from the good-for-him dept

There are very few things in life that former NSA and CIA director Michael Hayden and I agree on. For years, he was a leading government champion for trashing the 4th Amendment and conducting widespread surveillance on Americans. He supported the CIA's torture program and (ridiculously) complained that having the US government publicly reckon with that torture program would help terrorists.

But, there is one thing that he and I agree on: putting backdoors into encryption is a horrible, dreadful, terrible idea. He surprised many people by first saying this five years ago, and he's repeated it a bunch since then -- including in a recent Bloomberg piece, entitled: Encryption Backdoors Won't Stop Crime But Will Hurt U.S. Tech. In it, he makes two great points. First, backdooring encryption will make Americans much less safe:

We must also consider how foreign governments could master and exploit built-in encryption vulnerabilities. What would Chinese, Russian and Saudi authorities do with the encrypted-data access that U.S. authorities would compel technology companies to create? How might this affect activists and journalists in those countries? Would U.S. technology companies suffer the fate of some of their Australian counterparts, which saw foreign customers abandon them after Australia passed its own encryption-busting law?

Separately, he points out that backdooring encryption won't even help law enforcement do what it thinks it wants to do with backdoors:

Proposals that law-enforcement agencies be given backdoor access to encrypted data are unlikely to achieve their goals, because even if Congress compels tech firms to comply, it will have no impact on encryption technologies offered by foreign companies or the open-source community. Users will simply migrate to privacy offerings from providers who are not following U.S. mandates.

Indeed, this is the pattern we have seen in Hong Kong over the last six months, where pro-democracy protesters have moved from domestic services to encrypted messaging platforms such as Telegram and Bridgefy, beyond the reach of Chinese authorities. Unless Washington is willing to embrace authoritarian tactics, it is difficult to see how extraordinary-access policies will prevent motivated criminals (and security-minded citizens) from simply adopting uncompromised services from abroad.

None of this is new, but it's at least good to see the former head of various intelligence agencies highlighting these points. At this point, we've seen intelligence agencies highlight the value of encryption, Homeland Security highlight the importance of encryption, the Defense Department highlight the importance of encryption. The only ones still pushing for breaking encryption are a few law enforcement groups and their fans in Congress.

Filed Under: backdoors, encryption, michael hayden

Follow this link:
Michael Hayden Ran The NSA And CIA: Now Warns That Encryption Backdoors Will Harm American Security & Tech Leadership - Techdirt

Google makes it safer to text on Android phones, but end-to-end encryption is still MIA | PCWorld ');consent.ads.queue.push(function(){ try { IDG.GPT.addDisplayedAd("gpt-superstitial", "true"); $('#gpt-superstitial').responsiveAd({screenSize:'971 1115', scriptTags: []}); IDG.GPT.log("Creating ad: gpt-superstitial [971 1115]"); }catch (exception) {console.log("Error with IDG.GPT: " + exception);} }); Verified SMS and spam protection rolling out now.

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

As part of its year-end push to bring Android Messages up to speed, Google is rolling out two new features today: Verified SMS and spam protection. Together, they will help make sure your conversations arent taken over by people you dont want to talk to.

Like the phone app, Google wont automatically filter out suspected spam messages, but it will warn you when it suspects one has arrived. Youll be able to let Google know whether it got it right and also report spam texts, all of which will be used to improve the detection engine.

In addition to flagging spam, Google will also verify whether youre indeed chatting with the brand you think youre chatting with. If so, Google will add a verification badge alongside the business name and logo in the conversation. Google says 1-800-Flowers,Banco Bradesco,Kayak,Payback, andSoFiare among the first brands to send messages with Verified SMS, with more being added daily.

While both of these features are certainly excellent additions to Android Messagesespecially on the heels of the recent launch of RCSit also underscores the biggest security safeguard thats still MIA: end-to-end encryption. While messages are indeed encrypted while being sent, theres no guarantee that theyre encrypted by the carrier, which means someone could be reading or intercepting messages along the way. Google promises that it doesnt save messages, but most providers make no such claims, making it difficult to fully trust that your messages are for-your-eyes-only.

