Amazon-owned Ring allowed employees to access customers' live camera feeds, according to a report from The Intercept. "Ring's engineers and executives have 'highly privileged access' to live camera feeds from customers' devices," reports 9to5Google. "This includes both doorbells facing the outside world, as well as cameras inside a person's home. A team tasked with annotating video to aid in object recognition captured 'people kissing, firing guns, and stealing.'" From the report: U.S. employees specifically had access to a video portal intended for technical support that reportedly allowed "unfiltered, round-the-clock live feeds from some customer cameras." What's surprising is how this support tool was apparently not restricted to only employees that dealt with customers. The Intercept notes that only a Ring customer's email address was required to access any live feed.

According to the report's sources, employees had a blase attitude to this potential privacy violation, but noted that they "never personally witnessed any egregious abuses." Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing "every video created by every Ring camera around the world." What's more, these employees had a "corresponding database that linked each specific video file to corresponding specific Ring customers." Also bothersome is Ring's reported stance towards encryption. Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access." In response to the report, Ring said: "We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."

With signs that the New York trial of notorious Mexican drug lord and alleged mass murderer Joaquin "El Chapo" Guzman is entering its end phase, prosecutors on Tuesday played copies of what they said were audio recordings of Guzman the FBI obtained "after they infiltrated his encrypted messaging system" with the help of Colombian and former cartel systems engineer Cristian Rodriguez, Reuters reported. Gizmodo reports: As has been previously reported by Vice, Colombian drug lord Jorge Cifuentes testified that Rodriguez had forgot to renew a license key critical to the communications network of Guzman's Sinaloa Cartel in September 2010, forcing cartel leaders to temporarily rely on conventional cell phones. Cifuentes told the court he considered Rodriguez "an irresponsible person" who had compromised their security, with a terse phone call played by prosecutors showing Cifuentes warned the subordinate he was in "charge of the system always working."

But on Tuesday it was revealed that the FBI had lured Rodriguez into a meeting with an agent posing as a potential customer much earlier, in February 2010, according to a report in the New York Times. Later, they flipped Rodriguez, having him transfer servers from Canada to the Netherlands in a move masked as an upgrade. During that process, Rodriguez slipped investigators the network's encryption keys. The communications system ran over Voice over Internet Protocol (VoIP), with only cartel members able to access it. Getting through its encryption gave authorities access to roughly 1,500 of Guzman's and other cartel members' calls from April 2011 to January 2012, the Times wrote, with FBI agents able to identify ones placed by the drug lord by "comparing the high-pitched, nasal voice on the calls with other recordings of the kingpin, including a video interview he gave to Rolling Stone in October 2015."

hmckee writes: OSNews was offline for a few days for upgrades. It is now back up with a message that indicates they encountered a data breach and considered going offline for good due to maintenance and financial difficulties. "Our best guess is that someone was able to exploit a vulnerability in old, unmaintained code in the site's content management system, and made off with at least some user data, which may be as little as a few user records or, at worst, our entire database," writes Publisher David Adams. "Your email addresses were in there, and the encryption on the passwords wasn't up to modern standards (unsalted SHA1). [...] Other than potential spam, though, we're not aware of any other nefarious use of your data, we don't store much beyond email addresses and passwords..."

David goes on to cite poor advertising revenues and a lack of time for reasons to throw in the towel and go offline permanently.

For years, Mozilla has largely neglected development of Thunderbird, an email client it owns. But the company, which grew its team to eight staff last year, says it plans to address most of the issues that users have complained about and add six more people to Thunderbird staff this year, it said in a blog post. In the blog post Wednesday, the company said: Our hires are already addressing technical debt and doing a fair bit of plumbing when it comes to Thunderbird's codebase. Our new hires will also be addressing UI-slowness and general performance issues across the application. This is an area where I think we will see some of the best improvements in Thunderbird for 2019, as we look into methods for testing and measuring slowness -- and then put our engineers on architecting solutions to these pain points. Beyond that, we will be looking into leveraging new, faster technologies in rewriting parts of Thunderbird as well as working toward a multi-process Thunderbird.

[...] For instance, one area of usability that we are planning on addressing in 2019 is integration improvements in various areas. One of those in better Gmail support, as one of the biggest email providers it makes sense to focus some resources on this area. We are looking at addressing Gmail label support and ensuring that other features specific to the Gmail experience translate well into Thunderbird. We are looking at improving notifications in Thunderbird, by better integrating with each operating system's built-in notification system. By working on this feature Thunderbird will feel more "native" on each desktop and will make managing notifications from the app easier.

