Encryption

Apple Removes Cloud Encryption Feature From UK After Backdoor Order 134

Apple is removing its most advanced, end-to-end encrypted security feature for cloud data in the United Kingdom [alternative source], in a stunning development after the government ordered the company to build a backdoor for accessing user data. From a report: The company said Friday that Advanced Data Protection, an optional feature that adds end-to-end encryption to a wide assortment of user data is no longer available in the UK for new users.

This layer of security covers iCloud data storage, device backups, web bookmarks, voice memos, notes, photos, reminders and text message backups. "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said in a statement. "ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices."
Privacy

Nearly 10 Years After Data and Goliath, Bruce Schneier Says: Privacy's Still Screwed (theregister.com) 57

Ten years after publishing his influential book on data privacy, security expert Bruce Schneier warns that surveillance has only intensified, with both government agencies and corporations collecting more personal information than ever before. "Nothing has changed since 2015," Schneier told The Register in an interview. "The NSA and their counterparts around the world are still engaging in bulk surveillance to the extent of their abilities."

The widespread adoption of cloud services, Internet-of-Things devices, and smartphones has made it nearly impossible for individuals to protect their privacy, said Schneier. Even Apple, which markets itself as privacy-focused, faces limitations when its Chinese business interests are at stake. While some regulation has emerged, including Europe's General Data Protection Regulation and various U.S. state laws, Schneier argues these measures fail to address the core issue of surveillance capitalism's entrenchment as a business model.

The rise of AI poses new challenges, potentially undermining recent privacy gains like end-to-end encryption. As AI assistants require cloud computing power to process personal data, users may have to surrender more information to tech companies. Despite the grim short-term outlook, Schneier remains cautiously optimistic about privacy's long-term future, predicting that current surveillance practices will eventually be viewed as unethical as sweatshops are today. However, he acknowledges this transformation could take 50 years or more.
United States

UK Demand For a Back Door To Apple Data Threatens Americans, Lawmakers Say (msn.com) 94

Members of key congressional oversight committees wrote to the United States' new top intelligence official Thursday to warn that a British order demanding government access to Apple users' encrypted data imperils Americans. From a report: Ron Wyden, a Democrat on the Senate Intelligence Committee, and Andy Biggs, a Republican on the House Judiciary committee, wrote to just-sworn-in National Intelligence Director Tulsi Gabbard and asked her to demand the United Kingdom retract its order.

If the top U.S. ally does not back off, they said, Gabbard should consider limiting the deep intelligence sharing and cooperation on cybersecurity between the countries. The Post first reported the existence of the confidential British order last week. It directs Apple to create a back door into its Advanced Data Protection offering, which allows users to fully encrypt data from iPhones and Mac computers when putting it in Apple's iCloud storage. Apple cannot retrieve such content even when served with a court order, frustrating authorities looking for evidence of terrorism, child abuse and other serious crimes.

The order was issued under the Investigatory Powers Act, which allows the British Home Office to require technical cooperation from companies and forbids those companies from disclosing anything about the demands. It would apply globally, though the U.K. authorities would have to ask Apple for information stored by specific customers.

AI

DeepSeek IOS App Sends Data Unencrypted To ByteDance-Controlled Servers (arstechnica.com) 68

An anonymous Slashdot reader quotes a new article from Ars Technica: On Thursday, mobile security company NowSecure reported that [DeepSeek] sends sensitive data over unencrypted channels, making the data readable to anyone who can monitor the traffic. More sophisticated attackers could also tamper with the data while it's in transit. Apple strongly encourages iPhone and iPad developers to enforce encryption of data sent over the wire using ATS (App Transport Security). For unknown reasons, that protection is globally disabled in the app, NowSecure said. What's more, the data is sent to servers that are controlled by ByteDance, the Chinese company that owns TikTok...

