Privacy

Zoom Won't Encrypt Free Calls Because it Wants To Comply With Law Enforcement (thenextweb.com) 70

If you're a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you're out of luck. From a report: Free calls won't be encrypted, and law enforcement will be able to access your information in case of 'misuse' of the platform. Zoom CEO Eric Yuan today said that the video conferencing app's upcoming end-to-end encryption feature will be available to only paid users.
Security

Zoom's New, Stronger Encryption May Only Protect Paying Clients (newsweek.com) 21

"Zoom plans to strengthen the encryption of its service for paying customers," reports Newsweek, "but the upgrade will not be available to users of its free service." Zoom security consultant Alex Stamos later confirmed the details of the reported move in an interview with Reuters, which first reported the changes on Friday. But he also told the news outlet that Zoom's plans could still change. "The CEO is looking at different arguments," Stamos said.

"The current plan is paid customers plus enterprise accounts where the company knows who they are." In the wake of privacy concerns, he added that Zoom was making significant efforts to upgrade safety and trust on its platform. In an emailed statement to Newsweek, a Zoom spokesperson said: "Zoom's approach to end-to-end encryption is very much a work in progress — everything from our draft cryptographic design, which was just published last week, to our continued discussions around which customers it would apply to." The tech company's plans to boost the encryption of video calls on its platform have been revealed a month after it was reported that half a million Zoom account credentials were being sold on the Dark Web.

Zoom's increased usage during lockdowns brought increased scrutiny, reports CNET, which "revealed several Zoom security problems and the fact that an earlier Zoom boast of end-to-end encryption was baseless."
XBox (Games)

Insignia Project Aims To Resurrect Xbox Live For the Original Xbox (kotaku.com) 19

Last week, Kotaku reported on a new project, called Insignia, "that aims to recreate the original Xbox Live service, potentially restoring online play to many dozens of classic Xbox games that fell offline when the original Xbox Live service closed on April 15, 2010." From the report: The project's announcement on the r/originalxbox subreddit came from SoullessSentinel, a screen name of one Luke Usher. Usher is well known in the vintage Xbox community as the lead developer of Cxbx-Reloaded, arguably the most advanced PC-based emulator of the 2001 Xbox hardware. (Microsoft's classic console has proven notoriously tricky to emulate over the years.)

As a demonstration of Insignia's progress, Usher shared a video depicting the creation of a new Xbox Live account via the Xbox's system UI. It's a cool trick, as this process has not been technically possible since the online service's April 2010 closure. (In a cheeky touch, the video names the newly created account HiroProtagonist, the Gamertag of Xbox co-creator J Allard.) Insignia will work with normal, unmodded consoles, provided the user can perform a one-time process to retrieve their unit's internal encryption keys. Long-existing Xbox soft-mod techniques, which require physical copies of exploitable games like Splinter Cell or MechAssault but do not necessarily alter the console's hardware or operating system, should suffice for accomplishing this key retrieval. Once that initial setup's completed, Usher envisions a more or less vanilla Xbox Live experience, complete with matchmaking, voice chat, messaging, and almost everything else you might remember. (One exception would come in a lack of proprietary game DLC, which Insignia and its developers lack rights to distribute.) Anti-cheating measures are also in the works, as well as reporting and banning mechanisms for truly bad actors.
The project works by using a DNS man-in-the-middle maneuver to redirect all of Xbox Live's original server calls to new addresses that point to Insignia's work-in-progress infrastructure.

"The current plan is for Insignia to be a centralized service run by Usher and associates," reports Kotaku. "He believes keeping it centralized will prevent player populations from diluting across multiple third-party servers, and that it will not be much of a resource burden." "The server," he noted, "is used for authentication, matchmaking, storing friends lists, etc. but actual game traffic is usually P2P between Xboxes, so the requirements for our server are pretty low."
Encryption

The FBI Successfully Broke Into a Gunman's iPhone, But It's Still Very Angry at Apple (theverge.com) 211

After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning. From a report: Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI -- and no thanks to Apple -- we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of tax-payer dollars" it took to get into devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.

Apple has said it provided investigators with iCloud data it had available for Alshamrani's account but did not provide any assistance bypassing iOS's device encryption. Without that help, authorities spent many weeks trying to break in on their own. Wray chastised Apple for wasting the agency's time and resources to unlock the devices. "Public servants, already swamped with important things to do to protect the American people -- and toiling through a pandemic, with all the risk and hardship that entails -- had to spend all that time just to access evidence we got court-authorized search warrants for months ago," he said.

Encryption

Quantum Security Goes Live With Samsung Galaxy (threatpost.com) 51

Samsung and South Korean telecom giant SK Telecom have debuted the Galaxy A Quantum 5G smartphone, sporting a quantum random number generation (RNG) chipset. It's the first commercialization of quantum technology for mobile phones, and it will serve as a significant bellwether for full quantum encryption's chances of going mainstream. Threatpost reports: Quantum encryption in general has been touted as being "unhackable" because it generates random numbers and secure keys that cannot be predicted, via particles that can't be intercepted, eavesdropped upon or spoofed. The very laws of physics themselves prevent successful cracking, the theory goes. However, researchers have proven more than once that this isn't the case -- though hacks so far have required sustained physical access to a device.

In any event, the Samsung phone will provide an interesting test case for the technology -- though details are scant in terms of how the chipset actually works. The Galaxy will use quantum security in a few different scenarios, according to an SK press release (translated with Google Translate). These include logging into carrier accounts on the device; securely storing personal documents via a blockchain-enabled "Quantum Wallet" and for biometric-based mobile payments at retail stores. Online payment protection is also on the roadmap. SK Telecom also plans to roll out open APIs for developers to begin incorporating the technology on an OEM and application basis.

Microsoft

Windows 10 Previews DNS Over HTTPS (thurrott.com) 90

An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."
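The Insignia item above (under XBox) relies on the same property this DoH paragraph is about: a plaintext UDP DNS query is answered by whoever sits in the resolver path, so a resolver the console is pointed at can hand back any address for the original Xbox Live hostnames. The Go program below is an added example, not code from Insignia, Microsoft or either article, and uses only the standard library. It builds a wire-format A query, forges an answer for names in an override table and returns nil for everything else (which a redirecting resolver would forward upstream untouched), then encodes the same message as an RFC 8484 DoH GET request. The hostname xboxlive.example, the address 203.0.113.10 and the resolver https://dns.example/dns-query are placeholders; the page does not give the real hostnames or servers.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// Overrides maps fully qualified names (lower-case, trailing dot) to the address a forged
// answer carries. Placeholder name and address (assumption); 203.0.113.0/24 is documentation space.
var Overrides = map[string]net.IP{
	"xboxlive.example.": net.ParseIP("203.0.113.10"),
}

// BuildQuery encodes an RFC 1035 wire-format A query: 12-byte header, qname labels, QTYPE, QCLASS.
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD only
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1; AN/NS/AR counts stay 0
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// parseName reads an uncompressed name at off and returns it normalised plus the next offset.
func parseName(msg []byte, off int) (string, int, bool) {
	var labels []string
	for {
		if off >= len(msg) {
			return "", 0, false
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) { // compression pointers are not valid in a question name
			return "", 0, false
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	return strings.ToLower(strings.Join(labels, ".")) + ".", off, true
}

// ForgeAnswer is the resolver-side trick: if the queried name is overridden, answer it ourselves.
// It returns nil for everything else, which a real redirecting resolver forwards upstream untouched.
func ForgeAnswer(query []byte) []byte {
	if len(query) < 12 || binary.BigEndian.Uint16(query[4:]) != 1 {
		return nil
	}
	name, end, ok := parseName(query, 12)
	if !ok || end+4 > len(query) {
		return nil
	}
	ip, found := Overrides[name]
	if !found || binary.BigEndian.Uint16(query[end:]) != 1 { // only A queries are rewritten
		return nil
	}
	resp := append([]byte{}, query[:end+4]...)   // same ID and question section as the query
	binary.BigEndian.PutUint16(resp[2:], 0x8180) // QR=1, RD, RA, NOERROR
	binary.BigEndian.PutUint16(resp[6:], 1)      // ANCOUNT=1
	resp = append(resp, 0xC0, 0x0C)              // NAME: compression pointer to offset 12
	resp = append(resp, 0, 1, 0, 1, 0, 0, 0, 60) // TYPE A, CLASS IN, TTL 60 s
	resp = append(resp, 0, 4)                    // RDLENGTH 4
	return append(resp, ip.To4()...)
}

// AnsweredIP pulls the IPv4 address out of a single-answer response such as ForgeAnswer builds.
func AnsweredIP(resp []byte) net.IP {
	_, end, ok := parseName(resp, 12)
	if !ok || binary.BigEndian.Uint16(resp[6:]) == 0 {
		return nil
	}
	rr := end + 4 // the answer RR starts right after QTYPE/QCLASS
	if len(resp) < rr+16 || binary.BigEndian.Uint16(resp[rr+10:]) != 4 {
		return nil
	}
	return net.IPv4(resp[rr+12], resp[rr+13], resp[rr+14], resp[rr+15])
}

// DoHURL wraps the identical message for an RFC 8484 GET request: base64url without padding.
// Carried inside TLS to the chosen resolver, it can no longer be rewritten by an on-path party.
func DoHURL(resolver string, query []byte) string {
	return resolver + "?dns=" + base64.RawURLEncoding.EncodeToString(query)
}

func main() {
	q := BuildQuery(0x1234, "xboxlive.example")
	fmt.Printf("forged answer: %v\n", AnsweredIP(ForgeAnswer(q)))
	fmt.Printf("not overridden, forward upstream: %v\n", ForgeAnswer(BuildQuery(1, "example.com")) == nil)
	fmt.Println(DoHURL("https://dns.example/dns-query", BuildQuery(0, "example.com"))) // ID 0 per RFC 8484
}
```

As a working resolver, ForgeAnswer would sit behind a UDP listener on port 53 and the console's DNS setting would point at that host. The Windows DoH client sends the DoHURL form (or a POST of the raw message) over HTTPS to the resolver configured in the registry, so a rewrite like this one has to live at that resolver rather than anywhere on the path, which is the security gain the paragraph describes.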
Businesses

Zoom Acquires Keybase To Get End-to-End Encryption Expertise (techcrunch.com) 59

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. From a report: Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains. The company has faced a number of security issues in the last couple of months as demand as soared and exposed some security weaknesses in the platform. As the company has moved to address these issues, having a team of encryption experts on staff should help the company build a more secure product. In a blog post announcing the deal, CEO Eric Yuan said they acquired Keybase to give customers a higher level of security, something that's increasingly important to enterprise customers as more operations are relying on the platform, working from home during the pandemic.
Encryption

Documents Reveal FBI Head Defended Encryption for WhatsApp Before Becoming Fierce Critic (theguardian.com) 34

Christopher Wray, the FBI director who has been one of the fiercest critics of encryption under the Trump administration, previously worked as a lawyer for WhatsApp, where he defended the practice, according to new court filings. From a report: The documents, which were released late on Wednesday night as part of an unrelated matter, show Wray worked for WhatsApp in 2015 while he was an attorney for the Washington law firm of King & Spalding. While there are sparse details about the precise nature of the work, the filings indicate that Wray strongly defended the need for end-to-end encryption in his previous representation of WhatsApp, the popular messaging application owned by Facebook. Wray's earlier work -- which has not previously been public -- contradicts his current position on encryption, which protects users' communications and other data from being read by outsiders. The Trump administration and major technology companies like Facebook have been at odds over the need to offer customers encryption services, with the White House and law enforcement officials arguing the technology represents a security risk by protecting the communication of terrorists and criminals.
Security

NSA's Guide For Choosing a Safe Text Chat and Video Conferencing Service (zdnet.com) 73

The US National Security Agency (NSA) published last week a security assessment of today's most popular video conferencing, text chatting, and collaboration tools. From a report: The guidance contains a list of security criteria that the NSA hopes companies take into consideration when selecting which telework tool/service they want to deploy in their environments. The NSA document is not only meant for US government and military entities but the private sector as well. The idea behind the NSA's initiative is to give military, public, and private organizations an overview of all of a tool's features, so IT staff don't make wrong decisions by expecting a tool to provide features it does not actually deliver. Per the NSA's document, the assessed criteria answer basic questions like:

Does the service implement end-to-end (E2E) encryption?
Does the E2E encryption use strong, well-known, testable encryption standards?
Is multi-factor authentication (MFA) available?
Can users see and control who connects to collaboration sessions?
Does the tool's vendor share data with third parties or affiliates?
Do users have the ability to securely delete data from the service and its repositories as needed (both on client and server-side)?
Is the tool's source code public (e.g. open source)?
Is the service FedRAMP approved for official US government use?

Windows

You Can Now Manage Windows 10 Devices Through G Suite (zdnet.com) 55

Google has announced the general availability of a long-awaited feature -- the ability to manage Windows 10 devices through G Suite. From a report: Until today, companies that used G Suite to manage corporate endpoints could only enroll Android, iOS, Chrome, and Jamboard devices. Once enrolled in a G Suite enterprise plan, system administrators at these companies would have full control over the enrolled devices, to ensure that company data was safeguarded from sloppy employees. G Suite admins could enforce security policies related to login operations, file storage, encryption, and other features. Starting this week, the same features are now also available for working with Windows 10 devices, Google announced in a blog post. These include the ability to, among other things: Log into Windows 10 systems using a Google account, control Windows 10 update rules, and change Windows 10 settings remotely.
Privacy

Apple and Google Pledge To Shut Down Coronavirus Tracker When Pandemic Ends (theverge.com) 63

An anonymous reader quotes a report from The Verge: On Friday, Apple and Google revised their ambitious automatic contact-tracing proposal, just two weeks after the system was first announced. An Apple representative said the changes were the result of feedback both companies had received about the specifications and how they might be improved. The companies also released a "Frequently Asked Questions" page, which rehashes much of the information already made public. On a call accompanying the announcement, representatives from each company pledged for the first time to disable the service after the outbreak had been sufficiently contained. Such a decision would have to be made on a region-by-region basis, and it's unclear how public health authorities would reach such a determination. However, the engineers stated definitively that the APIs were not intended to be maintained indefinitely.

Under the new encryption specification, daily tracing keys will now be randomly generated rather than mathematically derived from a user's private key. Crucially, the daily tracing key is shared with the central database if a user decides to report their positive diagnosis. As part of the change, the daily key is now referred to as the "temporary tracing key," and the long-term tracing key included in the original specification is no longer present. The new encryption specification also establishes specific protections around the metadata associated with the system's Bluetooth transmissions. Along with the random codes, devices will also broadcast their base power level (used in calculating proximity) and which version of the tool they are running. The companies are also changing the language they use to describe the project. The protocols were initially announced as a contact-tracing system; the system is now referred to as an "exposure notification" system. The companies say the name change reflects that the new system should be "in service of broader contact tracing efforts by public health authorities."
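The key schedule the paragraph describes, as an added example in Go using only the standard library (this is not Apple's or Google's code): a temporary key drawn fresh from the CSPRNG each day, the two subkeys HKDF derives from it, the Rolling Proximity Identifier that AES-128 produces for each ten-minute interval, the CTR-encrypted metadata that carries the version and transmit power, and the matching a phone performs against a key published by a diagnosed user. The constants and HKDF info strings follow the published v1.1 cryptography specification, where the daily key is called the Temporary Exposure Key (TEK); the timestamp and metadata bytes in main are made-up demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Parameters from the published Exposure Notification cryptography specification (v1.1).
const (
	ENIntervalSeconds = 600 // one interval is 10 minutes
	TEKRollingPeriod  = 144 // a Temporary Exposure Key covers 144 intervals, i.e. 24 hours
)

// hkdf is HKDF-SHA256 (RFC 5869) with an empty salt, which the spec uses for both subkeys.
func hkdf(ikm, info []byte, n int) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = HashLen zero bytes
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{i})
		prev = expand.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// NewTEK draws the day's key from the CSPRNG; nothing links it to a long-term key or to other days.
func NewTEK() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// ENIntervalNumber maps a Unix timestamp to its interval; a TEK starts on a 144-interval boundary.
func ENIntervalNumber(unix int64) uint32 { return uint32(unix / ENIntervalSeconds) }
func TEKStart(enin uint32) uint32        { return enin / TEKRollingPeriod * TEKRollingPeriod }

func RPIKey(tek []byte) []byte { return hkdf(tek, []byte("EN-RPIK"), 16) }
func AEMKey(tek []byte) []byte { return hkdf(tek, []byte("EN-AEMK"), 16) }

// RPI is the Rolling Proximity Identifier broadcast over Bluetooth during interval enin:
// AES-128(RPIK, "EN-RPI" || six zero bytes || enin as little-endian uint32).
func RPI(rpik []byte, enin uint32) []byte {
	block, _ := aes.NewCipher(rpik)
	padded := make([]byte, 16)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	out := make([]byte, 16)
	block.Encrypt(out, padded)
	return out
}

// AEM protects the per-beacon metadata (version, transmit power) with AES-128-CTR under AEMK,
// using the RPI as the IV, so only a holder of the TEK can read it. CTR is symmetric: the same call decrypts.
func AEM(aemk, rpi, metadata []byte) []byte {
	block, _ := aes.NewCipher(aemk)
	out := make([]byte, len(metadata))
	cipher.NewCTR(block, rpi).XORKeyStream(out, metadata)
	return out
}

// Match is what a phone does with a TEK published by a diagnosed user: re-derive every RPI the key
// produced over its day and report the intervals at which one of them was observed nearby.
func Match(tek []byte, tekStart uint32, observed [][]byte) []uint32 {
	rpik := RPIKey(tek)
	var hits []uint32
	for j := uint32(0); j < TEKRollingPeriod; j++ {
		rpi := RPI(rpik, tekStart+j)
		for _, o := range observed {
			if bytes.Equal(o, rpi) {
				hits = append(hits, tekStart+j)
				break
			}
		}
	}
	return hits
}

func main() {
	tek := NewTEK()
	start := TEKStart(ENIntervalNumber(1590000000)) // demo timestamp (assumption)
	rpi := RPI(RPIKey(tek), start+5)
	meta := AEM(AEMKey(tek), rpi, []byte{0x40, 0xF6, 0, 0}) // illustrative: version 1.0, tx power -10 dBm
	fmt.Printf("rpi=%x aem=%x matches=%v\n", rpi, meta, Match(tek, start, [][]byte{rpi}))
}
```

Only the TEK leaves the phone, and only on a positive report; the identifiers themselves reveal nothing about which key produced them until that key is published, which is why the metadata is keyed the same way and why a key from one day cannot be used to recognise identifiers from another.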

The Internet

NordVPN Unveils First Mainstream WireGuard Virtual Private Network (zdnet.com) 51

One of the largest VPN companies, NordVPN, is rolling out NordLynx -- its first mainstream WireGuard virtual private network for its Windows, Mac, Android and iOS client-software applications. ZDNet reports: NordVPN's own tests have shown NordLynx easily outperforms the other protocols, IKEv2/IPsec and OpenVPN. How much faster? According to NordVPN's 256,886 speed tests, "When a user connects to a nearby VPN server and downloads content that's served from a content delivery network (CDN) within a few thousand miles/kilometers, they can expect up to twice higher download and upload speed." While speed is what customers will notice, security experts like WireGuard for its code's simplicity. With only about 4,000 lines of code, WireGuard's code can be comprehensively reviewed by a single individual.

Besides WireGuard, NordVPN adds in its double Network Address Translation (NAT) system to protect users' privacy. This enables users to establish a secure VPN connection while storing no identifiable user data on a server. You're assigned a dynamic local IP address that remains assigned only while the session is active. User authentication is done with the help of a secure external database. To switch to NordLynx, users need to update their NordVPN app to the latest version. The NordLynx protocol can be chosen manually from the Settings menu.

The Courts

The Jury Is Still Out On Zoom Trials (theverge.com) 43

As cities across the United States continue shelter-in-place orders due to the COVID-19 pandemic, some in-person court proceedings are now taking place over Zoom. "It's an unprecedented moment for the justice system, which is typically slow to adapt to new technology," writes Zoe Schiffer from The Verge. "No one is sure if that's a good thing." From the report: Critics worry the change has made it more difficult for the public to access court proceedings. Court watchers -- volunteers who monitor hearings to hold judges and prosecutors accountable -- say their access has evaporated during the pandemic. There's also concern that remote hearings can unfairly advantage fancy law firms that can pay for good lighting and stable internet connections. Zoom has also had major security flaws, including default settings that didn't include meeting passwords (a problem the company has now fixed) and a misleading definition of end-to-end encryption. (The company claimed meetings were end-to-end encrypted; they are not.) But supporters say going online is critical for protecting public health. For those in detention, postponing a hearing means potentially spending more time in jail, while appearing in person could put the individual and those around them at risk.

[Judge Vince Chhabria said] that while conducting remote trials makes sense during the pandemic, he's wary of extending this beyond the crisis. "So much of trying a case from the lawyers' perspective is having a feel for the courtroom and for the people in the courtroom and what is interesting to them," he says. "So much of presiding over a trial, as a judge, has to do with feel. I think it would be unfortunate if the new normal became too reliant on remote proceedings." His concern is echoed by Alan Rupe, [employment lawyer at Lewis Brisbois]. "A lot of what I do involves witness credibility," he says. "When you're assessing someone's credibility you have to be in the same room as them."

Government

US Senate Tells Members To Stop Using Zoom (businessinsider.com) 17

According to the Financial Times, U.S. senators have been advised not to use videoconferencing platform Zoom over security concerns. From a report: According to three people briefed on the matter, the Senate sergeant-at-arms -- whose job it is to run law enforcement and security on the Capitol -- told senators to find alternative methods for remote working, although he did not implement an outright ban. With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported.
The slew of privacy issues prompted Taiwan's government agencies to stop using the service. Google also banned Zoom from its employees' devices.
Encryption

Signal Threatens To Dump US Market If EARN IT Act Passes (pcmag.com) 82

Signal is warning that an anti-encryption bill circulating in Congress could force the private messaging app to pull out of the U.S. market. PC Magazine reports: Since the start of the coronavirus pandemic, the free app, which offers end-to-end encryption, has seen a surge in traffic. But on Wednesday, the nonprofit behind the app published a blog post, raising the alarm around the EARN IT Act. "At a time when more people than ever are benefiting from these (encryption) protections, the EARN IT bill proposed by the Senate Judiciary Committee threatens to put them at risk," Signal developer Joshua Lund wrote in the post. Although the goal of the legislation, which has bipartisan support, is to stamp out online child exploitation, it does so by letting the U.S. government regulate how internet companies should combat the problem -- even if it means undermining the end-to-end encryption protecting your messages from snoops.

If the companies fail to do so, they risk losing legal immunity under Section 230 of the Communications Decency Act, which can shield them from lawsuits concerning objectionable or illegal content posted on their websites or apps. "Some large tech behemoths could hypothetically shoulder the enormous financial burden of handling hundreds of new lawsuits if they suddenly became responsible for the random things their users say, but it would not be possible for a small nonprofit like Signal to continue to operate within the United States," Lund wrote in the blog post.

The Courts

Zoom Accused of Misrepresenting Security Measures In New Lawsuit (gizmodo.com) 22

Video conferencing company Zoom is being sued by a shareholder over allegations of fraud and overstating the security protocols in place on its service. Gizmodo reports: In the lawsuit filed Tuesday in the U.S. District Court for the Northern District of California, plaintiff Michael Drieu -- on behalf of individuals who purchased Zoom securities after the company went public last year -- accuses the company of making "materially false and misleading statements" about its product and failing to disclose key information about the service. Namely, the suit cites Zoom as claiming that its product supported end-to-end encryption, when in fact it supports a different form of encryption called transport encryption -- as the Intercept reported last month -- that still allows Zoom to access data.

Additionally, the suit alleges that Zoom's security failures put users "at an increased risk of having their personal information accessed by unauthorized parties, including Facebook," that these facts would necessarily result in a decline in users, and that the company's responses to ongoing reporting on myriad problems on the service were "misleading at all relevant times." The suit states that the fallout from these incidents was exacerbated by the covid-19 crisis, during which time users of the service jumped from just 10 million to 200 million in a matter of months as schools and organizations turned to Zoom amid social distancing measures and shelter-in-place orders. The suit cites documentation related to Zoom's IPO as evidence that the company misrepresented the security protocols in place for protecting users. Specifically, the suit states, Zoom said it offered "robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls," and -- in what was clearly an embarrassing claim by the company -- that it strives "to live up to the trust our customers place in us by delivering a communications solution that 'just works.'"

Privacy

Taiwan Tells Agencies Not To Use Zoom On Security Grounds (reuters.com) 28

Taiwan's cabinet has told government agencies to stop using the Zoom conferencing app due to privacy and security woes. Reuters reports: Zoom's daily users ballooned to more than 200 million in March, as coronavirus-induced shutdowns forced employees to work from home and schools switched to the company's free app for conducting and coordinating online classes. However, the company is facing a backlash from users worried about the lack of end-to-end encryption of meeting sessions and "zoombombing," where uninvited guests crash into meetings. If government agencies must hold video conferencing, they "should not use products with security concerns, like Zoom," Taiwan's cabinet said in a statement on Tuesday. It did not elaborate on what the security concerns were. The island's education ministry later said it was banning the use of Zoom in schools.

Taiwan would be the first government formally advising against use of Zoom, although some U.S. school districts are looking at putting limits on its use after an FBI warning last month. Taiwan's cabinet said domestically-made conferencing apps were preferred, but if needed products from Google and Microsoft could also be considered.

China

Zoom's Encryption Is 'Not Suited for Secrets' and Has Surprising Links To China, Researchers Discover (theintercept.com) 61

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. From a report: The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab -- widely followed in information security circles -- that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them.
Encryption

Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing (theintercept.com) 74

An anonymous reader shares a report: Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings. With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using "computer audio" instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom's website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption.
Further reading: Regarding Zoom.
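The distinction the Intercept report and the shareholder suit above turn on, as an added example (not Zoom's design or code) in Go with the standard library's AES-GCM. A relay terminates a per-client transport key that stands in for the TLS session and then does one of three things: reads the media directly (transport encryption only), decrypts it with a "meeting key" the server itself generated and handed out (the server-issued keys Citizen Lab describes), or merely forwards ciphertext under a key the clients agreed without it. Only the last is end-to-end encryption as the term is commonly understood. The client names, the meeting-key model and the assumption of an authenticated client-to-client key exchange are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Mode is who holds the key the media is encrypted under. The first two are what the page
// calls transport encryption; only the third is end-to-end in the usual sense.
type Mode int

const (
	TransportOnly    Mode = iota // media protected hop-by-hop only, like TLS to the server
	ServerIssuedKey              // the server generates the "meeting key" and hands it to clients
	ClientNegotiated             // clients share a key the server never receives
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal and open are AES-128-GCM with the 12-byte nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, box []byte) ([]byte, bool) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(box) < gcm.NonceSize() {
		return nil, false
	}
	pt, err := gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
	return pt, err == nil
}

// Relay is the meeting server. Every transport layer terminates here; readable collects each
// frame it could decrypt all the way down to media plaintext.
type Relay struct {
	mode       Mode
	transport  map[string][]byte // per-client key standing in for the TLS session
	meetingKey []byte            // set only when the server issued the meeting key
	readable   [][]byte
}

type Client struct {
	name      string
	transport []byte
	meeting   []byte // nil in TransportOnly mode
}

func NewMeeting(mode Mode, names ...string) (*Relay, []*Client) {
	r := &Relay{mode: mode, transport: map[string][]byte{}}
	var meeting []byte
	switch mode {
	case ServerIssuedKey:
		meeting = randBytes(16)
		r.meetingKey = meeting // the server keeps a copy of what it issued
	case ClientNegotiated:
		meeting = randBytes(16) // assumption: agreed via an authenticated client-to-client exchange
	}
	var clients []*Client
	for _, n := range names {
		c := &Client{name: n, transport: randBytes(16), meeting: meeting}
		r.transport[n] = c.transport
		clients = append(clients, c)
	}
	return r, clients
}

// Send wraps a media frame: under the meeting key if there is one, then under the transport key.
func (c *Client) Send(frame []byte) []byte {
	if c.meeting != nil {
		frame = seal(c.meeting, frame)
	}
	return seal(c.transport, frame)
}

// Forward re-wraps a frame from one client for another, recording whatever it could read.
func (r *Relay) Forward(from, to string, wire []byte) []byte {
	inner, ok := open(r.transport[from], wire)
	if !ok {
		return nil
	}
	switch r.mode {
	case TransportOnly:
		r.readable = append(r.readable, inner) // the media itself
	case ServerIssuedKey:
		if pt, ok := open(r.meetingKey, inner); ok {
			r.readable = append(r.readable, pt) // "encrypted", but under a key the server chose
		}
	} // ClientNegotiated: inner is ciphertext under a key the server does not hold
	return seal(r.transport[to], inner)
}

func (c *Client) Receive(wire []byte) ([]byte, bool) {
	inner, ok := open(c.transport, wire)
	if !ok {
		return nil, false
	}
	if c.meeting != nil {
		return open(c.meeting, inner)
	}
	return inner, true
}

// Run sends one frame from the first client to the second and reports whether it arrived intact
// and whether the server was able to read it on the way.
func Run(mode Mode, msg string) (delivered, serverRead bool) {
	r, cs := NewMeeting(mode, "alice", "bob")
	got, ok := cs[1].Receive(r.Forward("alice", "bob", cs[0].Send([]byte(msg))))
	delivered = ok && string(got) == msg
	for _, p := range r.readable {
		serverRead = serverRead || string(p) == msg
	}
	return
}

func main() {
	for _, m := range []Mode{TransportOnly, ServerIssuedKey, ClientNegotiated} {
		d, s := Run(m, "draft earnings")
		fmt.Printf("mode %d delivered=%v server_read=%v\n", m, d, s)
	}
}
```

The second mode is the one marketing can honestly call "encrypted" while the operator still holds every key, and it is what makes the question of where the key server sits (and who can compel it) matter; in the third mode the relay is a dumb pipe and a key-disclosure demand to it yields nothing.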
Bug

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com) 19

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel, as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
