Encryption

WhatsApp Sues India Government (techcrunch.com) 27

WhatsApp has sued the Indian government challenging the second largest internet market's new regulations that could allow authorities to make people's private messages "traceable," and conduct mass surveillance. From a report: The Facebook-owned instant messaging service, which identifies India as its biggest market by users, said it filed the lawsuit in the High Court of Delhi on Wednesday. It said New Delhi's "traceability" requirement -- which would require WhatsApp to help New Delhi identify the originator of a particular message -- violated citizens' constitutional right to privacy.

"Civil society and technical experts around the world have consistently argued that a requirement to 'trace' private messages would break end-to-end encryption and lead to real abuse. WhatsApp is committed to protecting the privacy of people's personal messages and we will continue to do all we can within the laws of India to do so," WhatsApp said in a statement. India first asked WhatsApp in 2018 to make software changes that would make the originator of a message traceable. The proposal came at a time when WhatsApp was grappling with containing the spread of false information in India, where circulation of such information had resulted in multiple real-life casualties. But the proposal didn't become law until this year. The traceability requirement is part of New Delhi's sweeping IT rules, which also require social media firms to appoint several officers in India to address on-ground concerns, and which give authorities greater power to take down posts they deem offensive.
Further reading: India says WhatsApp's lawsuit over new regulations a clear act of defiance.
Data Storage

Apple's Moves Point To a Future With No Bootable Backups, Says Developer (appleinsider.com) 105

The ability to boot from an external drive on an Apple Silicon Mac may not be an option for much longer, with the creation and use of the drives apparently being phased out by Apple, according to developers of backup tools. Apple Insider reports: Mike Bombich, the founder of Bombich Software behind Carbon Copy Cloner, wrote in a May 19 blog post that the company will continue to make bootable backups for both Intel and Apple Silicon Macs, and will "continue to support that functionality as long as macOS supports it." However, with changes in the way a Mac functions with the introduction of Apple Silicon, the ability to use external booting could be limited, in part due to Apple's design decisions.

The first problem is with macOS Big Sur, as Apple made it so macOS resides on a "cryptographically sealed Signed System Volume," which could only be copied by Apple Software Restore. While CCC has experience with ASR, the tool was deemed to be imperfect, with it failing "with no explanation" and operating in a "very one-dimensional" way. The second snag was Apple Fabric, a storage system that uses per-file encryption keys. However, ASR didn't work for months until the release of macOS 11.3 restored it, but even then kernel panics ensued when cloning back to the original internal storage.

In December, Bombich spoke to Apple about ASR's reliability and was informed that Apple was working to resolve the problem. During the call, Apple's engineers also said that copying macOS system files was "not something that would be supportable in the future." "Many of us in the Mac community could see that this was the direction Apple was moving, and now we finally have confirmation," writes Bombich. "Especially since the introduction of APFS, Apple has been moving towards a lockdown of macOS system files, sacrificing some convenience for increased security." [...] While CCC won't drop the ability to copy the System folder, the tool is "going to continue to offer it with a 'best effort' approach." Meanwhile, for non-bootable data restoration, CCC's backups do still work with the macOS Migration Assistant, available when booting up a new Mac for the first time.

Encryption

Unprecedented - Cyber Attackers Release Secret Key To Save Irish Health System (bbc.com) 57

Lanodonal shares a report from the BBC: Hackers responsible for causing widespread disruption to the Irish health system have unexpectedly gifted it with the tool to help it recover. The Conti ransomware group was reportedly asking the Irish health service for $20 million to restore services after the "catastrophic hack." But now the criminals have handed over the software tool for free. The Irish government says it is testing the tool and insists it did not, and would not, be paying the hackers. Taoiseach (Irish prime minister) Micheál Martin said on Friday evening that getting the software tool was good, but that enormous work is still required to rebuild the system overall.

Conti is still threatening to publish or sell data it has stolen unless a ransom is paid. On its darknet website, it told the Health Service Executive (HSE), which runs Ireland's healthcare system, that "we are providing the decryption tool for your network for free." "But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation." It was unclear why the hackers gave the tool -- known as a decryption key -- for free, said Health Minister Stephen Donnelly.
In an alert made public Thursday by the American Hospital Association, the FBI said the Conti group has also hit at least 16 U.S. medical and first response networks in the past year.
China

Censorship, Surveillance and Profits: A Hard Bargain for Apple in China (nytimes.com) 79

Apple has compromised on data security to placate Chinese authorities, the New York Times reported Monday, citing internal company documents and interviews with current and former Apple employees and security experts. An excerpt from the story: At the data center in Guiyang, which Apple hoped would be completed by next month, and another in the Inner Mongolia region, Apple has largely ceded control to the Chinese government. Chinese state employees physically manage the computers. Apple abandoned the encryption technology it used elsewhere after China would not allow it. And the digital keys that unlock information on those computers are stored in the data centers they're meant to secure.

[...] In China, Apple has ceded legal ownership of its customers' data to Guizhou-Cloud Big Data, or GCBD, a company owned by the government of Guizhou Province, whose capital is Guiyang. Apple recently required its Chinese customers to accept new iCloud terms and conditions that list GCBD as the service provider and Apple as "an additional party." Apple told customers the change was to "improve iCloud services in China mainland and comply with Chinese regulations."

The terms and conditions included a new provision that does not appear in other countries: "Apple and GCBD will have access to all data that you store on this service" and can share that data "between each other under applicable law." Under the new setup, Chinese authorities ask GCBD -- not Apple -- for Apple customers' data, Apple said. Apple believes that gives it a legal shield from American law, according to a person who helped create the arrangement. GCBD declined to answer questions about its Apple partnership.
Matthew Green, who teaches cryptography at Johns Hopkins, commented on Times' story: "Apple asked a lot of people to back them against the FBI in 2015. They used every tool in the legal arsenal to prevent the US from gaining access to their phones. Do they think anyone is going to give them the benefit of the doubt now?"
Businesses

Alexa/Echo Owners Become Part of Amazon's Massive 'Sidewalk' Mesh Network By Default (inc.com) 168

A tech columnist for Inc. noticed that on June 8th Amazon will finally power up its massive "Sidewalk" mesh network (which uses Bluetooth and 900MHz radio signals to communicate between devices). And millions and millions of Amazon customers are all already "opted in" by default: The idea behind it is actually really smart — make it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. That way, if your Ring doorbell, for example, isn't located close to your WiFi router, but it happens to be near an Echo Dot, it can use Sidewalk to stay connected.

The same is true if your internet connection is down. Your smart devices can connect to other smart devices, even if they aren't in your home. The big news on this front is that Tile is joining the Sidewalk network on June 14. That means that if you lose a Tile tracker, it can connect to any of the millions of Echo or Ring devices in your neighborhood and send its location back to you.

That's definitely a nice benefit, but it's also where things get a little murky from a privacy standpoint. That's because other people's devices, like your neighbor's, can also connect to your network. Amazon is pretty clear that Sidewalk uses three layers of encryption so that no data is shared between say, someone's Tile tracker and your network. The signal from the Tile is encrypted all the way back to the Tile app on your iPhone or Android smartphone... [But] whether or not you want your device connecting to other devices, or want your neighbors connecting to your WiFi, Amazon went ahead and made Sidewalk opt-out.

Opt out (for all your devices) using Alexa app's More tab (at the bottom): Settings > Account Settings > Amazon Sidewalk > Enabled.
United States

How America Will Improve Its Cybersecurity (politico.com) 119

Politico writes: President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enabling multi-factor authentication...

It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.

The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...

Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.

The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."

But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
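The SBOM paragraph above describes the consumer-side use case: take a machine-readable component list and check it against known vulnerabilities. The following is an added example, not code from the order, ZDNet or any of the projects named; it parses a constructed CycloneDX-style JSON SBOM and matches each component against a constructed vulnerability feed using half-open version ranges. The OpenSSL entry uses the CVE discussed later on this page (CVE-2021-3449, fixed in 1.1.1k); `EXAMPLE-VULN-0001` and `libexample` are placeholders, and the feed format is an assumption for illustration, not any real feed's schema.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (sample data, not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1j"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "libexample", "version": "3.4.0"},
    ],
})

# Constructed vulnerability feed: one real CVE (from this page, fixed in
# 1.1.1k) and one made-up placeholder entry. The schema is an assumption.
VULN_FEED = [
    {"id": "CVE-2021-3449", "component": "openssl",
     "introduced": "1.1.1", "fixed": "1.1.1k"},
    {"id": "EXAMPLE-VULN-0001", "component": "libexample",
     "introduced": "3.0.0", "fixed": "3.2.0"},
]

_TOKEN = re.compile(r"(\d+)|([a-z]+)")


def version_key(version: str) -> Tuple:
    """Turn '1.1.1j' into a comparable tuple. Numeric parts compare as integers
    (so 1.2.11 > 1.2.9) and a letter suffix sorts after a bare number at the
    same position (so 1.1.1 < 1.1.1a < 1.1.1k), matching OpenSSL's scheme."""
    key = []
    for num, alpha in _TOKEN.findall(version.lower()):
        key.append((0, int(num)) if num else (1, alpha))
    return tuple(key)


def load_components(sbom_text: str) -> List[Dict[str, str]]:
    """Extract name/version records from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [{"name": c["name"], "version": c["version"]}
            for c in doc.get("components", []) if "version" in c]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed version is safe)."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def find_affected(components: List[Dict[str, str]],
                  feed: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (vuln id, component, version) for every vulnerable component."""
    hits = []
    for comp in components:
        for vuln in feed:
            if vuln["component"] == comp["name"] and is_affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                hits.append((vuln["id"], comp["name"], comp["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for vid, name, ver in find_affected(load_components(SAMPLE_SBOM), VULN_FEED):
        print(f"{name} {ver}: affected by {vid}")
```

The half-open range is the detail worth getting right: a feed that lists the fixed version must not flag it, and a version comparator that treats `1.2.11` as less than `1.2.9` (string comparison) silently produces both false positives and false negatives.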
Security

New Malware Found Lurking In 64-Bit Linux Installs (zdnet.com) 85

syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.

At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.

There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

Encryption

Signal's Cellebrite Hack Is Already Causing Grief For the Law (gizmodo.com) 109

An anonymous reader quotes a report from Gizmodo: A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking. Ramon Rozas, who has practiced law for 25 years, told Gizmodo that he was compelled to pursue a new trial after reading a widely shared blog post written by the CEO of the encryption chat app Signal, Moxie Marlinspike. It was just about a week ago that Marlinspike brutally dunked on Cellebrite -- writing, in a searing takedown, that the company's products lacked basic "industry-standard exploit mitigation defenses," and that security holes in its software could easily be exploited to manipulate data during cell phone extraction.

Given the fact that Cellebrite's extraction software is used by law enforcement agencies the world over, questions have naturally emerged about the integrity of investigations that used the tech to secure convictions. For Rozas, the concerns center around the fact that "Cellebrite evidence was heavily relied upon" to convict his client, who was charged in relation to an armed robbery. The prosecution's argument essentially turned on that data, which was extracted from the suspect's phone using the company's tools. In a motion recently filed, Rozas argued that because "severe defects" have since been uncovered about the technology, a "new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself."
"I think it's going to take a while to figure out what the exact legal ramifications of this are," says Megan Graham, a Clinical Supervising Attorney at the Samuelson Law, Technology & Public Policy Clinic with Berkeley Law School. "I don't know how likely it is that cases would be thrown out," she said, adding that a person who has already been convicted would likely have to "show that someone else identified this vulnerability and exploited it at the time" -- not an especially easy task.

"Going forward, I think it's just hard to tell," Graham said. "We now know that this vulnerability exists, and it creates concerns about the security of Cellebrite devices and the integrity of evidence." But there's a lot that we don't know, she emphasized. Among Graham's concerns, she said that "we don't know if the vulnerability is being exploited," and that makes it difficult to discern when it could become an issue in past cases. "I think there will be cases where defense attorneys are able to get judges engaged [on this issue]. They will present the security concerns, worries about manipulated evidence, and it might be persuasive. I think there will be a wide array of responses when it comes to how this plays out in cases," she said.
Security

Work Proceeds on Mitigation Strategies for Global Navigation Satellite System Jamming/Spoofing (eetimes.com) 29

Long-time Slashdot reader DesertNomad summarizes a report from EE Times: It's been known for a long time that the various Global Navigation Satellite System (GNSS) systems are easily jammed; the more "interesting" problem is the potential to spoof a GNSS signal and by spoofing use that to cause GNSS receivers to determine incorrect positions. The challenge lies in the observation that the navigation messages can be constructed by bad actors on the ground. Work going on for several years now has been to provide crypto signatures that have the potential to authenticate valid transmissions. Current commercial receivers can't take advantage of that, so there may be industry-wide needs to update the receiver devices.
"The vulnerability of the global positioning system, or GPS, is widely acknowledged..." reports EE Times: Spoofing creates all kinds of havoc. For example, it can be used to hijack autonomous vehicles and send them on alternate routes. Spoofing can alter the routes recorded by vehicle monitors, or break geofences used to guard operational areas. It also poses a risk to critical infrastructure, including power, telecommunication and transportation systems. Jan van Hees, business development and marketing director for GNSS receiver maker Septentrio, provided these analogies: "Jamming involves making so much noise that the [satellite signal] disappears. Spoofing is like a phishing attack on the signal."

The U.S. Coast Guard has recently tracked a growing number of high-profile incidents involving GPS interference. For example, the loss of GPS reception in Israeli ports in 2019 left GPS-guided autonomous cranes inoperable, collateral damage from the Syrian civil war. In 2016, more than 20 ships off the Crimean peninsula were thought to be the victim of a GPS spoofing attack which shifted the ships' positions on electronic chart displays to land.

The article recommends real-world auditing, testing, and risk assessment, adding that one pending fix is signal encryption "including a framework called open service navigation message authentication (OSNMA)." The OSNMA anti-spoofing service, developed for the European GNSS system, enables secure transmissions from Galileo satellites to encryption-enabled GNSS receivers. In the midst of final testing, OSNMA will soon be available free to users... A secret key on the satellite is used to generate a digital signature. Both the signature and key are appended to navigation data and transmitted to the receiver. OSNMA is designed to be backward-compatible, so that positioning without OSNMA still works.
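The paragraph above describes the receiver-side principle: a tag computed with a key the satellite still holds secret, with the key itself disclosed later so the receiver can check that the navigation data it already holds was not altered in transit. The following is an added example, not Galileo's OSNMA specification or any Septentrio code; it implements a simplified delayed-key-disclosure (TESLA-style) scheme with a SHA-256 hash chain and HMAC tags. The root key, the one-epoch disclosure delay, the message contents and the class names are all constructed assumptions for illustration; a real system also signs the root key with a public key and handles the receiver's clock, which are omitted here.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def make_key_chain(seed: bytes, length: int) -> List[bytes]:
    """Build K_0 .. K_length with K_{i-1} = SHA-256(K_i). K_0 is the root the
    receiver trusts in advance; later keys cannot be derived from earlier ones."""
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    chain.reverse()  # chain[0] is now the root K_0
    return chain


def tag(key: bytes, epoch: int, nav_msg: bytes) -> bytes:
    """Authentication tag over the epoch number and the navigation message."""
    return hmac.new(key, epoch.to_bytes(4, "big") + nav_msg, hashlib.sha256).digest()


class Satellite:
    """Holds the secret chain: tags a message with K_epoch now and discloses
    K_{epoch-1} one epoch later (the delayed disclosure)."""
    def __init__(self, seed: bytes, epochs: int):
        self.chain = make_key_chain(seed, epochs)

    def broadcast(self, epoch: int, nav_msg: bytes) -> Tuple[bytes, bytes, Optional[bytes]]:
        disclosed = self.chain[epoch - 1] if epoch >= 1 else None
        return nav_msg, tag(self.chain[epoch], epoch, nav_msg), disclosed


class Receiver:
    """Knows only the root key; verifies each message once its key is disclosed."""
    def __init__(self, root_key: bytes):
        self.root = root_key
        self.pending: Dict[int, Tuple[bytes, bytes]] = {}
        self.verified: List[Tuple[int, bytes]] = []

    def key_is_on_chain(self, epoch: int, key: bytes) -> bool:
        """Hash the disclosed key back to the root; a forged key fails here."""
        k = key
        for _ in range(epoch):
            k = hashlib.sha256(k).digest()
        return hmac.compare_digest(k, self.root)

    def receive(self, epoch: int, nav_msg: bytes, msg_tag: bytes,
                disclosed_key: Optional[bytes]) -> Optional[bool]:
        """Buffer this epoch's (message, tag); verify the previous epoch's message
        with the key disclosed now. Returns None if nothing could be checked yet."""
        self.pending[epoch] = (nav_msg, msg_tag)
        if disclosed_key is None or (epoch - 1) not in self.pending:
            return None
        prev_msg, prev_tag = self.pending.pop(epoch - 1)
        ok = (self.key_is_on_chain(epoch - 1, disclosed_key)
              and hmac.compare_digest(tag(disclosed_key, epoch - 1, prev_msg), prev_tag))
        if ok:
            self.verified.append((epoch - 1, prev_msg))
        return ok


def run_scenario(tamper_epoch: Optional[int] = None) -> List[Tuple[int, bool]]:
    """Broadcast four epochs; optionally replace one epoch's navigation message
    in transit (the key for that epoch is not yet public, so the tag cannot be
    recomputed). Returns (epoch, verified?) for every epoch that got checked."""
    sat = Satellite(b"constructed-seed-for-illustration", epochs=4)
    rx = Receiver(sat.chain[0])
    results = []
    for epoch in range(1, 5):
        msg, t, k = sat.broadcast(epoch, b"nav-data-epoch-%d" % epoch)  # constructed
        if epoch == tamper_epoch:
            msg = b"nav-data-altered"  # altered payload, original tag
        res = rx.receive(epoch, msg, t, k)
        if res is not None:
            results.append((epoch - 1, res))
    return results


if __name__ == "__main__":
    print("genuine:", run_scenario())
    print("altered epoch 2:", run_scenario(tamper_epoch=2))
```

The trade-off the page mentions (receivers need updating) shows up in `Receiver.receive`: authentication lags the position fix by one disclosure interval and the receiver must buffer data and keep a trustworthy notion of time, neither of which a legacy receiver does.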
Security

Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops (vice.com) 85

FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal, claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."

Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

Privacy

EFF Partners With DuckDuckGo (eff.org) 42

The Electronic Frontier Foundation (EFF) today announced it has enhanced its groundbreaking HTTPS Everywhere browser extension by incorporating rulesets from DuckDuckGo Smarter Encryption. According to the digital rights group's press release, HTTPS Everywhere is "a collaboration with The Tor Project and a key component of EFF's effort to encrypt the web and make the Internet ecosystem safe for users and website owners." From the press release: "DuckDuckGo Smarter Encryption has a list of millions of HTTPS-encrypted websites, generated by continually crawling the web instead of through crowdsourcing, which will give HTTPS Everywhere users more coverage for secure browsing," said Alexis Hancock, EFF Director of Engineering and manager of HTTPS Everywhere and Certbot web encrypting projects. "We're thrilled to be partnering with DuckDuckGo as we see HTTPS become the default protocol on the net and contemplate HTTPS Everywhere's future."

EFF began building and maintaining a crowd-sourced list of encrypted HTTPS versions of websites for a free browser extension -- HTTPS Everywhere -- which automatically takes users to them. That keeps users' web searching, pages visited, and other private information encrypted and safe from trackers and data thieves that try to intercept and steal personal information in transit from their browser. [...] DuckDuckGo, a privacy-focused search engine, also joined the effort with Smarter Encryption to help users browse securely by detecting unencrypted, non-secure HTTP connections to websites and automatically upgrading them to encrypted connections. With more domain coverage in Smarter Encryption, HTTPS Everywhere users are provided even more protection. HTTPS Everywhere rulesets will continue to be hosted through this year, giving our partners who use them time to adjust. We will stop taking new requests for domains to be added at the end of May.

Encryption

Customs and Border Protection Paid $700,000 To Encrypted App Wickr (vice.com) 16

An anonymous reader quotes a report from Motherboard: U.S. Customs and Border Protection (CBP), part of the Department of Homeland Security, recently paid encrypted messaging platform Wickr over $700,000, Motherboard has found. The news highlights the value of end-to-end encryption to law enforcement, while other federal law enforcement agencies routinely lambast the technology for what they say results in visibility on criminals' activities "going dark."

The contract is related to "Wickr licenses and support," dates from September 2020, and totals $714,600, according to public procurement records. Wickr is likely most well known for its free consumer app, which lets users send encrypted messages to one another, as well as make encrypted video and audio calls. The app also offers an auto-burn feature, where messages are deleted from a user's device after a certain period of time, with the company claiming these messages "can never be uncovered," according to its website. Wickr also offers various paid products to private companies and government agencies. Wickr Pro and Wickr Enterprise are marketed towards businesses; Wickr RAM is geared specifically for the military. [...] It is not clear which specific Wickr product CBP paid for.
A CBP spokesperson told Motherboard in a statement that "The Federal Acquisition Regulations (FAR) and other laws prohibit the unauthorized use and disclosure of proprietary information from federal government contract actions. All publicly available information on this contract has been made available at the link you have provided. Any other information is considered proprietary to the awardee (WICKR) and shall not be divulged outside of the Government."
IBM

Why IBM is Pushing 'Fully Homomorphic Encryption' (venturebeat.com) 122

VentureBeat reports on a "next-generation security" technique that allows data to remain encrypted while it's being processed.

"A security process known as fully homomorphic encryption is now on the verge of making its way out of the labs and into the hands of early adopters after a long gestation period." Companies such as Microsoft and Intel have been big proponents of homomorphic encryption. Last December, IBM made a splash when it released its first homomorphic encryption services. That package included educational material, support, and prototyping environments for companies that want to experiment. In a recent media presentation on the future of cryptography, IBM director of strategy and emerging technology Eric Maass explained why the company is so bullish on "fully homomorphic encryption" (FHE)...

"IBM has been working on FHE for more than a decade, and we're finally reaching an apex where we believe this is ready for clients to begin adopting in a more widespread manner," Maass said. "And that becomes the next challenge: widespread adoption. There are currently very few organizations here that have the skills and expertise to use FHE." To accelerate that development, IBM Research has released open source toolkits, while IBM Security launched its first commercial FHE service in December...

Maass said in the near term, IBM envisions FHE being attractive to highly regulated industries, such as financial services and health care. "They have both the need to unlock the value of that data, but also face extreme pressures to secure and preserve the privacy of the data that they're computing upon," he said.

The Wikipedia entry for homomorphic encryption calls it "an extension of either symmetric-key or public-key cryptography."
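To make "data remains encrypted while it is processed" concrete, here is an added example that is not IBM's toolkit or any code from the article: a textbook Paillier cryptosystem, which is partially (additively) homomorphic rather than fully homomorphic, so it supports adding encrypted values and multiplying them by public constants but not arbitrary computation. The scenario, constructed for illustration, is a server that totals encrypted amounts without ever holding the private key. The two Mersenne primes are toy sizes chosen so the arithmetic stays readable; they are not a secure parameter choice.

```python
import math
import secrets
from typing import List, Tuple

# Toy-sized primes (both Mersenne primes) for a readable demonstration only.
# Production keys use primes of 1024 bits or more.
P = 2**31 - 1
Q = 2**61 - 1


def _L(x: int, n: int) -> int:
    """The L function from the Paillier scheme: (x - 1) / n over the integers."""
    return (x - 1) // n


def keygen(p: int = P, q: int = Q) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return (public, private) keys: public = (n, g), private = (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                           # standard simple generator
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub: Tuple[int, int], m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts give
    different ciphertexts (the scheme is probabilistic)."""
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1   # 1 <= r < n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub: Tuple[int, int], priv: Tuple[int, int], c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub: Tuple[int, int], c1: int, c2: int) -> int:
    """Addition under encryption: the product of ciphertexts decrypts to m1 + m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub: Tuple[int, int], c: int, k: int) -> int:
    """Multiplication by a public constant: c^k decrypts to k * m."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_total(pub: Tuple[int, int], ciphertexts: List[int]) -> int:
    """The untrusted server's job: total the amounts using only the public key."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen()
    amounts = [1200, 345, 80]                       # constructed client data
    cts = [encrypt(pub, a) for a in amounts]        # client encrypts
    total_ct = encrypted_total(pub, cts)            # server sums blindly
    print("decrypted total:", decrypt(pub, priv, total_ct))   # client decrypts: 1625
```

Note what the server learns in `encrypted_total`: nothing about the individual amounts or their sum. This is the property the article's regulated-industry use cases rely on; a fully homomorphic scheme extends it to multiplication of ciphertexts as well, which Paillier cannot do.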
Bug

OpenSSL Fixes a High-Severity Flaw That Allowed Crashing of Servers (arstechnica.com) 24

"OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers," reports Ars Technica: On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-service vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

"Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server... The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.

Ars Technica also reports that OpenSSL "fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren't digitally signed by a browser-trusted certificate authority."
Facebook

Mark Zuckerberg Suggests How To Tweak Tech's Liability Shield (axios.com) 52

Facebook CEO Mark Zuckerberg will tell lawmakers his plan for "thoughtful reform" of a key tech liability shield rests on requiring best practices for treating illegal content online. From a report: Tech giants are starting to embrace changes to the foundational law that shields platforms from liability from content users post as lawmakers from both parties threaten it. In written testimony ahead of the House hearing Thursday with Google, Twitter and Facebook CEOs, Zuckerberg suggested making Section 230 protections for certain types of unlawful content conditional on platforms' ability to meet best practices to fight the spread of the content. "Instead of being granted immunity, platforms should be required to demonstrate that they have systems in place for identifying unlawful content and removing it," Zuckerberg wrote in the testimony. "Platforms should not be held liable if a particular piece of content evades its detection -- that would be impractical for platforms with billions of posts per day -- but they should be required to have adequate systems in place to address unlawful content." The detection system would be proportionate to platform size, with practices defined by a third party. The best practices would not include "unrelated issues" like encryption or privacy changes, he notes. He also suggested Congress bring more transparency and oversight on how companies make and enforce rules about content that is harmful but still legal.
Security

A Security App's Fake Reviews Give Us a Window Into 'App Store Optimization' (vice.com) 17

A company that makes an email app that helps users encrypt their emails paid for fake reviews in an attempt to get more people to download its products, according to leaked emails obtained by Motherboard. An anonymous reader shares a report: The CEO of pEp, a Luxembourg-based company that makes the pEp email encryption apps for Android and iOS, commissioned a marketing company to post fake reviews that he himself wrote in the summer of last year. Leon Schumacher asked the marketing company Mobiaso to post 40 five-star reviews in English, French, and German to the Google Play Store. Schumacher included an Excel spreadsheet that contained the specific text that he wanted Mobiaso to use. "Super easy privacy," one fake review said. "One of the best mail applications. I have never had problems and I suggest it all the time to friends," another said.

"Can we speed up today and do 12 ratings per day do 7 reviews per day (Please use the Texts below for the right countries (that I forwarded already per earlier e-mail)," Schumacher wrote in an email to Mobiaso. pEp, short for Pretty Easy Privacy, develops email encryption apps for both iOS and Android, where it has more than 10,000 installs, according to the stats on the Google Play Store. The company, through its foundation, also funded a new library to encrypt emails using PGP, the decades-old technology that allows users to encrypt emails and other files. Mobiaso advertises "iOS reviews" and "Android installs" on its website. One of the services the company offers is App Store Optimization, or ASO, which includes fake reviews. The service has several price tiers, ranging from $160 to $450. Only the two most expensive tiers include fake reviews. "Each app developer/advertiser should remember that without a good ASO search optimization, your target audience wouldn't even find or open your app page," Mobiaso says.

The Military

Vint Cerf vs. Martin Hellman: How Should We Assess the Risks of Nuclear War? (thebulletin.org) 43

The Bulletin of the Atomic Scientists published a discussion between a 77-year-old "father of the internet" and a 75-year-old "father of public key cryptography". Long before Vinton Cerf and Martin Hellman changed the world with their inventions, they were young assistant professors at Stanford University who became fast friends... More than 50 years and two technological revolutions later, the friendship between Vint and Marty — as they know each other — endures. This is despite, or perhaps because of, their sometimes different views. You see, while they do not always agree, they both enjoy a good intellectual debate, especially when the humans they sought to bring together with their inventions face existential threats.

Not long after giving the world public key cryptography, Hellman switched his focus from encryption to efforts that might avoid nuclear war. "What's the point of developing new algorithms if there's not likely to be anybody around in 50-100 years?" Hellman recalls thinking at the time... On a recent private phone call with each other, the two friends discussed the National Academies of Sciences, Engineering, and Medicine's project seeking to answer the question, "Should the U.S. use quantitative methods to assess the risks of nuclear war and nuclear terrorism?"

While both agree that the US needs to understand the risk of nuclear war, they disagree about whether a quantitative analysis is necessary.

"Quantitative estimates run either the real or perceived risk of being twisted to support whatever conclusion is desired," Cerf argues — while sharing instead an analogy he believes illustrates the risks of the 13,410 nuclear weapons currently in the world (91% divided between Russia and the U.S.).

But Hellman counters that "When the risk is highly uncertain, how do you determine who's right?" He ultimately suggests quantifying the risks would make society more fully aware of the stakes.

"I hope you will agree with either my quantitative approach or Vint's qualitative approach," Hellman concludes, "both of which conclude that the risk of a nuclear war is unacceptably high and risk reduction measures are urgently needed." But for those who accept neither approach, Hellman adds two questions:
  • What evidence supports the belief that the risk of nuclear deterrence failing is currently at an acceptable level?
  • Can we responsibly bet humanity's existence on a strategy for which the risk of failure is totally unknown?

If you were on the call — what would you say?
Security

The US Government Finally Gets Serious About IoT Security (ieee.org) 66

An anonymous reader quotes a report from IEEE Spectrum, written by Stacey Higginbotham: The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world. So, what's to like about the law? Two things, as it turns out. First, the law isn't focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security.

NIST's initial rules include today's best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device's security to the user. The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits.

"Unfortunately, the law isn't airtight," writes Higginbotham. She worries that the waiver process for devices needed for national security or research could be abused. There's also a loophole that exempts devices that are secured using "alternative and effective methods." The law doesn't clarify what agency evaluates the efficacy of these alternative methods or how that evaluation is made.

Crime

Encrypted Messaging Service Cracked by Belgian Police, Followed by Dozens of Arrests (brusselstimes.com) 92

"The cracking of a previously-unbreakable encrypted messaging service popular with criminals involved in drug trafficking and organised crime delivered a major victory for the justice system on Tuesday," writes the Brussels Times, in a story shared by DI4BL0S: The cracking of the expensive messaging app, called "Sky ECC," was what allowed over 1,500 police officers across Belgium to be simultaneously deployed in at least 200 raids, many of which were centred around Antwerp and involved special forces. Investigators succeeded in cracking Sky ECC at the end of last year, according to reporting by De Standaard, and as a result were able to sort through thousands of messages major criminals were sending each other over the course of a month. Information gained from those conversations is what led to Tuesday's historic operation, two years in the making.

Sky ECC became popular with drug criminals after its successor Encrochat was cracked in 2020 by French and Dutch investigators, who were able to intercept over 100 million messages sent via the app. That led to over a hundred suspects being arrested in the Netherlands, uncovering a network of laboratories where crystal meth and other drugs were being produced and allowing police to seize 8,000 kilos of cocaine and almost €20 million....

In a press conference by Belgium's federal public prosecutor's office on Tuesday afternoon, authorities stated that 17 tonnes of cocaine and €1.2 million were seized, and that 48 suspects were arrested.

Critics of Sky ECC "say more than 90% of its customers are criminals," according to the Brussels Times. Days later America's Justice Department indicted the CEO of Sky Global "for allegedly selling their devices to help international drug traffickers avoid law enforcement," reports Vice. They call it "only the second time the DOJ has filed charges against an encrypted phone company, and signals that the DOJ will continue to prosecute the heads and associates of companies that they say cater deliberately to facilitating criminal acts."

Earlier the Brussels Times had quoted the app's makers statement that they "strongly believe that privacy is a fundamental human right."

The newspaper also reported that Sky ECC calls itself "the world's most secure messaging app" — and "had previously said 'hacking is impossible'" — though in fact investigators have already decrypted almost half a billion messages.

The Internet

Europe's OVH Web Hosting Provider Knocked Offline Following Fire (techradar.com) 43

Kelerei writes: A major fire has destroyed a data center of European cloud provider OVH in Strasbourg, France. The SBG2 data center is completely destroyed, while the blaze caused some damage to SBG1 before being contained. SBG3 and SBG4 were also taken offline, but a plan is underway to restart them once the firefighters give the all-clear.

All OVH staff at the site are accounted for and unhurt, but it is unlikely that the data in SBG2 is recoverable. On OVH's status page, an ominous note states "if your production is in Strasbourg, we recommend to activate your Disaster Recovery Plan." Among the sites affected is the WordPress image optimization site Imagify and the encryption utility VeraCrypt.

(Submitter's note: this is why any disaster recovery plan should include offsite backups...)
