From a report: Keybase started off as co-founder and developer Max Krohn's "hobby project" -- a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was cofounder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreesen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way. But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantry -- raising a chorus of complaints in Keybase's open chat channel. It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Keybase's leadership is promising to do something to fix the spam problem -- or at least make it easier to report and block abusers. In a blog post, Krohn and Coynes wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly." But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

Russian President Vladimir Putin on Monday signed legislation requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software. Reuters reports: The law, which will come into force on July 1 next year, has been met with resistance by some electronics retailers, who say the legislation was adopted without consulting them. The law has been presented as a way to help Russian IT firms compete with foreign companies and spare consumers from having to download software upon purchasing a new device. The country's mobile phone market is dominated by foreign companies including Apple, Samsung and Huawei. The legislation signed by Putin said the government would come up with a list of Russian applications that would need to be installed on the different devices.

Paul Sawers, writing for VentureBeat: WhatsApp launched out of beta 10 years ago this month, and the messaging behemoth is now a completely different beast from the one that quietly arrived for iPhone users way back in November 2009. After Facebook shelled out around $20 billion to acquire the app in 2014, WhatsApp introduced voice calls, video calls, group calls, web and desktop apps, end-to-end encryption, and fingperprint unlocking. All the while, Facebook has been figuring out how to monetize its gargantuan acquisition by targeting businesses. However, there remains one glaring chink in WhatsApp's otherwise expansive armor -- namely, the lack of simultaneous multi-device support. Things could be about to change, however.

Given that WhatsApp is tethered to a user's mobile number and all messages are stored locally on devices, rather than on remote servers, syncing and accessing WhatsApp across devices poses something of a challenge. WhatsApp Web allows users to message from their desktop computer, but by essentially mirroring their mobile device -- one can't work without the other. Moreover, WhatsApp Web lacks many of the features of the mobile app, such as voice and video calling. Achieving true multi-device support -- without compromising security -- would be a big game changer for WhatsApp.

Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. From a report: The hardcoded encryption key was found inside the FortiOS for FortiGate firewalls and the FortiClient endpoint protection software (antivirus) for Mac and Windows. These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services. The hardcoded keys were used to encrypt user traffic for the FortiGuard Web Filter feature, FortiGuard AntiSpam feature, and FortiGuard AntiVirus feature. A threat actor in a position to observe a user or a company's traffic would have been able to take the hardcoded encryption keys and decrypt this weakly encrypted data stream.

"Be Smart. Shop Safe," warns Mozilla's annual buyer's guide for secure connected products. Based on their conversations with developers and dozens of privacy experts, they've awarded smiley faces with different expressions to rate products from "Not Creepy" up to "Super Creepy".

"While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures..." notes the editor of Mozilla's Internet Health Report. "Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it's worrying that more are not upfront about the privacy and security of their products."

Or, as The Next Web writes, "god bless Mozilla for having our lazy backs." And, well, if you're a user of any Ring cameras⦠we're sorry. Basically, there are five things that every product must do:

- Have automatic security updates, so they're protected against the newest threats

- Use encryption, meaning bad actors can't just snoop on your data

- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible

- Require users to change the default password (if applicable), because that makes devices far harder to access

- Privacy policies -- ones that relate to the product specifically, and aren't just generic

Doesn't seem too much to ask right...? Well, of the 76 devices Mozilla selected, 60 of them passed this test... And what devices didn't meet the criteria?

There were nine of them overall (including the Artie 3000 Coding Robot and the Wemo Wifi Smart Dimmer), but the real loser in this test is the Amazon-owned Ring. Three of the company's products (which is effectively all of their major devices) didn't meet Mozilla's criteria. Yes, that's right, the Ring Video Doorbell, Ring Indoor Cam, and Ring Security Cam all didn't meet minimum standards for security.... The main reasons for not meeting this criteria is due Ring's history with poor encryption policies, and vulnerability management.
To be fair, Nest Cam's Indoor and Outdoor Security Cameras and Google Home also fell into the "Very Creepy" category -- and so did Amazon's Echo smart speakers. (The Amazon Echo Show even made it into Mozilla's highest "Super Creepy" category, where the only other product was Facebook Portal.) But at least the Nest Hello Video doorbell only appears in Mozilla's "Somewhat Creepy" category.

"Just because something on your wishlist this year connects to the internet, doesn't mean you have to compromise on privacy and security..." warns the editor of Mozilla's Internet Health Report. And in addition, "Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal." Going forward, they suggest that we push for better privacy regulations -- and that whenever we rate products on performance and price, we should also rate them on their privacy and security.

But in the meantime, as Mozilla explained on Twitter, "Friends don't let friends buy creepy gifts."

Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.