But at least youll know that theyre coming from verified sources, which is a step in the right direction. Verified SMS is rolling out in nine countries, , starting in the U.S., India, Mexico, Brazil, the UK, France, Philippines, Spain and Canada, while spam protection is rolling out in the U.S. following a broader launch earlier this year.

Michael Simon covers all things mobile for PCWorld and Macworld. You can usually find him with his nose buried in a screen. The best way to yell at him is on Twitter.

Go here to read the rest:
Google makes it safer to text on Android phones, but end-to-end encryption is still MIA - PCWorld

CLEVELAND, Ohio U.S. Attorney Justin Herdman is entering the fray on a national debate over law enforcements ability to access encrypted devices and messaging apps, trying to rebuff the sentiments of many tech companies that say such access could leave them vulnerable for exploitation by hackers.

Some experts consider his ideas problematic.

Herdman, in an op-ed published Wednesday on cleveland.com, mostly echoed statements made in recent years by Justice Department officials about the need for law enforcement and tech companies to work together so investigations dont stall. Calling on the need for public safety, he said agents inability to get into the devices hinders investigations into drug dealers, terrorists and sex traffickers.

The piece was directed not only at the public but at companies such as Facebook and Apple, which have spoken about the privacy needs of its customers and the rights they feel their users should enjoy to shield their messages.

Thus far, several tech companies have expressed an unwillingness to provide law enforcement a way to access either encrypted devices or messaging app systems such as WhatsApp and Signal. Other concerns raised involve defendants Fourth and Fifth Amendment rights.

Former American Civil Liberties Union attorney Alex Abdo, whose work at the organization involved issues surrounding tech and security, said many people in Silicon Valley argue that it is almost impossible to build a backdoor system for law enforcement that could not be accessed by hackers or, say, authoritarian governments in other countries that would seek information through their own legal systems on dissidents.

Still, Herdman said in an interview from Washington, D.C., that Im not convinced, nor is the department convinced, that theres not a technological solution to this. He also said that law enforcement accesses these devices for narrow purposes approved by a judge.

The U.S. attorney wrote in the op-ed that the companies are within their rights to offer privacy and cybersecurity to prospective customers as well they should, because these are important values.

But they shouldnt do so at the expense of public safety, Herdman continued. And these same industry professionals certainly know that warrant-proof encryption is protecting the criminals amongst us.

He took it a step farther in the interview, saying officials are committed to working with the companies but that forcing them to grant access could happen through the courts or new laws.

We cannot live in a world where pedophiles and drug traffickers and terrorists are able to communicate freely without law enforcement being able to lawfully intervene, he said.

The encryption issue was spotlighted in 2016, when the FBI sought Apples help to unlock an encrypted iPhone used by an extremist shooter who, along with another shooter, gunned down 14 people and injured 22 others in San Bernardino, California. Apple refused to help, citing privacy concerns.

The FBI sought outside help and was able to open the phone.

Herdmans op-ed was published two days after executives at Facebook wrote a letter snubbing overtures made by Attorney General William Barr to give law enforcement backdoor access to their systems. Facebook plans to enable end-to-end encryption on all of its messaging platforms, a system that locks messages so that not even the company can read them, according to The Associated Press.

Barr and other Justice Department officials have made statements directed toward tech companies to allow access. He said in a speech Tuesday that the encryption fight was one of our highest priorities and described an increasing number of horror stories about how people are dying, or being molested or whatever, but we cannot get in, the AP reported.

Herdman, in his op-ed, cited two examples from Ohio to support his argument that law enforcement needs more access.

He said agents were unable to get into the cellphone of a 25-year-old man arrested in a hotel outside Canton this summer on suspicion of trafficking a 16-year-old girl for sex. Agents have a search warrant but additional information that could build a case against the man is locked away because the phones manufacturer wont provide a way to get in the phone, the U.S. attorney said.

The result: Evil prevails and innocent children are still being victimized, Herdman wrote. First Assistant U.S. Attorney Bridget Brennan later declined to identify the man.

