LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today. "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass. If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added. "Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."

Google has announced that two of its latest privacy-enhancing technologies (PETs), including one that blurs objects in a video, will be provided to anyone for free via open source. From a report: The new tools are part of Google's Protected Computing initiative designed to transform "how, when and where data is processed to technically ensure its privacy and safety," the company said. The first is an internal project called Magritte, now out on Github, which uses machine learning to detect objects and apply a blur as soon as they appear on screen. It can disguise arbitrary objects like license plates, tattoos and more.

The other with the unwieldy name "Fully Homomorphic Encryption (FHE) Transpiler, allows developers to perform computations on encrypted data without being able to access personally identifiable information. Google says it can help industries like financial services, healthcare and government, "where a robust security guarantee around the processing of sensitive data is of highest importance." Google notes that PETs are starting to enter the mainstream after being mostly an academic exercise. The White House recently touted the technology, saying "it will allow researchers, physicians, and others permitted access to gain insights from sensitive data without ever having access to the data itself."

Google Workspace is rolling out a new security update on Gmail, adding end-to-end encryption that aims to provide an added layer of security when sending emails and attachments on the web. From a report: The update is still in the beta stages, but eligible Workspace customers with Enterprise Plus, Education Standard, and Education Plus accounts can fill out an application to test the program through Google's support center. Once the encryption update has been completed, Gmail Workspace customers will find that any sensitive information or data delivered cannot be decrypted by Google's servers.

According to the support center, the application window will be open until January 20, 2023, and once users have accessed the feature, they will be able to choose to turn on the additional encryption by selecting the padlock button when drafting their email. But once activated, some features will be disabled, including emojis, signatures, and Smart Compose. The encryption feature will be monitored and managed by users' administrators and comes after Google started working to add more encryption features to Gmail. The report notes that client-side encryption, or CSE, "is already available for Google Drive, including in apps like Google Docs, Sheets, and Slides. It's also in Google Meet, and is in the beta stage for Google Calendar."

An anonymous reader quotes a report from MacRumors: Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy. iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design": "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

WankerWeasel writes: Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple's highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

Elon Musk's SpaceX is expanding its Starlink satellite technology into military applications with a new business line called Starshield. CNBC reports: "While Starlink is designed for consumer and commercial use, Starshield is designed for government use," the company wrote on its website. Few details are available about the intended scope and capabilities of Starshield. The company hasn't previously announced tests or work on Starshield technology.

On its website, SpaceX said the system will have "an initial focus" on three areas: Imagery, communications and "hosted payloads" -- the third of which effectively offers government customers the company's satellite bus (the body of the spacecraft) as a flexible platform. The company also markets Starshield as the center of an "end-to-end" offering for national security: SpaceX would build everything from the ground antennas to the satellites, launch the latter with its rockets, and operate the network in space.

SpaceX notes that Starshield uses "additional high-assurance cryptographic capability to host classified payloads and process data securely," building upon the data encryption it uses with its Starlink system. Another key feature: the "inter-satellite laser communications" links, which the company currently has connecting its Starlink spacecraft. It notes that the terminals can be added to "partner satellites," so as to connect other companies' government systems "into the Starshield network."

Axios reports: "Although a quantum computer isn't expected until 2030, at the earliest, updating current encryption standards will take just as long," writes Axios, "creating a high-stakes race filled with unanswerable questions for national security and cybersecurity officials alike." As scientists, academics and international policymakers attended the first-ever Quantum World Congress conference in Washington this week, alarmism around the future of secure data was undercut by foundational questions of what quantum computing will mean for the world. "We don't even know what we don't know about what quantum can do," said Michael Redding, chief technology officer at Quantropi, during a panel about cryptography at the Quantum World Congress....

Some governments are believed to have already started stealing enemies' encrypted secrets now, so they can unlock them as soon as quantum computing is available. "It's the single-largest economic national-security issue we have ever faced as a Western society," said Denis Mandich, chief technology officer at Qrypt and a former U.S. intelligence official, at this week's conference. "We don't know what happens if they actually decrypt, operationalize and monetize all the data that they already have."

An anonymous reader quotes a report from TechCrunch: Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users. "In a blog post published today, Boxcryptor founders Andrea Pfundmeier and Robert Freudenreich say that their 'new mission' will be to embed Boxcryptor's technology into Dropbox," adds TechCrunch. "And after today, nobody will be able to create an account or buy any licenses from Boxcryptor -- it's effectively closing to new customers."

"But there are reasons why the news is being packaged the way it has. The company is continuing to support existing customers through the duration of their current contracts."

Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. From a report: Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users.

