An anonymous reader quotes a report from Ars Technica: Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on. The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm. [...]

On Tuesday, academic researchers unveiled new research demonstrating attacks that provide a novel way to exploit these types of side channels. The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader -- or of an attached peripheral device -- during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs. Power LEDs are designed to indicate when a device is turned on. They typically cast a blue or violet light that varies in brightness and color depending on the power consumption of the device they are connected to.

There are limitations to both attacks that make them unfeasible in many (but not all) real-world scenarios (more on that later). Despite this, the published research is groundbreaking because it provides an entirely new way to facilitate side-channel attacks. Not only that, but the new method removes the biggest barrier holding back previously existing methods from exploiting side channels: the need to have instruments such as an oscilloscope, electric probes, or other objects touching or being in proximity to the device being attacked. In Minerva's case, the device hosting the smart card reader had to be compromised for researchers to collect precise-enough measurements. Hertzbleed, by contrast, didn't rely on a compromised device but instead took 18 days of constant interaction with the vulnerable device to recover the private SIKE key. To attack many other side channels, such as the one in the World War II encrypted teletype terminal, attackers must have specialized and often expensive instruments attached or near the targeted device. The video-based attacks presented on Tuesday reduce or completely eliminate such requirements. All that's required to steal the private key stored on the smart card is an Internet-connected surveillance camera that can be as far as 62 feet away from the targeted reader. The side-channel attack on the Samsung Galaxy handset can be performed by an iPhone 13 camera that's already present in the same room. Videos here and here show the video-capture process of a smart card reader and a Samsung Galaxy phone, respectively, as they perform cryptographic operations. "To the naked eye, the captured video looks unremarkable," adds Ars.

"But by analyzing the video frames for different RGB values in the green channel, an attacker can identify the start and finish of a cryptographic operation."

An anonymous reader quotes a report from The Register: The world got a first glimpse into the US government's far-reaching surveillance of American citizens' communications -- namely, their Verizon telephone calls -- 10 years ago this week when Edward Snowden's initial leaks hit the press. [...] In the decade since then, "reformers have made real progress advancing the bipartisan notion that Americans' liberty and security are not mutually exclusive," [US Senator Ron Wyden (D-OR)] said. "That has delivered tangible results: in 2015 Congress ended bulk collection of Americans' phone records by passing the USA Freedom Act." This bill sought to end the daily snooping into American's phone calls by forcing telcos to collect the records and make the Feds apply for the information.

That same month, a federal appeals court unanimously ruled that the NSA's phone-records surveillance program was unlawful. The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union sued to end the secret phone spying program, which had been approved by the Foreign Intelligence Surveillance Court, just days after Snowden disclosed its existence. "Once it was pushed out into open court, and the court was able to hear from two sides and not just one, the court held that the program was illegal," Ben Wizner, director of the ACLU Speech, Privacy and Technology project, told The Register. The Freedom Act also required the federal government to declassify and release "significant" opinions of the Foreign Intelligence Surveillance Court (FISC), and authorized the appointment of independent amici -- friends of the court intended to provide an outside perspective. The FISC was established in 1978 under the FISA -- the legislative instrument that allows warrantless snooping. And prior to the Freedom Act, this top-secret court only heard the government's perspective on things, like why the FBI and NSA should be allowed to scoop up private communications.

"To its credit, the government has engaged in reforms, and there's more transparency now that, on the one hand, has helped build back some trust that was lost, but also has made it easier to shine a light on surveillance misconduct that has happened since then," Jake Laperruque, deputy director of the Center for Democracy and Technology's Security and Surveillance Project, told The Register. Wyden also pointed to the sunsetting of the "deeply flawed surveillance law," Section 215 of the Patriot Act, as another win for privacy and civil liberties. That law expired in March 2020 after Congress did not reauthorize it. "For years, the government relied on Section 215 of the USA Patriot Act to conduct a dragnet surveillance program that collected billions of phone records (Call Detail Records or CDR) documenting who a person called and for how long they called them -- more than enough information for analysts to infer very personal details about a person, including who they have relationships with, and the private nature of those relationships," Electronic Frontier Foundation's Matthew Guariglia, Cindy Cohn and Andrew Crocker said. James Clapper, the former US Director of National Intelligence, "stated publicly that the Snowden disclosures accelerated by seven years the adoption of commercial encryption," Wizner said. "At the individual level, and at the corporate level, we are more secure."