The other involved a wiretap that went cold when the target of an investigation, who was talking to a drug supplier in Mexico, switched to using an encrypted messaging app and the agents could not access the messages.

Brennan identified the target as Ismael Acosta, a Cleveland Heights man now serving a prison sentence of more than 15 years for trafficking drugs and money laundering following an investigation into a large operation by the Drug Enforcement Administration.

Herdman, who has been U.S. attorney since 2017, said in the interview that its very common for law enforcement to come across encryption. Such technology emerged near the end of his first stint at the U.S. Attorneys Office between 2006 and 2013, and he recalls discussions about it in meetings when he was in the offices national security unit.

Case Western Reserve University criminal law instructor Michael Benza said that having third parties, i.e. big tech companies, give access to apps or devices poses problems. If an agent gets a warrant to search a house, and they get someone else to kick in the door for them, thats unacceptable, he said.

Its not as simple as this is a bad guy, we know its a bad guy, so give us the access,'" Benza said.

Abdo, now the litigation director at the Knight First Amendment Institute at Columbia University, also said the government, even in the absence of encrypted information, has more information about people than ever before, because there are digital traces left every time someone uses a device or accesses the internet.

The existence of that information has caused some to say were living in a golden age of surveillance, he said.

To Herdman, such privacy concerns are vastly outweighed by the need for safety.

I dont think theres a really coherent argument on the tech side to not offering law enforcement access to devices and communications, he said.

Read more:

Child predators must not be able to hide behind warrant-proof encryption: Justin Herdman

Twenty charged in multi-state drug ring that brought heroin, fentanyl, cocaine to Cleveland

FBI works with outside party to unlock iPhone; hearing with Apple canceled

Continued here:
U.S. Attorney Justin Herdman of Ohio says agents need access encrypted devices, apps for the sake of public s - cleveland.com

Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.

Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.

Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the Make searches and browsing better option in Chrome.

The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. Theres also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.

The feature began as a Chrome extension called Password Checkup that warned users their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Googles next move, in which it folded the feature directly into Chromes password manager. The service still didnt check your credentials against hacked logins whenever you logged into a website. Instead, it would run the passwords youd stored in the password manager service periodically to see if it found a match.

The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so its been pretty clever about how it performs the check. It wants to be clear that it doesnt get to see your login credentials.

When you log into a website, Chrome will now send a hashed copy of your login credentials to Google. A hash creates a unique and reproducible string of text using whichever data you give to it, which identifies the data without revealing it. This data is encrypted in the browser using an encryption key to which only you have access.

Google already used its own key to encrypt the list of hacked login credentials that it sniffed from various sources online. It does the same thing with the credentials that Chrome sends it, encrypting them a second time.

This double encryption is part of a technique called private set intersection with blinding. It tries to match the login credentials you entered against Googles database of hacked usernames and passwords.

For your privacy, Google doesnt do this matching itself. Instead, it sends a small part of its encrypted hacked credentials database back to Chrome, along with your double-encrypted login credentials (which youll remember have now been encrypted twice). Chrome removes the encryption it applied to your login credentials using your own key, leaving only Googles encryption in place. It then tries to match those hashed encrypted credentials against the small subset of the database that it received from Google. If it finds one, then your credentials have been hacked.

Google knows which small subset of the database to send back because your browser also creates a hash of the username you tried to enter into the website. It sends part of that hash to Google along with the other data. Google uses that snippet of your hashed username to select the part of its database including the same snippet in the index.

Its an ingenious system, and as long as you feel you can trust the encryption (and Google), then it looks like a good way to automate hacked password detection. It will alert you that your credentials have been pwned at the point in time when youre most likely to do something about it when youre trying to log into the site.

As with all password breaches, you should change your password if Chrome does discover a match, and turn on multi-factor authentication if the hacked site makes it available, to prevent a possible attack. You should also avoid reusing passwords across multiple sites so that attackers wont be able to unlock your other accounts with a hacked password. You can make that easier by using a password manager with a built-in password generator.