The UX/UI around encryption and settings will get an overhaul in the coming year, whether or not all this work makes it into the next release is an open question â" but as we grow our team this will be a focus. It is our hope to make encrypting Email and ensuring your private communication easier in upcoming releases, we've even hired an engineer who will be focused primarily on security and privacy.

Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.

Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.

Click through for a list of the software projects for which bug bounties will be offered.

India's government wants to make it mandatory for platforms like Facebook, WhatsApp, Twitter, and Google, to remove content it deems "unlawful" within 24 hours of notice, and create "automated tools" to "proactively identify and remove" such material. From a report: It also wants tech companies to build in a way to trace the source of the content, which would require platforms like WhatsApp to break end-to-end encryption. India's Ministry of Electronics and Information Technology (MeitY) published [PDF] the proposed rules on its website following a report on Monday by The Indian Express revealing the government's proposal to modify the country's primary IT law to work them in. The report comes days after India's government seemingly authorized 10 federal agencies to snoop into every computer in the country last week. The proposed measures have provoked concerns from privacy activists who claim they would threaten free speech and enable mass surveillance.

[...] If India does work these rules into its IT law, it would have precedent: Earlier this month, Australia passed a controversial encryption bill that would require technology companies to give law enforcement agencies access to encrypted communications, saying that it was essential to stop terrorists and criminals who rely on secure messaging apps to communicate.

President Donald Trump last week signed legislation ramping up quantum computing research and development. From a report: The National Quantum Initiative Act (H.R. 6227) authorizes $1.2 billion over five years for federal activities aimed at boosting investment in quantum information science, or QIS, and supporting a quantum-smart workforce. The law also establishes a National Quantum Coordination Office, calls for the development of a five-year strategic plan and establishes an advisory committee to advise the White House on issues relating to quantum computing. "This next great technological revolution has far-reaching implications for job creation, economic growth and national security," Michael Kratsios, deputy assistant to the president for technology policy, said in a White House statement. "We look forward to building upon efforts to support the quantum-smart workforce of the future and engage with government, academic and private-sector leaders to advance QIS."

[...] Earlier this month, a report from the National Academies of Science said there is an urgent need to develop "post-quantum" encryption protocols in order to protect commerce and national security. QIS research could also produce new types of quantum processors, sensors, navigation tools and security systems. The challenges could bring about "new approaches to understanding materials, chemistry and even gravity through quantum information theory," according to a White House strategy paper issued in September.

Tim May, co-founder of the influential Cypherpunks mailing list and a significant influence on both bitcoin and WikiLeaks, passed away in mid-December at his home in Corralitos, California. The news was announced last Saturday on a Facebook post written by his friend Lucky Green. Long-time Slashdot reader SonicSpike quotes Reason: In his influential 1988 essay, "The Crypto Anarchist Manifesto," May predicted that advances in computer technology would eventually allow "individuals and groups to communicate and interact with each other" anonymously and without government intrusion. "These developments will alter completely the nature of government regulation [and] the ability to tax and control economic interactions," he wrote... Running 497 words, it was his most influential piece of writing... May became convinced that public-key cryptography combined with networked computing would break apart social power structures...

In September 1992, May and his friends Eric Hughes and Hugh Daniels came up with the idea of setting up an online mailing list to discuss their ideas. Within a few days of its launch, a hundred people had signed up for the Cypherpunks mailing list. (The group's name was coined by Hughes' girlfriend as a play on the "cyberpunk" genre of fiction.) By 1997, it averaged 30 messages daily with about 2,000 subscribers. May was its most prolific contributor. May and Hughes, along with free speech activist John Gilmore, wore masks on the cover of the second issue of Wired magazine accompanying a profile by journalist Steven Levy, who described the Cypherpunks as "more a gathering of those who share a predilection for codes, a passion for privacy, and the gumption to do something about it...."

WikiLeaks founder Julian Assange was an active reader and participant on the list, contributing his first posts in 1995 under the name "Proff."
The article notes that May "recently expressed disgust with the current state of the cryptocurrency community, citing its overpriced conferences and the advent of 'bitcoin exchanges that have draconian rules about KYC, AML, passports, freezes on accounts and laws about reporting 'suspicious activity' to the local secret police.'"

In his last published interview he told CoinDesk "I think Satoshi would barf."

Several readers have shared a report: The Indian government has authorized 10 central agencies to intercept, monitor, and decrypt data on any computer, sending a shock wave through citizens and privacy watchdogs. Narendra Modi's government late Thursday broadened the scope of Section 69 of the nation's IT Act, 2000 to require a subscriber, service provider, or any person in charge of a computer to "extend all facilities and technical assistance to the agencies." Failure to comply with the agencies could result in seven years of imprisonment and an unspecified fine. In a clarification posted today, the Ministry of Home Affairs said each case of interception, monitoring, and decryption is to be approved by the competent authority, which is the Union Home Secretary.

