A Seattle-area startup is aiming to take on giants such as Google and change the way we do email with a new physical personal email server. From a report: Helm today unveiled its $499 device that lets consumers send and receive email from their own domain, in addition to saving contacts and calendar events. It's a bold bet that aims to provide comfort at a time when privacy and security issues related to personal data hosted by big tech companies in the cloud are top of mind. The idea comes from Giri Sreenivas and Dirk Sigurdson, two entrepreneurs who already sold a security startup and raised a $4 million seed round from top venture capital firms last year.

The device is about the size of a router and looks like an upside-down book placed on a table. It connects to a home network and pairs with a mobile app that lets users create their own domain name, passwords, and recovery keys. Helm support standard protocols and works with regular email clients such as Outlook or the Mail app, with encryption protecting connection between the device and the apps.

Business communications service Slack, which has more than three million paying customers, offers a bouquet of features that has made it popular (so popular that is worth as much as $9 billion), but it lacks a crucial feature that some of its rivals don't: end-to-end encryption. It's a feature that numerous users have asked Slack to add to the service. Citing a former employee of Slack and the company's chief information security officer, news outlet Motherboard reported Tuesday that the rationale behind not including end-to-end encryption is very simple: bosses around the world don't want it. From the report: Work communication service Slack has decided against the idea of having end-to-end encryption due to the priorities of its paying customers (rather than those who use a free version of the service.) Slack is not a traditional messaging program -- it's designed for businesses and workplaces that may want or need to read employee messages -- but the decision still highlights why some platforms may not want to jump into end-to-end encryption. End-to-end is increasingly popular as it can protect communications against from interception and surveillance. "It wasn't a priority for exec [executives], because it wasn't something paying customers cared about," a former Slack employee told Motherboard earlier this year.

Apple has strongly criticized Australia's anti-encryption bill, calling it "dangerously ambiguous" and "alarming to every Australian." From a report: The Australian government's draft law -- known as the Access and Assistance Bill -- would compel tech companies operating in the country, like Apple, to provide "assistance" to law enforcement and intelligence agencies in accessing electronic data. The government claims that encrypted communications are "increasingly being used by terrorist groups and organized criminals to avoid detection and disruption," without citing evidence. But critics say that the bill's "broad authorities that would undermine cybersecurity and human rights, including the right to privacy" by forcing companies to build backdoors and hand over user data -- even when it's encrypted. Now, Apple is the latest company after Google and Facebook joined civil and digital rights groups -- including Amnesty International -- to oppose the bill, amid fears that the government will rush through the bill before the end of the year. In a seven-page letter to the Australian parliament, Apple said that it "would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat." The company adds, "We appreciate the government's outreach to Apple and other companies during the drafting of this bill. While we are pleased that some of the suggestions incorporated improve the legislation, the unfortunate fact is that the draft legislation remains dangerously ambiguous with respect to encryption and security. This is no time to weaken encryption. Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid."

Google on Tuesday unveiled the Pixel 3 and Pixel 3 XL, its latest flagship Android smartphones. "For life on the go, we designed the world's best camera and put it in the world's most helpful phone," said Google's hardware chief Rick Osterloh. From a report: The Pixel 3 starts at $799 for 64GB, with the 3 XL costing $899. Add $100 to either for the 128GB storage option. Core specs for both include a Snapdragon 845, 4GB RAM (there's no option for more), Bluetooth 5.0, and front-facing stereo speakers. Also inside is a new Titan M security chip, which Google says provides "on-device protection for login credentials, disk encryption, app data, and the integrity of the operating system." Preorders for both phones begin today, and buyers will get six months of free YouTube Music service.