[DeepSeek] is "not equipped or willing to provide basic security protections of your data and identity," NowSecure co-founder Andrew Hoog told Ars. "There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company's data and identity at risk...." This data, along with a mix of other encrypted information, is sent to DeepSeek over infrastructure provided by Volcengine a cloud platform developed by ByteDance. While the IP address the app connects to geo-locates to the US and is owned by US-based telecom Level 3 Communications, the DeepSeek privacy policy makes clear that the company "store[s] the data we collect in secure servers located in the People's Republic of China...."

US lawmakers began pushing to immediately ban DeepSeek from all government devices, citing national security concerns that the Chinese Communist Party may have built a backdoor into the service to access Americans' sensitive private data. If passed, DeepSeek could be banned within 60 days.

Encryption

UK Orders Apple To Let It Spy on Users' Encrypted Accounts (msn.com) 96

The UK government has ordered Apple to create a backdoor allowing access to encrypted cloud backups of users worldwide, Washington Post reported Friday, citing multiple sources familiar with the matter. The unprecedented demand, issued last month through a technical capability notice under the UK Investigatory Powers Act, requires Apple to provide blanket access to fully encrypted material rather than assistance with specific accounts.

Apple is likely to discontinue its encrypted storage service in the UK rather than compromise user security globally, the report said. The company would still face pressure to provide backdoor access for users in other countries, including the United States. The order was issued under Britain's 2016 Investigatory Powers Act, which makes it illegal to disclose such government demands, according to the report. While Apple can appeal to a secret technical panel and judge, the law requires compliance during any appeal process. The company told Parliament in March that the UK government should not have authority to decide whether global users can access end-to-end encryption.
Ubuntu

Ubuntu's Dev Discussions Will Move From IRC to Matrix (omgubuntu.co.uk) 70

The blog OMG Ubuntu reports: Ubuntu's key developers have agreed to switch to Matrix as the primary platform for real-time development communications involving the distro. From March, Matrix will replace IRC as the place where critical Ubuntu development conversations, requests, meetings, and other vital chatter must take place... Only the current #ubuntu-devel and #ubuntu-release Libera IRC channels are moving to Matrix, but other Ubuntu development-related channels can choose to move — officially, given some projects were using Matrix over IRC already.

As a result, any major requests to/of the key Ubuntu development teams with privileged access can only be actioned if requests are made on Matrix. Canonical-employed Ubuntu developers will be expected to be present on Matrix during working hours... The aim is to streamline organisation, speed up decision making, ensure key developers are reliably reachable, and avoid discussions and conversations from fragmenting across multiple platforms... It's hoped that in picking one platform as the 'chosen one' the split in where the distro's development discourse takes place can be reduced and greater transparency in how and when decisions are made restored.

IRC remains popular with many Ubuntu developers but its old-school, lo-fi nature is said to be off-putting to newer contributors. They're used to richer real-time chat platforms with more features (like discussion history, search, offline messaging, etc). It's felt this is why many newer developers employed by Canonical prefer to discuss and message through the company's internal Mattermost instance — which isn't publicly accessible. Many Ubuntu teams, flavours, and community chats already take place on Matrix...

"End-users aren't directly affected, of course," they point out. But an earlier post on the same blog notes that Matrix "is increasingly ubiquitous in open-source circles. GNOME uses it, KDE embraces it, Linux Mint migrated last year, Mozilla a few years before, and it's already widely used by Ubuntu community members and developers." IRC remains unmatched in many areas but is, rightly or wrongly, viewed as an antiquated communication platform. IRC clients aren't pretty or plentiful, the syntax is obtuse, and support for 'modern' comforts like media sending, read receipts, etc., is lacking.To newer, younger contributors IRC could feel ancient or cumbersome to learn.

Though many of IRC's real and perceived shortcomings are surmountable with workarounds, clients, bots, scripts, and so on, support for those varies between channels, clients, servers, and user configurations. Unlike IRC, which is a centralised protocol relying on individual servers, Matrix is federated. It lets users on different servers to communicate without friction. Plus, Matrix features encryption, message history, media support, and so, meeting modern expectations.

