Botnet

One of the Most Destructive Botnets Can Now Spread To Nearby Wi-Fi Networks (arstechnica.com) 28

The sophistication of the Emotet malware's code base and its regularly evolving methods for tricking targets into clicking on malicious links have allowed it to spread widely. "Now, Emotet is adopting yet another way to spread: using already compromised devices to infect devices connected to nearby Wi-Fi networks," reports Ars Technica. From the report: Last month, Emotet operators were caught using an updated version that uses infected devices to enumerate all nearby Wi-Fi networks. It uses a programming interface called wlanAPI to profile the SSID, signal strength, and use of WPA or other encryption methods for password-protecting access. Then, the malware uses one of two password lists to guess commonly used default username and password combinations. After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," researchers from security firm Binary Defense wrote in a recently published post. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords." The Binary Defense post said the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later. While the module was created almost two years ago, Binary Defense didn't observe it being used in the wild until last month.

United States

The CIA Secretly Bought a Company That Sold Encryption Devices Across the World. Then, Its Spies Read Everything. (washingtonpost.com) 277

Greg Miller, reporting for Washington Post: For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software. The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company's devices so they could easily break the codes that countries used to send encrypted messages. The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project. The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations' gullibility for years, taking their money and stealing their secrets. The operation, known first by the code name "Thesaurus" and later "Rubicon," ranks among the most audacious in CIA history.

Wireless Networking

Researchers Find Some LoRaWAN Networks Vulnerable to Cyber-Attacks (zdnet.com) 6

Slashdot reader JustAnotherOldGuy quotes ZDNet: Security experts have published a report Tuesday warning that the new and fast-rising LoRaWAN technology is vulnerable to cyberattacks and misconfigurations, despite claims of improved security rooted in the protocol's use of two layers of encryption.

LoRaWAN stands for "Long Range Wide Area Network." It is a radio-based technology that works on top of the proprietary LoRa protocol. LoRaWAN takes the LoRa protocol and allows devices spread across a large geographical area to wirelessly connect to the internet via radio waves...

But broadcasting data from devices via radio waves is not a secure approach. However, the protocol's creators anticipated this issue. Since its first version, LoRaWAN has used two layers of 128-bit encryption to secure the data being broadcast from devices — with one encryption key being used to authenticate the device against the network server and the other against a company's backend application. In a 27-page report published Tuesday, security researchers from IOActive say the protocol is prone to misconfigurations and design choices that make it susceptible to hacking and cyber-attacks. The company lists several scenarios it found plausible during its analysis of this fast-rising protocol.

Some examples:
  • "Encryption keys can be extracted from devices by reverse engineering the firmware of devices that ship with a LoRaWAN module."
  • "Many devices come with a tag displaying a QR code and/or text with the device's identifier, security keys, or more."

Encryption

Linus Torvalds Pulls WireGuard VPN into Linux 5.6 Kernel Source Tree (techradar.com) 51

"The WireGuard VPN protocol will be included into the next Linux kernel as Linus Torvalds has merged it into his source tree for version 5.6," reports TechRadar:
While there are many popular VPN protocols such as OpenVPN, WireGuard has made a name for itself by being as easy to configure and deploy as SSH... The WireGuard protocol is a project from security researcher and kernel developer Jason Donenfeld who created it as an alternative to both IPsec and OpenVPN. Since the protocol consists of around just 4,000 lines of code as opposed to the 100,000 lines of code that make up OpenVPN, it is much easier for security experts to review and audit for vulnerabilities.

While WireGuard was initially released for the Linux kernel, the protocol is now cross-platform and can be deployed on Windows, macOS, BSD, iOS and Android.

Ars Technica notes that with Linus having merged WireGuard into the source tree, "the likelihood that it will disappear between now and 5.6's final release (expected sometime in May or early June) is vanishingly small." WireGuard's Jason Donenfeld is also contributing AVX crypto optimizations to the kernel outside the WireGuard project itself. Specifically, Donenfeld has optimized the Poly1305 cipher to take advantage of instruction sets present in modern CPUs. Poly1305 is used for WireGuard's own message authentication but can be used outside the project as well — for example, chacha20-poly1305 is one of the highest-performing SSH ciphers, particularly on CPUs without AES-NI hardware acceleration.

Other interesting features new to the 5.6 kernel will include USB4 support, multipath TCP, AMD and Intel power management improvements, and more.