The Pixel 3 and 3 XL both feature larger screens than last year's models thanks to slimmed down bezels -- and the controversial notch in the case of the bigger phone. The 3 XL has a 6.3-inch display (up from six inches on the 2 XL), while the regular 3 has a 5.5-inch screen (up from five inches). Overall, though, the actual phones are very similar in size and handling to their direct predecessors. Google has stuck with a single rear 12.2-megapixel camera on both phones, continuing to resist the dual-camera industry trend. But it's a different story up front. Both the Pixel 3 and 3 XL have two front-facing cameras; one of them offers a wider field of view for getting more people or a greater sense of your surroundings into a selfie. [...] A new Top Shot option will select the best image from a burst series of shots. Like Samsung's Galaxy Note 9, it will weed out pictures that are blurry or snaps where someone blinked. Super Res Zoom uses multiple frames and AI to deliver a sharper final photo even without optical zoom. There's another interesting feature on the new Pixel handsets: To help you avoid calls from scammers, Google is adding Call Screen to the Pixel, a new option that appears when you receive a phone call. Whenever someone calls you, you can tap a "Screen call" button, and a robot voice will pick up. "The person you're calling is using a screening service, and will get a copy of this conversation. Go ahead and say your name, and why you're calling," the Google bot will say. As the caller responds, the digital assistant will transcribe the caller's message for you. If you need more information, you can use one of the feature's canned responses, which include, "Tell me more," and "Who is this?" There is an accept and reject call button that's on-screen, so you can hang up or take the call at any time.

An academic study published last month shows that despite years worth of research into the woeful state of network traffic inspection equipment, vendors are still having issues in shipping appliances that don't irrevocably break TLS encryption for the end user. From a report: Encrypted traffic inspection devices (also known as middleware), either special hardware or sophisticated software, have been used in enterprise networks for more than two decades. System administrators deploy such appliances to create a man-in-the-middle TLS proxy that can look inside HTTPS encrypted traffic, to scan for malware or phishing links or to comply with law enforcement or national security requirements.

[...] In the last decade, security researchers have looked closely at the issue of TLS inspection appliances that break or downgrade encryption. There has been much research on the topic, from research teams from all over the world. But despite years worth of warnings and research, some vendors still fail at keeping the proper security level of a TLS connection when relaying traffic through their equipment/software. Academic research [PDF] published at the end of September by three researchers from Concordia University in Montreal, Canada, shows that network traffic inspection appliances still break TLS security, even today.

A new encryption bill that's expected to be passed in Australia is facing strong opposition from tech heavyweights. A new group called "Alliance for a Safe and Secure Internet" has been formed by Australian industry, technology, and human rights groups to persuade the country from passing the bill, reports ZDNet. "The membership of the new alliance consists of Australian Communications Consumer Action Network, Access Now, Ai Group, Australian Information Industry Association, Amnesty International Australia, AMTA, Blueprint for Free Speech, members of Communications Alliance sans NBN, DIGI, Digital Rights Watch, Future Wise, Hack for Privacy, Human Rights Law Centre, Internet Australia, IoT Alliance Australia, and Liberty Victoria." The Guardian also notes that Google and Facebook are part of the group. From the report: The Bill is currently before the Parliamentary Joint Committee on Intelligence and Security, with a minuscule three-week window for submissions closing on Friday, October 12 and a hearing set for Friday, October 19. The proposed legislation would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content interception agencies want access to.

"This Bill stands to have a huge impact on millions of Australians, so it is crucial that lawmakers reject this proposal in its present form before we sleepwalk into a digital dystopia," said board member of Digital Rights Watch and alliance spokesperson Lizzie O'Shea. "The rushed processes coupled with the lack of transparency can only mean that expert opinions from Australia and abroad are being disregarded, and deep concerns about privacy erosion and lack of judicial review have simply been tossed aside."

An anonymous reader quotes a report from TechCrunch: U.S. government investigators have lost a case to force Facebook to wiretap calls made over its Messenger app. A joint federal and state law enforcement effort investigating the MS-13 gang had pushed a district court to hold the social networking giant in contempt of court for refusing to permit real-time listening in on voice calls. According to sources speaking to Reuters, the judge later ruled in Facebook's favor -- although, because the case remains under seal, it's not known for what reason. The case, filed in a Fresno, Calif. district court, centers on alleged gang members accused of murder and other crimes. The government had been pushing to prosecute 16 suspected gang members, but are said to have leaned on Facebook to obtain further evidence.