"And at the corporate level, what the Snowden revelations taught big tech was that even as the government was knocking on the front door, with legal orders to turn over customer data, it was breaking in the backdoor," Wizner added. "Government was hacking those companies, finding the few points in their global networks where data passed unencrypted, and siphoning it off." "If you ask the government -- if you caught them in a room, and they were talking off the record -- they would say the biggest impact for us from the Snowden disclosures is that it made big tech companies less cooperative," he continued. "I regard that as a feature, not a bug."

The real issue that the Snowden leaks revealed is that America's "ordinary system of checks and balances doesn't work very well for secret national security programs," Wizner said. "Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."

A new report has revealed that a government agency in the US, namely the Drug Enforcement Agency (DEA), is allegedly using a spyware called Paragon Graphite that shares similarities with the notorious Pegasus spyware. From a report: Pegasus was sold off to the government and other law firms. Moreover, we saw the firm making plenty of purchases through the likes of hackers. The software tends to give in to exploitation that can be achieved through zero clicks, all thanks to the great skill of hackers. Moreover, such software can produce its target without any interaction. [...] New reports by the Financial Times stated how the American Government makes use of this technology as it can pierce all sorts of protections linked to modern-day smart devices. Similarly, it can evade various forms of encryption for messaging applications such as WhatsApp and harvest data thanks to the likes of cloud backups. And yes, it's very similar to its counterpart Pegasus in this ordeal.

For now, the DEA is awfully hushed on the matter and not releasing any more comments on this situation. But it did reveal how its agency ended up purchasing Graphite to be used by agencies in Mexico so they could curb the drug cartel situation. "According to four [industry figures], the US Drug Enforcement and Administration Agency is among the top customers for Paragon's signature product nicknamed Graphite," reports the Financial Times. "The malware surreptitiously pierces the protections of modern smartphones and evades the encryption of messaging apps like Signal or WhatsApp, sometimes harvesting the data from cloud backups -- much like Pegasus does."

The report adds: "Congressman Adam Schiff, the chair of the House Intelligence Committee, wrote to the DEA in December asking for more details on the purchase. Mexico is among the worst abusers of NO's Pegasus which it bought nearly a decade ago.

Schiff wrote: "such use [of spyware] could have potential implications for US national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them."

An anonymous reader quotes a report from Wired: Spain has advocated banning encryption for hundreds of millions of people within the European Union, according to a leaked document obtained by WIRED that reveals strong support among EU member states for proposals to scan private messages for illegal content. The document, a European Council survey of member countries' views on encryption regulation, offered officials' behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe. The proposed law would require tech companies to scan their platforms, including users' private messages, to find illegal material. However, the proposal from Ylva Johansson, the EU commissioner in charge of home affairs, has drawn ire from cryptographers, technologists, and privacy advocates for its potential impact on end-to-end encryption.

For years, EU states have debated whether end-to-end encrypted communication platforms, such as WhatsApp and Signal, should be protected as a way for Europeans to exercise a fundamental right to privacy -- or weakened to keep criminals from being able to communicate outside the reach of law enforcement. Experts who reviewed the document at WIRED's request say it provides important insight into which EU countries plan to support a proposal that threatens to reshape encryption and the future of online privacy. Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain's position emerging as the most extreme. "Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document. The source of the document declined to comment and requested anonymity because they were not authorized to share it.

In its response, Spain said it is "imperative that we have access to the data" and suggests that it should be possible for encrypted communications to be decrypted. Spain's interior minister, Fernando Grande-Marlaska, has been outspoken about what he considers the threat posted by encryption. When reached for comment about the leaked document, Daniel Campos de Diego, a spokesperson for Spain's Ministry of Interior, says the country's position on this matter is widely known and has been publicly disseminated on several occasions. Edging close to Spain, Poland advocated in the leaked document for mechanisms through which encryption could be lifted by court order and for parents to have the power to decrypt children's communications. Several other countries say they would give law enforcement access to people's encrypted messages and communications. "Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge," says Ella Jakubowska, a senior policy advisor at European Digital Rights (EDRI) who reviewed the document. "They are seeing this law is going far beyond what DG home is claiming that it's there for."

A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said. From a report: "It's kind of like a doomsday scenario where it's very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication," Alex Matrosov, CEO, head of research, and founder of security firm Binarly, said in an interview. "It's very hard to solve, and I don't think MSI has any backup solution to actually block the leaked keys."