Encryption

A New Bill Could Punish Web Platforms For Using End-To-End Encryption (theverge.com) 93

Lindsey Graham (R-SC) is working on a bill that would reduce legal protections for apps and websites, potentially jeopardizing online encryption. The Verge reports: The draft bill would form a "National Commission on Online Child Exploitation Prevention" to establish rules for finding and removing child exploitation content. If companies don't follow these rules, they could lose some protection under Section 230 of the Communications Decency Act, which largely shields companies from liability over users' posts. Reports from Bloomberg and The Information say that Sen. Lindsey Graham (R-SC) is behind the bill, currently dubbed the Eliminating Abusive and Rampant Neglect of Interactive Technologies (or EARN IT) Act. It would amend Section 230 to make companies liable for state prosecution and civil lawsuits over child abuse and exploitation-related material, unless they follow the committee's best practices. They wouldn't lose Section 230 protections for other content like defamation and threats.

The bill doesn't lay out specific rules. But the committee -- which would be chaired by the Attorney General -- is likely to limit how companies encrypt users' data. Large web companies have moved toward end-to-end encryption (which keeps data encrypted for anyone outside a conversation, including the companies themselves) in recent years. Facebook has added end-to-end encryption to apps like Messenger and WhatsApp, for example, and it's reportedly pushing it for other services as well. U.S. Attorney General William Barr has condemned the move, saying it would prevent law enforcement from finding criminals, but Facebook isn't required to comply. Under the EARN IT Act, though, a committee could require Facebook and other companies to add a backdoor for law enforcement.

Encryption

This Sculpture Holds a Decades-Old C.I.A. Mystery. And Now, Another Clue. (nytimes.com) 20

The creator of one of the world's most famous mysteries is giving obsessive fans a new clue. From a report: Kryptos, a sculpture in a courtyard at the headquarters of the Central Intelligence Agency in Langley, Va., holds an encrypted message that has not fully yielded to attempts to crack it. It's been nearly 30 years since its tall scroll of copper with thousands of punched-through letters was set in place. Three of the four passages of the sculpture have been decrypted (the first, though unacknowledged at the time, was solved by a team from the National Security Agency). But after nearly three decades, one brief passage remains uncracked. And that has been a source of delight and consternation to thousands of people around the world. The sculptor, Jim Sanborn, has been hounded for decades by codebreaking enthusiasts. And he has twice provided clues to move the community of would-be solvers along, once in 2010 and again in 2014. Now he is offering another clue. The last one, he says. It is a word: "NORTHEAST."

Why do people care so much about a puzzle cut into a sheet of copper in a courtyard after so much time? It's not just that the piece itself has a kind of brooding, powerful beauty, or the fact that it has been referred to in novels by the thriller writer Dan Brown. It is something deeper, something that involves the nature of the human mind, said Craig Bauer, a professor of mathematics at York College of Pennsylvania and a former scholar in residence at the N.S.A.'s Center for Cryptologic History. "We have many problems that are difficult to resolve -- intimidating, perhaps even scary," he said. "It gives people great pleasure to pick up on one that they think they have a chance of solving." [...] Why now? Did we mention Mr. Sanborn is 74? Holding on to one of the world's most enticing secrets can be stressful. Some would-be codebreakers have appeared at his home. Many felt they had solved the puzzle, and wanted to check with Mr. Sanborn. Sometimes forcefully. Sometimes, in person.
NPR spoke with Sanborn (4-min).

Security

Public Wi-Fi is a Lot Safer Than You Think (eff.org) 80

Jacob Hoffman-Andrews, writing for EFF: If you follow security on the Internet, you may have seen articles warning you to "beware of public Wi-Fi networks" in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was. The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if someone could snoop on your network communications -- for instance by sniffing packets from unencrypted Wi-Fi or by being the NSA -- they could read your email. Starting in 2010 that all changed. Eric Butler released Firesheep, an easy-to-use demonstration of "sniffing" insecure HTTP to take over people's accounts. Site owners started to take note and realized they needed to implement HTTPS (the more secure, encrypted version of HTTP) for every page on their site. The timing was good: earlier that year, Google had turned on HTTPS by default for all Gmail users and reported that the costs to do so were quite low. Hardware and software had advanced to the point where encrypting web browsing was easy and cheap.

However, practical deployment of HTTPS across the whole web took a long time. One big obstacle was the difficulty for webmasters and site administrators of buying and installing a certificate (a small file required in order to set up HTTPS). EFF helped launch Let's Encrypt, which makes certificates available for free, and we wrote Certbot, the easiest way to get a free certificate from Let's Encrypt and install it. Meanwhile, lots of site owners were changing their software and HTML in order to make the switch to HTTPS. There's been tremendous progress, and now 92% of web page loads from the United States use HTTPS. In other countries the percentage is somewhat lower -- 80% in India, for example -- but HTTPS still protects the large majority of pages visited. [...] What about the risk of governments scooping up signals from "open" public Wi-Fi that has no password? Governments that surveil people on the Internet often do it by listening in on upstream data, at the core routers of broadband providers and mobile phone companies. If that's the case, it means the same information is commonly visible to the government whether they sniff it from the air or from the wires.