Brian Acton, a founder of WhatsApp, which he (along with the other founder) sold to Facebook for $19 billion four years ago, has grown tired of the social juggernaut. He left the company a year ago, and earlier this year, he surprised many when he tweeted "#DeleteFacebook", offering his support to what many described as a movement. He had started despising working at Facebook so much, that he left the company abruptly, leaving a cool $850M in unvested stock. He has also invested $50 million in encrypted chat app Signal. In an interview with Forbes, published Wednesday, Acton talked about his rationale behind leaving the company and what he thinks of Facebook now. From the story: Under pressure from Mark Zuckerberg and Sheryl Sandberg to monetize WhatsApp, he pushed back as Facebook questioned the encryption he'd helped build and laid the groundwork to show targeted ads and facilitate commercial messaging. Acton also walked away from Facebook a year before his final tranche of stock grants vested. "It was like, okay, well, you want to do these things I don't want to do," Acton says. "It's better if I get out of your way. And I did." It was perhaps the most expensive moral stand in history. Acton took a screenshot of the stock price on his way out the door -- the decision cost him $850 million.

He's following a similar moral code now. He clearly doesn't relish the spotlight this story will bring and is quick to underscore that Facebook "isn't the bad guy." ("I think of them as just very good businesspeople.") But he paid dearly for the right to speak his mind. "As part of a proposed settlement at the end, [Facebook management] tried to put a nondisclosure agreement in place," Acton says. "That was part of the reason that I got sort of cold feet in terms of trying to settle with these guys."

It's also a story any idealistic entrepreneur can identify with: What happens when you build something incredible and then sell it to someone with far different plans for your baby? "At the end of the day, I sold my company," Acton says. "I sold my users' privacy to a larger benefit. I made a choice and a compromise. And I live with that every day."

Facebook, Acton says, had decided to pursue two ways of making money from WhatsApp. First, by showing targeted ads in WhatsApp's new Status feature, which Acton felt broke a social compact with its users. "Targeted advertising is what makes me unhappy," he says. His motto at WhatsApp had been "No ads, no games, no gimmicks" -- a direct contrast with a parent company that derived 98% of its revenue from advertising. Another motto had been "Take the time to get it right," a stark contrast to "Move fast and break things." Elsewhere in the story, Acton has also suggested he was used by Facebook to help get its 2014 acquisition of WhatsApp past EU regulators that had been concerned it might be able to link accounts -- as it subsequently did.

Update: Facebook Executive Hits Back at WhatsApp Co-founder Brian Acton: 'A Whole New Standard of Low-Class'.

An anonymous reader quotes Softpedia: Purism announced Thursday that its highly anticipated Librem Key security key is now available for purchase as the first and only OpenPGP-based smart card to offer a Heads-firmware-integrated tamper-evident boot process for laptops. Developed in partnership with Nitrokey, a company known for manufacturing open-source USB keys that enable secure encryption and signing of data for laptops, Purism's Librem Key is dedicated to Librem laptop users, allowing them to store up to 4096-bit RSA keys and up to 512-bit ECC keys on the security key, as well as to securely generate new keys directly on the device. Librem Key integrates with the secure boot process of the latest Librem 13 and 15 laptops...

Designed to let Librem laptop users see if someone has tampered with the software on their computers when it boots, Librem Key leverages the Heads-enabled TPM (Trusted Platform Module) chip in new Librem 13 and Librem 15 laptops. According to Purism, when inserted, the security key will blink green to show users that the laptop hasn't been tampered with, so they can continue from where they left off, and blinks red when tampering has occurred.
Purism's web site explains: With so many attacks on password logins, most security experts these days recommend adding a second form of authentication (often referred to as "2FA" or "multi-factor authentication") in addition to your password so that if your password gets compromised the attacker still has to compromise your second factor.

USB security tokens work well as this second factor because they are "something you have" instead of "something you know" like a password is, and because they are portable enough you can just keep them in your pocket, purse, or keychain and use them only when you need to login to a secure site.