Social Networks

Pixelfed Creator Crowdfunds More Capacity, Plus Open Source Alternatives to TikTok and WhatsApp (techcrunch.com) 11

An anonymous reader shared this report from TechCrunch: The developer behind Pixelfed, Loops, and Sup, open source alternatives to Instagram, TikTok, and WhatsApp, respectively, is now raising funds on Kickstarter to fuel the apps' further development. The trio is part of the growing open social web, also known as the fediverse, powered by the same ActivityPub protocol used by X alternative Mastodon... [and] challenge Meta's social media empire... "Help us put control back into the hands of the people!" [Daniel Supernault, the Canadian-based developer behind the federated apps] said in a post on Mastodon where he announced the Kickstarter's Thursday launch.

As of the time of writing, the campaign has raised $58,383 so far. While the goal on the Kickstarter site has been surpassed, Supernault said that he hopes to raise $1 million or more so he can hire a small team... A fourth project, PubKit, is also a part of these efforts, offering a toolset to support developers building in the fediverse... The stretch goal of the Kickstarter campaign is to register the Pixelfed Foundation as a not-for-profit and grow its team beyond volunteers. This could help address the issue with Supernault being a single point of failure for the project... Mastodon CEO Eugen Rochko made a similar decision earlier this month to transition to a nonprofit structure. If successful, the campaign would also fund a blogging app as an alternative to Tumblr or LiveJournal at some point in the future.

The funds will also help the apps manage the influx of new users. On Pixelfed.social, the main Pixelfed instance, (like Mastodon, anyone can run a Pixelfed server), there are now more than 200,000 users, thanks in part to the mobile app's launch, according to the campaign details shared with TechCrunch. The server is also now the second-largest in the fediverse, behind only Mastodon.social, according to network statistics from FediDB. New funds will help expand the storage, CDNs, and compute power needed for the growing user base and accelerate development. In addition, they'll help Supernault dedicate more of his time to the apps and the fediverse as a whole while also expanding the moderation, security, privacy, and safety programs that social apps need.

As a part of its efforts, Supernault also wants to introduce E2E encryption to the fediverse.

The Kickstarter campaign promises "authentic sharing reimagined," calling the apps "Beautiful sharing platforms that puts you first. No ads, no algorithms, no tracking — just pure photography and authentic connections... More Privacy, More Safety. More Variety. " Pixelfed/Loops/Sup/Pubkit isn't a ambitious dream or vaporware — they're here today — and we need your support to continue our mission and shoot for the moon to be the best social communication platform in the world.... We're following the both the Digital Platform Charter of Rights & Ethical Web Principles of the W3C for all of our projects as guidelines to building platforms that help people and provide a positive social benefit.
The campaign's page says they're building "a future where social networking respects your privacy, values your freedom, and prioritizes your safety."
Encryption

Europol Chief Says Big Tech Has 'Responsibility' To Unlock Encrypted Messages (ft.com) 80

Technology giants must do more to co-operate with law enforcement on encryption or they risk threatening European democracy, according to the head of Europol, as the agency gears up to renew pressure on companies at the World Economic Forum in Davos this week. From a report: Catherine De Bolle told the Financial Times she will meet Big Tech groups in the Swiss mountain resort to discuss the matter, claiming that companies had a "social responsibility" to give the police access to encrypted messages that are used by criminals to remain anonymous. "Anonymity is not a fundamental right," said the EU law enforcement agency's executive director.

"When we have a search warrant and we are in front of a house and the door is locked, and you know that the criminal is inside of the house, the population will not accept that you cannot enter." In a digital environment, the police needed to be able to decode these messages to fight crime, she added. "You will not be able to enforce democracy [without it]."