The intrusion came to light in April when, as first reported by Bleeping Computer, the extortion portal of the Money Message ransomware group listed MSI as a new victim and published screenshots purporting to show folders containing private encryption keys, source code, and other data. A day later, MSI issued a terse advisory saying that it had "suffered a cyberattack on part of its information systems." The advisory urged customers to get updates from the MSI website only. It made no mention of leaked keys. Since then, Matrosov has analyzed data that was released on the Money Message site on the dark web. To his alarm, included in the trove were two private encryption keys. The first is the signing key that digitally signs MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor. This raises the possibility that the leaked key could push out updates that would infect a computer's most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn't have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn't provide the same kind of key revocation capabilities.

An anonymous reader quotes a report from The Guardian: An EU plan under which all WhatsApp, iMessage and Snapchat accounts could be screened for child abuse content has hit a significant obstacle after internal legal advice said it would probably be annulled by the courts for breaching users' rights. Under the proposed "chat controls" regulation, any encrypted service provider could be forced to survey billions of messages, videos and photos for "identifiers" of certain types of content where it was suspected a service was being used to disseminate harmful material. The providers issued with a so-called "detection order" by national bodies would have to alert police if they found evidence of suspected harmful content being shared or the grooming of children.

Privacy campaigners and the service providers have already warned that the proposed EU regulation and a similar online safety bill in the UK risk end-to-end encryption services such as WhatsApp disappearing from Europe. Now leaked internal EU legal advice, which was presented to diplomats from the bloc's member states on 27 April and has been seen by the Guardian, raises significant doubts about the lawfulness of the regulation unveiled by the European Commission in May last year. The legal service of the council of the EU, the decision-making body led by national ministers, has advised the proposed regulation poses a "particularly serious limitation to the rights to privacy and personal data" and that there is a "serious risk" of it falling foul of a judicial review on multiple grounds.

The EU lawyers write that the draft regulation "would require the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution." The legal service goes on to warn that the European court of justice has previously judged the screening of communications metadata is "proportionate only for the purpose of safeguarding national security" and therefore "it is rather unlikely that similar screening of content of communications for the purpose of combating crime of child sexual abuse would be found proportionate, let alone with regard to the conduct not constituting criminal offenses." The lawyers conclude the proposed regulation is at "serious risk of exceeding the limits of what is appropriate and necessary in order to meet the legitimate objectives pursued, and therefore of failing to comply with the principle of proportionality". The legal service is also concerned about the introduction of age verification technology and processes to popular encrypted services. "The lawyers write that this would necessarily involve the mass profiling of users, or the biometric analysis of the user's face or voice, or alternatively the use of a digital certification system they note 'would necessarily add another layer of interference with the rights and freedoms of the users,'" reports the Guardian.

"Despite the advice, it is understood that 10 EU member states -- Belgium, Bulgaria, Cyprus, Hungary, Ireland, Italy, Latvia, Lithuania, Romania and Spain -- back continuing with the regulation without amendment."

Perhaps woken by news of its next premier first-party title already looking really impressive on emulators, Nintendo has moved to take down key tools for emulating and unlocking Switch consoles, including one that lets Switch owners grab keys from their own device. From a report: Simon Aarons maintained a forked repository of Lockpick, a tool (along with Lockpick_RCM) that grabbed the encryption keys from a Nintendo Switch and allowed it to run officially licensed games. Aarons tweeted on Thursday night that Nintendo had issued DMCA takedown requests to GitHub, asking Lockpick, Lockpick_RCM, and nearly 80 forks and derivations to be taken down under section 1201 of the Digital Millennium Copyright Act, which largely makes illegal the circumvention of technological protection measures that safeguard copyrighted material.

Nintendo's takedown request (RTF file) notes that the Switch contains "multiple technological protection measures" that allow the Switch to play only "legitimate Nintendo video game files." Lockpick tools, combined with a modified Switch, let users grab the cryptographic keys from their own Switch and use them on "systems without Nintendo's Console TPMs" to play "pirated versions of Nintendo's copyright-protected game software." GitHub typically allows repositories with DMCA strikes filed against them to remain open while their maintainers argue their case. Still, it was an effective move. Seeing Nintendo's move on Lockpick, a popular Switch emulator on Android, Skyline, called it quits over the weekend, at least as a public-facing tool you can easily download to your phone. In a Discord post (since removed, along with the Discord itself), developer "Mark" wrote that "the risks associated with a potential legal case are too high for us to ignore, and we cannot continue knowing that we may be in violation of copyright law."