Privacy

India Likely To Force Facebook, WhatsApp To Comply With 'Traceability' Demand (techcrunch.com) 19

New Delhi is inching closer to recommending regulations that would require social media companies and instant messaging app providers to help law enforcement agencies identify users who have posted content -- or sent messages -- it deems questionable, TechCrunch reported Wednesday, citing people familiar with the matter. From the report: India will submit the suggested change to the local intermediary liability rules to the nation's apex court later this month. The suggested change, the conditions of which may be altered before it is finalized, currently says that law enforcement agencies will have to produce a court order before exercising such requests, sources who have been briefed on the matter said. But regardless, asking companies to comply with such a requirement would be "devastating" for international social media companies, a New Delhi-based policy advocate told TechCrunch on the condition of anonymity. WhatsApp executives have insisted in the past that they would have to compromise end-to-end encryption of every user to meet such a demand -- a move they are willing to fight over.

Encryption

Apple Dropped Plan for Encrypting Backups After FBI Complained (reuters.com) 134

Apple dropped plans to let iPhone users fully encrypt backups of their devices in the company's iCloud service after the FBI complained that the move would harm investigations, Reuters reported on Tuesday, citing six sources familiar with the matter. From the report: The tech giant's reversal, about two years ago, has not previously been reported. It shows how much Apple has been willing to help U.S. law enforcement and intelligence agencies, despite taking a harder line in high-profile legal disputes with the government and casting itself as a defender of its customers' information. The long-running tug of war between investigators' concerns about security and tech companies' desire for user privacy moved back into the public spotlight last week, as U.S. Attorney General William Barr took the rare step of publicly calling on Apple to unlock two iPhones used by a Saudi Air Force officer who shot dead three Americans at a Pensacola, Florida naval base last month.

U.S. President Donald Trump piled on, accusing Apple on Twitter of refusing to unlock phones used by "killers, drug dealers and other violent criminal elements." Republican and Democratic senators sounded a similar theme in a December hearing, threatening legislation against end-to-end encryption, citing unrecoverable evidence of crimes against children. Apple did in fact turn over the shooter's iCloud backups in the Pensacola case, and said it rejected the characterization that it "has not provided substantive assistance." Behind the scenes, Apple has provided the U.S. Federal Bureau of Investigation with more sweeping help, not related to any specific probe.

Advertising

Facebook Won't Put Ads in WhatsApp -- For Now (newsweek.com) 29

Facebook "will no longer push through with its plans to sell ads on WhatsApp," writes Engadget, citing a report in the Wall Street Journal which says WhatsApp still "plans at some point to introduce ads to Status."

Newsweek reports: WhatsApp is the only app in Facebook's suite of products free from ads, which make up a vast amount of the parent company's revenue, bringing in the majority of its $17.65 billion during Q3 last year. Like rival apps Snapchat or TikTok, advertising features prominently in Messenger and Instagram. But what does it mean for Facebook? The impact of a delayed WhatsApp ad roll-out will not only mean a financial hit, but may also disrupt how much ad data Facebook can possibly extract from users of the app's desktop and web versions.

Currently, Facebook does not charge people for access to its products. Instead, it monetizes personal information by selling details about user preferences to companies for use in targeted ads. And there is clearly money to be made via mobile-based ads, which brought in about 94 percent of Facebook's total ad revenue during the third quarter of last year... "My assessment of this is it will be a delayed introduction of ads," social media consultant and commentator Matt Navarra told Newsweek today... "With the current climate of unrest surrounding data privacy and Facebook's plans to integrate its messaging apps backend, as well as the many legal battles they are facing, I suspect they are being cautious with yet more activity that could ruffle feathers at this time," Navarra told Newsweek. "But it's a case of when they do launch ads in WhatsApp, not if," he predicted.

The ad strategy sparked clashes between Facebook executives and WhatsApp founders Jan Koum and Brian Acton, and became a factor in their departures from the firm. Koum and Acton, pro-privacy technologists, reportedly feared the app's encryption could be put at risk.

Encryption

Exploit Fully Breaks SHA-1, Lowers the Attack Bar (threatpost.com) 47

ThreatPost reported on some big research last week: A proof-of-concept attack has been pioneered that "fully and practically" breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.