Nintendo

Nintendo Admits Emulators Are Legal Despite Crackdown (androidauthority.com) 32

Nintendo's top intellectual property lawyer has acknowledged that video game emulators are technically legal, even as the company continues to shut down popular emulation projects worldwide. Speaking at the Tokyo eSports Festa, Koji Nishiura, deputy general manager of Nintendo's intellectual property department, said emulators violate the law only when they bypass encryption, copy copyrighted console programs, or direct users to pirated material. The statement comes after Nintendo forced the closure of several major emulation projects last year, including Yuzu, Citra, and Ryujinx.
Encryption

Ransomware Crew Abuses AWS Native Encryption, Sets Data-Destruct Timer for 7 Days (theregister.com) 18

A new ransomware group called Codefinger targets AWS S3 buckets by exploiting compromised or publicly exposed AWS keys to encrypt victims' data using AWS's own SSE-C encryption, rendering it inaccessible without the attacker-generated AES-256 keys. While other security researchers have documented techniques for encrypting S3 buckets, "this is the first instance we know of leveraging AWS's native secure encryption infrastructure via SSE-C in the wild," Tim West, VP of services with the Halcyon RISE Team, told The Register. "Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data," he warned. From the report: ... in addition to encrypting the data, Codefinder marks the compromised files for deletion within seven days using the S3 Object Lifecycle Management API â" the criminals themselves do not threaten to leak or sell the data, we're told. "This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand," West said. "Data destruction represents an additional risk to targeted organizations."

Codefinger also leaves a ransom note in each affected directory that includes the attacker's Bitcoin address and a client ID associated with the encrypted data. "The note warns that changes to account permissions or files will end negotiations," the Halcyon researchers said in a report about S3 bucket attacks shared with The Register. While West declined to name or provide any additional details about the two Codefinger victims -- including if they paid the ransom demands -- he suggests that AWS customers restrict the use of SSE-C.

"This can be achieved by leveraging the Condition element in IAM policies to prevent unauthorized applications of SSE-C on S3 buckets, ensuring that only approved data and users can utilize this feature," he explained. Plus, it's important to monitor and regularly audit AWS keys, as these make very attractive targets for all types of criminals looking to break into companies' cloud environments and steal data. "Permissions should be reviewed frequently to confirm they align with the principle of least privilege, while unused keys should be disabled, and active ones rotated regularly to minimize exposure," West said.
An AWS spokesperson said it notifies affected customers of exposed keys and "quickly takes any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment."

They also directed users to this post about what to do upon noticing unauthorized activity.
Communications

Italy Plans $1.6 Billion SpaceX Telecom Security Deal (yahoo.com) 27

An anonymous reader quotes a report from Bloomberg: Italy is in advanced talks with Elon Musk's SpaceX for a deal to provide secure telecommunications for the nation's government -- the largest such project in Europe, people with knowledge of the matter said Sunday. Discussions are ongoing, and a final agreement on the five-year contract hasn't been reached, said the people, who asked not to be identified citing confidential discussions. The project has already been approved by Italy's Intelligence Services as well as Italy's Defense Ministry, they said. Italy on Monday confirmed discussions are ongoing, saying no deal had yet been reached. "The talks with SpaceX are part of normal government business," the government said.

The negotiations, which had stalled until recently, appeared to move forward after Italian Prime Minister Giorgia Meloni visited President-elect Donald Trump in Florida on Saturday. The Italian government said the two didn't discuss the issue during their meeting. Italian officials have been negotiating on a $1.6 billion deal aimed at supplying Italy with a full range of top-level encryption for telephone and Internet services used by the government, the people said. The plan also includes communications services for the Italian military in the Mediterranean area as well as the rollout of so-called direct-to-cell satellite services in Italy for use in emergencies like terror attacks or natural disasters, they said. The possible deal has been under review since mid-2023. It's been opposed by some Italian officials concerned about how the services may detract from local carriers.

