The Almighty Buck

South African Bank To Replace 12 Million Cards After Employees Stole Master Key (theverge.com)

Postbank, the banking division of South Africa's Post Office, has lost more than $3.2 million from fraudulent transactions and will now have to replace more than 12 million cards for its customers after employees printed and then stole its master key. ZDNet reports: The Sunday Times of South Africa, the local news outlet that broke the story, said the incident took place in December 2018 when someone printed the bank's master key on a piece of paper at its old data center in the city of Pretoria. The bank suspects that employees are behind the breach, the news publication said, citing an internal security audit they obtained from a source in the bank.

The master key is a 36-digit code (encryption key) that allows its holder to decrypt the bank's operations and even access and modify banking systems. It is also used to generate keys for customer cards. The internal report said that between March and December 2019, the rogue employees used the master key to access accounts and make more than 25,000 fraudulent transactions, stealing more than $3.2 million (56 million rand) from customer balances. Following the discovery of the breach, Postbank will now have to replace all customer cards that have been generated with the master key, an operation the bank expects will cost it more than one billion rand (~$58 million). This includes replacing normal payment cards, but also cards for receiving government social benefits. Sunday Times said that roughly eight to ten million of the cards are for receiving social grants, and these were where most of the fraudulent operations had taken place.

Privacy

How Accurate Were Ray Kurzweil's Predictions for 2019? (lesswrong.com)

In 1999, Ray Kurzweil made predictions about what the world would be like 20 years in the future. Last month the community blog LessWrong took a look at how accurate Kurzweil's predictions turned out to be: This was a follow-up to a previous assessment of his predictions about 2009, which showed a mixed bag, roughly evenly divided between right and wrong, which I'd found pretty good for 10-year predictions... For the 2019 predictions, I divided them into 105 separate statements, did a call for volunteers [and] got 46 volunteers with valid email addresses, of which 34 returned their predictions... Of the 34 assessors, 24 went the whole hog and did all 105 predictions; on average, 91 predictions were assessed by each person, a total of 3078 individual assessments...

Kurzweil's predictions for 2019 were considerably worse than those for 2009, with more than half strongly wrong.

The assessors ultimately categorized just 12% of Kurzweil's predictions as true, with another 12% declared "weakly true," while another 10% were classed as "cannot decide." But 52% were declared "false" -- with another 15% also called "weakly false."

Among Kurzweil's false predictions for the year 2019:
  • "Phone" calls routinely include high-resolution three-dimensional images projected through the direct-eye displays and auditory lenses... Thus a person can be fooled as to whether or not another person is physically present or is being projected through electronic communication.
  • The all-enveloping tactile environment is now widely available and fully convincing.

"As you can see, Kurzweil suffered a lot from his VR predictions," explains the LessWrong blogpost. "This seems a perennial thing: Hollywood is always convinced that mass 3D is just around the corner; technologists are convinced that VR is imminent."

But the blog post also thanks Kurzweil, "who, unlike most prognosticators, had the guts and the courtesy to write down his predictions and give them a date. I strongly suspect that most people's 1999 predictions about 2019 would have been a lot worse."

And they also took special note of Kurzweil's two most accurate predictions. First, "The existence of the human underclass continues as an issue." And second:

"People attempt to protect their privacy with near-unbreakable encryption technologies, but privacy continues to be a major political and social issue with each individual's practically every move stored in a database somewhere."


Programming

GitHub, Android, Python, Go: More Software Adopts Race-Neutral Terminology (zdnet.com)

"The terms 'allowlist' and 'blocklist' describe their purpose, while the other words use metaphors to describe their purpose," reads a change description on the source code for Android -- from over a year ago. 9to5Mac calls it "a shortened version of Google's (internal-only) explanation" for terminology changes which are now becoming more widespread.

And on Thursday GitHub's CEO said they were also "already working on" renaming the default branches of code from "master" to a more neutral term like "main," reports ZDNet: GitHub lending its backing to this movement effectively ensures the term will be removed across millions of projects, and effectively legitimizes the effort to clean up software terminology that started this month.

But, in reality, these efforts started years ago, in 2014, when the Drupal project first moved to replace "master/slave" terminology with "primary/replica." Drupal's move was followed by the Python programming language, Chromium (the open source browser project at the base of Chrome), Microsoft's Roslyn .NET compiler, and the PostgreSQL and Redis database systems... The PHPUnit library and the Curl file download utility have stated their intention to replace blacklist/whitelist with neutral alternatives. Similarly, the OpenZFS file storage manager has also replaced its master/slave terms used for describing relations between storage environments with suitable replacements. Gabriel Csapo, a software engineer at LinkedIn, said on Twitter this week that he's also in the process of filing requests to update many of Microsoft's internal libraries.

A recent change description for the Go programming language says "There's been plenty of discussion on the usage of these terms in tech. I'm not trying to have yet another debate." It's clear that there are people who are hurt by them and who are made to feel unwelcome by their use due not to technical reasons but to their historical and social context. That's simply enough reason to replace them.

Anyway, allowlist and blocklist are more self-explanatory than whitelist and blacklist, so this change has negative cost.

That change was merged on June 9th -- but 9to5Mac reports it's just one of many places these changes are happening. "The Chrome team is beginning to eliminate even subtle forms of racism by moving away from terms like 'blacklist' and 'whitelist.' Google's Android team is now implementing a similar effort to replace the words 'blacklist' and 'whitelist.'" And ZDNet reports more open source projects are working on changing the name of their default Git repo from "master" to alternatives like main, default, primary, root, or another, including the OpenSSL encryption software library, automation software Ansible, Microsoft's PowerShell scripting language, the P5.js JavaScript library, and many others.

Encryption

Some States Have Embraced Online Voting. It's a Huge Risk. (politico.com)

An anonymous reader quotes a report from Politico: On Sunday, researchers at the Massachusetts Institute of Technology and the University of Michigan revealed numerous security flaws in the product that West Virginia and Delaware are using, saying it "represents a severe risk to election security and could allow attackers to alter election results without detection." In fact, it may be a decade or more before the U.S. can safely entrust the internet with the selection of its lawmakers and presidents, according to some experts. Still, a handful of states are pushing ahead, with the encouragement of one politically connected tech entrepreneur -- and the tempting logic of the question, "If we can bank online, why can't we vote the same way?" These are the problems with that logic:

1) Elections are different. Lots of people bank, shop and socialize online -- putting their money and personal details at potential risk of theft or other exploitation. But elections are unique for two reasons: They are anonymous and irreversible. Aside from party caucuses and conventions, virtually all U.S. elections use secret ballots and polling places designed for privacy. That protects people from being blackmailed or bribed to vote a certain way -- but it also means that, barring an advance in the technology, voters have no way to verify that their ballots were correctly counted or challenge the results. That's far different from a consumer's ability to contest a fraudulent credit card purchase, which depends on their financial institution linking their activity to their identity.

2) The internet is a dangerous place. Even if it were possible to require electronic ballots to travel through servers only in the U.S., no method exists to ensure security at every server along the way. It would be like trusting FedEx to deliver a package that had to pass through warehouses with unlocked doors, open windows and no security cameras. The most effective way to protect data along these digital paths is "end-to-end" encryption [...] Researchers have not figured out how to use end-to-end encryption in internet voting.

3) People's devices may already be compromised. It's hard enough to protect a ballot as it transits the internet, but what really keeps experts up at night is the thought of average Americans using their computers or phones to cast that ballot in the first place. Internet-connected devices are riddled with malware, nefarious code that can silently manipulate its host machine for myriad purposes. [...] Importantly, election officials cannot peer into their voters' devices and definitively sweep them for malware. And without a secure device, end-to-end encryption is useless, because malware could just subvert the encryption process.

4) Hackers have lots of potential targets. What could an attacker do? "There are literally hundreds of different threats," said Joe Kiniry, chief scientist of the election tech firm Free & Fair. Among the options:
  • Attacking the ballot
  • Attacking the election website
  • Tampering with ballots in transit
  • Bogging down the election with bad data
  • The insider threat involving a "bad" employee tampering with an election from the inside

5) Audits have faulted the major internet voting vendors' security. Virtually every audit of an internet voting system has revealed serious, widespread security vulnerabilities, although the ease with which a hacker could exploit them varies.

6) Internet voting advocates disagree. Election officials who embrace internet voting deny the risks are as serious as the experts say.

7) What it would take to make internet voting secure. Secure internet voting depends on two major advances: technology that allows voters' computers and phones to demonstrate that they are malware-free, and end-to-end encryption to protect ballots in transit. [...] Solving these problems would require expensive, long-term collaboration between virtually every big-name hardware- and software-maker, Kiniry said.
Note: Each point listed above has been abbreviated for brevity. You can read the full article here.

United States

Congress Seeks Answers on Juniper Networks Breach Amid Encryption Fight (reuters.com)

A group of U.S. lawmakers preparing to fight a legislative attack on encrypted communications is trying to establish what happened when encryption was subverted at a Silicon Valley maker of networking gear. From a report: Democrat Ron Wyden, who sits on the Senate Intelligence Committee, said the 2015 incident at Sunnyvale-based Juniper Networks could shed light on the risks of compromised encryption before an expected hearing on the proposed legislation. The EARN IT Act could penalize companies that offer security that law enforcement can't easily penetrate. "Attorney General (William) Barr is demanding that companies like Facebook weaken their encryption to allow the Department of Justice to monitor users' conversations," Wyden told Reuters. "Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans' personal data, as well as government and corporate systems." In a letter to Juniper Chief Executive Rami Rahim sent late Tuesday, Wyden, Republican Senator Mike Lee of the Judiciary Committee, and the chairmen of the House Judiciary and Homeland Security committees asked what had happened to an investigation Juniper announced after it found "unauthorized code" inside its widely used NetScreen security software in 2015.

Encryption

IBM Releases Fully Homomorphic Encryption Toolkit For iOS and MacOS (zdnet.com)

New submitter IBMResearch shares a report from ZDNet: IBM's new toolkit aims to give developers easier access to fully homomorphic encryption (FHE), a nascent technology with significant promise for a number of security use cases. "Today, files are often encrypted in transit and at rest but decrypted while in use, creating a security vulnerability," reports ZDNet. "This often compels organizations to make trade-offs and go through long vetting processes in order to ensure they can keep their valuable data protected while still gaining some value out of it. FHE aims to resolve that issue."

"While the technology holds great potential, it does require a significant shift in the security paradigm," the report adds. "Typically, inside the business logic of an application, data remains decrypted, [Flavio Bergamaschi, FHE pioneer and IBM Researcher] explained. But with the implementation of FHE, that's no longer the case -- meaning some functions and operations will change."

The toolkit is available today in GitHub for MacOS and iOS, and it will soon be available for Linux and Android.

Encryption

Matthew Green on Zoom Not Offering End-To-End Encryption To Free Users (twitter.com)

Earlier this week video conferencing service Zoom said it will not offer its forthcoming, complete version of end-to-end encryption to its free users so that it can work better with law enforcement to curb abuse on the platform. Matthew Green, who teaches cryptography at Johns Hopkins, looks at the broader implication of this move: Obviously I don't think you should have to pay for E2E encryption. The thing that's really concerning me is that there's a strong push from the US and other governments to block the deployment of new E2E encryption. You can see this in William Barr's "open letter to Facebook." But this is part of an older trend. Law enforcement and intelligence agencies can't get Congress to ban E2E, so they're using all the non-legislative tools they have to try to stop it. And, it turns out, this works. Not against the big entrenched providers who have already deployed E2E. But against the new upstarts who want to use crypto to solve trust problems.

And the Federal government has an enormous amount of power. Power over tools like Section 230. Power to create headaches for people. But even without Congressional assistance, the executive branch has vast power to make procurement and certification decisions. So if you're a firm that wants to deploy E2E to your customers, even if there's a pressing need, you face the specter of going to war with an immensely powerful government that has very strong negative feelings about broad access to encryption. And this is a huge problem. Because some companies have infrastructure all over the world. Some companies carry incredibly valuable and sensitive corporate data (even at their "free" tiers) and there are people who want that data. Encryption is an amazing tool to protect it. The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. "Communications security" isn't something that only activists and eggheads care about. Now for companies that are exposed to this corrupt dynamic, there's an instinct to try to bargain. Split the baby in half. Deploy E2E encryption, but only maybe a little of it. E2E for some users, like paying customers and businesses, but not for everyone. And there's some logic to this position.

The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon. But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users into the dragon's mouth feels even worse. But the real takeaway, and why I hope maybe this issue will matter to you, is that if the Federal government is able to intimidate one company into compromising your security, then what's going to happen to the next company? And the next? Once the precedent is set that E2E encryption is too "dangerous" to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it's going to be hard to put it back. Anyway, this might be an interesting academic debate if we were in normal times. But we're not. Anyone who looks at the state of our government and law enforcement systems -- and feels safe with them reading all our messages -- is living in a very different world than I am.

IT

Dropbox is Working On Its Own Password Manager (androidpolice.com)

AndroidPolice: Dropbox just unceremoniously dumped a brand new app on the Play Store with no fanfare or formal announcement. The new Dropbox Passwords app, according to its listing, is a password manager available exclusively in an invite-only private beta for some Dropbox customers. Based on screenshots and description, the app seems pretty barebones -- or "minimal," depending on your tastes. Dropbox seems to intentionally avoid calling it a "password manager," though its functionality otherwise appears about the same as other solutions. Like other password managers, Dropbox Passwords can generate passwords for new accounts as required and sync them remotely so you can access all your passwords on multiple devices. It also uses zero-knowledge encryption to store those passwords remotely.

Privacy

Zoom Won't Encrypt Free Calls Because it Wants To Comply With Law Enforcement (thenextweb.com)

If you're a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you're out of luck. From a report: Free calls won't be encrypted, and law enforcement will be able to access your information in case of 'misuse' of the platform. Zoom CEO Eric Yuan today said that the video conferencing app's upcoming end-to-end encryption feature will be available to only paid users.

Security

Zoom's New, Stronger Encryption May Only Protect Paying Clients (newsweek.com)

"Zoom plans to strengthen the encryption of its service for paying customers," reports Newsweek, "but the upgrade will not be available to users of its free service." Zoom security consultant Alex Stamos later confirmed the details of the reported move in an interview with Reuters, which first reported the changes on Friday. But he also told the news outlet that Zoom's plans could still change. "The CEO is looking at different arguments," Stamos said.

"The current plan is paid customers plus enterprise accounts where the company knows who they are." In the wake of privacy concerns, he added that Zoom was making significant efforts to upgrade safety and trust on its platform. In an emailed statement to Newsweek, a Zoom spokesperson said: "Zoom's approach to end-to-end encryption is very much a work in progress — everything from our draft cryptographic design, which was just published last week, to our continued discussions around which customers it would apply to." The tech company's plans to boost the encryption of video calls on its platform have been revealed a month after it was reported that half a million Zoom account credentials were being sold on the Dark Web.

Zoom's increased usage during lockdowns brought increased scrutiny, reports CNET, which "revealed several Zoom security problems and the fact that an earlier Zoom boast of end-to-end encryption was baseless."

XBox (Games)

Insignia Project Aims To Resurrect Xbox Live For the Original Xbox (kotaku.com)

Last week, Kotaku reported on a new project, called Insignia, "that aims to recreate the original Xbox Live service, potentially restoring online play to many dozens of classic Xbox games that fell offline when the original Xbox Live service closed on April 15, 2010." From the report: The project's announcement on the r/originalxbox subreddit came from SoullessSentinel, a screen name of one Luke Usher. Usher is well known in the vintage Xbox community as the lead developer of Cxbx-Reloaded, arguably the most advanced PC-based emulator of the 2001 Xbox hardware. (Microsoft's classic console has proven notoriously tricky to emulate over the years.)

As a demonstration of Insignia's progress, Usher shared a video depicting the creation of a new Xbox Live account via the Xbox's system UI. It's a cool trick, as this process has not been technically possible since the online service's April 2010 closure. (In a cheeky touch, the video names the newly created account HiroProtagonist, the Gamertag of Xbox co-creator J Allard.) Insignia will work with normal, unmodded consoles, provided the user can perform a one-time process to retrieve their unit's internal encryption keys. Long-existing Xbox soft-mod techniques, which require physical copies of exploitable games like Splinter Cell or MechAssault but do not necessarily alter the console's hardware or operating system, should suffice for accomplishing this key retrieval. Once that initial setup's completed, Usher envisions a more or less vanilla Xbox Live experience, complete with matchmaking, voice chat, messaging, and almost everything else you might remember. (One exception would come in a lack of proprietary game DLC, which Insignia and its developers lack rights to distribute.) Anti-cheating measures are also in the works, as well as reporting and banning mechanisms for truly bad actors.

The project works by using a DNS man-in-the-middle maneuver to redirect all of Xbox Live's original server calls to new addresses that point to Insignia's work-in-progress infrastructure.

"The current plan is for Insignia to be a centralized service run by Usher and associates," reports Kotaku. "He believes keeping it centralized will prevent player populations from diluting across multiple third-party servers, and that it will not be much of a resource burden." "The server," he noted, "is used for authentication, matchmaking, storing friends lists, etc. but actual game traffic is usually P2P between Xboxes, so the requirements for our server are pretty low."

Encryption

The FBI Successfully Broke Into a Gunman's iPhone, But It's Still Very Angry at Apple (theverge.com)

After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning. From a report: Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI -- and no thanks to Apple -- we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of tax-payer dollars" it took to get into devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.

Apple has said it provided investigators with iCloud data it had available for Alshamrani's account but did not provide any assistance bypassing iOS's device encryption. Without that help, authorities spent many weeks trying to break in on their own. Wray chastised Apple for wasting the agency's time and resources to unlock the devices. "Public servants, already swamped with important things to do to protect the American people -- and toiling through a pandemic, with all the risk and hardship that entails -- had to spend all that time just to access evidence we got court-authorized search warrants for months ago," he said.

Encryption

Quantum Security Goes Live With Samsung Galaxy (threatpost.com)

Samsung and South Korean telecom giant SK Telecom have debuted the Galaxy A Quantum 5G smartphone, sporting a quantum random number generation (RNG) chipset. It's the first commercialization of quantum technology for mobile phones, and it will serve as a significant bellwether for full quantum encryption's chances of going mainstream. Threatpost reports: Quantum encryption in general has been touted as being "unhackable" because it generates random numbers and secure keys that cannot be predicted, via particles that can't be intercepted, eavesdropped upon or spoofed. The very laws of physics themselves prevent successful cracking, the theory goes. However, researchers have proven more than once that this isn't the case -- though hacks so far have required sustained physical access to a device.

In any event, the Samsung phone will provide an interesting test case for the technology -- though details are scant in terms of how the chipset actually works. The Galaxy will use quantum security in a few different scenarios, according to an SK press release (translated with Google Translate). These include logging into carrier accounts on the device; securely storing personal documents via a blockchain-enabled "Quantum Wallet" and for biometric-based mobile payments at retail stores. Online payment protection is also on the roadmap. SK Telecom also plans to roll out open APIs for developers to begin incorporating the technology on an OEM and application basis.

Microsoft

Windows 10 Previews DNS Over HTTPS (thurrott.com)

An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put it simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."

Businesses

Zoom Acquires Keybase To Get End-to-End Encryption Expertise (techcrunch.com)

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. From a report: Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains. The company has faced a number of security issues in the last couple of months as demand has soared and exposed some security weaknesses in the platform. As the company has moved to address these issues, having a team of encryption experts on staff should help the company build a more secure product. In a blog post announcing the deal, CEO Eric Yuan said they acquired Keybase to give customers a higher level of security, something that's increasingly important to enterprise customers as more operations are relying on the platform, working from home during the pandemic.

Encryption

Documents Reveal FBI Head Defended Encryption for WhatsApp Before Becoming Fierce Critic (theguardian.com)

Christopher Wray, the FBI director who has been one of the fiercest critics of encryption under the Trump administration, previously worked as a lawyer for WhatsApp, where he defended the practice, according to new court filings. From a report: The documents, which were released late on Wednesday night as part of an unrelated matter, show Wray worked for WhatsApp in 2015 while he was an attorney for the Washington law firm of King & Spalding. While there are sparse details about the precise nature of the work, the filings indicate that Wray strongly defended the need for end-to-end encryption in his previous representation of WhatsApp, the popular messaging application owned by Facebook. Wray's earlier work -- which has not previously been public -- contradicts his current position on encryption, which protects users' communications and other data from being read by outsiders. The Trump administration and major technology companies like Facebook have been at odds over the need to offer customers encryption services, with the White House and law enforcement officials arguing the technology represents a security risk by protecting the communication of terrorists and criminals.

Security

NSA's Guide For Choosing a Safe Text Chat and Video Conferencing Service (zdnet.com)

The US National Security Agency (NSA) published last week a security assessment of today's most popular video conferencing, text chatting, and collaboration tools. From a report: The guidance contains a list of security criteria that the NSA hopes companies take into consideration when selecting which telework tool/service they want to deploy in their environments. The NSA document is not only meant for US government and military entities but the private sector as well. The idea behind the NSA's initiative is to give military, public, and private organizations an overview of all of a tool's features, so IT staff don't make wrong decisions by expecting a tool to provide certain features that it does not actually deliver. Per the NSA's document, the assessed criteria answer basic questions like:

  • Does the service implement end-to-end (E2E) encryption?
  • Does the E2E encryption use strong, well-known, testable encryption standards?
  • Is multi-factor authentication (MFA) available?
  • Can users see and control who connects to collaboration sessions?
  • Does the tool's vendor share data with third parties or affiliates?
  • Do users have the ability to securely delete data from the service and its repositories as needed (both on client and server-side)?
  • Is the tool's source code public (e.g. open source)?
  • Is the service FedRAMP approved for official US government use?

Windows

You Can Now Manage Windows 10 Devices Through G Suite (zdnet.com)

Google has announced the general availability of a long-awaited feature -- the ability to manage Windows 10 devices through G Suite. From a report: Until today, companies that used G Suite to manage corporate endpoints could only enroll Android, iOS, Chrome, and Jamboard devices. Once enrolled in a G Suite enterprise plan, system administrators at these companies would have full control over the enrolled devices, to ensure that company data was safeguarded from sloppy employees. G Suite admins could enforce security policies related to login operations, file storage, encryption, and other features. Starting this week, the same features are now also available for working with Windows 10 devices, Google announced in a blog post. These include the ability to, among other things: Log into Windows 10 systems using a Google account, control Windows 10 update rules, and change Windows 10 settings remotely.

Privacy

Apple and Google Pledge To Shut Down Coronavirus Tracker When Pandemic Ends (theverge.com) 63

An anonymous reader quotes a report from The Verge: On Friday, Apple and Google revised their ambitious automatic contact-tracing proposal, just two weeks after the system was first announced. An Apple representative said the changes were the result of feedback both companies had received about the specifications and how they might be improved. The companies also released a "Frequently Asked Questions" page, which rehashes much of the information already made public. On a call accompanying the announcement, representatives from each company pledged for the first time to disable the service after the outbreak had been sufficiently contained. Such a decision would have to be made on a region-by-region basis, and it's unclear how public health authorities would reach such a determination. However, the engineers stated definitively that the APIs were not intended to be maintained indefinitely.

Under the new encryption specification, daily tracing keys will now be randomly generated rather than mathematically derived from a user's private key. Crucially, the daily tracing key is shared with the central database if a user decides to report their positive diagnosis. As part of the change, the daily key is now referred to as the "temporary tracing key," and the long-term tracing key included in the original specification is no longer present. The new encryption specification also establishes specific protections around the metadata associated with the system's Bluetooth transmissions. Along with the random codes, devices will also broadcast their base power level (used in calculating proximity) and which version of the tool they are running. The companies are also changing the language they use to describe the project. The protocols were initially announced as a contact-tracing system, it is now referred to as an "exposure notification" system. The companies say the name change reflects that the new system should be "in service of broader contact tracing efforts by public health authorities."
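The key schedule described above, as an added example that is not code from Apple, Google or the article: it follows the published Exposure Notification cryptography spec as I recall it (a random 16-byte daily key, 10-minute rolling identifiers, encrypted metadata carrying protocol version and transmit power), but stays standard-library only, so HMAC-SHA256 stands in for the spec's AES-128 block and the label strings and byte layouts are assumptions.

```python
import hashlib
import hmac
import os
import struct

INTERVALS_PER_DAY = 144           # identifiers roll every 10 minutes

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 16) -> bytes:
    """HKDF-SHA256 (empty salt, single expand block)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def prf16(key: bytes, data: bytes) -> bytes:
    """Stand-in for the spec's AES-128 block (assumption: HMAC instead)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def new_temporary_exposure_key() -> bytes:
    """The revision described above: the day key is fresh randomness, not
    derived from a long-term user key, so different days cannot be linked."""
    return os.urandom(16)

def rolling_identifier(tek: bytes, interval: int) -> bytes:
    """The random-looking code broadcast over Bluetooth for one 10-minute slot."""
    rpik = hkdf_sha256(tek, b"EN-RPIK")
    return prf16(rpik, b"EN-RPI" + b"\x00" * 6 + struct.pack("<I", interval))

def xor_metadata(tek: bytes, rpi: bytes, two_bytes: bytes) -> bytes:
    """Encrypt or decrypt the 2-byte metadata (version, TX power) under a pad
    derived from the TEK and the identifier it travels with."""
    pad = prf16(hkdf_sha256(tek, b"EN-AEMK"), rpi)[:2]
    return bytes(a ^ b for a, b in zip(two_bytes, pad))

def broadcast(tek: bytes, interval: int, version: int, tx_power: int):
    """What a phone sends in one slot: (identifier, encrypted metadata)."""
    rpi = rolling_identifier(tek, interval)
    meta = struct.pack("<Bb", version, tx_power)
    return rpi, xor_metadata(tek, rpi, meta)

def match_reported_key(tek: bytes, day_start: int, heard: list):
    """Receiver side: a reported day key lets a phone regenerate that day's 144
    identifiers locally and compare them with what it heard; metadata opens only on a hit."""
    day = {rolling_identifier(tek, day_start + i): i for i in range(INTERVALS_PER_DAY)}
    hits = []
    for rpi, aem in heard:
        if rpi in day:
            version, tx_power = struct.unpack("<Bb", xor_metadata(tek, rpi, aem))
            hits.append((day[rpi], version, tx_power))
    return hits
```

Because only the day key is uploaded on a positive report, a bystander's phone learns which of its own observations matched, never a history of who the reporter met.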

The Internet

NordVPN Unveils First Mainstream WireGuard Virtual Private Network (zdnet.com) 51

One of the largest VPN companies, NordVPN, is rolling out NordLynx -- its first mainstream WireGuard virtual private network for its Windows, Mac, Android and iOS client-software applications. ZDNet reports: NordVPN's own tests have shown NordLynx easily outperforms the other protocols, IKEv2/IPsec and OpenVPN. How much faster? According to NordVPN's 256,886 speed tests, "When a user connects to a nearby VPN server and downloads content that's served from a content delivery network (CDN) within a few thousand miles/kilometers, they can expect up to twice higher download and upload speed." While speed is what customers will notice, security experts like WireGuard for its code's simplicity. With only about 4,000 lines of code, WireGuard's code can be comprehensively reviewed by a single individual.

Besides WireGuard, NordVPN adds in its double Network Address Translation (NAT) system to protect users' privacy. This enables users to establish a secure VPN connection while storing no identifiable user data on a server. You're assigned a dynamic local IP address that remains assigned only while the session is active. User authentication is done with the help of a secure external database. To switch to NordLynx, users need to update their NordVPN app to the latest version. The NordLynx protocol can be chosen manually from the Settings menu.