A number of Slashdot users have shared a leaked Google video from Breitbart, revealing the candid reactions of company executives to Donald Trump's unexpected victory in 2016. The Guardian summarizes: In an hour-long conversation, Google co-founders Sergey Brin and Larry Page, chief executive Sundar Pichai, and executives Kent Walker, Ruth Porat and Eileen Noughton offered their reflections on the election, sought to reassure employees about issues such as immigration status and benefits for same-sex partners, and answered questions on topics ranging from filter bubbles and political polarization to encryption and net neutrality. The executives' reactions ranged from the emotional to the philosophical to the purely pragmatic. Porat appeared near tears in discussing her open support for Hillary Clinton and her father, who was a refugee. Walker discussed global political trends toward nationalism, populism and xenophobia. Pichai noted that the company was already "thoughtfully engaging" with Trump's transition team. While Breitbart argues the video shows evidence of Google's inherent bias against Republicans, Google says the executives are simply sharing their "personal views" and that it has no political bias. It does beg the question, should politics be discussed in the workplace? Longtime Slashdot reader emil writes in response to the video: [...] Disregarding the completely inappropriate expression of partisan views in the workplace, the video claims that "history is our side." These executives appear to have forgotten the incredible tumult in the distant past of the U.S. The last election was not an electoral tie that was thrown into the house of representatives (as was the election of 1800). The last election did not open a civil war as happened in 1861 when Lincoln took office. The last election did not open war with Great Britain, and will likely not precipitate a new set of proposed constitutional amendments to curb presidential power as did either of James Madison's terms in office (War of 1812, Hartford Convention). There may be a time for tears, and a time for hugs, but that time cannot be in the workplace. Most Fortune 500 employees took the news of the latest president elect with quiet perseverance in their professional settings regardless of their leanings, and it is time for Google to encourage the same. "At a regularly scheduled all-hands meeting, some Google employees and executives expressed their own personal views in the aftermath of a long and divisive election season," Google said in a statement. "For over 20 years, everyone at Google has been able to freely express their opinions at these meetings. Nothing was said at that meeting, or any other meeting, to suggest that any political bias ever influences the way we build or operate our products. To the contrary, our products are built for everyone, and we design them with extraordinary care to be a trustworthy source of information for everyone, without regard to political viewpoint."

An anonymous reader quotes a report from The Verge: Researchers at KU Leuven have figured out a way to spoof Tesla's key fob system, as first reported by Wired. The result would let an attacker steal a Tesla simply by walking past the owner and cloning his key. The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars. This particular attack seems to have only worked on Model S units shipped before June, and in an update last week, Tesla pushed out an update that strengthened the encryption for the remaining vehicles. More importantly, the company added the option to require a PIN password before the car will start, effectively adding two-factor to your car. Tesla owners can add the PIN by disabling Passive Entry in the "Doors & Locks" section of "Settings."

The attack itself is fairly involved. Because of the back-and-forth protocol, attackers would first have to sniff out the car's Radio ID (broadcast from the car at all times), then relay that ID broadcast to a victim's key fob and listen for the response, typically from within three feet of the fob. If they can do that back-and-forth twice, the research team found they can work back to the secret key powering the fob's responses, letting them unlock the car and start the engine.

An anonymous reader writes: "A team of security researchers has raised the alarm about some cryptography-related issues with the newly released WebAuthn passwordless authentication protocol," reports ZDNet. "The new WebAuthn protocol will allow users of a device -- such as a computer or a smartphone -- to authenticate on a website using a USB security key, a biometric solution, or his computer or smartphone's password." But researchers say that because WebAuthn uses weak algorithms for the operations of registering a new device, they can pull off some attacks against it.

"If converted into a practical exploit, the ECDAA attacks discussed in the article would allow attackers to steal the key from a [server's] TPM, which would allow attackers to effectively clone the user's hardware security token remotely," Arciszewski, one of the researchers, told ZDNet. "The scenarios that follow depend on how much trust was placed into the hardware security token," he added. "At minimum, I imagine it would enable 2FA bypasses and re-enable phishing attacks. However, if companies elected to use hardware security tokens to obviate passwords, it would allow direct user impersonation by attackers." Attacks aren't practical, and experts say the root cause relies in badly written documentation that may fool some implementers into supporting the old algorithms instead of newer and more solid ones. The FIDO Alliance was notified and has started work on updating its docs so it won't look like it's recommending ECDAA or RSASSA-PKCS1-v1_5. "PKCS1v1.5 is bad. The exploits are almost old enough to legally drink alcohol in the United States," Arciszewski said.