Privacy

Telegram Hands US Authorities Data On Thousands of Users (404media.co) 13

Telegram's Transparency Report reveals a sharp increase in U.S. government data requests, with 900 fulfilled requests affecting 2,253 users. "The news shows a massive spike in the number of data requests fulfilled by Telegram after French authorities arrested Telegram CEO Pavel Durov in August, in part because of the company's unwillingness to provide user data in a child abuse investigation," notes 404 Media. From the report: Between January 1 and September 30, 2024, Telegram fulfilled 14 requests "for IP addresses and/or phone numbers" from the United States, which affected a total of 108 users, according to Telegram's Transparency Reports bot. But for the entire year of 2024, it fulfilled 900 requests from the U.S. affecting a total of 2,253 users, meaning that the number of fulfilled requests skyrocketed between October and December, according to the newly released data. "Fulfilled requests from the United States of America for IP address and/or phone number: 900," Telegram's Transparency Reports bot said when prompted for the latest report by 404 Media. "Affected users: 2253," it added.

A month after Durov's arrest in August, Telegram updated its privacy policy to say that the company will provide user data, including IP addresses and phone numbers, to law enforcement agencies in response to valid legal orders. Up until then, the privacy policy only mentioned it would do so when concerning terror cases, and said that such a disclosure had never happened anyway. Even though the data technically covers the entire of 2024, the jump from a total of 108 affected users in October to 2253 as of now, indicates that the vast majority of fulfilled data requests were in the last quarter of 2024, showing a huge increase in the number of law enforcement requests that Telegram completed.
You can access the platform's transparency reports here.
Microsoft

FSF Urges Moving Off Microsoft's GitHub to Protest Windows 11's Requiring TPM 2.0 (fsf.org) 152

TPM is a dedicated chip or firmware enabling hardware-level security, housing encryption keys, certificates, passwords, and sensitive data, "and shielding them from unauthorized access," Microsoft senior product manager Steven Hosking wrote last month, declaring TPM 2.0 to be "a non-negotiable standard for the future of Windows."

Or, as BleepingComputer put it, Microsoft "made it abundantly clear... that Windows 10 users won't be able to upgrade to Windows 11 unless their systems come with TPM 2.0 support." (This despite the fact that Statcounter Global data "shows that more than 61% of all Windows systems worldwide still run Windows 10.") They add that Microsoft "announced on October 31 that Windows 10 home users will be able to delay the switch to Windows 11 for one more year if they're willing to pay $30 for Extended Security Updates."

But last week the Free Software Foundation's campaigns manager delivered a message on the FSF's official blog: "Keep putting pressure on Microsoft." Grassroots organization against a corporation as large as Microsoft is never easy. They have the advertising budget to claim that they "love Linux" (sic), not to mention the money and political willpower to corral free software developers from around the world on their nonfree platform Microsoft GitHub. This year's International Day Against DRM took aim at one specific injustice: their requiring a hardware TPM module for users being forced to "upgrade" to Windows 11. As Windows 10 will soon stop receiving security updates, this is a (Microsoft-manufactured) problem for users still on this operating system. Normally, offloading cryptography to a different hardware module could be seen as a good thing — but with nonfree software, it can only spell trouble for the user...

What's crucial now is to keep putting pressure on Microsoft, whether that's through switching to GNU/Linux, avoiding new releases of their software, or actions as simple as moving your projects off of Microsoft GitHub. If you're concerned about e-waste or have friends who work to combat climate change, getting them together to tell them about free software is the perfect way to help our movement grow, and free a few more users from Microsoft's digital restrictions. If you're concerned about e-waste or have friends who work to combat climate change, getting them together to tell them about free software is the perfect way to help our movement grow, and free a few more users from Microsoft's digital restrictions.

United States

US Government Tells Officials, Politicians To Ditch Regular Calls and Texts (reuters.com) 38

The U.S. government is urging senior government officials and politicians to ditch phone calls and text messages following intrusions at major American telecommunications companies blamed on Chinese hackers. From a report: In written guidance, opens new tab released on Wednesday, the Cybersecurity and Infrastructure Security Agency said "individuals who are in senior government or senior political positions" should "immediately review and apply" a series of best practices around the use of mobile devices.

The first recommendation: "Use only end-to-end encrypted communications." End-to-end encryption -- a data protection technique which aims to make data unreadable by anyone except its sender and its recipient -- is baked into various chat apps, including Meta's WhatsApp, Apple's iMessage, and the privacy-focused app Signal. Neither regular phone calls nor text messages are end-to-end encrypted, which means they can be monitored, either by the telephone companies, law enforcement, or - potentially - hackers who've broken into the phone companies' infrastructure.