Read more from the original source:
Chrome 79 includes anti-phishing and hacked password protection - Naked Security

With help from Eric Geller, Martin Matishak and Bryan Bender

Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro's comprehensive policy intelligence coverage, policy tools and services at http://www.politicopro.com.

Story Continued Below

Encryption and corporate cybersecurity are on the congressional calendar this week, both on Tuesday, one a hearing and one a markup.

A top intelligence official with some cybersecurity responsibilities is leaving, part of a broader exodus.

How much is the White House doing on election security? Two officials, one current and one recently departed, offered their viewpoints in recent days.

HAPPY MONDAY and welcome to Morning Cybersecurity! Your MC hosts inbox hasnt been flooded with best of 2019 music stuff as requested, but I discovered this one elsewhere. Pleasant little track, that one. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

CLOSED, OPEN The Senate Judiciary Committee this week explores the pros and cons of encryption, the first time Congress has dipped into the subject in a long time. While the panel hasnt announced Tuesdays witness list yet, the hearing comes two months after Attorney General William Barr joined British and Australian officials to initiate a big push against warrant-proof encryption centered on fighting child exploitation.

Senate Judiciary Chairman Lindsey Graham (R-S.C.) is worth watching: From 2015 to 2016, he said he underwent a change of heart, evolving from an end-to-end encryption critic to someone who saw the wisdom of it, but since then hes also become a staunch ally of the president.

Also Tuesday, the House Financial Services Committee is scheduled to mark up legislation (H.R. 1731) that would require the SEC to issue a rule requiring publicly traded companies to disclose cybersecurity expertise on their boards of directors. The legislation, sponsored by Rep. Jim Himes (D-Conn.), would require that, in the event a board had no cyber expertise, the company must explain why.

WE NEVER SLEEP One of the Pentagons top intelligence officials will step down next month, our Defense colleague Connor OBrien and Martin scooped on Saturday. Kari Bingen, who as principal deputy undersecretary of Defense for intelligence, helps oversee the NSA and other organizations within the so-called Defense Intelligence Enterprise, will leave DoD on Jan. 10. She sat down with Martin earlier this year on the sidelines of the 2019 GEOINT Symposium and chatted about a host of topics, including cybersecurity.

Her departure marks yet another departure of a senior intelligence official in recent months. Former Director of National Intelligence Dan Coats and his deputy, Sue Gordon, stepped down in August. Joseph Maguire has served as the nations spy chief on an acting basis ever since. Last month, ODNI announced that Andrew Hallman, who most recently served as the Deputy Director of CIA for Digital Innovation, is the I.C.'s new "principal executive" who will serve as the country's No. 2 intel official.

MORE PERSONNEL NEWS Bryan Ware is the pick to take the job of assistant director for cybersecurity at CISA, one of the top cyber gigs in the federal government, CyberScoop reported Sunday evening. He would replace Jeanette Manfra in the DHS vacancy, with Manfra set to head to the private sector at years end. Ware is the current assistant secretary for cyber, infrastructure and resilience policy, and is a former tech entrepreneur. His selection is still pending White House approval, according to CyberScoop. DHS officials that MC reached out to Sunday night did not confirm the news.

NIAC WANTS CYBER COMMAND CENTER A federal advisory council made some unsurprising recommendations to President Donald Trump for improving public-private cybersecurity partnerships in a newly published draft report.

The president should create a command center to improve intelligence information sharing, protect companies from lawsuits stemming from their decision to blacklist risky vendors and create an independent commission to mitigate catastrophic cyber risks to critical infrastructure that have potential national security impacts, the National Infrastructure Advisory Council said in the report. The council, a collection of industry executives and local government officials, also said the Justice Department should determine whether existing legal authorities permit the feds to order companies to implement certain defensive measures.

The report is the result of a tasking from the National Security Council, which asked the NIAC in September to examine how the federal government and private industry can collaborate seamlessly to manage urgent cyber risks in the most critical and highly targeted private infrastructures. It cites increasing nation-state cyber capabilities, along with digital strikes such as the Ukrainian grid outages and the NotPetya malware outbreak, to argue that the need to act is urgent.