Explaining the rationale behind the order, India's IT minister, Ravi Shankar Prasad, said that the measure was undertaken in the interests of national security. He added that some form of "tapping" has already been going on in the country for a number of years and that the new order would help bring structure to that process. "Always remember one thing," he said in a televised interview. "Even in the case of a particular individual, the interception order shall not be effective unless affirmed by the Home Secretary."

The Internet Freedom Foundation, a nonprofit organization that protects the online rights of citizens in India, cautioned that the order goes beyond telephone tapping. It includes looking at content streams and might even involve breaking encryption in some cases. "Imagine your search queries on Google over [a number of] years being demanded -- mixed with your WhatsApp metadata, who you talk to, when, and how much [and add] layers of data streams from emails + Facebook," it said. "To us this order is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar Judgement," it asserted.

Videos and pictures of children being subjected to sexual abuse are being openly shared on Facebook's WhatsApp on a vast scale, with the encrypted messaging service failing to curb the problem despite banning thousands of accounts every day. From a report: Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp's automated systems. A report reviewed by TechCrunch from two Israeli NGOs details how third-party apps for discovering WhatsApp groups include "Adult" sections that offer invite links to join rings of users trading images of child exploitation. TechCrunch has reviewed materials showing many of these groups are currently active.

TechCrunch's investigation shows that Facebook could do more to police WhatsApp and remove this kind of content. Even without technical solutions that would require a weakening of encryption, WhatsApp's moderators should have been able to find these groups and put a stop to them. Groups with names like "child porn only no adv" and "child porn xvideos" found on the group discovery app "Group Links For Whats" by Lisa Studio don't even attempt to hide their nature.

Better manual investigation of these group discovery apps and WhatsApp itself should have immediately led these groups to be deleted and their members banned. While Facebook doubled its moderation staff from 10,000 to 20,000 in 2018 to crack down on election interference, bullying, and other policy violations, that staff does not moderate WhatsApp content. With just 300 employees, WhatsApp runs semi-independently, and the company confirms it handles its own moderation efforts. That's proving inadequate for policing at 1.5 billion user community. It's a similar problem that WhatsApp, used by more than a billion users, is facing in developing markets where its service is being used to spread false information.

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

An anonymous reader shares a report: The quantum internet is starting small, but growing. Researchers have created a network that lets four users communicate simultaneously through channels secured by the laws of quantum physics, and they say it could easily be scaled up. Soren Wengerowsky at the University of Vienna and his colleagues devised a network that uses quantum key distribution (QKD) to keep messages secure [the link is paywalled]. The general principle of QKD is that two photons are entangled, meaning their quantum properties are linked. Further reading: Nature.

Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The Anti-Encryption Bill, as it is known as, would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content agencies they want access to. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subjected to statutory time limits, as well as any extension, renewal, or variation to the notices; the systemic weakness clause to apply to all listing acts and things; and the double-lock mechanism of approval from Attorney-General and Minister of Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process."

The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices are able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee will review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called. In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to the Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law.

UPDATE: The encryption bill has passed the Senate with a final vote of 44-12, with Labor and the Coalition voting for it. "Australia's security and intelligence agencies now have legal authority to force encryption services to break the encryptions, reports The Guardian. Story is developing...

An anonymous reader quotes a report from MIT Technology Review: The world relies on encryption to protect everything from credit card transactions to databases holding health records and other sensitive information. A new report from the U.S. National Academies of Sciences, Engineering, and Medicine says we need to speed up preparations for the time when super-powerful quantum computers can crack conventional cryptographic defenses. The experts who produced the report, which was released today, say widespread adoption of quantum-resistant cryptography "will be a long and difficult process" that "probably cannot be completed in less than 20 years." It's possible that highly capable quantum machines will appear before then, and if hackers get their hands on them, the result could be a security and privacy nightmare.

Today's cyberdefenses rely heavily on the fact that it would take even the most powerful classical supercomputers almost unimaginable amounts of time to unravel the cryptographic algorithms that protect our data, computer networks, and other digital systems. But computers that harness quantum bits, or qubits, promise to deliver exponential leaps in processing power that could break today's best encryption. The report cites an example of encryption that protects the process of swapping identical digital keys between two parties, who use them to decrypt secure messages sent to one another. A powerful quantum computer could crack RSA-1024, a popular algorithmic defense for this process, in less than a day. The U.S., Israel and others are working to develop standards for quantum-proof cryptographic algorithms, but they may not be ready or widely adopted by the time quantum computers arrive.