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware. Krebs On Security reports: Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy's site and for mobile phone data collected by mSpy's software. The database required no authentication. Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said. In addition, the database included the Apple iCloud username and authentication token of mobile devices running mSpy, and what appear to be references to iCloud backup files. Anyone who stumbled upon this database also would have been able to browse the Whatsapp and Facebook messages uploaded from mobile devices equipped with mSpy. Other records exposed included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid. Also in the data set were mSpy user logs -- including the browser and Internet address information of people visiting the mSpy Web site.

The Five Eyes, the intelligence alliance between the U.S., U.K., Canada, Australia, and New Zealand, issued a statement warning they believe "privacy is not absolute" and tech companies must give law enforcement access to encrypted data or face "technological, enforcement, legislative or other measures to achieve lawful access solutions." Slashdot reader Bismillah shares a report: The governments of Australia, United States, United Kingdom, Canada and New Zealand have made the strongest statement yet that they intend to force technology providers to provide lawful access to users' encrypted communications. At the Five Country Ministerial meeting on the Gold Coast last week, security and immigration ministers put forward a range of proposals to combat terrorism and crime, with a particular emphasis on the internet. As part of that, the countries that share intelligence with each other under the Five-Eyes umbrella agreement, intend to "encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services." Such solutions will apply to products and services operated in the Five-Eyes countries which could legislate to compel their implementation. "Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions," the Five-Eyes joint statement on encryption said.

Last July, in Google's Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard, Forbes reported Monday. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions. From the report: When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office. Then came the satisfying thunk as the lock opened. It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.

Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they're properly protected. He was intrigued and digging deeper discovered a "hardcoded" encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect. Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. "Once I had my findings it became a priority. It was pretty bad," he told Forbes. Google then moved quickly to prevent attacks on its offices, according to Tomaschik.

According to Bloomberg, citing people with knowledge of the deal, Google purchased "a stockpile of Mastercard transactions" that allowed Google advertisers to see whether the ads they ran online led to a sale at a physical store in the U.S. This arrangement was never shared with the public. From the report: Alphabet's Google and Mastercard brokered a business partnership during about four years of negotiations. The alliance gave Google an unprecedented asset for measuring retail spending, part of the search giant's strategy to fortify its primary business against onslaughts from Amazon and others. But the deal, which has not been previously reported, could raise broader privacy concerns about how much consumer data technology companies like Google quietly absorb.

Google paid Mastercard millions of dollars for the data [...] and the companies discussed sharing a portion of the ad revenue. A spokeswoman for Google said there is no revenue sharing agreement with its partners. A Google spokeswoman declined to comment on the partnership with Mastercard, but addressed the ads tool. "Before we launched this beta product last year, we built a new, double-blind encryption technology that prevents both Google and our partners from viewing our respective users' personally identifiable information," the company said in a statement. "We do not have access to any personal information from our partners' credit and debit cards, nor do we share any personal information with our partners." The company said people can opt out of ad tracking using Google's "Web and App Activity" online console. Inside Google, multiple people raised objections that the service did not have a more obvious way for cardholders to opt out of the tracking.

On November 12th, WhatsApp users on Android will be able to back up their messages to Google Drive for free and it won't count towards Google Drive storage quotas. But, as WhatsApp warns, those messages will no longer be protected by end-to-end encryption. ZDNet reports: While Apple iOS users may elect to use iCloud backup storage options, Android users store theirs through Google Drive -- but alongside the changes, WhatsApp has reminded users that once communication, chat, and media is transferred away from the app, end-to-end encryption is no longer in place.

Some users may think that backup services will have the same level of protection as the app. However, this is not the case and the reminder is important for those interested in protecting their privacy. In WhatsApp support documents, this separation is now explicitly mentioned. "Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive," WhatsApp says.

Will Townsend, a senior analyst at Moor Insights & Strategy research firm, writes: As it relates to networking, the Linux Foundation is currently focused on a number of projects that are bringing top networking vendors, operators, service providers, and users together. Among the top initiatives are the Open Network Automation Platform (ONAP) and Data Plane Development Kit (DPDK). In this article, I would like to dive into both of these initiatives and share my perspective on how each is transforming the nature of networking [Editor's note: the website may have auto-playing videos; an alternative link was not available].

