meanwhile, the Post adds, "Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said." Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace. The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine. One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 [a small hacktivist group formed as the war began looking inevitable] went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies. "We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world," the group said. "As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely."

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn't gotten any money yet but would donate anything it collects to Ukraine.

Ars Technica quotes a cybersecurity researcher who now says "there are tens of terabytes of data that's just falling out of the sky."

Thanks to long-time Slashdot reader SpzToid for sharing the article!
Twitter

Can Elon Musk Spur Cybersecurity Innovation At Twitter? (securityweek.com)

"Twitter DMs should have end to end encryption like Signal," Elon Musk tweeted Wednesday to his 89 million followers, "so no one can spy on or hack your messages."

And on Monday, Musk also announced hopes to "authenticate all humans."

But now Security Week is wondering if Musk's acquisition of Twitter will ultimately mean not just better security at Twitter but also innovation for the entire cybersecurity industry: Twitter has struggled with consistent security leadership, hiring and firing multiple CISOs even as nation-state adversaries target Twitter's massive user base with computer-generated disinformation campaigns.... "Even if you don't like the guy, you have to root for Twitter to beat the bots," said one prominent CISO interviewed by SecurityWeek on Tuesday. "I think we will all benefit from any security features they [Twitter] can create."

Jamie Moles, a senior technical manager at ExtraHop, said the bot-elimination mission could have spinoff benefits for the entire industry. "While this seems like a Sisyphean task, if he's successful, the methods used by Twitter to eliminate bots from the platform may generate new techniques that improve the detection and identification of spam emails, spam posts, and other malicious intrusion attempts," Moles said. "If Musk and his team can train AI to be more effective in combating this, it may well be a boon to security practitioners everywhere," Moles added.

"Identity is one area I expect to see movement. In addition to just detecting bots and spam better, I think we will see Twitter do a better job around verifying humans. There are a lot of things to fix there," said one CISO who requested anonymity because his company does security-related business with Twitter. Industry watchers also expect to see the company improve the multi-factor authentication (MFA) adoption numbers among its massive user base....

If Twitter can build a reliably secure platform with a new approach to distinguishing between human and bot traffic and fresh flavors of MFA and encryption, this could be a big win for the entire industry and users around the world.

Thanks to Slashdot reader wiredmikey for sharing the story.
Microsoft

Microsoft Edge Is Getting a Built-In VPN Powered By Cloudflare (xda-developers.com)

An anonymous reader quotes a report from XDA Developers: Microsoft is testing a VPN-like service for its Edge browser, adding a new layer of security and privacy to the browsing experience. A recently-discovered support page on Microsoft's website details the "Microsoft Edge Secure Network" feature, which provides data encryption and prevents online tracking, courtesy of Cloudflare. While it isn't available yet, even if you have the latest Dev channel build, the Microsoft Edge Secure Network feature appears to be similar in nature to Cloudflare's 1.1.1.1 service. This is essentially a proxy or VPN service, which encrypts your browsing data so that it's safe from prying eyes, including your ISP. It also keeps your location private, so you can use it to access geo-restricted websites, or content that's blocked in your country.

Microsoft Edge's Secure Network mode will require you to be signed into your Microsoft account, and that's because the browser keeps track of how much data you've used in this mode. You get 1GB of free data per month, and that's tied to your Microsoft account. Most VPN services aren't free, so this shouldn't come as a surprise. Cloudflare itself doesn't keep any personally-identifiable user data, and any data related to browsing sessions is deleted every 25 hours. Information related to your data usage is also deleted at the end of each monthly period.

Social Networks

House Republicans Demand Twitter's Board Preserve All Records About Elon Musk's Bid To Buy the Company (cnbc.com)

A group of 18 House Republicans is asking Twitter's board to preserve all records related to Elon Musk's offer to buy the company, setting up a potential congressional probe should the party win back the majority this fall. CNBC: In letters shared exclusively with CNBC, Republicans on the House Judiciary Committee asked Twitter Board Chairman Bret Taylor and other members of the board to preserve any messages from official or personal accounts, including through encryption software, that relate to Twitter's consideration of Musk's offer.

"As Congress continues to examine Big Tech and how to best protect Americans' free speech rights, this letter serves as a formal request that you preserve all records and materials relating to Musk's offer to purchase Twitter, including Twitter's consideration and response to this offer, and Twitter's evaluation of its shareholder interests with respect to Musk's offer," said the letter, led by Ranking Member Jim Jordan, R-Ohio.

"You should construe this preservation notice as an instruction to take all reasonable steps to prevent the destruction or alteration, whether intentionally or negligently, of all documents, communications, and other information, including electronic information and metadata, that is or may be potentially responsive to this congressional inquiry," the letter continued. The request signals that should Republicans take back the majority in the House in the 2022 midterm elections, they may launch an investigation into Twitter, especially if the company declines to take the offer from Musk.

Encryption

Researchers Break World Record For Quantum-Encrypted Communications (engadget.com)

Researchers in Beijing have set a new quantum secure direct communication (QSDC) world record of 102.2 km (64 miles), smashing the previous mark of 18 km (11 miles), The Eurasian Times reported. Engadget reports: Transmission speeds were extremely slow at 0.54 bits per second, but still good enough for text message and phone call encryption over a distance of 30 km (19 miles), wrote research lead Long Guilu in Nature. The work could eventually lead to hack-proof communication, as any eavesdropping attempt on a quantum line can be instantly detected. QSDC uses the principle of entanglement to secure networks. Quantum physics dictates that entangled particles are linked, so that if you change the property of one by measuring it, the other will instantly change, too -- effectively making hacking impossible. In theory, the particles stay linked even if they're light-years apart, so such systems should work over great distances.

The same research team set the previous fiber record, and devised a "novel design of physical system with a new protocol" to achieve the longer distance. They simplified it by eliminating the "complicated active compensation subsystem" used in the previous model. "This enables an ultra-low quantum bit error rate (QBER) and the long-term stability against environmental noises." As a result, the system can withstand much more so-called channel loss that makes it impossible to decode encrypted messages. That in turn allowed them to extend the fiber from 28.3 km to the record 102.2 km distance. "The experiment shows that intercity quantum secure direct communication through the fiber is feasible with present-day technology," the team wrote in Nature.

Encryption

British Encryption Startup Arqit Overstates Its Prospects, Former Staff and Others Say (wsj.com)

Arqit says its encryption system can't be broken by quantum computers, but former employees and people outside the company question the relevance of its technology. The Wall Street Journal: A U.K. cybersecurity startup rocketed to a multibillion-dollar valuation when it listed publicly last fall on the promise of making encryption technology that would protect the defense industry, corporations and consumers alike from the prying eyes of next-generation computer systems. Founder and Chief Executive David Williams told investors at the time that his company, Arqit Quantum, had an "impressive backlog" of revenue and was ready "for hyperscale growth." But Arqit has given investors an overly optimistic view of its future revenue and the readiness and workability of its signature encryption system, according to former employees and other people familiar with the company, and documents viewed by The Wall Street Journal.

While the company says it has a solution to a quantum-computing security challenge that U.S. intelligence last year said "could be devastating to national security systems and the nation," government cybersecurity experts in the U.S. and the U.K. have cast doubt on the utility of Arqit's system. Arqit's stock price reached its highest level to date of $38.06 on Nov. 30 and has since fallen, to $15.06 on April 14, amid a broad pullback of young tech stocks. When the company secured its Nasdaq listing last autumn, its revenue consisted of a handful of government grants and small research contracts, and its signature product was an early-stage prototype unable to encrypt anything in practical use, according to the people. The encryption technology the company hinges on -- a system to protect against next-generation quantum computers -- might never apply beyond niche uses, numerous people inside and outside the company warned, unless there were a major overhaul of internet protocols. Arqit disputed that its encryption system was only a prototype at the company's market debut. "This was a live production software release and not a demonstration or trial," said a company representative. "It was being used by enterprise customers on that day and subsequently for testing and integration purposes, because they need to build Arqit's software into their products."

GNU is Not Unix

Richard Stallman Speaks on Cryptocurrency, Blockchain, GNU Taler, and Encryption (libreplanet.org)

During a 92-minute presentation Wednesday on the state of the free software movement, Richard Stallman spoke at length on a wide variety of topics, including the need for freedom-respecting package systems.

But Stallman also shared his deepest thoughts on a topic dear to the hearts of Slashdot readers: privacy and currency: I won't order from online stores, because I can't pay them. For one thing, the payment services require running non-free JavaScript... [And] to pay remotely you've got to do it by credit card, and that's tracking people, and I want to resist tracking too.... This is a really serious problem for society, that you can't order things remotely anonymously.

But GNU Taler is part of the path to fixing that. You'll be able to get a Taler token from your bank, or a whole bunch of Taler tokens, and then you'll be able to use those to pay anonymously.

Then if the store can send the thing you bought to a delivery box in your neighborhood, the store doesn't ever have to know who you are.

But there's another issue Stallman touched on earlier in his talk: There is a proposed U.S. law called KOSA which would require mandatory age-verification of users -- which means mandatory identification of users, which is likely to mean via face recognition. And it would be in every commercial software application or electronic service that connects to the internet.... [It's] supposedly for protecting children. That's one of the favorite excuses for surveillance and repression: to protect the children. Whether it would actually protect anyone is dubious, but they hope that won't actually be checked.... You can always propose a completely useless method that will repress everyone....
So instead, Stallman suggests that age verification could be handled by.... GNU Taler: Suppose there's some sort of service which charges money, or even a tiny amount of money, and is only for people over 16, or people over 18 or whatever it is. Well, you could get from your bank a Taler token that says the person using this token is over 16. This bank has verified that.... So then the site only needs to insist on a 16-or-over Taler token, and your age is verified, but the site has no idea who you are.

Unfortunately that won't help if user-identifying age-tracking systems are legislated now. The code of Taler works, but it's still being integrated with a bank so that people could actually start to use it with real businesses.
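As an added illustration of the age-verification scheme Stallman sketches (example code written for this page, not GNU Taler's implementation), the following toy uses a Chaum-style RSA blind signature: the bank certifies "over_16" on a value it never sees in the clear, the site checks only the bank's public key, and the bank's own issuance log cannot be matched to the token the site received. The customer records, the attribute name and the tiny RSA modulus are all constructed for the demo.

```python
"""Toy model of an anonymous age-attestation token (example code, not GNU
Taler's implementation).  A bank blind-signs an 'over_16' token so that a
site can verify the attribute without learning who the holder is, and the
bank cannot later match a presented token to its issuance log.  The tiny
RSA modulus is for illustration only; a real issuer needs a full-size key
and proper hashing/padding."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the bank's "over_16" attribute (insecure size).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

ATTRIBUTE = "over_16"          # hypothetical attribute name for the demo


def token_digest(attribute: str, serial: str) -> int:
    """Map (attribute, random serial) into the RSA message space."""
    h = hashlib.sha256(f"{attribute}:{serial}".encode()).digest()
    return int.from_bytes(h, "big") % N


class Bank:
    """Issuer: verifies the customer's age, then signs a value it cannot read."""

    def __init__(self, ages: dict):
        self.ages = ages            # constructed customer records: name -> age
        self.issuance_log = []      # everything the bank could later hand over

    def blind_sign(self, customer: str, attribute: str, blinded: int) -> int:
        # The bank must know who is asking (to check the age record), but it
        # only ever sees the blinded value, never the token itself.
        if attribute != ATTRIBUTE or self.ages.get(customer, 0) < 16:
            raise PermissionError("attribute not certified for this customer")
        self.issuance_log.append((customer, blinded))
        return pow(blinded, D, N)


def request_token(bank: Bank, customer: str) -> dict:
    """Wallet side: blind the digest, have the bank sign it, unblind the result."""
    serial = secrets.token_hex(16)
    m = token_digest(ATTRIBUTE, serial)
    while True:                      # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    blind_sig = bank.blind_sign(customer, ATTRIBUTE, blinded)  # (m*r^e)^d = m^d * r
    sig = (blind_sig * pow(r, -1, N)) % N                     # m^d: plain RSA sig on m
    return {"attribute": ATTRIBUTE, "serial": serial, "sig": sig}


def site_accepts(token: dict, spent: set) -> bool:
    """Relying site: checks the bank's signature and refuses a reused serial."""
    if token["attribute"] != ATTRIBUTE or token["serial"] in spent:
        return False
    if pow(token["sig"], E, N) != token_digest(token["attribute"], token["serial"]):
        return False
    spent.add(token["serial"])
    return True


def bank_can_link(bank: Bank, token: dict) -> bool:
    """Does anything the bank logged at issuance match what the site saw?"""
    m = token_digest(token["attribute"], token["serial"])
    return any(blinded in (m, token["sig"]) for _, blinded in bank.issuance_log)


if __name__ == "__main__":
    bank = Bank({"alice": 34, "bob": 12})
    token = request_token(bank, "alice")
    print("site accepts token:", site_accepts(token, set()))
    print("bank can link token to alice:", bank_can_link(bank, token))
```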

Read on for Slashdot's report on Stallman's remarks on cryptocurrencies and encryption, or jump ahead to...
GNU is Not Unix

Richard Stallman Calls for Software Package Systems that Help Maintain Your Freedoms (libreplanet.org)

Last week 69-year-old Richard Stallman gave a 92-minute presentation on the state of the free software movement. Stallman covered numerous topics, but also added as an aside at one point: Ubuntu of course is a non-free distro, and I wouldn't recommend that anyone use it. Some important packages are now distributed only through their non-freedom-respecting package system, and not as Debian packages. So it's even harder than before to get any freedom out of an Ubuntu installation.
But Stallman also sees a larger issue: Another area where we have problems is there are several languages which come with a package library -- basically people post packages in them. And that might be fine if they had a good criterion for the licensing of the libraries people upload into those sites -- but they're not developed by free software activists, and they don't have such a criterion. There are non-free packages in those libraries too.

Now, some of them make it possible to find out whether a library is free. Some of them, it's difficult. Sometimes -- yeah, you could probably look at the source code and see what licenses are in it, and then you could look up those licenses in GNU.org/licenses/license-list.html and see if all those licenses are free... The problem is, they don't help you. At the very least they should make it easy to say, "Show me only the free packages." And then, "Show me only the GPL-compatible packages, because I'm writing a GPL-covered program, and I can't use the libraries that are not GPL compatible. And I certainly won't ever think of using a non-free library."

They're not interested in helping people move forward in freedom. And so we need people to write front-ends for those package archives, which will show only the freely-licensed packages, and which can be asked to show which ones are GPL-compatible, or show only those. This way they will be usable easily by the free software community. If you like one of the languages that has this problem, please show your appreciation for that language by reconciling its use with maintaining freedom.

And this leads Stallman to a related setback for the free software movement: the containers themselves that are packaging some programs with the libraries they need: The old way of doing this was you would make sure that your program said which versions of libraries it was compiled to work with, and in the source code you'd use something like Autoconf so that it could work with the various library versions. And this way you could build the program for a wide variety of free operating systems and versions of them.

Well, that's some work, so some developers, they release a free program -- not all of them release free programs, but some of them do release free programs -- using containers. And the container has one set of libraries in it. And how do you really know what's in there? It's not straightforward to verify that all the libraries in the container are free, and a lot of people won't realize that they should even think about it. So the use of containers, as they are implemented nowadays by people who are not free software activists and are not particularly concerned with this question, is an obstacle to verifying that you're installing free software.

Well, maybe some of these container systems could be improved, or maybe another one could be designed to solve these problems. If a container packaging system were designed by people who care about freedom, they might find good ways to satisfy this goal, as well as others. So it's something you could possibly work on.

GNU is Not Unix

Richard Stallman Speaks on the State of Free Software, and Answers Questions (libreplanet.org)

Richard Stallman celebrated his 69th birthday last month. And Wednesday, he gave a 92-minute presentation called "The State of the Free Software Movement."

Stallman began by thanking everyone who's contributed to free software, and encouraged others who want to help to visit gnu.org/help. "The Free Software movement is universal, and morally should not exclude anyone. Because even though there are crimes that should be punished, cutting off someone from contributing to free software punishes the world. Not that person."

And then he began by noting some things that have gotten better in the free software movement, including big improvements in projects like GNU Emacs when displaying external packages. (And in addition, "GNU Health now has a hospital management facility, which should make it applicable to a lot more medical organizations so they can switch to free software. And [Skype alternative] GNU Jami got a big upgrade.")

What's getting worse? Well, the libre-booted machines that we have are getting older and scarcer. Finding a way to support something new is difficult, because Intel and AMD are both designing their hardware to subjugate people. If they were basically haters of the public, it would be hard for them to do it much worse than they're doing.

And Macintoshes are moving towards being jails, like the iMonsters. It's getting harder for users to install even their own programs to run them. And this of course should be illegal. It should be illegal to sell a computer that doesn't let users install software of their own from source code. And probably shouldn't allow the computer to stop you from installing binaries that you get from others either, even though it's true in cases like that, you're doing it at your own risk. But tying people down, strapping them into their chairs so that they can't do anything that hurts themselves -- makes things worse, not better. There are other systems where you can find ways to trust people, that don't depend on being under the power of a giant company.

We've seen problems sometimes where supported old hardware gets de-supported because somebody doesn't think it's important any more — it's so old, how could that matter? But there are reasons...why old hardware sometimes remains very important, and people who aren't thinking about this issue might not realize that...
Stallman also had some advice for students required by their schools to use non-free software like Zoom for their remote learning. "If you have to use a non-free program, there's one last thing... which is to say in each class session, 'I am bitterly ashamed of the fact that I'm using Zoom for this class.' Just that. It's a few seconds. But say it each time.... And over time, the fact that this is really important to you will sink in."

And then halfway through, Stallman began taking questions from the audience...

Social Networks

WhatsApp To Launch 'Communities' (techcrunch.com) 5

Meta is throwing billions of dollars into building out the metaverse as the future of social networking but in the near term, the tech giant is looking toward the power of messaging to connect users in a more personal way. From a report: On that front, the company today introduced its plans for a significant update to its WhatsApp messaging app that will allow users to now not only connect privately with friends and family, as before, but also participate in larger discussion groups, called Communities. These groups aim to serve as a more feature-rich replacement for people's larger group chats with added support for tools like file-sharing of up to 2GB, 32-person group calls, emoji reactions, as well as admin tools and moderation controls, among other things.

The feature has been under development for some time as the next big iteration for the WhatsApp platform, meant to capitalize on the app's existing end-to-end encryption as well as users' growing desire to join private communities outside of larger social platforms, like Facebook. In particular, Communities could present a challenge to other messaging apps like Telegram -- which has recently become a prominent player in communications related to the Russia-Ukraine war -- in addition to other private messaging platforms, like iMessage or Signal, as well as apps like GroupMe, Band, Remind and others used to communicate with groups.

Encryption

US Military Makes 'Significant Effort' in Quantum-Resistant Cryptography (stripes.com) 48

David Spirk, the chief data officer for America's Department of Defense, "called for the Pentagon to make urgent investments to defend against potential espionage from quantum computers" that could crack the encryption on sensitive data, Bloomberg reports: "I don't think that there's enough senior leaders getting their heads around the implications of quantum," Spirk said. "Like AI, I think that's a new wave of compute that when it arrives is going to be a pretty shocking moment to industry and government alike."

"We have to pick up pace because we have competitors who are also attempting to accelerate," he added.

Spirk's comments come amid warnings that U.S. adversaries, particularly China, are aggressively pursuing advanced technologies that could radically accelerate the pace of modern warfare. China is investing in AI and quantum sciences as part of its plan to become an innovation superpower, according to the Pentagon's latest annual report to Congress on China's military power. China is "at or near the lead on numerous science fields," including AI and quantum, it said. The National Security Agency, meanwhile, said last year that the adversarial use of a quantum computer "could be devastating" to the U.S. and its national security systems. The NSA said it could take 20 years or more to roll out new post-quantum cryptography that would resist such code-cracking.

Tim Gorman, a spokesperson at the Pentagon, said the Department of Defense was taking post-quantum cryptography seriously and coordinating with Congress and across government agencies. He added there was "a significant effort" underway.

A January presidential memo further charged agencies with establishing a timeline for transitioning to quantum resistant cryptography.

Privacy

Border Patrol's Use of Amazon's Wickr Messaging App Draws Scrutiny (nbcnews.com) 19

A letter from the National Archives and Records Administration hints at growing unease with government officials' use of some encrypted messaging apps. NBC News: In October, Laurence Brewer, the chief records officer of the National Archives and Records Administration, told officials at U.S. Customs and Border Protection he was worried about how the agency was using an app called Wickr. The Amazon-owned encrypted messaging platform is known for its ability to automatically delete messages. Brewer, who is responsible for ensuring that government officials handle records correctly, wrote in a letter that he was "concerned about agencywide deployment of a messaging application that has this functionality without appropriate policies and procedures governing its use." Brewer addressed his letter to Eric Hysen, the chief information officer of the Department of Homeland Security. It was uploaded to the National Archives website, and its concerns had not been previously reported. The document offers a rare insight into Customs and Border Protection's use of Wickr, and highlights the broader worries that some officials and watchdogs have about the growing use of messaging apps at all levels of the U.S. government.

Wickr was bought by Amazon's cloud-computing division last June and has contracts with a number of government agencies. Customs and Border Protection (CBP), which has been criticized by human rights activists and immigration lawyers over what they say are its secretive practices, has spent more than $1.6 million on Wickr since 2020, according to public procurement records. But little is known about how the agency has deployed the app, which is popular among security-minded people ranging from journalists to criminals. Its auto-deletion feature has made the platform a cause of concern among government record keepers, as well as external watchdogs, who worry that Wickr and other similar apps are creating ways for customs officials to sidestep government transparency requirements.

Security

Wyze Cam Security Flaw Gave Hackers Access To Video; Went Unfixed For Almost Three Years (9to5mac.com) 24

An anonymous reader quotes a report from 9to5Mac: A major Wyze Cam security flaw easily allowed hackers to access stored video, and it went unfixed for almost three years after the company was alerted to it, says a new report today. Additionally, it appears that Wyze Cam v1 -- which went on sale back in 2017 -- will never be patched, so it will remain vulnerable for as long as it is used.

Bleeping Computer reports: "A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years. The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication. Upon inserting an SD card on the Wyze Cam IoT, a symlink to it is automatically created in the www directory, which is served by the webserver but without any access restrictions."

And as if that weren't bad enough, it gets worse. Many people re-use existing SD cards they have laying around, some of which still have private data on them, especially photos. The flaw gave access to all data on the card, not just files created by the camera. Finally, the AES encryption key is also stored on the card, potentially giving an attacker live access to the camera feed. Altogether, Bitdefender security researchers advised the company of three vulnerabilities. It took Wyze six months to fix one, 21 months to fix another, and just under two years to patch the SD card flaw. The v1 camera still hasn't been patched, and, as the company announced last year that it has reached end-of-life status, it appears it never will.
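The exposure pattern Bleeping Computer describes (removable storage symlinked into a web root that the embedded webserver serves without access control) can be audited for on any Linux device by resolving every symlink under the document root and flagging the ones that land outside it. The following is an added illustration, not Wyze's or Bitdefender's code; the directory names and the constructed "SD card" layout are assumptions for the demo.

```python
"""Audit a web root for symlinks whose target lies outside the document
root, the exposure pattern described in the Wyze Cam report above.
Added example; the layout built by build_demo() is constructed."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(webroot: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink under
    `webroot` whose final target is not inside the resolved web root.
    Symlinked directories are reported but not descended into."""
    root = Path(webroot).resolve()
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the whole link chain
            try:
                target.relative_to(root)  # raises if outside the root
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def build_demo() -> str:
    """Constructed layout: a web root with ordinary content plus a symlink
    to a directory standing in for a memory card mounted elsewhere."""
    base = Path(tempfile.mkdtemp(prefix="webroot-audit-"))
    www = base / "www"
    (www / "css").mkdir(parents=True)
    (www / "index.html").write_text("<h1>camera</h1>")
    sdcard = base / "mnt" / "sdcard"  # stand-in for the removable card
    sdcard.mkdir(parents=True)
    (sdcard / "personal_photo.jpg").write_bytes(b"\xff\xd8 constructed")
    os.symlink(sdcard, www / "sdcard")  # the link that exposes the card
    return str(www)


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo()):
        print(f"escaping symlink: {link} -> {target}")
```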