Google will remove the familiar lock icon that allows users to check a website's Transport Layer Security status for the connection, citing research that only a few users correctly understood its precise meaning. From a report: The lock icon has been displayed by web browsers since the 1990s, indicating that the connection to web sites is secured and authenticated with encryption. However, Google said its 2021 research showed that only 11 percent of participants in a study correctly understood the meaning of the lock icon. This, Google argued, is not harmless since most phishing sites also use the hyper text transfer protocol secure extension (HTTPS) and also display the lock icon. Ergo, a lock icon is not in actual fact an indicator of a site's security. [...] Starting with Chrome version 117, Google will introduce a new "tune" icon, which does not imply a site is trustworthy, and is more obviously clickable. The "tune" icon is more commonly associated with settings and other control, and Google said a more neutral indicator like that prevents the misunderstanding around site security that the lock icon is causing.

After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."

An anonymous reader quotes a report from ZDNet, written by Steven Vaughan-Nichols: The latest Linux kernel is out with a slew of new features -- and, for once, this release has been nice and easy. [...] Speaking of Rust, everyone's favorite memory-safe language, the new kernel comes with user-mode Linux support for Rust code. Miguel Ojeda, the Linux kernel developer, who's led the efforts to bring Rust to Linux, said the additions mean we're, "getting closer to a point where the first Rust modules can be upstreamed."

Other features in the Linux 6.3 kernel include support and enablement for upcoming and yet-to-be-released Intel and AMD CPUs and graphics hardware. While these updates will primarily benefit future hardware, several changes in this release directly impact today's users' day-to-day experience. The kernel now supports AMD's automatic Indirect Branch Restricted Speculation (IBRS) feature for Spectre mitigation, providing a less performance-intensive alternative to the retpoline speculative execution.

Linux 6.3 also includes new power management drivers for ARM and RISC-V architectures. RISC-V has gained support for accelerated string functions via the Zbb bit manipulation extension, while ARM received support for scalable matrix extension 2 instructions. For filesystems, Linux 6.3 brings AES-SHA2-based encryption support for NFS, optimizations for EXT4 direct I/O performance, low-latency decompression for EROFS, and a faster Brtfs file-system driver. Bottom line: many file operations will be a bit more secure and faster.

For gamers, the new kernel provides a native Steam Deck controller interface in HID. It also includes compatibility for the Logitech G923 Xbox edition racing wheel and improvements to the 8BitDo Pro 2 wired game controllers. Who says you can't game on Linux? Single-board computers, such as BannaPi R3, BPI-M2 Pro, and Orange Pi R1 Plus, also benefit from updated drivers in this release. There's also support for more Wi-Fi adapters and chipsets. These include: Realtek RTL8188EU Wi-Fi adapter support; Qualcomm Wi-Fi 7 wireless chipset support; and Ethernet support for NVIDIA BlueField 3 DPU. For users dealing with complex networks that have both old-school and modern networks, the new kernel can also handle multi-path TCP handling mixed flows with IPv4 and IPv6. Linux 6.3 is available from kernel.org. You can learn how to compile the Linux kernel yourself here.

An anonymous reader quotes a report from Engadget: The controversial EARN IT Act, first introduced in 2020, is returning to Congress after failing twice to land on the president's desk. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, (EARN IT) Act is intended to minimize the proliferation of Child Sexual Abuse Material (CSAM) throughout the web, but detractors say it goes too far and risks further eroding online privacy protections.

Here's how it would work, according to the language of the bill's reintroduction last year. Upon passing, EARN IT would create a national commission composed of politically-appointed law enforcement specialists. This body would be tasked with making a list of best practices to ostensibly curb the digital distribution of CSAM. If online service providers do not abide by these best practices, they would potentially lose blanket immunity under Section 230 of the Communications Decency Act, opening them up to all kinds of legal hurdles -- including civil lawsuits and criminal charges. [...] The full text of H.R.2732 is not publicly available yet, so it's unclear if anything has changed since last year's attempt, though when reintroduced last year it was more of the same. (We've reached out to the offices of Reps. Wagner and Garcia for a copy of the bill's text.) A member of Senator Graham's office confirmed to Engadget that the companion bill will be introduced within the next week. It also remains to be seen if and when this will come up for a vote. Both prior versions of EARN IT died in committee before ever coming to a vote. The Center for Internet and Society at Stanford Law School, the Center for Democracy and Technology, and the American Civil Liberties Union all oppose the bill.