It makes sense that ONAP's releases are named after global cities, considering the platform's growing global footprint. ONAP is aimed at bringing real-time automation and orchestration to both physical and virtualized network functions. The first release in the fall of 2017, named Amsterdam, delivered a unified architecture for providing closed-loop networking automation. The underlying framework ensured a level of modularity to facilitate future functionality as well as standards harmonization and critical upstream partner collaboration. Initial use cases centered on Voice Over LTE (VoLTE) services as well as Virtualized Consumer Premise Equipment (vCPE). Both are extremely cost disruptive from a deployment and management perspective and deliver enhanced service provider agility. What I find extremely compelling is that Amsterdam was only an eight-month development cycle from start to release. That's an amazing feat even in the fast-paced technology industry.

[...] DPDK was an effort initially led by Intel at its inception nearly eight years ago, but became a part of the Linux Foundation back in 2017. At a high level, the technology accelerates packet processing workloads running on a variety of CPU architectures. DPDK is aimed at improving overall network performance, delivering enhanced encryption for improved security and optimizing lower latency applications that require lightning-fast response time. The transformative power of 5G networks lies in their potential to deliver low latency for applications such as augmented/virtual reality and self-driving cars -- DPDK will further extend that performance for next-generation wireless wide area networks. I had the opportunity recently to speak to project chair Jim St. Leger after the fifth DPDK release, and I was impressed with the depth and breadth of the open source project. Over 25 companies and 160 technologists are involved in advancing the effort. With the proliferation of data, cord cutting at home, and growing consumption of video over wired and wireless networks, high-quality compression techniques will dramatically improve performance and reliability. DPDK appears to be poised to contribute significantly to that effort.

An anonymous reader shares a report: Within the detailed federal allegations against former Trump lawyer Michael Cohen, who pleaded guilty earlier this week to eight charges including campaign finance violations, are multiple references to texts sent by Cohen and even a call made "through an encrypted telephone application." Cohen was apparently a fan of encrypted communications apps like WhatsApp and Signal, but those tools failed to keep his messages and calls out of sight from investigators. In June, prosecutors said in a court filing the FBI had obtained 731 pages of messages and call logs from those apps from Cohen's phones. Investigators also managed to reconstruct at least 16 pages of physically shredded documents. Those logs, judging by the charging document, appear to have helped document at least Cohen's communications with officials at the National Enquirer about allegations from porn actress Stormy Daniels -- whom Cohen allegedly paid on behalf of Trump, violating campaign finance law. It's unclear if the FBI actually broke through any layers of encryption to get the data. It's possible that Cohen, who apparently at times taped conversations, stored the conversation logs in a less-than-secure way.

An anonymous reader quotes the Sophos security blog: The Australian government wants to force companies to help it get at suspected criminals' data. If they can't, it would jail people for up to a decade if they refuse to unlock their phones. The country's Assistance and Access Bill, introduced this week for public consultation, strengthens the penalties for people who refuse to unlock their phones for the police. Under Australia's existing Crimes Act, judges could jail a person for two years for not handing over their data. The proposed Bill extends that to up to ten years, arguing that the existing penalty wasn't strong enough...

[C]ompanies would be subject to two kinds of government order that would compel them to help retrieve a suspect's information. The first of these is a "technical assistance notice" that requires telcos to hand over any decryption keys they hold. This notice would help the government in end-to-end encryption cases where the target lets a service provider hold their own encryption keys. But what if the suspect stores the keys themselves? In that case, the government would pull out the big guns with a second kind of order called a technical capability notice. It forces communications providers to build new capabilities that would help the government access a target's information where possible. In short, the government asks companies whether they can access the data. If they can't, then the second order asks them to figure out a way....

The government's explanatory note says that the Bill could force a manufacturer to hand over detailed specs of a device, install government software on it, help agencies develop their own "systems and capabilities", and notify agencies of major changes to their systems.
"[T]he proposed legislation also creates a new class of access warrant that lets police officers get evidence from devices in secret before the device encrypts it, including intercepting communications and using other computers to access the data. It also amends existing search and seizure warrants, allowing the cops to access data remotely, including online accounts."