The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources.

"This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function," the researchers wrote. "Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks."

Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger.

Long-time Slashdot reader shanen writes, "I guess the main lesson is that you can never be too sure how long any form of security will remain secure."

Wireless Networking

Bruce Schneier on 5G Security (schneier.com) 33

Bruce Schneier comments on the issues surrounding 5G security: [...] Keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards, the protocols and software for 5G, ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security. To be sure, there are significant security improvements in 5G over 4G in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren't enough. The 5G security problems are threefold.

First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it. Second, there's so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems. Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.

Encryption

The FBI Can Unlock Florida Terrorist's iPhones Without Apple (bloomberg.com) 121

The FBI is pressing Apple to help it break into a terrorist's iPhones, but the government can hack into the devices without the technology giant, according to experts in cybersecurity and digital forensics. From a report: Investigators can exploit a range of security vulnerabilities -- available directly or through providers such as Cellebrite and Grayshift -- to break into the phones, the security experts said. Mohammed Saeed Alshamrani, the perpetrator of a Dec. 6 terrorist attack at a Navy base in Florida, had an iPhone 5 and iPhone 7, models that were first released in 2012 and 2016, respectively. Alshamrani died and the handsets were locked, leaving the FBI looking for ways to hack into the devices. "A 5 and a 7? You can absolutely get into that," said Will Strafach, a well-known iPhone hacker who now runs the security company Guardian Firewall. "I wouldn't call it child's play, but it's not super difficult." That counters the U.S. government's stance. Attorney General William Barr slammed Apple on Monday, saying the company hasn't done enough to help the FBI break into the iPhones.

"We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements," President Donald Trump wrote on Twitter Tuesday. The comments add to pressure on Apple to create special ways for the authorities to access iPhones. Apple has refused to build such backdoors, saying they would be used by bad actors, too. Indeed, Strafach and other security experts said Apple wouldn't need to create a backdoor for the FBI to access the iPhones that belonged to Alshamrani.
Further reading: The FBI Got Data From A Locked iPhone 11 Pro Max -- So Why Is It Demanding Apple Unlock Older Phones?

Privacy

Verizon Media Launches OneSearch, a Privacy-Focused Search Engine (venturebeat.com) 58

An anonymous reader quotes a report from VentureBeat: Verizon Media, the media and digital offshoot of telecommunications giant Verizon, has launched a "privacy-focused" search engine called OneSearch. With OneSearch, Verizon promises there will be no cookie tracking, no ad personalization, no profiling, no data-storing, and no data-sharing with advertisers.

With its default dark mode, OneSearch lets you know that Advanced Privacy Mode is activated. You can manually toggle this mode to the "off" position which returns a brighter interface, but with this setting deactivated you won't have access to privacy features such as search-term encryption. With Advanced Privacy Mode on, links to search results will only be shareable for an hour, after which time they will "self-destruct" and return an error to anyone who clicks on it. More broadly, the OneSearch interface is clean and fairly familiar to anyone who has used a search engine before. But at its core, it promises to show the same search results to everyone given that it's not tailored to the individual.
In the OneSearch privacy policy, Verizon says it will store a user's IP address, search query, and user agent on different servers so that it can't draw correlations between a user's specific location and the query that they've made.

"Verizon said that it will monetize its new search engine through advertising; however, the advertising won't be based on browsing history or data that personally identifies the individual -- it will only serve contextual advertisements based on each individual search," reports VentureBeat. OneSearch is currently available on desktop and mobile web, with mobile apps coming later this month.

Security

Microsoft Patches Major Windows 10 Vulnerability After NSA Warning (cnbc.com) 42

Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.

In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

Encryption

Apple Responds To AG Barr Over Unlocking Pensacola Shooter's Phone: 'No.' (inputmag.com) 234

On Monday, Attorney General William Barr called on Apple to unlock the alleged phone of the Pensacola shooter -- a man who murdered three people and injured eight others on a Naval base in Florida in December. Apple has responded by essentially saying: "no." From a report: "We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said. "It was not until January 8th that we received a subpoena for information related to the second iPhone, which we responded to within hours," Apple added, countering Barr's characterization of the company being slow in its approach to the FBI's needs. However, it ends the statement in no uncertain terms: "We have always maintained there is no such thing as a backdoor just for the good guys." Despite pressure from the government, Apple has long held that giving anyone the keys to users' data or a backdoor to their phones -- even in cases where terrorism or violence was involved -- would compromise every user. The company is clearly standing by those principles.