This month Road & Track looked at "increased cybersecurity measures" automakers are adding to car systems — and how it's affecting the vendors of "aftermarket" enhancements: As our vehicles start to integrate more complex systems such as Advanced Driver Assist Systems and over-the-air updates, automakers are growing wary of what potential bad actors could gain access to by way of hacking. Whether those hacks come in an attempt to retrieve personal customer data, or to take control of certain aspects of these integrated vehicles, automakers want to leave no part of that equation unchecked. "I think there are very specific reasons why the OEMs are taking encryption more seriously," HP Tuners director of marketing Eddie Xu told R&T. "There's personal identifiable data on vehicles, there's more considerations now than just engine control modules controlling the engine. It's everything involved."

In order to prevent this from becoming a potential safety or legal issue, companies like Ford have moved to heavily encrypt their vehicle's software. S650 Mustang chief engineer Ed Krenz specifically noted that the new FNV architecture can detect when someone attempts to modify any of the vehicle's coding, and that it can respond by shutting down an individual vehicle system or the vehicle entirely if that's what is required.

That sort of total lockout presents an interesting challenge for [car performance] tuners who rely on access to things like engine and transmission control modules to create their products.
Last month Ford acknowledged tuners would find the S650 Mustang "much more difficult," the article points out. And they add that Dodge also "intends to lock down the Engine Control Units of its upcoming electric muscle car offerings, though it will offer performance upgrades via its own over-the-air network."

"We don't want to lock the cars and say you can't modify them," Dodge CEO Kuniskis told Carscoops. "We just want to lock them and say modify them through us so that we know it's done right."

Thanks to long-time Slashdot reader schwit1 for submitting the article.

A new analysis has claimed that Apple's device analytics contain information that can directly link information about how a device is used, its performance, features, and more, directly to a specific user, despite Apple's claims otherwise. MacRumors reports: On Twitter, security researchers Tommy Mysk and Talal Haj Bakry have found that Apple's device analytics data includes an ID called "dsId," which stands for Directory Services Identifier. The analysis found that the dsId identifier is unique to every iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.

On Apple's device analytics and privacy legal page, the company says no information collected from a device for analytics purposes is traceable back to a specific user. "iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally," the company claims. In one possible differentiator, Apple says that if a user agrees to send analytics information from multiple devices logged onto the same iCloud account, it may "correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption." Even in doing so, however, Apple says the user remains unidentifiable to Apple. We've reached out to Apple for comment.

An anonymous reader shares a report: A little more than a year ago, Amazon, specifically Amazon Web Services, flashed its stacks of cash as it announced it was buying up the end-to-end encrypted messaging app Wickr. AWS users could suddenly use Wickr's services, and some reporters speculated Amazon could have been trying to make a move in the increasingly crowded encrypted messaging space. That's much more unlikely now as Amazon announced Monday it was nixing its secure messaging app Wickr Me.

The tech giant said that Wickr would instead be focused on business and public sector communications, specifically through AWS Wickr and Wickr Enterprise. The company will no longer allow registrations for Wickr Me after Dec. 31, and a year later, at the tail end of 2023, the app will be but a puff of smoke and a memory. Wickr was worth in the ballpark of $60 million when it was purchased, but just a few years ago Wickr was spouting off about its features that encrypted conference calls, which was a major evolution in the encrypted messaging space. Amazon's other messaging app, Chime, does videoconferencing without encryption. In September, Amazon finally added end-to-end encryption for the data sent to users through its Ring doorbells.

VMware today announced the launch of Fusion 13, the latest major update to the Fusion virtualization software. MacRumors reports: For those unfamiliar with Fusion, it is designed to allow Mac users to operate virtual machines to run non-macOS operating systems like Windows 11. Fusion 13 Pro and Fusion 13 Player are compatible with both Intel Macs and Apple silicon Macs equipped with M-series chips, offering native support. VMware has been testing Apple silicon support for several months now ahead of the launch of the latest version of Fusion.

With Fusion 13, Intel and Apple silicon Mac users can access Windows 11 virtual machines. Intel Macs offer full support for Windows 11, while on Apple silicon, VMware says there is a first round of features for Windows 11 on Arm. Users who need to run traditional win32 and x64 apps can do so through built-in emulation. Fusion 13 also includes a TPM 2.0 virtual device that can be added to any VM, storing contents in an encrypted section of the virtual machine files and offering hardware-tpm functionality parity. To support this feature, Fusion 13 uses a fast encryption type that encrypts only the parts of the VM necessary to support the TPM device for performance and security. The software supports OpenGL 4.3 in Windows and Linux VMs on Intel and in Linux VMs on Apple silicon.