Those defending it include the Rape, Abuse & Incest National Network (RAINN), saying that it will "incentivize technology companies to proactively search for and remove" CSAM materials. "Tech companies have the technology to detect, remove, and stop the distribution of child sexual abuse material. However, there is no incentive to do so because they are subject to no consequences for their inaction."

Proton, the company behind Proton Mail, has announced the launch of a new password manager: Proton Pass. While the service will eventually become free for everyone to use, it's currently only available as a beta to Proton's Lifetime and Visionary users for now. From a report: As is the case with Proton's other products, Proton Pass uses end-to-end encryption (E2EE) that's supposed to keep your personal information away from prying eyes, including third parties and Proton itself. In addition to letting you store your usernames, passwords, and notes, you can also add any randomly generated email aliases that you can use as a replacement for your real address. Proton's new password manager not only applies E2EE to your passwords but also the usernames, web addresses, and all the other fields associated with your login information. In a blog post explaining the service's security model, Proton notes that "all cryptographic operations, including key generation and data encryption," happen locally on your device, which Protons says it can't decrypt, even if a third party requests it.

The FBI, Interpol and the UK's National Crime Agency have accused Meta of making a "purposeful" decision to increase end-to-end encryption in a way that in effect "blindfolds" them to child sex abuse. From a report: The Virtual Global Taskforce, made up of 15 law enforcement agencies, issued a joint statement saying that plans by Facebook and Instagram-parent Meta to expand the use of end-to-end encryption on its platforms were "a purposeful design choice that degrades safety systems," including with regards to protecting children. The law enforcement agencies also warned technology companies more broadly about the need to balance safeguarding children online with protecting users' privacy. "The VGT calls for all industry partners to fully appreciate the impact of implementing system design decisions that result in blindfolding themselves to CSA [child sexual abuse] occurring on their platforms or reduces their capacity to identify CSA and keep children safe," the statement said.

WhatsApp, Signal and other messaging services have urged the UK government to rethink the Online Safety Bill (OSB). From a report: They are concerned that the bill could undermine end-to-end encryption - which means the message can only be read on the sender and the recipient's app and nowhere else. Ministers want the regulator to be able to ask the platforms to monitor users, to root out child abuse images. The government says it is possible to have both privacy and child safety. "We support strong encryption," a government official said, "but this cannot come at the cost of public safety. "Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms. "The Online Safety Bill in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption." End-to-end encryption (E2EE) provides the most robust level of security because nobody other than the sender and intended recipient can read the message information. Even the operator of the app cannot unscramble messages as they pass across systems - they can be decrypted only by the people in the chat. "Weakening encryption, undermining privacy and introducing the mass surveillance of people's private communications is not the way forward," an open letter warns.

"What would it look like if we called time on Big Tech's failed experiment?" asks the co-editor of the Oxford-based magazine New Internationalist: A better social media would need to be decentralized... As well as avoiding a single point of failure (or censorship), this would help with other goals: community ownership, and democratic control, would be facilitated by having many smaller, perhaps more local, sites. Existing social media giants must be brought into public (and transnational) ownership — in a way that hands power to citizens, not governments. But they should also be broken up, using existing anti-monopoly rules.

It is hard to know what sort of algorithms would best promote real community until we try... But the algorithms that determine what enters peoples' social feeds must be transparent: open source, open for scrutiny, and for change. We could also adapt from sites like Wikipedia (collectively edited) and Reddit (where posts and comments' visibility is determined by user votes). Moderation policies — what content is and isn't allowed — could be decided collectively, according to groups' needs....

An important step towards a decentralized social network would be interoperability, and data portability. Different sites need to be able to talk to each other (or 'federate'), just as email providers or mobile operators are required to. There's no point being on a site if your friends aren't, but if your server can relay messages to theirs there is less of a barrier. Meanwhile encryption will be vital for privacy.

One particularly intriguing idea is that of artist and software developer Darius Kazemi, who suggests every public library — there are 2.7 million worldwide — could host its own federated social media server. As well as providing local accountability and access, and boosting increasingly defunded neighbourhood assets, these servers would benefit from librarians' expertise in curating information.

An anonymous reader quotes a report from Ars Technica: When you first start messing with the command line, it can feel like there's an impermeable wall between the local space you're messing around in and the greater Internet. On your side, you've got your commands and files, and beyond the wall, there are servers, images, APIs, webpages, and more bits of useful, ever-changing data. One of the most popular ways through that wall has been cURL, or "client URL," which turns 25 this month.