Encryption

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure? (theintercept.com) 76

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecomm breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.

Thanks to Slashdot reader mspohr for sharing the article.
Slashdot.org

25 Years Ago Today: Slashdot Parodied by Suck.com (archive.org) 22

25 years ago today, the late, great Suck.com played a prank on Slashdot. Their daily column of pop-culture criticism was replaced by... Suckdot, a parody site satirically filled with Slashdot-style headlines like "Linux Possibly Defamed Somewhere." RabidZelot was one of a bunch to report: "In Richmond, California, this afternoon, this dude said something bad about Linux at the Hilltop Mall near the fountains right after the first showing of Phantom Menace let out. He was last seen heading towards Sears and has a 'Where Do You Want to Go Today?' T-shirt and brown hair. Let us know when you spot him."

( Read More... | 0 of 72873 comments)

There's more Slashdot-style news blurbs like "Red Hat Reports Income". (In which Red Hat founder Bob Young finds a quarter on the way to the conference room, and adds it to the company's balance sheet...) Its list of user-submitted "Ask Suckdot" questions include geek-mocking topics like "Is Overclocking Worth That Burning Smell?" and "HOW DO I TURN OFF SHIFT_LOCK?" And somewhere there's even a parody of Jon Katz (an early contributor to Slashdot's content) — though clicking "Read More" on the essay leads to a surprising message from the parodist admitting defeat. "Slashdot has roughly 60 million links on its front page. I'm simply not going to waste any more of my life making fun of each and every one of them. Half the time you can't tell the real Slashdot from the parody anyway."

Suck.com was a fixture in the early days of the web, launched in 1995 (and pre-dating the launch of Slashdot by two years). It normally published link-heavy commentary every weekday for nearly six years. Contributing writer Greg Knauss was apparently behind much of the Suckdot parody — even taking a jab at Slashdot's early online podcast, "Geeks in Space" (1999-2001). [Suckdot informs its readers in 1999 that "The latest installment of Geeks Jabbering at a Mic is up..."] Other Suckdot headlines?
  • Minneapolis-St. Paul Star-Tribune Uses Words "Red" and "Hat" in Article
  • BSD Repeatedly Ignored
  • DVD Encryption Cracked: Godzilla for Everybody!
  • Linus Ascends Bodily Into Heaven
  • iMac: Ha Ha Ha Ha Wimp

There were no hard feelings. Seven months later Slashdot was even linking to Greg Knauss's Suck.com essay proclaiming that "Mozilla is dead, or might as well be..."

So whatever happened to Suck.com? Though it stopped publishing in 2001, an outpouring of nostalgia in 2005 apparently prompted its owners at Lycos.com to continue hosting its content through 2018. (This unofficial history notes that one fan scrambling to archive the site was Aaron Swartz.) Though it's not clear what happened next, here in 2024 its original domain is now up for sale — at an asking price of $1 million.

But all of Suck.com's original content is still available online — including its Suckdot parody — at archive.org. Which, mercifully, is still here a full 28 years after launching in 1996...


Encryption

Google Criticized for 'Misleading' Encryption Claims About Its Text-Messaging App (daringfireball.net) 63

Google's app store claims that their text-messaging app Google Messages means "conversations are end-to-end encrypted".

"That is some serious bullshit," argues tech blogger John Gruber: It's shamefully misleading regarding Google Messages's support for end-to-end encryption... Google Messages does support end-to-end encryption, but only over RCS and only if all participants in the chat are using a recent version of Google Messages. But the second screenshot in the Play Store listing flatly declares "Conversations are end-to-end encrypted", full stop...

I realize that "Some conversations are end-to-end encrypted" will naturally spur curiosity regarding which conversations are encrypted and which aren't, but that's the truth. And users of the app should be aware of that. "RCS conversations with other Google Messages users are encrypted" would work.