"[I]t will take at least a couple of decades to get quantum-safe cryptography broadly in place," the report says in closing. "If that holds, we're going have to hope it somehow takes even longer before a powerful quantum computer ends up in a malicious hacker's hands."

Australia is set to give its police and intelligence agencies the power to access encrypted messages on platforms such as WhatsApp, becoming the latest country to face down privacy concerns in the name of public safety. From a report: Amid protests from companies such as Facebook and Google, the government and main opposition struck a deal on Tuesday that should see the legislation passed by parliament this week. Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data.

Prime Minister Scott Morrison has said the legislation is needed to help foil terrorist attacks and organized crime. Critics say it is flawed and could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.

An anonymous reader quotes a report from Ars Technica: Earlier this year, a federal judge in Fresno, California, denied prosecutors' efforts to compel Facebook to help it wiretap Messenger voice calls. But the precise legal arguments that the government made, and that the judge ultimately rejected, are still sealed. On Wednesday, the American Civil Liberties Union formally asked the judge to unseal court dockets and related rulings associated with this ongoing case involving alleged MS-13 gang members. ACLU lawyers argue that such a little-charted area of the law must be made public so that tech companies and the public can fully know what's going on.

In their new filing, ACLU lawyers pointed out that "neither the government's legal arguments nor the judge's legal basis for rejecting the government motion has ever been made public." The attorneys continued, citing a "strong public interest in knowing which law has been interpreted" and referencing an op-ed published on Ars on October 2 as an example. The ACLU argued that the case is reminiscent of the so-called "FBI v. Apple" legal showdown -- whose docket and related filings were public -- where the government made novel arguments in an attempt to crack the encryption on a seized iPhone. Those legal questions were never resolved, as the government said the day before a scheduled hearing that it had found a company to assist in its efforts. "Moreover, the sealing of the docket sheet in this case impermissibly prevents the public from knowing anything about the actions of both the judiciary and the executive in navigating a novel legal issue, which has the potential to reoccur in the future," the ACLU's attorneys continued.

"The case involves the executive branch's attempt to force a private corporation to break the encryption and other security mechanisms on a product relied upon by the public to have private conversations. The government is not just seeking information held by a third party; rather, it appears to be attempting to get this Court to force a communications platform to redesign its product to thwart efforts to secure communications between users."

Mozilla has released its second annual "Privacy Not Included" guide that rates 70 products to help give you an idea as to how secure or insecure they are. "We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet," says Ashley Boyd, vice president of advocacy at Mozilla. "These products are becoming really popular. And in some cases, it's easy to forget that they're even connected to the internet." Wired reports: Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn't take a PhD to parse. The most surprising result of Mozilla's testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the "Privacy Not Included" guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier.

On the other end of the scale, Mozilla highlighted seven products that may not hit the mark -- yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor. The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. "If you can't tell, that says that there's a problem of communication between manufacturers and consumers," says Boyd. "We would love for makers of these products to be more clear and more transparent about what they're doing and not doing. That's a big place we think change is needed."

Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.

"The HTTP-over-QUIC experimental protocol will be renamed to HTTP/3 and is expected to become the third official version of the HTTP protocol, officials at the Internet Engineering Task Force (IETF) have revealed," writes Catalin Cimpanu via ZDNet. "This will become the second Google-developed experimental technology to become an official HTTP protocol upgrade after Google's SPDY technology became the base of HTTP/2." From the report: HTTP-over-QUIC is a rewrite of the HTTP protocol that uses Google's QUIC instead of TCP (Transmission Control Protocol) as its base technology. QUIC stands for "Quick UDP Internet Connections" and is, itself, Google's attempt at rewriting the TCP protocol as an improved technology that combines HTTP/2, TCP, UDP, and TLS (for encryption), among many other things. Google wants QUIC to slowly replace both TCP and UDP as the new protocol of choice for moving binary data across the Internet, and for good reasons, as test have proven that QUIC is both faster and more secure because of its encrypted-by-default implementation (current HTTP-over-QUIC protocol draft uses the newly released TLS 1.3 protocol).

In a mailing list discussion last month, Mark Nottingham, Chair of the IETF HTTP and QUIC Working Group, made the official request to rename HTTP-over-QUIC as HTTP/3, and pass it's development from the QUIC Working Group to the HTTP Working Group. In the subsequent discussions that followed and stretched over several days, Nottingham's proposal was accepted by fellow IETF members, who gave their official seal of approval that HTTP-over-QUIC become HTTP/3, the next major iteration of the HTTP protocol, the technology that underpins today's World Wide Web.

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data steam, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.