An anonymous reader quotes a report from the Associated Press: Uber will allow passengers and drivers in Brazil and Mexico to record audio of their rides as it attempts to improve its safety record and image, and eventually it hopes to launch the feature into other markets including the United States. The ride-hailing company plans to pilot the feature in cities in both countries in December, although it has no timeline for possible expansion in the US and other markets.

The feature will allow customers to opt into recording all or select trips. Recordings will be stored on the rider or driver's phone and encrypted to protect privacy, and users will not be able to listen to them. They can later share a recording with Uber, which will have an encryption key, if they want to report a problem. Whether the recording feature will deter violent behavior to help riders and drivers is unknown. But Uber stands to benefit because the recordings could help the company mitigate losses and rein in liability for incidents that flare up between drivers and passengers.

New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

Google is announcing that today, a year and a half after it first unveiled RCS chat as Android's primary texting platform, it is actually making RCS chat Android's primary texting platform. That's because it is rolling out availability to any Android user in the US who wants to use it, starting today. From a report: RCS stands for "rich communication services," and it's the successor to SMS. Like other texting services, it supports read receipts, typing indicators, improved group chats, and high-quality images. Unlike several texting apps, like iMessage or Signal, it does not offer end-to-end encryption as an option. RCS is based on your phone number, so when you are texting with somebody who also has it, it should just turn on automatically in your chat. To get RCS, you simply need to use Android Messages as your default texting app on your Android phone. Many Android phones do that already by default, but Samsung users will need to head to the Google Play Store to download it and then switch to it as their default. Further reading: The Four Major Carriers Finally Agree To Replace SMS With a New RCS Standard.

Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. They're calling it PureLocker because it's written in the PureBasic programming language. ZDNet reports: It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. "Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

There's currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.

An anonymous reader quotes a report from The New York Times: Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company's computer processors, Intel implied that all the problems were solved. But that wasn't entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found. It would be another six months before a second patch, publicly disclosed by the company on Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.

The public message from Intel was "everything is fixed," said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. "And we knew that was not accurate." While many researchers give companies time to fix problems before the researchers disclose them publicly, the tech firms can be slow to patch the flaws and attempt to muzzle researchers who want to inform the public about the security issues. Researchers often agree to disclose vulnerabilities privately to tech companies and stay quiet about them until the company can release a patch. Typically, the researchers and companies coordinate on a public announcement of the fix. But the Dutch researchers say Intel has been abusing the process. Now the Dutch researchers claim Intel is doing the same thing again. They said the new patch issued on Tuesday still doesn't fix another flaw they provided Intel in May. The Intel flaws, like other high-profile vulnerabilities the computer security community has recently discovered in computer chips, allowed an attacker to extract passwords, encryption keys and other sensitive data from processors in desktop computers, laptops and cloud-computing servers. Intel says the patches "greatly reduce" the risk of attack, but don't completely fix everything the researchers submitted.

The company's spokeswoman Leigh Rosenwald said Intel was publishing a timeline with Tuesday's patch for the sake of transparency. "This is not something that is normal practice of ours, but we realized this is a complicated issue. We definitely want to be transparent about that," she said. "While we may not agree with some of the assertions made by the researchers, those disagreements aside, we value our relationship with them."

itwbennett writes: Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing's networks, email system, and website. "[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security," writes JM Porup for CSO online.

The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware.

For its part, Boeing says that the vulnerabilities Kubecka reported are "common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day" and that the company has "no indication of a compromise in any aviation system or product that Boeing produces." What Porup's reporting and Kubecka's research clearly shows, however, is how poor information security practices can become aviation security risks.

Freshly Exhumed shares a report from Securelist: Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).

The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software. One of the methods Titanium uses to infect its targets and spread is via a local intranet that has already been compromised with malware. Another is via an SFX archive containing a Windows task installation script. A third is shellcode that gets injected into the winlogon.exe process (it's still unknown how this happens).

An anonymous reader quotes a report from Ars Technica: Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome. The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies." DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote. This part of Erwin's letter referred to an Ars article in which we examined the ISPs' claims, which center largely around Google's plans for Chrome. The broadband industry claimed that Google plans to automatically switch Chrome users to its own DNS service, but that's not what Google says it is doing. Google's publicly announced plan is to "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider." If the user-selected DNS service is not on that list, Chrome would make no changes for that user.

An anonymous reader quotes a report from TechCrunch: An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities. The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist's computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig's computer display.

Daley Borda, a security researcher and bug bounty hunter, stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display. "You can see details of calls coming in -- their name, address, and injury," he told TechCrunch. TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services. One message said a 98-year-old man had fallen at his home address. A few moments later, another message said a 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents and medical emergencies, often including their home addresses. "The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust," adds TechCrunch. These devices remain a fixture in UK hospitals and "allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator, which are then broadcast as radio waves over the pager network."

While the NHS still uses about 130,000 pagers, according to the UK government, it's not clear how many trusts are exposing medical information -- if at all.