Brian Krebs writes via KrebsOnSecurity: Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called "Zeppelin" in May 2020. He'd been on the job less than six months, and because of the way his predecessor architected things, the company's data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," the agent said. "We've found someone who can crack the encryption." Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder -- Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code. "The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. "If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!" [James and co-author Joel Lathrop wrote in a blog post]. "The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key." Unit 221B ultimately built a "Live CD" version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys. A more technical writeup on Unit 221B's discoveries (cheekily titled "0XDEAD ZEPPELIN") is available here.

Fearing the possibility of encryption-cracking quantum computers, Quanta magazine reports that researchers are "scrambling to produce new,'post-quantum' encryption scheme." Earlier this year, the National Institute of Standards and Technology revealed four finalists in its search for a post-quantum cryptography standard. Three of them use "lattice cryptography" — a scheme inspired by lattices, regular arrangements of dots in space.

Lattice cryptography and other post-quantum possibilities differ from current standards in crucial ways. But they all rely on mathematical asymmetry. The security of many current cryptography systems is based on multiplication and factoring: Any computer can quickly multiply two numbers, but it could take centuries to factor a cryptographically large number into its prime constituents. That asymmetry makes secrets easy to encode but hard to decode.... A quirk of factoring makes it vulnerable to attack by quantum computers.... Originally developed in the 1990s, [lattice cryptography] relies on the difficulty of reverse-engineering sums of points...

Of course, it's always possible that someone will find a fatal flaw in lattice cryptography... Cryptography works until it's cracked. Indeed, earlier this summer one promising post-quantum cryptography scheme was cracked using not a quantum computer, but an ordinary laptop.
At a recent panel discussion on post-quantum cryptography, Adi Shamir (the S in RSA), expressed concern that NIST's proposed solutions are predominantly based on lattice cryptography. "In some sense, we are putting all eggs in the same basket, but that is the best we have....

"The best advice for young researchers is to stay away from lattice-based post-quantum crypto," Shamir added. "What we really lack are entirely different ideas which will turn out to be secure. So any great idea for a new basis for public-key cryptography which is not using lattices will be greatly appreciated."

Thursday the Kudelski Group's cybersecurity division released "a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes."

"Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted." Even if the presence of the Shufflecake software itself cannot be hidden — and hence the presence of secret volumes is suspected — the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where "most hidden" secret volumes are buried under "less hidden" decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly "lie" to a coercive adversary about the existence of hidden data, by providing a password that unlocks "decoy" data.

Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a "spiritual successor" of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and can manage up to 15 nested volumes per device, so to make deniability of the existence of these partitions really plausible.
"The reason why this is important versus "simple" disc encryption is best illustrated in the famous XKCD comic 538," quips Slashdot reader Gaglia (in the original submission. But the big announcement from Kudelski Security Research calls it "a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes.

"Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.... The current release is still a non-production-ready prototype, so we advise against using it for really sensitive operations. However, we believe that future work will sensibly improve both security and performance, hopefully offering a really useful tool to people who live in constant danger of being interrogated with coercive methods to reveal sensitive information.

At its Zoomtopia conference, the company announced a bunch of features that are coming to its platform, including two key ones for productivity: email and calendars. Engadget reports: You can connect third-party email and calendar services to Zoom and access them through the desktop app. The company says that can help save you time instead of having to switch between apps and perhaps needing to hunt for the right tab in your browser. Those on the Zoom One Pro or Zoom Standard Pro plans will be able to set up email accounts through the platform, and folks with certain plans have the option to use custom domains. You'll get up to 100GB of storage included. The key selling point is that messages sent directly between Zoom Mail Service users (i.e. those who use Zoom's email hosting services) will have end-to-end encryption. You'll also be able to send external emails that can expire and contain access-restricted links.

As for Zoom Calendar, there will be options to see which of your contacts has joined a meeting, and you can schedule Zoom voice and video calls in the app. Zoom's own calendar service will include the ability to book appointments. On the way in 2023 is a feature called Zoom Spots. The company describes this as a virtual coworking space where colleagues can stay more connected during the workday via video-first conversations. While the company didn't reveal too much detail about Zoom Spots in its blog post, there may be a downside as the feature could enable bosses to keep a closer eye on what their employees are doing.

Businesses will soon be able to employ Zoom Virtual Agent, a conversational AI and chatbot designed to help customers resolve issues. That tool will be available in early 2023. Other things in the pipeline include a way for developers to make money from the Zoom Apps Marketplace and a virtual coach to help sellers perfect their pitches. As for the core functions people know Zoom for, there's a feature on the way that connects team chats with in-meeting chats. You'll be able to carry the conversation from one to the other and back again to keep things flowing. The company is also looking to roll out translation options for team chats in 2023. In the near future, you'll be able to schedule a chat message to send at a later time.

