Encryption

Security Experts Say New EU Rules Will Damage WhatsApp Encryption (theverge.com)

Corin Faife writes via The Verge: On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company -- defined as having a market capitalization of more than 75 billion euros or a user base of more than 45 million people in the EU -- create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS -- which security experts worry will undermine hard-won gains in the field of message encryption.

The main focus of the DMA is a class of large tech companies termed "gatekeepers," defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to "break open" some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols. But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users.

Signal is small enough that it wouldn't be affected by the DMA provisions, but WhatsApp -- which uses the Signal protocol and is owned by Meta -- certainly would be. The result could be that some, if not all, of WhatsApp's end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging. Given the need for precise implementation of cryptographic standards, experts say that there's no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

Crime

US Extradites REvil Ransomware Member To Stand Trial For Kaseya Attack (bleepingcomputer.com)

The U.S. Department of Justice announced that alleged REvil ransomware affiliate Yaroslav Vasinskyi was extradited to the United States last week to stand trial for the Kaseya cyberattack. BleepingComputer reports: Vasinskyi, a 22-year-old Ukrainian national, was arrested in November 2021 while entering Poland for his cybercrime activities as a REvil member. Vasinskyi is believed to be a REvil ransomware affiliate tasked to breach corporate networks worldwide, steal unencrypted data, and then encrypt all of the devices on the network. Shortly after Vasinskyi was arrested, the DOJ announced that he was responsible for the ransomware attack against Kaseya, a managed services provider, impacting thousands of companies worldwide.

"In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to "endpoints" on Kaseya customer networks," explained the U.S. DoJ announcement. "After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software."
Vasinskyi is facing the following charges: conspiracy to commit fraud and related activity in connection with computers; intentional damage to protected computers; and conspiracy to commit money laundering.

"If convicted for all counts, Vasinskyi will be sentenced to a total of 115 years in prison," adds BleepingComputer. "Additionally, he will also forfeit all property and financial assets."

Cellphones

Samsung Shattered Encryption On 100 Million Phones (threatpost.com)

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Threatpost reports: Researchers at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. What's more, cyber attackers could even exploit Samsung's cryptographic missteps -- since addressed in multiple CVEs -- to downgrade a device's security protocols. That would force a phone back onto the flawed legacy key format, setting it up for a known class of attack: IV (initialization vector) reuse. Reusing an IV under the same key defeats the randomization that ensures that even if multiple messages with identical plaintext are encrypted, the corresponding ciphertexts will each be distinct; with AES-GCM the damage goes further, because two ciphertexts produced under the same key and IV XOR together to give the XOR of their plaintexts.

The design flaws primarily affect devices that use ARM's TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions. TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad." "They used a single key and allowed IV re-use," Green said. "So they could have derived a different key-wrapping key for each key they protect," he continued. "But instead Samsung basically doesn't. Then they allow the app-layer code to pick encryption IVs." The design decision allows for "trivial decryption," he said.

Samsung responded to the academics' disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone. The Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. It stores keys as blobs, which are keys "wrapped" (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs. Then, in July 2021, the researchers revealed a downgrade attack -- one that lets an attacker with a privileged process force the legacy blob format and so trigger the IV reuse vulnerability again. Samsung issued another patch -- to address CVE-2021-25490 -- that removed the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.
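The design Green describes above (one key-wrapping key for every blob, IVs chosen by the app layer) and the blob decryption the patch for CVE-2021-25444 addressed are easy to model. The following Go program is an added example, not Samsung's Keymaster code or the researchers' proof of concept; the function names, the 32-byte keys, the 12-byte IV and the "blob" layout are constructed for illustration. It wraps two keys under one KEK with AES-GCM, shows that a caller who can pick the IV recovers another blob's key material from nothing but the two ciphertexts and its own key, and then shows that one obvious fix, a fresh random IV drawn inside the TA for every blob, defeats the same attack.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmTagLen is the length of the authentication tag AES-GCM appends.
const gcmTagLen = 16

// wrapKeyCallerIV models the flawed design: one device-wide KEK for every
// blob, and the untrusted caller picks the AES-GCM IV. (Constructed model,
// not Samsung's Keymaster code.)
func wrapKeyCallerIV(kek, iv, keyMaterial []byte) []byte {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	// Seal returns ciphertext || tag. The ciphertext part is the plaintext
	// XORed with a keystream that depends only on (KEK, IV).
	return gcm.Seal(nil, iv, keyMaterial, nil)
}

// wrapKeyRandomIV is the corrected form: the TA draws a fresh IV for every
// blob and prepends it so the blob can still be unwrapped later.
func wrapKeyRandomIV(kek, keyMaterial []byte) []byte {
	iv := make([]byte, 12)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return append(iv, wrapKeyCallerIV(kek, iv, keyMaterial)...)
}

// stripTag drops the 16-byte tag so only the keystream-XOR part remains.
func stripTag(blob []byte) []byte { return blob[:len(blob)-gcmTagLen] }

// recoverViaIVReuse is the attack. With the same KEK and IV the keystream is
// identical, so C_known XOR C_target = K_known XOR K_target. The attacker
// never learns the KEK; it needs only its own key and the two ciphertexts.
func recoverViaIVReuse(knownKey, ctKnown, ctTarget []byte) []byte {
	n := len(ctTarget)
	if len(ctKnown) < n {
		n = len(ctKnown) // the attacker's key must be at least as long as the target
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = ctKnown[i] ^ ctTarget[i] ^ knownKey[i]
	}
	return out
}

// Constructed test material: the attacker knows neither kek nor victim.
var (
	kek      = bytes.Repeat([]byte{0x11}, 32)
	victim   = []byte("victim-key-material-32-bytes!!!!")
	attacker = bytes.Repeat([]byte{0xAA}, 32)
)

// demoIVReuse wraps both keys under the flawed design with the same
// app-chosen IV and returns (recovered, victim).
func demoIVReuse() ([]byte, []byte) {
	iv := bytes.Repeat([]byte{0x22}, 12) // app layer reuses this IV
	victimBlob := wrapKeyCallerIV(kek, iv, victim)
	attackerBlob := wrapKeyCallerIV(kek, iv, attacker)
	return recoverViaIVReuse(attacker, stripTag(attackerBlob), stripTag(victimBlob)), victim
}

// demoRandomIV repeats the attack against the corrected wrapping; the
// keystreams differ, so the XOR yields nothing useful.
func demoRandomIV() ([]byte, []byte) {
	victimBlob := wrapKeyRandomIV(kek, victim)
	attackerBlob := wrapKeyRandomIV(kek, attacker)
	// skip the 12-byte IV prefix each blob now carries, then the tag
	return recoverViaIVReuse(attacker, stripTag(attackerBlob[12:]), stripTag(victimBlob[12:])), victim
}

func main() {
	got, want := demoIVReuse()
	fmt.Printf("same IV:   victim key recovered = %v\n", bytes.Equal(got, want))
	got, want = demoRandomIV()
	fmt.Printf("random IV: victim key recovered = %v\n", bytes.Equal(got, want))
}
```

Run it with `go run`; the first line reports that the victim key was recovered, the second that it was not. Stripping the tag is not cheating: the GCM tag authenticates the ciphertext but does not hide the keystream, and with a reused IV the attacker can additionally recover the GCM authentication subkey from two tagged messages and forge valid blobs (Joux's "forbidden attack"), which is why a downgrade back to the legacy format is so damaging. Deriving a distinct wrapping key per blob, as Green suggests, would close the hole even if IVs were still caller-chosen.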

Security

Linux Malware Attacks are Increasing, and Businesses Aren't Ready (zdnet.com)

ZDNet reports: Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity — and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed. Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there's also a lack of focus on managing and detecting threats against them.

This follows an increase in enterprises relying on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments. That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows. These attacks are designed for maximum impact, as the cyber criminals look to compromise as much of the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key.

The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they're not paid a ransom.... Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency....

Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems — that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. That includes cybersecurity hygiene procedures such as ensuring default passwords aren't in use and avoiding sharing one account across multiple users.

Privacy

It's Back: Senators Want 'EARN IT' Bill To Scan All Online Messages (eff.org)

A group of lawmakers has re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that "would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe," writes Joe Mullin via the Electronic Frontier Foundation. "It's a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online -- backups, websites, cloud photos, and more -- is scanned." From the report: The bill empowers every U.S. state or territory to create sweeping new Internet regulations, by stripping away the critical legal protections for websites and apps that currently prevent such a free-for-all -- specifically, Section 230. The states will be allowed to pass whatever type of law they want to hold private companies liable, as long as they somehow relate their new rules to online child abuse. The goal is to get states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services. This includes messaging services like WhatsApp, Signal, and iMessage, as well as web hosts like Amazon Web Services. [...]

Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary "best practices" for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill's sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites -- the government will already have access to the user data, through the platform. [...] Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.

The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That's completely false, no matter whether it's called "client side scanning" or another misleading new phrase. The EARN IT Act doesn't target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies -- from the largest ones to the very smallest ones -- as its tools. The strategy is to get private companies to do the dirty work of mass surveillance.

Encryption

Messenger's End-To-End Encrypted Chats and Calls Are Available To Everyone (theverge.com)

Messenger has fully rolled out end-to-end encryption (E2EE) to everyone, with toggles to encrypt text messages as well as group chats and calls. As The Verge notes, Messenger first added E2EE in 2016, back when it was still called Facebook Messenger and Meta was still Facebook. "Meta has discussed switching to E2EE as a default, but that may not happen until next year at the earliest, as some regulators claim this would harm public safety," adds The Verge. From the report: There are two ways Messenger users can opt in to the secure chats: via vanish mode, by swiping up on an existing chat to enter one where messages automatically disappear when the window is closed, or via the original version, introduced in 2016 as Secret Conversations. You can turn that on by toggling the lock icon when you start a new chat.

In addition to a full rollout of the feature, Messenger has some new features to enable as well. Now, in end-to-end encrypted chats, you can use GIFs, stickers, reactions, and long-press to reply or forward messages. The encrypted chats also now support verified badges so that people can identify authentic accounts. You can also save media exchanged in the chats, and there's a Snapchat-style screenshot notification that will be rolling out over the next few weeks.

Bitcoin

Quantum Computers Are a Million Times Too Small To Hack Bitcoin (newscientist.com)

MattSparkes shares a report from New Scientist: Quantum computers would need to become around one million times larger than they are today in order to break the public-key cryptography that secures bitcoin (the 256-bit elliptic-curve signatures on transactions, not the SHA-256 hash the summary names), which would put the cryptocurrency at risk from hackers. Breaking this code is essentially impossible for ordinary computers, but quantum computers, which can exploit the properties of quantum physics to speed up some calculations, could theoretically crack it open.

[Mark Webber at the University of Sussex, UK, and his colleagues] calculated that breaking bitcoin's signature scheme within the roughly 10 minute window in which a transaction waits to be confirmed would require a quantum computer with 1.9 billion qubits, while cracking it in an hour would require a machine with 317 million qubits. Even allowing for a whole day, this figure only drops to 13 million qubits. This is reassuring news for bitcoin owners because current machines have only a tiny fraction of this -- IBM's record-breaking superconducting quantum computer has only 127 qubits, so devices would need to become a million times larger to threaten the cryptocurrency, something Webber says is unlikely to happen for a decade.
The study has been published in the journal AVS Quantum Science.

China

Security Flaws Seen In China's Mandatory Olympics App For Athletes (nytimes.com)

schwit1 writes: The mandatory smartphone app that athletes will use to report health and travel data when they are in China for the Olympics next month has serious encryption flaws, according to a new report, raising security questions about the systems that Beijing plans to use to track Covid-19 outbreaks.

Portions of the app that will transmit coronavirus test results, travel information and other personal data failed to verify the signature used in encrypted transfers, or didn't encrypt the data at all, according to the report by Citizen Lab, a University of Toronto cybersecurity watchdog. The group also found that the app includes a series of political terms marked for censorship in its code, though it does not appear to actively use the list to filter communications.

And Olympic Athletes will be punished if they engage In Wrong Speak.
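The report's phrase "failed to verify the signature used in encrypted transfers" describes, in practice, a TLS client that does not validate the server's certificate chain; treating it that way is an assumption made here, not a detail the report states. The Go program below is an added example, not code from the app or from Citizen Lab: it stands up a local TLS server whose certificate no system trust store knows, then fetches from it three ways: the default verifying client (rejects it), a client with `InsecureSkipVerify` (the anti-pattern, which accepts whatever a Wi-Fi interloper presents), and a client that trusts only the expected certificate (pinning). The server, handler, response text and all names are constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeBackend is a constructed stand-in for the app's backend. It serves
// over TLS with httptest's built-in certificate, which no system trust
// store recognises, exactly the situation a MITM certificate creates.
func newFakeBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "covid-test-result:negative") // constructed payload
	}))
}

// fetchWith performs one GET with the given TLS client settings.
func fetchWith(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Outcome records the three client behaviours side by side.
type Outcome struct {
	StrictRejected bool   // default verification refused the untrusted chain
	StrictErr      string // the error the strict client saw
	InsecureBody   string // InsecureSkipVerify accepted whatever was presented
	PinnedBody     string // trusting only the expected certificate also succeeds
}

func runDemo() Outcome {
	srv := newFakeBackend()
	defer srv.Close()
	var out Outcome

	// 1. Secure default: Go checks the chain against the system roots and the
	//    hostname; an unknown issuer is a handshake failure, as it should be.
	if _, err := fetchWith(srv.URL, &tls.Config{}); err != nil {
		out.StrictRejected = true
		out.StrictErr = err.Error()
	}

	// 2. The anti-pattern: InsecureSkipVerify disables both chain and hostname
	//    checks, so any certificate presented on hotel or venue Wi-Fi is accepted
	//    and the "encrypted" transfer can be read and altered in transit.
	if body, err := fetchWith(srv.URL, &tls.Config{InsecureSkipVerify: true}); err == nil {
		out.InsecureBody = body
	}

	// 3. Hardened form for a fixed backend: pin the certificate (or issuing CA)
	//    you expect instead of trusting the device's entire root store.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	if body, err := fetchWith(srv.URL, &tls.Config{RootCAs: pool}); err == nil {
		out.PinnedBody = body
	}
	return out
}

func main() {
	out := runDemo()
	fmt.Printf("strict client rejected: %v (%s)\n", out.StrictRejected, out.StrictErr)
	fmt.Printf("InsecureSkipVerify got: %q\n", out.InsecureBody)
	fmt.Printf("pinned client got:      %q\n", out.PinnedBody)
}
```

The useful check when auditing an app is the middle case: if a client happily completes a handshake against a certificate the platform does not trust, it is not verifying anything, and every "encrypted transfer" it makes is only as private as the network path. Pinning is the usual answer for a single, known backend, with the caveat that the pinned certificate or CA must be rotatable through an update path.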

Security

Biden To Expand National Security Agency Role in Government Cybersecurity (wsj.com)

President Biden on Wednesday expanded the National Security Agency's role in protecting the U.S. government's most sensitive computer networks, issuing a directive intended to bolster cybersecurity within the Defense Department and intelligence agencies. From a report: The memorandum signed by Mr. Biden mandates baseline cybersecurity practices and standards, such as two-factor authentication and use of encryption, for so-called national security systems, which include the Defense Department and intelligence agencies and the federal contractors that support them. It effectively aligns the cybersecurity standards imposed on national security agencies with those previously established for civilian agencies under an executive order Mr. Biden signed last May. Affected agencies will soon be expected to implement various cybersecurity protocols, including use of certain cloud technologies and software that can detect security problems on a network. Cybersecurity failures have plagued the U.S. government for decades, including thefts of detailed personnel records and military secrets that have been blamed on Russia, China and other adversaries. While national security agencies are generally seen as more secure than their civilian counterparts, they have endured significant breaches, too.

Opera

Opera Launches a Dedicated Crypto Browser (engadget.com)

Opera has launched its Web3 "Crypto Browser" into beta with features like a built-in crypto wallet, easy access to cryptocurrency/NFT exchanges, support for decentralized apps (dApps) and more. From a report: The aim is to "simplify the Web3 user experience that is often bewildering for mainstream users," Opera EVP Jorgen Arnensen said in a statement. A key feature is the built-in non-custodial wallet that will support blockchains including Ethereum, Bitcoin, Celo and Nervos from the get-go. It also announced partnerships with Polygon and others. The idea is to let you access your crypto without the need for any extensions, with the option of using third-party wallets as well. You can purchase cryptocurrencies via a fiat to crypto on-ramp, swap crypto directly in-wallet, send and receive it and check your wallet balance. It even has a secure clipboard that ensures other apps can't access data when you copy/paste. The other primary function is support for Web3, aka blockchain-based decentralized internet, aka the buzzy new thing among crypto enthusiasts (and skeptics). On top of providing extra security via blockchain encryption, it allows users to access things like GameFi "where you can earn as you play your way through all sorts of metaverses," Opera notes. It also offers a "Crypto Corner" with the latest blockchain news that also "lets you grow your Web3 skills," according to Opera.

Privacy

Winter Olympics: Athletes Advised To Use Burner Phones In Beijing (bbc.com)

New submitter sperm shares a report from the BBC: The Beijing Winter Olympics app that all Games attendees must use contains security weaknesses that leave users exposed to data breaches, analysts say. The My2022 app will be used by athletes, audience members and media for daily Covid monitoring. The app will also offer voice chats, file transfers and Olympic news.

But cybersecurity group Citizen Lab says the app fails to provide encryption on many of its files. China has dismissed the concerns. Questions about the app come amid a rise in warnings about visitors' tech security ahead of the Games, which begin on 4 February. People attending the Beijing Olympics should bring burner phones and create email accounts for their time in China, cyber security firm Internet 2.0 said on Tuesday. Several countries have also reportedly told athletes to leave their main devices at home.
The report also says that it's found a "censorship keywords" list built into the app, and a feature that allows people to flag other "politically sensitive" expressions.

Encryption

UK Gov't Plans Publicity Blitz To Undermine Privacy of Your Chats (rollingstone.com)

The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. From the report: One key objective: mobilizing public opinion against Facebook's decision to encrypt its Messenger app. The Home Office has hired the M&C Saatchi advertising agency -- a spin-off of Saatchi and Saatchi, which made the "Labour Isn't Working" election posters, among the most famous in UK political history -- to plan the campaign, using public funds. According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt -- placing an adult and child (both actors) in a glass box, with the adult looking "knowingly" at the child as the glass fades to black. Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.

Google

Google Says iMessage Is Too Powerful (arstechnica.com)

Google took to Twitter this weekend to complain that iMessage is just too darn influential with today's kids. Ron Amadeo writes via Ars Technica: The company was responding to a Wall Street Journal report detailing the lock-in and social pressure Apple's walled garden is creating among US teens. iMessage brands texts from iPhone users with a blue background and gives them additional features, while texts from Android phones are shown in green and only have the base SMS feature set. According to the article, "Teens and college students said they dread the ostracism that comes with a green text. The social pressure is palpable, with some reporting being ostracized or singled out after switching away from iPhones." Google feels this is a problem.

"iMessage should not benefit from bullying," the official Android Twitter account wrote. "Texting should bring us together, and the solution exists. Let's fix this as one industry." Google SVP Hiroshi Lockheimer chimed in, too, saying, "Apple's iMessage lock-in is a documented strategy. Using peer pressure and bullying as a way to sell products is disingenuous for a company that has humanity and equity as a core part of its marketing. The standards exist today to fix this."

The "solution" Google is pushing here is RCS, or Rich Communication Services, a GSMA standard from 2008 that has slowly gained traction as an upgrade to SMS. RCS adds typing indicators, user presence, and better image sharing to carrier messaging. It is a 14-year-old carrier standard, though, so it lacks many of the features you would want from a modern messaging service, like end-to-end encryption and support for non-phone devices. Google tries to band-aid over the aging standard with its "Google Messaging" client, but the result is a lot of clunky solutions that don't add up to a good modern messaging service. Since RCS replaces SMS, Google has been on a campaign to get the industry to make the upgrade. After years of protesting, the US carriers are all onboard, and there is some uptake among the international carriers, too. The biggest holdout is Apple, which only supports SMS through iMessage.
"Google clearly views iMessage's popularity as a problem, and the company is hoping this public-shaming campaign will get Apple to change its mind on RCS," writes Amadeo in closing. "But Google giving other companies advice on a messaging strategy is a laughable idea since Google probably has the least credibility of any tech company when it comes to messaging services. If the company really wants to do something about iMessage, it should try competing with it."

Further reading:
Eddy Cue Wanted To Bring iMessage To Android In 2013
Apple Says iMessage On Android 'Will Hurt Us More Than Help Us'

Businesses

Moxie Marlinspike Has Stepped Down as CEO of Signal (theverge.com)

Signal founder Moxie Marlinspike is stepping down as CEO of the company, he announced in a blog post on Monday. Executive chairman Brian Acton will serve as acting CEO until a replacement is found. From a report: "Every day, I'm struck by how boundless Signal's potential looks, and I want to bring in someone with fresh energy and commitment to make the most of that," Marlinspike wrote. "I now feel very comfortable replacing myself as CEO based on the team we have." The company has met with several CEO candidates "over the last few months," Marlinspike wrote, but the search remains ongoing. Founded in 2014, Signal has grown into one of the most trusted and robust apps for encrypted messaging. The service has more than 40 million monthly users and is regularly recommended in security guides. Established as a nonprofit, the company is not supported by advertising or app sales, instead relying on donations and a recently launched sustainer program.

Facebook

Amid Facebook Controversies, Meta's Head of PR 'Leaves a Company on Fire' (gizmodo.com)

Gizmodo writes that "It's hard to blame someone for running away from a burning building. The same can be applied to Silicon Valley, where the head of public relations at Meta, Facebook's parent company, is stepping down." His departure comes as the tech giant struggles to put out several PR fires, most notable among them the fallout from the "Facebook Papers," a series of damning reports first published by the Journal last fall that included thousands of leaked internal documents.
"The central thesis of Haugen's leaks is that Facebook and its executives know about the problems Facebook helps ignite and proliferate, from political lies to eating disorders, and don't do enough to stop them," writes Insider.com. They add that whistleblower Haugen "has also taken aim at the company's efforts to expand encryption to increase user privacy, suggesting such a move may make it easier for Facebook to ignore countries conducting espionage on its platforms."

And they note that Facebook also lost its VP of Product Communications, Roberta Thomson.

The Wall Street Journal reports that the departure of communications head John Pinette is "creating a void at the top of the department managing the controversies surrounding the tech giant." John Pinette had overseen the company's external communications since 2019. Prior to joining what was then Facebook, Pinette handled business and philanthropic dealings for deceased Microsoft co-founder Paul Allen. He also ran communications for Alphabet Inc.'s Google in Asia and advised Microsoft co-founder Bill Gates in past jobs.

Microsoft

First Microsoft Pluton-powered Windows 11 PCs To Start Rolling Out this Year

In November 2020, Microsoft took the wraps off its Pluton security chip, with the goal of bringing it to all Windows 10 PCs. It wasn't until this week that any of Microsoft's OEMs announced their first Pluton-powered PCs. From a report: At CES, Lenovo unveiled its Ryzen-6000-based ThinkPad Z series laptops running Windows 11, which will integrate the Microsoft Pluton processor. The coming ThinkPad Z series laptops will begin shipping in May 2022. Thanks to Pluton, these devices will be able to receive updated firmware using Windows Update. In the ThinkPad Z13 and Z16, Pluton will help protect Windows Hello credentials, according to Microsoft, by further isolating them from attackers. These new ThinkPads will use Pluton as their TPMs to protect encryption keys from physical attacks, Microsoft officials said. Microsoft pioneered Pluton first in Azure Sphere, its Linux-based microcontroller, and in Xbox. In a January 4 blog post, Microsoft officials noted that Pluton can be configured in three ways: as the Trusted Platform Module (TPM); as a security processor for non-TPM scenarios like platform resiliency; or inside a device where OEMs have opted to ship with the chip turned off.

Encryption

NBC: 'You Probably Don't Need to Rely on a VPN Anymore' (nbcnews.com)

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...."

Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message.

There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.

Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity.

The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.

"Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

Crime

Google Scans Gmail and Drive For Cartoons of Child Sexual Abuse (forbes.com)

A Forbes associate editor covering privacy, cybercrime, and security/surveillance reports on a recently-revealed search warrant.

Instead of investigating a photo, it asked Google to provide information on a suspect who allegedly owned graphic illegal cartoons involving children: That kind of content is potentially illegal to own under U.S. law and can be detected by Google's anti-child sexual abuse material (CSAM) systems, a fact not previously discussed in the public domain, the warrant reveals.... Google also uses machine learning tools to look at files and analyze them for any sign they're of abused children....

As per its legal requirements, Google handed information on what it found, as well as the IP addresses used to access the images, to the National Center for Missing and Exploited Children (NCMEC), which then passed on the findings to the DHS Homeland Security Investigations unit. Investigators used the IP addresses provided by Google to identify the suspect as the alleged owner of the cartoons, and searched his Google account, receiving back information on emails to and from the defendant. It appears the suspect may actually be a known artist. As no charges have been filed, Forbes isn't publishing his name, but the man identified in the warrant had won several small Midwest art competitions, and one artwork from the 1990s had been mentioned in a major West Coast newspaper...

Google, meanwhile, has in recent years released transparency reports showing how many times it reports issues to NCMEC. The figures reveal a disturbing trend. In the first six months of 2021, it found more than 3.4 million pieces of potentially illegal content in 410,000 separate reports. That was up from 2.9 million in 365,000 reports in the last six months of 2020, and well over double that from January to June 2020, when 1.5 million pieces of CSAM material were discovered and reported to NCMEC in 180,000 reports...

As Google doesn't end-to-end encrypt its communications tools like Gmail or its file storage tech like Drive, it's still possible for the tech company to scan for illegal content. And as it has no plans to introduce those features, law enforcement can still rely on Google to warn NCMEC when abuse happens on its servers. Whether the majority of users will want Google to scan people's accounts so it can help find child abusers, or have improved privacy with end-to-end encryption instead, the Mountain View, California-based business will have to struggle with that balance in perpetuity. The same goes for any one of its rivals.

Crime

2021 Had Six Different Cryptocurrency Heists Over $100 Million (nbcnews.com) 55

More than 20 different times in the last 12 months, at least $10 million was stolen from a cryptocurrency exchange or project, reports NBC News.

"In at least six cases, hackers stole more than $100 million..." By comparison, bank robberies netted perpetrators an average of less than $5,000 per heist last year, according to the FBI's annual crime statistics... "If you hack a Fortune 500 company today, you might steal some usernames and passwords," said Esteban Castaño, the CEO and co-founder of TRM Labs, a company that builds tools for companies to track digital assets. "If you hack a cryptocurrency exchange, you may have millions of dollars in cryptocurrency...."

[W]hile a handful of countries have strict regulations in place, it's relatively easy for tech entrepreneurs to set up an exchange nearly anywhere in the world and run it however they like. Cryptocurrencies generally offer a certain amount of security — taking their name, in part, from "encryption." But the exchanges that manage them, especially new ones building their businesses from scratch, often start with a tiny staff, which means few if any full-time cybersecurity professionals. Their developers may work frantically to make the code work, sometimes accidentally leaving flaws that give hackers a foothold. Combined with the fact that a volatile market often leaves them suddenly holding a fortune, exchanges are a particularly ripe target for criminal hackers....

The problem is exacerbated because many cryptocurrency projects, intent on avoiding government regulations, set up in countries whose law enforcement agencies don't have much power to go after transnational hackers. Or if they are hacked, they tend to be less likely to call for government help on ideological grounds, said Beth Bisbee, head of U.S. investigations at Chainalysis, a company that tracks cryptocurrency transactions for both private companies and government agencies. Some developers "want to be anti-bank and anti-oversight," Bisbee said. "So when something like that happens, they're not necessarily wanting to work with law enforcement, even though they'd be considered to be a victim and it'd be valuable for them to."

Ultimately the article points out that "Most exchange hackers are not caught." (Although in at least one case part of the stolen money was voluntarily returned.)

But what happens after the breach, NBC News asked Dave Jevans, the founder of CipherTrace, a company that tracks theft and fraud in cryptocurrencies. If an exchange is wealthy enough and plans ahead to have an emergency fund, it can compensate its customers if its operation is hacked, Jevans said. If not, it often goes out of business. "Not every exchange is so wealthy or has so much foresight. It just goes, pop, 'We're out of business. Sorry, you're all screwed,'" he said.
Programming

Ruby on Rails Creator Touts 7.0 as One-Person Framework, 'The Way It Used To Be' (hey.com) 62

David Heinemeier Hansson is the creator of Ruby on Rails (as well as the co-founder and CTO of Basecamp, makers of the email software HEY). But he says Wednesday's release of version 7.0 is the version he's been longing for, "The one where all the cards are on the table. No more tricks up our sleeves. The culmination of years of progress on five different fronts at once." The backend gets some really nice upgrades, especially with the encryption work that we did for HEY, so your data can be encrypted while it's live in the database.... But it's on the front end things have made a quantum leap. We've integrated the Hotwire frameworks of Stimulus and Turbo directly as the new defaults, together with that hot newness of import maps, which means you no longer need to run the whole JavaScript ecosystem enchilada in your Ruby app...

The part that really excites me about this version, though, is how much closer it brings us to the ideal of The One Person Framework. A toolkit so powerful that it allows a single individual to create modern applications upon which they might build a competitive business. The way it used to be... Rails 7 seeks to be the wormhole that folds the time-learning-shipping-continuum, and allows you to travel grand distances without knowing all the physics of interstellar travel. Giving the individual rebel a fighting chance against The Empire....

The key engine powering this assault is conceptual compression. Like a video codec that throws away irrelevant details such that you might download the film in real-time rather than buffer for an hour. I dedicated an entire RailsConf keynote to the idea...

[I]f there ever was an opening, ever was a chance that we might at least tilt the direction of the industry, now is it.

What a glorious time to be working in web development.
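The "encrypted while it's live in the database" idea above is application-layer column encryption: the app encrypts a value before it is written and decrypts it after it is read, so the database and anyone who dumps it only ever see ciphertext. The following is an added illustration of that idea in plain Ruby using OpenSSL directly; it is not Rails' Active Record Encryption and does not reproduce its API or storage format. The module and function names (`ColumnCrypto`, `column_crypto_demo`), the `users.email:42` context string and the 32-byte key drawn at random are the example's own assumptions; in a real deployment the key comes from a secrets store, never from the database it protects.

```ruby
require 'openssl'

# Added example (not Rails' Active Record Encryption): AES-256-GCM column encryption.
# GCM gives confidentiality plus an authentication tag, so a value edited in the
# database without the key fails to decrypt instead of silently yielding garbage.
module ColumnCrypto
  CIPHER = 'aes-256-gcm'
  IV_LEN = 12 # GCM's standard nonce length

  # Returns one DB-storable string: base64(iv).base64(tag).base64(ciphertext).
  # aad binds the ciphertext to its context (assumed format "table.column:id"), so a
  # ciphertext copied from one row or column into another fails authentication.
  # deterministic: true derives the IV from the plaintext, so equal plaintexts give
  # equal ciphertexts (needed for equality lookups, at the cost of revealing equality).
  # The default random IV makes two encryptions of the same value look unrelated.
  def self.encrypt(plaintext, key, aad: '', deterministic: false)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = if deterministic
           OpenSSL::HMAC.digest('SHA256', key, plaintext)[0, IV_LEN]
         else
           OpenSSL::Random.random_bytes(IV_LEN)
         end
    cipher.iv = iv
    cipher.auth_data = aad
    ct = (plaintext.empty? ? ''.b : cipher.update(plaintext)) + cipher.final
    [iv, cipher.auth_tag, ct].map { |b| [b].pack('m0') }.join('.')
  end

  # Returns the plaintext, or nil when the tag does not verify: wrong key, tampered
  # ciphertext, or a mismatched aad. Column values are assumed to be UTF-8 text.
  def self.decrypt(stored, key, aad: '')
    iv, tag, ct = stored.split('.', 3).map { |s| s.unpack1('m0') }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = aad
    pt = (ct.empty? ? ''.b : cipher.update(ct)) + cipher.final
    pt.force_encoding(Encoding::UTF_8)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end
end

# Demo on constructed data: round trip, non-determinism, tamper detection, context
# binding, and the deterministic mode. The key is random here; real code loads it
# from a secrets store.
def column_crypto_demo(key = OpenSSL::Random.random_bytes(32))
  aad = 'users.email:42'
  a = ColumnCrypto.encrypt('alice@example.com', key, aad: aad)
  b = ColumnCrypto.encrypt('alice@example.com', key, aad: aad)

  # Flip one bit of the stored ciphertext, as a database-level attacker might.
  parts = a.split('.')
  ct = parts[2].unpack1('m0')
  ct.setbyte(0, ct.getbyte(0) ^ 0x01)
  parts[2] = [ct].pack('m0')
  tampered = parts.join('.')

  {
    round_trip: ColumnCrypto.decrypt(a, key, aad: aad),
    distinct_ciphertexts: a != b,
    tamper_detected: ColumnCrypto.decrypt(tampered, key, aad: aad).nil?,
    wrong_context: ColumnCrypto.decrypt(a, key, aad: 'users.email:43').nil?,
    deterministic_equal: ColumnCrypto.encrypt('x', key, deterministic: true) ==
                         ColumnCrypto.encrypt('x', key, deterministic: true)
  }
end

puts column_crypto_demo.inspect if $PROGRAM_NAME == __FILE__
```

Two design points worth noticing: the authentication tag is what turns "the attacker can read the column" into "the attacker can neither read nor usefully modify it", and the `aad` context string is what stops a ciphertext from one user's row being swapped into another's. Deterministic mode is the one to reach for only when a column must be searchable by equality, because it leaks which rows share a value.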