An anonymous reader quotes MediaPost: Faced with a new controversy related to online privacy, Comcast said this week that it doesn't draw on information about the sites broadband users visit for advertising or targeting. The company said Thursday that it deletes information every 24 hours about the domain names people navigate to online. "Millions of Comcast customers look up billions of addresses online every day," Chief Privacy Officer Christin McMeley wrote on the company's blog. "We've never used that data for any sort of marketing or advertising -- and we have never sold it to anyone."

The company's statement came one day after the publication Motherboard reported on Comcast's efforts to rally opposition on Capitol Hill to Google's plan to encrypt domain names... "While cloaked as enhancing user privacy, Google's DNS encryption will in fact vastly expand Google's control over and use of customer data, and will result in the complete commercialization of DNS data for Google's own ends," [Comcast's] presentation states. Google has said its plans were mischaracterized by broadband organizations, and that it has no intention of centralizing the web, or changing people's existing DNS providers to Google by default. "Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate," a company spokesperson said last month...

One day after Motherboard posted the material reportedly prepared by Comcast, the cable provider touted its privacy policies in a blog post. "Where you go on the Internet is your business, not ours," McMeley wrote. "As your Internet Service Provider, we do not track the websites you visit or apps you use through your broadband connection. Because we don't track that information, we don't use it to build a profile about you and we have never sold that information to anyone."

Several years ago, Comcast opposed Federal Communications Commission privacy regulations that would have required broadband providers to obtain consumers' opt-in consent before drawing on their web-browsing activity for advertising. The FCC passed those rules in 2016, but the regulations were revoked by Congress the following year.

An anonymous reader writes: Mozilla said today that "no money is being exchanged to route DNS requests to Cloudflare" as part of the DNS-over-HTTPS (DoH) feature that is currently being gradually enabled for Firefox users in the US. The browser maker has been coming under heavy criticism lately for its partnership with Cloudflare. Many detractors say that by using Cloudflare as the default DoH resolver for Firefox, Mozilla will help centralize a large chunk of DNS traffic on Cloudflare's service. Critics of this decision include regular users, but also ISP-backed lobby groups, according to a recent report citing leaked documents. But according to Mozilla, they're not getting paid for this, and are only doing it for Firefox user privacy.

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. ZDNet reports: On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.

In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor's web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within. The team says that "thousands" of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number. Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed. Some of the records were logs for U.S. Army generals visiting Russia and Israel, the report says. In total, the AWS-hosted database contained over 179GB of data.

Internet giant Comcast is lobbying U.S. lawmakers against plans to encrypt web traffic that would make it harder for internet service providers (ISPs) to determine your browsing history, Motherboard reported Wednesday, citing a lobbying presentation. From the report: The plan, which Google intends to implement soon, would enforce the encryption of DNS data made using Chrome, meaning the sites you visit. Privacy activists have praised Google's move. But ISPs are pushing back as part of a wider lobbying effort against encrypted DNS, according to the presentation. Technologists and activists say this encryption would make it harder for ISPs to leverage data for things such as targeted advertising, as well as block some forms of censorship by authoritarian regimes.

Mozilla, which makes Firefox, is also planning a version of this encryption. "The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers," Marshall Erwin, senior director of trust and safety at Mozilla, told Motherboard in a phone call after reviewing sections of the slide deck. "We are trying to essentially shift the power to collect and monetize peoples' data away from ISPs and providing users with control and a set of default protections," he added, regarding Mozilla's changes.

Google said on Wednesday that it had achieved a long-sought breakthrough called "quantum supremacy," which could allow new kinds of computers to do calculations at speeds that are inconceivable with today's technology. From a report: In a paper published in the science journal Nature, Google said its research lab in Santa Barbara, Calif., had reached a milestone that scientists had been working toward since the 1980s: Its quantum computer performed a task that isn't possible with current technology. In this case, a mathematical calculation that the largest supercomputers could not complete in under 10,000 years was done in 3 minutes 20 seconds, Google said in its paper. Scientists likened Google's announcement to the Wright brothers' first plane flight in 1903 -- proof that something is really possible even though it may be years before it can fulfill its potential. "The original Wright flyer was not a useful airplane," said Scott Aaronson, a computer scientist at the University of Texas at Austin who reviewed Google's paper before publication. "But it was designed to prove a point. And it proved the point."

A quantum machine, the result of more than a century's worth of research into a type of physics called quantum mechanics, operates in a completely different manner from regular computers. It relies on the mind-bending ways some objects act at the subatomic level or when exposed to extreme cold, like the metal chilled to nearly 460 degrees below zero inside Google's machine. One day, researchers believe, these devices could power advances in artificial intelligence or easily overwhelm the encryption that protects computers vital to national security. Because of that, the governments of the United States and China consider quantum computing a national security priority. Further reading: Interview of Google CEO Sundar Pichai, who explains why quantum computing could be as important for Google as AI.