Zoom Phone is coming to the web, which should be handy for many folks. A progressive web app will be available for ChromeOS too. Meanwhile, users will be able to use a one-click chat message as a response when they can't answer a call. As for Zoom Rooms, there will be a way for folks in one of those to join a Google Meet room and vice versa. Last, but by no means least, Zoom revealed a string of updates for meetings. The Smart Recordings feature uses AI to generate summaries, next steps and chapters to make archived meetings more digestible and help you get to the part you're looking for. There will be meeting templates that can automatically configure the right settings and a way to record videos with narration and screensharing that you can send to colleagues. On top of that, you'll have more avatar options, including the ability to use a Meta avatar.

The Intercept reports that protesters in Iran "have often been left wondering how the government was able to track down their locations or gain access to their private communications — tactics that are frighteningly pervasive but whose mechanisms are virtually unknown."

But The Intercept now has evidence of a new possibility: While disconnecting broad swaths of the population from the web remains a favored blunt instrument of Iranian state censorship, the government has far more precise, sophisticated tools available as well. Part of Iran's data clampdown may be explained through the use of a system called "SIAM," a web program for remotely manipulating cellular connections made available to the Iranian Communications Regulatory Authority. The existence of SIAM and details of how the system works, reported here for the first time, are laid out in a series of internal documents from an Iranian cellular carrier that were obtained by The Intercept.

According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their phones. The tools can slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where. Such a system could help the government invisibly quash the ongoing protests — or those of tomorrow — an expert who reviewed the SIAM documents told The Intercept.

"SIAM can control if, where, when, and how users can communicate," explained Gary Miller, a mobile security researcher and fellow at the University of Toronto's Citizen Lab. "In this respect, this is not a surveillance system but rather a repression and control system to limit the capability of users to dissent or protest."
Thanks to long-time Slashdot reader mspohr for submitting the article.

Here's the Guardian's report on new cryptographic techniques where "you can share data while keeping that data private" — known by the umbrella term "privacy-enhancing technologies" (or "Pets). They offer opportunities for data holders to pool their data in new and useful ways. In the health sector, for example, strict rules prohibit hospitals from sharing patients' medical data. Yet if hospitals were able to combine their data into larger datasets, doctors would have more information, which would enable them to make better decisions on treatments. Indeed, a project in Switzerland using Pets has since June allowed medical researchers at four independent teaching hospitals to conduct analysis on their combined data of about 250,000 patients, with no loss of privacy between institutions. Juan Troncoso, co-founder and CEO of Tune Insight, which runs the project, says: "The dream of personalised medicine relies on larger and higher-quality datasets. Pets can make this dream come true while complying with regulations and protecting people's privacy rights. This technology will be transformative for precision medicine and beyond."

The past couple of years have seen the emergence of dozens of Pet startups in advertising, insurance, marketing, machine learning, cybersecurity, fintech and cryptocurrencies. According to research firm Everest Group, the market for Pets was $2bn last year and will grow to more than $50bn in 2026. Governments are also getting interested. Last year, the United Nations launched its "Pet Lab", which was nothing to do with the welfare of domestic animals, but instead a forum for national statistical offices to find ways to share their data across borders while protecting the privacy of their citizens.

Jack Fitzsimons, founder of the UN Pet Lab, says: "Pets are one of the most important technologies of our generation. They have fundamentally changed the game, because they offer the promise that private data is only used for its intended purposes...." The emergence of applications has driven the theory, which is now sufficiently well developed to be commercially viable. Microsoft, for example, uses fully homomorphic encryption when you register a new password: the password is encrypted and then sent to a server who checks whether or not that password is in a list of passwords that have been discovered in data breaches, without the server being able to identify your password. Meta, Google and Apple have also over the last year or so been introducing similar tools to some of their products.
The article offers quick explanations of zero-knowledge proofs, secure multiparty computation, and fully homomorphic encryption (which allows the performance of analytics on data by a second party who never reads the data or learns the result).

And "In addition to new cryptographic techniques, Pets also include advances in computational statistics such as 'differential privacy', an idea from 2006 in which noise is added to results in order to preserve the privacy of individuals."

The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from "significant national security risks." TechCrunch reports: Inspired by Energy Star, a labeling program operated by Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the "highest-risk" devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers. Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.

The initiative, described by White House officials as "Energy Star for cyber," will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Though specifics of the program have not yet been confirmed, the administration said it will "keep things simple." The labels, which will be "globally recognized" and debut on devices such as routers and home cameras, will take the form of a "barcode" that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.