Then, in the "report card" section of the listing, it states the following:

Data is encrypted in transit
Your data is transferred over a secure connection


Which, again, is only true sometimes. It's downright fraudulent to describe Google Messages's transit security this way.... [D]epending who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it's quite likely most of your messages won't be secure... E2EE is never available for SMS, and never available if a participant in the chat is using any RCS client (on Android or Apple Messages) other than Google Messages. That's an essential distinction that should be made clear, not obfuscated.

Gruber's earlier blog post had pointed out that the RCS standard "has no encryption; E2EE RCS chats in Google Messages use Google's proprietary extension and are exclusive to the Google Messages app, so RCS chats between Google Messages and other apps, most conspicuously Apple Messages, are not encrypted."

And in his newer post, Gruber adds, "While I'm at it, it's also embarrassing that Google Voice has no support for RCS at all. It's Google's own app and service, and Google has been the world's most vocal proponent of RCS messaging."
Encryption

US Officials Urge Americans to Use Encrypted Apps Amid Unprecedented Cyberattack (nbcnews.com) 58

An anonymous reader shared this report from NBC News: Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers...

In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China's intercepting their communications. "Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible," Greene said. The FBI official said, "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts...

The FBI and other federal law enforcement agencies have a complicated relationship with encryption technology, historically advocating against full end-to-end encryption that does not allow law enforcement access to digital material even with warrants. But the FBI has also supported forms of encryption that do allow some law enforcement access in certain circumstances.

Officials said the breach seems to include some live calls of specfic targets and also call records (showing numbers called and when). "The hackers focused on records around the Washington, D.C., area, and the FBI does not plan to alert people whose phone metadata was accessed."

"The scope of the telecom compromise is so significant, Greene said, that it was 'impossible" for the agencies "to predict a time frame on when we'll have full eviction.'"
Government

China Wiretaps Americans in 'Worst Hack in Our Nation's History' (gizmodo.com) 91

Longtime Slashdot reader mspohr shares a report from Gizmodo: Hackers for the Chinese government were able to deeply penetrate U.S. telecommunications infrastructure in ways that President Joe Biden's administration hasn't yet acknowledged, according to new reports from the Washington Post and New York Times. The hackers were able to listen to phone calls and read text messages, reportedly exploiting the system U.S. authorities use to wiretap Americans in criminal cases. The worst part? The networks are still compromised and it may take incredibly drastic measures to boot them from U.S. systems.

The hackers behind the infiltration of U.S. telecom infrastructure are known to Western intelligence agencies as Salt Typhoon, and this particular breach of U.S. equipment was first reported in early October by the Wall Street Journal. But Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times this week to warn the public that this is so much worse than we initially thought, dubbing it "the worst telecom hack in our nation's history." And those articles based on Warner's warnings were published late Thursday.

Hackers weren't able to monitor or intercept anything encrypted, according to the Times, which means that conversations over apps like Signal and Apple's iMessage were probably protected. But end-to-end encryption over texts between Apple devices and Android devices, for instance, aren't encrypted in the same way, meaning they were vulnerable to interception by Salt Typhoon, according to the Times. The details about how the hackers were able to push so deeply into U.S. systems are still scarce, but it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.

Microsoft

Microsoft's Controversial Recall Scraper is Finally Entering Public Preview 47

Microsoft has released a public preview of its redesigned Windows Recall feature, five months after withdrawing the original version due to security concerns. The feature will initially be available only on Qualcomm Snapdragon X Elite and Plus Copilot+ PCs running Windows Insider Dev channel build 26120.2415.

Recall, which continuously captures and indexes screenshots and text for later search, now includes mandatory encryption, opt-in activation, and Windows Hello authentication. The feature requires Secure Boot, BitLocker encryption, and attempts to automatically mask sensitive data like passwords and credit card numbers. The feature is exclusive to Copilot+ PCs equipped with neural processing units for local AI processing.

Slashdot Top Deals