The cURL tool started as a way for programmer Daniel Stenberg to let Internet Chat Relay users quickly fetch currency exchange rates while still inside their chat window. As detailed in an archived history of the project, it was originally built off an existing command-line tool, httpget, built by Rafael Sagula. A 1.0 version was released in 1997, then changed names to urlget by 2.0, as it had added in GOPHER, FTP, and other protocols. By 1998, the tool could upload as well as download, and so version 4.0 was named cURL. Over the next few years, cURL grew to encompass nearly every Internet protocol, work with certificates and encryption, offer bindings for more than 50 languages, and be included in most Linux distributions and other systems. The cURL project now encompasses both the command-line command itself and the libcurl library. In 2020, the project's history estimated the command and library had been installed in more than 10 billion instances worldwide.

How do you celebrate a piece of indispensable Internet architecture turning 25? Stenberg plans to host a "Zoom birthday party" at 17:00 UTC time on March 20. Double-check that time in your area: "It is within this weird period between [when] the US has switched to daylight saving time while Europe has not yet switched," Stenberg writes on his blog. Stenberg plans to sip on a 25-year Bowmore Islay single-malt Scotch, while presenting the project's history and future plans while taking questions. (A link to the Zoom call will be added to Stenberg's blog post closer to March 20.)

An anonymous reader quotes a report from The Guardian: WhatsApp would refuse to comply with requirements in the online safety bill that attempted to outlaw end-to-end encryption, the chat app's boss has said, casting the future of the service in the UK in doubt. Speaking during a UK visit in which he will meet legislators to discuss the government's flagship internet regulation, Will Cathcart, Meta's head of WhatsApp, described the bill as the most concerning piece of legislation currently being discussed in the western world.

He said: "It's a remarkable thing to think about. There isn't a way to change it in just one part of the world. Some countries have chosen to block it: that's the reality of shipping a secure product. We've recently been blocked in Iran, for example. But we've never seen a liberal democracy do that. "The reality is, our users all around the world want security," said Cathcart. "Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users."

The UK government already has the power to demand the removal of encryption thanks to the 2016 investigatory powers act, but WhatsApp has never received a legal demand to do so, Cathcart said. The online safety bill is a concerning expansion of that power, because of the "grey area" in the legislation. Under the bill, the government or Ofcom could require WhatsApp to apply content moderation policies that would be impossible to comply with without removing end-to-end encryption. If the company refused to do, it could face fines of up to 4% of its parent company Meta's annual turnover -- unless it pulled out of the UK market entirely.

schwit1 shares an excerpt from a Substack article, written by former cybersecurity reporter Catalin Cimpanu: The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal -- which, ironically, all Canadians must use when doing their taxes and/or running their business. The CRA's terms of use assert the agency is not liable because they have "taken all reasonable steps to ensure the security of this Web site."

Excerpt from the CRA terms statement: "10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result."

Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used. Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications.

The terms of use also state that users are not allowed to use "any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services." Looking at the HTTP response headers using web browser developer tools doesn't breach the terms of services, but the CRA must be well aware that internet users perform scans like this all the time. And it's not the legitimate My Account users who are likely to be the culprits. Unfortunately for Canadians, threat actors don't read terms of use pages. A statement like this doesn't protect anyone, except CRA, from being held responsible for failing to properly secure Canadian citizens' personal data.

Gmail client-side encryption (CSE) is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. BleepingComputer reports: The feature was first introduced in Gmail on the web as a beta test in December 2022, after being available in Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (in beta) since last year. Once enabled, Gmail CSE ensures that any sensitive data sent as part of the email's body and attachments (including inline images) will be unreadable and encrypted before reaching Google's servers. It's also important to note that the email header (including subject, timestamps, and recipients lists) will not be encrypted. "Client-side encryption takes this encryption capability to the next level by ensuring that customers have sole control over their encryption keys -- and thus complete control over all access to their data," Googled explained.

"Starting today, users can send and receive emails or create meeting events with internal colleagues and external parties, knowing that their sensitive data (including inline images and attachments) has been encrypted before it reaches Google servers. As customers retain control over the encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities."

wiredmikey shares a report from SecurityWeek: Password management software firm LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources. LastPass on Monday fessed up a "second attack" where an unnamed threat actor combined data stolen from an August breach with information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated attack. [...]

LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer's home computer was targeted to get around security mitigations. The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee's personal computer. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," the company said. "The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups," LastPass confirmed. LastPass originally disclosed the breach in August 2022 and warned that "some source code and technical information were stolen."

SecurityWeek adds: "In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information."