The report recommends a two-tiered approach, coupling urgent action with longer-term comprehensive policies, and it says that all work should adhere to six principles, including that regulation should be a last resort. The draft is dated Dec. 12, making it likely that the NIAC will deliver it to Trump this week.

THE OTHER NSA ON ELECTION SECURITY A White House often accused of neglecting the subject of election interference considers it a big priority, national security adviser Robert OBrien told reporters at a roundtable this weekend. That's something we're concerned about. It's something we watch and it's something we're working on very, very hard, he said. And there are people across the U.S. government and across state governments that are working on these issues. It's a priority. It's important. We're monitoring very closely.

OBrien touted the NSCs resilience group, and mentioned four countries that present a particular threat given their cyber capabilities: China, Iran, North Korea and Russia, the last of which Trump has faced particular criticism over for downplaying its 2016 meddling.

WAIT, HOLD UP ON THAT A recently retired senior CIA operations officer on Friday wrote that the president poses a real threat to federal efforts to fend off Russian election interference. In response to 2016 meddling, the CIA published a call to arms for its workforce to counter the Kremlin, Marc Polymeropoulos wrote for Just Security. The idea was for the entire government to think creatively and offensively about what to do about Russia, he wrote. There was widespread interagency support for the idea.

The wild card was sitting in the Oval Office, wrote Polymeropoulos. With President Donald Trumps puzzling admiration for Russian President Vladimir Putin, it was not clear that he had accepted and internalized the Intelligence Communitys conclusions of Kremlin malfeasance and incessant desire to harm the United States. If anything, the president repeatedly questioned the findings of the IC, preferring instead to accept Putins denials. Former national security advisers H.R. McMaster and John Bolton helped keep the agenda moving forward, however.

Since retiring in June, though, two things swayed Polymeropoulos toward doubt for the future. My fear stems primarily from the president, who has, in a matter of several months, quite overtly set back the overall U.S. government effort with his unfortunate meddling in Ukraine, as well as the pullback of U.S. troops from Syria, he wrote. Trump has provided Putin a massive gift on both fronts. Its not all a lost cause, but it will likely take congressional action to stay the course, he asserted.

BYENET Two members of a Romanian cybercrime gang earned lengthy prison sentences on Friday from a federal judge for their role in overseeing a botnet that prosecutors say infected 400,000 computers primarily in the United States. Romanians Bogdan Nicolescu and Radu Miclaus, both 37, received 20 years and 18 years, respectively. The Bayrob Group schemes origins date back to 2007, when it developed proprietary malware distributing malicious emails purportedly from the likes of the IRS, Norton AntiVirus and Western Union, according to DOJ. In April, a federal jury in Ohio convicted them of all 21 charges.

TWEET OF THE WEEKEND Thats two needs, and counting.

RECENTLY ON PRO CYBERSECURITY Reddit said it uncovered a suspected Russian disinformation campaign targeting the U.K. election. Republican senators are deepening their pursuit of evidence of Ukrainian election interference, despite intel officials saying theres none to be found. Cambridge Analytica engaged in deception in a couple different ways, the FTC said. Rep. Pramila Jayapal (D-Wash.) pressed Google executives about the company's data sharing deal with health system Ascension in a letter today amid sharpening concern over the use of big health data among patient and privacy advocates. European Commission Vice President Vra Jourov said social media companies need to do more to counter manipulation campaigns.

One of the accused Evil Corp leaders is the son of a former Russian mayor. Meduza

British cybersecurity officials are investigating whether leaked U.S.-U.K. trade papers were hacked. Reuters

Industry groups want more time to give feedback on the information and communications technology supply chain rule. Inside Cybersecurity

The head of the FBI Criminal, Cyber, Response, and Services Branch is headed to Louisville for a job as chief of public services. CyberScoop

More than 100 dental offices were affected by a ransomware attack on a Colorado IT provider. Krebs on Security

The election security fights continue in Pennsylvania. The Wall Street Journal

Morning Consult sought to analyze the congressional districts most vulnerable to Facebook misinformation.

Thats all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee) Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).

Continued here:
Encryption back on the congressional agenda - Politico