Encryption

Barr Asks Apple To Unlock iPhones of Pensacola Gunman (nytimes.com) 195

Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman. From a report: Mr. Barr's appeal was an escalation of an ongoing fight between the Justice Department and Apple pitting personal privacy against public safety. "This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence," Mr. Barr said, calling on Apple and other technology companies to find a solution and complaining that Apple has provided no "substantive assistance."

Apple has given investigators materials from the iCloud account of the gunman, Second Lt. Mohammed Saeed Alshamrani, a member of the Saudi air force training with the American military, who killed three sailors and wounded eight others on Dec. 6. But the company has refused to help the F.B.I. open the phones themselves, which would undermine its claims that its phones are secure.

Encryption

A Quick Look At the Fight Against Encryption (linuxsecurity.com) 87

b-dayyy shared this overview from the Linux Security site: Strong encryption is imperative to securing sensitive data and protecting individuals' privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies... This fear of strong, unbroken encryption is not only unfounded -- it is dangerous. Encryption with built-in backdoors which provide special access for select groups not only has the potential to be abused by law enforcement and government agencies by allowing them to eavesdrop on potentially any digital conversation, it could also be easily exploited by threat actors and criminals.

U.S. Attorney General William Barr and U.S. senators are currently pushing for legislation that would force technology companies to build backdoors into their products, but technology companies are fighting back full force. Apple and Facebook have spoken out against the introduction of encryption backdoors, warning that it would introduce massive security and privacy threats and would serve as an incentive for users to choose devices from overseas. Apple's user privacy manager Erik Neuenschwander states, "We've been unable to identify any way to create a backdoor that would work only for the good guys." Facebook has taken a more defiant stance on the issue, adamantly saying that it would not provide access to encrypted messages in Facebook and WhatsApp.

Senator Lindsey Graham has responded to this resistance authoritatively, advising the technology giants to "get on with it", and stating that the Senate will ultimately "impose its will" on privacy advocates and technologists. However, Graham's statement appears unrealistic, and several lawmakers have indicated that Congress won't make much progress on this front in 2020...

Encryption is an essential component of digital security that should be embraced, not feared. In any scenario, unencrypted data is subject to prying eyes. Strong, unbroken encryption is vital in protecting privacy and securing data both in transit and in storage, and backdoors would leave sensitive data vulnerable to tampering and theft.

Encryption

Over Two Dozen Encryption Experts Call on India To Rethink Changes To Its Intermediary Liability Rules (techcrunch.com) 36

Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules. From a report: In an open letter to India's IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet. The Indian government proposed a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes.

The originally proposed rules say that intermediaries -- which the government defines as those services that facilitate communication between two or more users and have five million or more users in India -- will have to proactively monitor and filter their users' content and be able to trace the originator of questionable content to avoid assuming full liability for their users' actions. "By tying intermediaries' protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures," the experts wrote in the letter, coordinated by the Internet Society.

Encryption

FBI Asks Apple To Help Unlock Two iPhones (nytimes.com) 134

An anonymous reader quotes a report from The New York Times: The encryption debate between Apple and the F.B.I. might have found its new test case. The F.B.I. said on Tuesday that it had asked Apple for the data on two iPhones that belonged to the gunman in the shooting last month at a naval base in Pensacola, Fla., possibly setting up another showdown over law enforcement's access to smartphones. Dana Boente, the F.B.I.'s general counsel, said in a letter to Apple that federal investigators could not gain access to the iPhones because they were locked and encrypted and their owner, Second Lt. Mohammed Saeed Alshamrani of the Saudi Royal Air Force, is dead. The F.B.I. has a search warrant for the devices and is seeking Apple's assistance executing it, the people said.

Apple said in a statement that it had given the F.B.I. all the data "in our possession" related to the Pensacola case when it was asked a month ago. "We will continue to support them with the data we have available," the company said. Apple regularly complies with court orders to turn over information it has on its servers, such as iCloud data, but it has long argued that it does not have access to material stored only on a locked, encrypted iPhone. Before sending the letter, the F.B.I. checked with other government agencies and its national security allies to see if they had a way into the devices -- but they did not, according to one of the people familiar with the investigation.

"The official said the F.B.I. was not asking Apple to create a so-called backdoor or technological solution to get past its encryption that must be shared with the government," the report adds. "Instead, the government is seeking the data that is on the two phones, the official said."

"Apple has argued in the past that obtaining such data would require it to build a backdoor, which it said would set a dangerous precedent for user privacy and cybersecurity." Apple did not comment on the request.
