Category Archives: Encryption
The FBI Director Thinks a Law Against Encryption Is Possible Under Trump – Motherboard
In the year after the heated battle between Apple and the FBI over the iPhone of a dead alleged terrorist, the US government war on encryption has been lying somewhat dormant. But that's not because the FBI has given up on trying to change the status quo.
On Wednesday, FBI Director James Comey left the door open for a law that would require tech manufacturers like Apple or Google to come up with a way to decrypt data for the feds.
"I could imagine a world that ends up with legislation saying if you are going to make devices in the United States you figure out how to comply with court orders," Comey said during a Senate hearing. "Or maybe we don't go there."
Comey's comment came after Sen. Chuck Grassley (R-IA) asked whether the FBI director still believed that it wasn't necessary to push for a law to solve the so-called "Going Dark" problem, an FBI expression that refers to the rise of unbreakable encryption and how that is stumping legitimate investigations.
During his prepared statements, Comey complained that the FBI has been unable to unlock and access data on more than 3,000, or 46 percent, of all the cellphones or mobile devices they had lawful authority to search during the first half of this year.
"The shadow created by the problem called going dark continues to fall across more and more of our work," Comey said, blaming the "ubiquitous default full disk encryption on devices," while at the same time saying he doesn't want backdoors.
Full disk encryption is a technology that makes it theoretically impossible to access data stored inside cellphones like newer Android phones or iPhones unless one has the decryption key or passcode. Sometimes, like in the case of the iPhone used by the alleged terrorist who killed 14 people in San Bernardino, it's possible to get around this by hacking into the phone.
In 2014, Apple made full disk encryption on iPhones a default setting, making it virtually impossible for anyone, including the company itself, to unlock or decrypt the user's data.
So is the FBI going to push for a law to solve this "big problem" as Comey put it? Maybe.
"I don't know the answer yet. I think I said, I hope I said, last time we talked about this, it may require a legislative solution at some point," Comey said. "The Obama administration was not in a position where they were seeking legislation. I don't know yet how President Trump intends to approach this. I know he spoke about it during the campaign, I know he cares about it, but it's premature for me to say."
Some legislators didn't seem too keen on going down that road. After Comey's remarks, Sen. Orrin Hatch (R-UT) said he was convinced there was no need for a "one-size-fits-all" legislative fix, and that it'd be better for the FBI to figure things out directly with tech companies.
While Comey's remarks are, as usual, somewhat vague, they once again show that the FBI considers encryption a serious problem that's preventing agents from getting access to more and more devices every day. For Comey, that needs to change somehow.
Want to recover a FileVault-encrypted drive without a recovery key? You’re out of luck – Macworld
One of the downsides of protecting your data from others is how easy it is to lose it all.
David S. asks about recovering a FileVault-encrypted drive. He says it was encrypted and then reformatted.
Is it possible to recover any data from this drive since it was previously encrypted with FileVault 2 and the keys were unfortunately wiped? Do you have any recommendations or suggestions how to decrypt the drive and recover the data?
I'll answer this in reverse order.
FileVault 2 (commonly called just FileVault) can be enabled via the Security & Privacy system preference pane, and uses a boot process that keeps the drive locked until you log in with an account allowed to unlock the drive.
Apple was clever in how this is set up. Instead of having you create an encryption key (or a passphrase that's cryptographically transformed into the actual key), macOS generates the actual key used. This is then wrapped into a protective envelope that can only be unlocked by users on the system that have been authorized to boot up the computer from a powered-off state (cold start).
The Recovery Disk, a special partition that first appeared with OS X Lion, manages this initial boot up. When you log into a FileVault-enabled account, the Recovery Disk OS takes your account password and uses that to unlock the encryption key that protects the startup volume. It's loaded into memory to decrypt and encrypt data on the fly. (You can also encrypt other attached drives via the Finder or through the Terminal, but that encryption key is derived from the password you set directly for the drive.)
The recovery key offers a last-resort method of decrypting a FileVault drive, and you can opt to store it in iCloud.
Apple creates a recovery key for your startup disk that you can use as a last resort, such as forgetting all the passwords for all the authorized accounts, or conceivably if the Recovery Disk partition were damaged or removed. You can opt to store the recovery key in iCloud protected with your iCloud account password. If you don't store it there, and you can't find the recovery key nor can you log in through the startup process, the data is truly gone forever. Apple employs a very strong encryption algorithm that stands no chance at being broken in the lifetime of our planet at current estimates, even by an owner who has full rights for everything on the drive.
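The envelope arrangement described above, sketched as an added example (not Apple's code or Macworld's): one random volume key is wrapped once per authorized secret, and once every envelope is gone no password can bring the key back. The PBKDF2-plus-HMAC wrap is a standard-library stand-in chosen for this sketch, and all names, passwords and the recovery string are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed value for this sketch


def _kek(secret, salt):
    """Stretch a login password or recovery key into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def _pad(kek, nonce):
    # One 32-byte keystream block. Assumption: stand-in for a real key-wrap
    # cipher such as AES Key Wrap; not the construction FileVault uses.
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()


def wrap_key(volume_key, secret):
    """Seal the volume key in an envelope only `secret` can open."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = _kek(secret, salt)
    ct = bytes(a ^ b for a, b in zip(volume_key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(envelope, secret):
    """Return the volume key, or None if `secret` does not fit this envelope."""
    kek = _kek(secret, envelope["salt"])
    expected = hmac.new(
        kek, b"mac" + envelope["nonce"] + envelope["ct"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    pad = _pad(kek, envelope["nonce"])
    return bytes(a ^ b for a, b in zip(envelope["ct"], pad))


def build_envelopes(volume_key, holders):
    """One envelope per authorized account, plus one for the recovery key."""
    return {name: wrap_key(volume_key, s) for name, s in holders.items()}


def try_unlock(envelopes, secret):
    """Try the supplied secret against every envelope stored on the disk."""
    for envelope in envelopes.values():
        key = unwrap_key(envelope, secret)
        if key is not None:
            return key
    return None


if __name__ == "__main__":
    volume_key = secrets.token_bytes(32)  # generated by the system, not the user
    envelopes = build_envelopes(volume_key, {
        "alice": "alice-login-password",          # constructed
        "recovery": "CONSTRUCTED-RECOVERY-KEY",   # constructed
    })
    print("login password unlocks:",
          try_unlock(envelopes, "alice-login-password") == volume_key)
    print("recovery key unlocks:  ",
          try_unlock(envelopes, "CONSTRUCTED-RECOVERY-KEY") == volume_key)
    envelopes.clear()  # models a reformat that wipes the stored envelopes
    print("after wipe:            ",
          try_unlock(envelopes, "alice-login-password"))
```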
Now, as for recovering a FileVault-encrypted drive that's been reformatted so that you could, say, use a recovery key, the odds seem to me about zero. Disk Drill 3, software Macworld awarded 4 1/2 mice to last October, notes that it only has the potential to recover an encrypted drive if you can mount a partition so that it can scan the file system.
I know this last paragraph might sound like "I told you so," but you should always have complete backups, preferably two different kinds, of all your data, especially data on encrypted drives that are effectively impossible to recover. The backups should be encrypted as well, but again using different means. I recommend performing routine incremental local backups and cloud-based backups using software and services that allow control of encryption with keys or passphrases you specify.
The future of the free press is at risk: encryption is part of the solution – Huffington Post
As media leaders gather at World Press Freedom Day (WPFD) in Jakarta, Indonesia, they embark on the difficult journey of safeguarding journalists' mission in an era where their freedom is increasingly at risk.
The surveillance of journalists, in particular, has profound implications for democratic institutions, including freedom of the press; it threatens their ability to confidently and confidentially collect information and opinions about important societal issues such as politics, the environment, governmental decisions, etc. Today, more than ever, journalists need to be able to research and report the news without fear of interference or surveillance.
Encryption offers a vital defense for such intrusions. All journalists, from professionals uncovering the latest national security stories to citizen reporters documenting a protest with their mobile phone, need to be aware of the risk of unencrypted communications.
Based on input by the Internet Society, the WPFD Declaration to be adopted this week should encourage the deployment of encryption to ensure trust online and to support the safety of online journalists and the confidentiality of their sources. This is an important and positive signal to the international community.
The free press is under pressure
According to Reporters Without Borders, the overall level of media freedom constraints and violations worldwide has risen 14% in the span of five years. Just in the past year, nearly two-thirds (62.2%) of the countries measured have registered a deterioration in their situation (including in democracies), while the number of countries where the media freedom situation was good or fairly good fell by 2.3%.
This happens in a context where reporters can be victims of government orders to shut down media websites or blogs in the name of national security or public order. But the pressure on journalists can be even higher. In some countries, using encryption is a risk in itself. For example, in 2015, three journalists from Vice Magazine were imprisoned for the reported use of encryption software.
Surveillance and violations of the confidentiality of sources have contributed to the decline of media freedom worldwide. The consequences are profound, including self-censorship in democratic societies. In the United States, a study by Pen America showed that 16 per cent of writers avoided talking about certain topics as a result of government surveillance.
Encryption is the solution
Reporters often have multiple assignments and little time. When faced with a choice, they may choose convenience over investing time in technical skills to secure their communications.
Yet, the consequences for a journalist to be under surveillance or hacked can be disastrous: losing years of research; sources whose online identity got compromised; and reporters who were physically attacked because an adversary intercepted their communications and discovered the subject of their investigations.
Tech-savvy, investigative reporters or those who focus on national security stories routinely use end-to-end encryption to protect the confidentiality of their communications so that not even the company that delivers the messages can read them. Many use tools like Signal on their smart phones and/or encrypt their email. They are careful about restricting app access to geolocation data, ensuring their devices are encrypted, and deploying a whole host of tools and techniques for better security and privacy in both their professional and personal lives.
But the need for better security doesn't just apply to investigative reporters. All journalists have a responsibility to protect themselves and their sources. Even run-of-the-mill reporting could make journalists a target.
There is support out there
Organisations like the Committee for the Protection of Journalists, Reporters Without Borders and the Electronic Frontier Foundation offer security toolkits and guidance on how to encrypt devices and communications.
Furthermore, following the Snowden revelations, some major Internet companies stepped up and offered encrypted services. As a result, more than half the web is now encrypted over HTTPS, many suppliers offer device encryption, and some messaging services such as WhatsApp have adopted end-to-end encryption.
The Internet technical community is also playing an essential role in supporting encryption on the Internet for everyone. The World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) are working hard to make encryption the norm for web communications and for the protocols that enable information to flow on the Internet.
Some recent developments include:
Governments have a role too. We invite them to adopt the SecureTheInternet principles and to support strong encryption, not only to ensure the safety of journalists, but also as a technology that already allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and do almost everything else.
As we celebrate World Press Freedom Day, we must remember that journalists and their sources are taking enormous risks right now in making sure crucial stories get told.
In today's environment, where trust in online information is at an all-time low, we need free, safe and independent journalists more than ever. We all have a role to play, and encryption is one step to take us there.
Danalock V3 adds military-grade AES256 encryption – SlashGear
As homes start to get smarter, the need to protect the people and hi-tech devices inside also gets stronger. When it comes to smart home security, however, there is almost always a compromise between ease of use and strength of security. Danalock, who has been making smart locks for years now, offers a solution. The third version of its smart lock product, the Danalock V3 offers the same ease of installation, speed of reaction, and remote convenience while, at the same time, utilizing the same level of encryption used by government.
It's a fact of life that almost any device these days can be hacked. From computers to phones to even cars, nothing is sacred to less scrupulous elements of society. That fact perhaps makes having a smart door lock even more frightening. That is, unless you use the right tools for the job, as Danalock seems to suggest.
Danalock V3 uses the 256-bit Advanced Encryption Standard, more popularly known in the industry as AES256. This is the same encryption technology used by government and military to keep documents secret. Of course, AES256 is also used by many security and privacy software products. In the Danalock, the AES256-protected lock code is stored in a TPM chip, ensuring that it cannot be hacked.
Despite being super hardened, the V3 still offers the conveniences of a hi-tech security system, particularly with remote access. Using Bluetooth, it can detect if the owner is approaching and can be set to automatically unlock the door. A time saver when your hands are rendered useless by groceries. In addition to Bluetooth, the new Danalock also supports Apple HomeKit, Zigbee, and Z-Wave wireless connectivity.
The Danalock V3 is now available directly from the company's website for $149 apiece. Buyers can choose from a variety of locks to match common door locks in their particular market but, other than that, the Danalock V3 installation is the same, regardless of your location.
Doing The Math For Better Encryption – Signal Magazine
Scientists at the University of Texas at Austin have delivered a mathematical revelation that could bring a number of benefits, but improved encryption tops the list. Cybersecurity, of course, depends on encryption, which relies on random data ...
File-Based Encryption Vulnerability Reported by DeesTroy is Fixed in May’s Security Update – XDA Developers (blog)
With the introduction of Android 7.0 Nougat, Google switched to a file-based encryption method instead of the full disk encryption that we were using in Marshmallow. There are benefits and drawbacks to each of these methods, but Google's security team ...
End-to-end encryption could be key to securing future elections – The Hill (blog)
Whatever your preference of candidates might have been, one thing was clear from the 2016 U.S. presidential election: the Russian government targeted American political organizations of both parties with an aggressive wave of cyber intrusions. Both private sector analysts and the U.S. Intelligence Community agree on this point.
Furthermore, FBI Director James Comey recently told a congressional committee that "they'll be back in 2020, they may be back in 2018." The head of the NSA, Admiral Mike Rogers, concurred, saying that he "fully expect[s] they will maintain this level of activity."
Faced with a potential onslaught from persistent and technically advanced adversaries, political organizations should use end-to-end encrypted email and file-sharing applications that are easy to use. These applications must have three characteristics:
First, they must encrypt every message and file end-to-end. This means that even if an adversary successfully breaches an organization's server, as in the case of the Democratic National Committee (DNC), doing so will not reveal any information.
Second, these applications should not allow privileged super-users. By exploiting the vulnerability of super-user accounts in the DNC network, hackers were able to steal and leak thousands of internal communications.
Third, these applications must not use passwords, which are themselves major security vulnerabilities. People often create passwords that are easy to guess, and they divulge them too readily.
How end-to-end encryption protects user data even if a server is hacked
When messages are encrypted end-to-end, the information stored on the server is secure even if the server is hacked. Each message should be automatically encrypted with a unique key before it leaves the user's device and only decrypted when it reaches its recipient.
If attackers breach the walls protecting the server, such as traditional password portals and firewalls, all they will find is encrypted, useless gibberish. This was not the case at the DNC, nor is it standard practice for most major communications providers, which store their customers' information on their servers unencrypted.
The DNC Breach and The Risk of Super Users
In the lead-up to the 2016 elections, two independent and advanced cyber actors targeted the DNC's computer servers. The first one to strike, known as Advanced Persistent Threat (APT) 29 or COZY BEAR, was an unidentified Russian group possibly affiliated with the country's internal security service.
The second one, known as FANCY BEAR or APT 28 in cybersecurity circles, was probably a component of Russia's military. The former group sent a string of spear phishing emails to people working at American government and nonprofit organizations in the summer of 2015, likely including someone with legitimate access to the DNC network.
The latter one waged a massive campaign in parallel; from October 2015 to May 2016, it sent almost 9,000 spear phishing emails with malicious links to nearly 4,000 similar targets. As the two attackers did not appear to be working together, one or more people at the DNC clicked on embedded links from each group, giving the Russians access to the network.
One of the attackers eventually gained control of a privileged administrator account, and was able to steal tens of thousands of sensitive emails. Giving administrators super-user privileges to view vast amounts of information was one of the reasons the DNC attackers were able to steal so much material. Instead, new encrypted email applications use the concept of Approval Groups. With this paradigm, only a predetermined combination of trusted individuals can recreate the decryption keys of other users and retrieve the messages on the server.
This restriction, which gives cryptographic shards of keys to certain individuals, prevents a single hijacked administrator from wreaking havoc on an organization's information technology systems. It would also require attackers to gain control of the individual devices of approval group members, which is far more difficult.
Furthermore, messages that are encrypted end-to-end are secure even if the server they are sitting on is hacked. If attackers breach the walls protecting the server, such as traditional password portals and firewalls, all they will find is encrypted, useless gibberish. This is because with end-to-end encryption, you are the sole owner of the keys needed to decrypt the information.
Finally, in the DNC hack, FANCY BEAR/APT 28 took advanced counter-forensic measures such as corrupting and deleting internal server logs to obscure its presence. Logs of all communications should be encrypted to prevent exactly this from happening.
Whether Democrat, Republican, or Independent, everyone should understand that systems that leave sensitive data unencrypted while at rest, as well as those that allow for super users, are vulnerable to advanced cyber intrusions like the one the DNC suffered.
Why passwords make systems vulnerable
While they were attacking the DNC's servers, members of FANCY BEAR/APT 28 were also busy at work attempting to breach other systems, namely the personal email accounts of Democratic Party officials and staff members.
Perhaps the most attractive target was then-candidate Hillary Clinton's campaign manager John Podesta. Like many busy and important people, he did not have time to remember a slew of different passwords for every web site he used. He occasionally asked his aides to remind him of his passwords via email and probably re-used them among multiple different applications.
Passwords can be a security liability as well as a hassle for users, which is why politicians, candidates and their political aides should use strong cryptographic keys instead. These keys, which are dozens of digits long, can be automatically created and stored on users' computers and phones. The keys are so complex that it would take all the supercomputers on earth billions of years to guess.
Unfortunately, Podesta's Gmail account used passwords to decrypt his emails instead of cryptographic keys stored locally. Receiving an email alert (probably from the Russians) warning him that an unauthorized user was trying to access his Gmail account, he or one of his staff members reached out to the campaign's information technology support team. After getting some confusing advice, either Podesta or one of his assistants clicked on an embedded malicious link to a fake password reset portal. He fell for the ruse and entered his credentials, giving them to the attackers.
The FANCY BEAR/APT 28 actors were then able to access and download nearly ten years' worth of private communications. The Russians later used the stolen materials to create another "October Surprise" for the campaign by again providing the information to WikiLeaks.
It is unfortunate that, in retrospect, using end-to-end encryption with strong cryptographic keys could have prevented all of this. By keeping encryption keys only on a user's device, there is no need for passwords to access one's communications. Not having to remember and type them in all the time makes it impossible to accidentally give them to hackers too.
Get ready for 2018 by securing your systems today
Although the 2016 election is in the books, the cybersecurity lessons we can learn from it are critical for future cycles. We know that at least one foreign country will take active measures, like hacking political organizations and campaigns, to support its preferred candidate. Regardless of whom you support, every American should be able to agree that sensitive internal communications like campaign emails must remain private and secure. With an end-to-end encrypted messaging protocol, political organizations of every stripe can do just that.
Walter Haydock works for PreVeil, a Boston-based cybersecurity company where he interfaces with political campaigns, think tanks, and other government-facing clients. Previously, he served as a staff member for the House of Representatives as well as an officer in the Marine Corps. The views expressed in this article do not necessarily reflect the official policy or position of the United States government.
The views expressed by contributors are their own and are not the views of The Hill.
Israeli encrypted communications start-up Elsight heads for the ASX – The Australian Financial Review
Elsight co-founders Roee Kashi and Nir Gabay are taking the company public on the ASX.
The flood of Israeli-based start-ups listing on the ASX is showing no signs of abating, with secure communications technology company Elsight the latest planning to go public on the exchange.
The company is raising $6.5 million at 20¢ a share and a valuation of $18.17 million. It has met with a range of institutional investors and family offices on a roadshow in Australia this month.
It joins the likes of Israeli firms Votiro Cybersec and CyberGym, which are also listing on the ASX this year.
Chief executive and co-founder Nir Gabay told The Australian Financial Review the stock market in Israel was "weak", so firms had started looking for other options.
"The next option was the NASDAQ, but you need to be a $1 billion company to list there, then you look at Hong Kong, but even then you need to be a $150 million company," he said.
"But there is a good relationship between the ASX and Israel, so that was the best option for us."
As part of the listing, Elsight has created a new Elsight Limited Australia company which will acquire the assets of Elsight Israel. The Israeli company is already profitable, having made a net profit of $US98,000 ($131,000) for the full year to December 31 and $US932,000 in revenue.
Elsight's technology is designed for in-the-field communications and allows video and other data streams to be sent securely over multiple networks simultaneously, increasing bandwidth and allowing video to be streamed from the other side of the world in almost real time.
It works by splitting the data into packages, encrypting these and then transmitting them via multiple sim cards, WiFi, LAN or radio networks and then reassembling it at the other end.
The company was founded in 2009 by Mr Gabay and Roee Kashi, with the men having come from the Israeli special forces and military intelligence.
Until recently Elsight had been prevented from selling internationally by the Israeli government.
"On a battlefield people's lives totally depend on the absolute performance of their technological equipment with zero tolerance of failure. Being a leading military technology country, the Israeli government restricts the sale of Israeli high-tech military products that are developed within its borders outside of the country," Mr Gabay said.
But last year the company decided that to expand its reach, it would shift its focus from military to civil products and split the encryption component of its technology from the main product, so that the main product was deemed to have a lower encryption level than that sold to the Israeli military.
This resulted in the company being granted an exemption to the technology export limitations seven months ago.
"At the same time as reducing the original product's standard encryption level, we added a feature to allow our clients to add their own encryption software ... the global product's level of encryption is [also] still unbreakable by conventional means," Mr Gabay said.
Elsight currently has customers in Israel, South Africa, Singapore, Vietnam and Malaysia. The capital raised through the listing will go towards research and development, as well as marketing, as it expands into other industries such as logistics, transport and media.
For journalists, Mr Gabay said the technology could be used to send high-definition footage from locations back to the office without needing much of the equipment that is used today.
"We can put our technology in a backpack and every journalist will be able to connect their camera to the backpack and live stream from the field ... We could also do partnerships with businesses like Panasonic to have our technology in-built in the camera," he said.
"Another example of what we'll be targeting is autonomous and connected cars. We believe these vehicles will require high bandwidth and a high-resolution camera."
RPost Predicts European Regulators have Forever Transformed the … – Yahoo Finance
RPost Predicts European Regulators have Forever Transformed the Market for Email Encryption
The European General Data Protection Regulation's Steep Fines are Predicted to Change the Email Encryption Market to be Centered on "Auditable Proof" of Encrypted Transmission
LONDON, UNITED KINGDOM--(Marketwired - April 27, 2017) - RPost, a leader in the email encryption market, predicts that The European General Data Protection Regulation (GDPR) will forever transform the email encryption market in Europe, in that businesses will be compelled not only to transmit information securely, but also to retain auditable proof of compliant, secure email delivery. For many businesses, the latter driver will require them to change email encryption services altogether.
Auditable proof of encryption compliance will be what is needed to deal with the potential of accusations of data breach; particularly when the fines prove to be as steep as the regulators have declared they will be.
"Sending email encrypted or through secure transmissions will soon become the norm in Europe -- but for those businesses dealing in consumer information that make a lot of money, a 'claim' that a message was sent securely may not be enough to mitigate risk of huge fines," states RPost's CEO Zafar Khan. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) calls for penalties of up to 4% of global turnover or 20 million Euros, whichever is higher. "Considering the potential of a fine tied to a percentage of global turnover, risk managers should begin to appreciate a record of 'proof of data privacy compliance'; better yet, proof on a message by message basis. For a decade, our RMail service has been providing not only simple-to-use email encryption, but also has been focused on encrypting for compliance -- providing auditable proof of fact of data privacy compliance with a returned Registered Receipt(TM) evidentiary record for every encrypted message sent."
RPost predicts the market will shift from one of encrypting to protect strategic secrets to one of encrypting for business compliance. With such a shift, organizations will gravitate towards encryption providers that can meet this key area of need -- auditable proof of compliant, secure email delivery.
The United States has had heightened awareness of data privacy regulations for several years, and as a result, a higher percentage of business users encrypt for compliance in the US market (79%) versus solely to protect strategic secrets (19%). In the United Kingdom market, the reasons to encrypt are different -- those that encrypt to protect strategic secrets (43%) and for privacy compliance (56%) are about even. (Data is based on RPost's 2017 end user survey respondents filtered for the US and UK markets).
RPost predicts growth in the market for encryption for business compliance and a corresponding focus on retaining auditable proof of compliance such as that provided by RMail's Registered Receipt(TM) record.
About RPost
The global leader in secure and certified electronic communications, RPost has helped businesses enhance their security, compliance, and productivity for more than a decade. RPost is the creator of the patented Registered Email(TM) technology, which provides email senders with Legal Proof evidence of delivery, time of delivery, and exact message content in the form of a Registered Receipt(TM) email record. Since inventing Registered Email technology in 2000, RPost has successfully commercialized four software platforms -- RMail, RSign, RForms, and RPostal -- used by more than 25 million people throughout the world for email tracking, certified e-delivery proof, email encryption, e-signatures, and more.
CONTACT INFORMATION
Elizabeth Kopple ekopple@rpost.com
This announcement is distributed by NASDAQ OMX Corporate Solutions on behalf of NASDAQ OMX Corporate Solutions clients.
The issuer of this announcement warrants that they are solely responsible for the content, accuracy and originality of the information contained therein. Source: RPost via GlobeNewswire HUG#2099451
View post:
RPost Predicts European Regulators have Forever Transformed the ... - Yahoo Finance
As Journalists Seek Encryption, SecureDrop Proves a Challenge – Folio Magazine
A look inside the anonymizing software protecting sources across the magazine industry.
If you want to reach Thomas Fox-Brewster, you'd best be prepared to download new software. In his Twitter bio, Fox-Brewster, a security reporter for Forbes, lists a series of codes which will allow anyone with a tip to covertly reach out through an encrypted channel. It might seem inconveniently picky, even a potential obstacle to reaching sources, but Fox-Brewster is among the growing ranks of journalists who have ditched insecure communication techniques in favor of tools like Signal and Ricochet.
Encryption has become increasingly common for journalists hoping to get the next big story by assuring sources that their identities stay secret while their secrets go public. There are many options to choose from, some open source and others proprietary, with no consensus on any standard. This leaves newsrooms to fend for themselves as they try to protect people with secrets without making it too difficult for such whistleblowers to come forward.
Last Thursday, Wired became the latest magazine to publicize its use of SecureDrop, which allows whistleblowers and leakers to anonymously send documents and messages to media organizations without identifying or traceable information. This comes one month after Forbes adopted the program, and four years after The New Yorker took the technology public.
Compared to applications like Signal and Ricochet, which are used in conjunction with smart phones and personal computers, SecureDrop might be the most secure way to leak documents. But its setup is complex and its yield so far has been low, a steep consideration as some news organizations spend up to $3,000 in new hardware, and $10,000 in support contracts with the Freedom of the Press Foundation, which manages the SecureDrop project.
"SecureDrop can be a little bit intensive," Harlo Holmes, director of newsroom digital security at the Freedom of the Press Foundation, tells Folio:. "Source protection is really difficult to begin with. This is one way that is addressing that problem head on."
THE MOTHER OF INVENTION
SecureDrop was first conceived in 2011 by famed programmer and activist Aaron Swartz at the request of Kevin Poulsen, an editor at Wired.
"There's a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist's source," Poulsen wrote in 2013. "With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards."
The tool has seen a resurgence since the election of President Donald Trump, who has publicly threatened to prosecute government employees who leak documents to the press. However, the origins of SecureDrop harken back to WikiLeaks and Obama-era strong-arming by the Department of Justice to get journalists to identify confidential sources.
With SecureDrop, there's nothing to identify. Journalists are as ignorant of their sources as the Department of Justice itself. While this creates its own issues in terms of authentication, it frees up reporters from external pressure to reveal sources. This is in contrast to a phone call, which can be tapped or traced through phone companies, or apps like Facebook Messenger; Facebook is explicit in its willingness to reveal the content of messages when faced with a valid search warrant.
"In an age of pervasive internet surveillance, traditional tools like email and phone calls are no longer enough to safely link reporters and their contacts. The most sensitive sources need a more secure channel, one that's encrypted and anonymous by default," senior writer Andy Greenberg wrote in last week's announcement about Wired adopting SecureDrop.
A SLOW START
The New Yorker was the first magazine to publicize its use of the system in 2013, then under the name Strongbox. It's since been followed by The Intercept, ProPublica, and The New York Times, publications known for their extensive investigative reporting. The Nation will also join later this year.
While many publications embrace the publicity as a means of coaxing tipsters, others prefer to keep their use, well, anonymous. The perils of an open inbox might include an influx of bizarre messages, or in the case of The New Yorker, endless poetry and cartoon submissions, according to Holmes.
Michael Luo, editor of NewYorker.com and a former investigative editor at The New York Times, says that while he's a big fan of the system, it has yet to pay off. Eric Lach, the site's deputy news editor, checks the system every few days, but it hasn't led to any stories.
"We're certainly getting tips, but nothing incredibly useful," Luo tells Folio:. "Why is that? I guess I feel like, at this point, The New Yorker is not necessarily the front-of-mind outlet for those kinds of leaked documents and data, in the way that The Times and ProPublica, for example, are."
Elsewhere in the mediasphere, however, stories are trickling in. Last week, Vice's Motherboard published a story about people who spy on their loved ones, informed by data obtained through SecureDrop. In February, Gizmodo published a recording of Trump discussing trade tariffs with Wilbur Ross, a then-nominee for Secretary of Commerce.
"The proposals came during an apparent phone conversation that was captured on video and provided to Gizmodo via SecureDrop, a portal permitting whistleblowers and sources to reach us while remaining anonymous," the article reads.
INSIDE THE MACHINE
One of the difficulties with SecureDrop is that it requires more work on behalf of the source than just downloading an app, or picking up a phone.
To discreetly share documents or messages with a participating newsroom, tipsters must download Tor, a software program which allows users to circumvent existing tracing mechanisms that reveal location and other information. Tor is best known as an entry port for the Dark Web, a difficult-to-access set of websites which sometimes facilitate illegal activities, such as the hiring of hitmen.
Not everyone seeking anonymity is a murderer, however. Tor is often seen as the best bet for sources inside the government or corporations who wish to share information which is of public interest, but puts the source at risk in their personal or professional lives.
Sources are given a random code name which acts as a passcode. They can use this name to reaccess messages at a later date. This code name is different than the name that appears for the journalists on the other side.
For the newsroom, however, things are more difficult to set up. The Foundation combats this flaw with a sliding pay scale for technical support and training. "We know that not every news organization that wants to support public interest journalism is going to be as well funded as The Washington Post," says Holmes.
For-profit institutions are asked to pay $10,000 for a year of support, which covers installation (performed in office by Freedom of the Press Foundation staff), the training of journalists and IT, and the setup of a SecureDrop landing page, in accordance with the Foundation's best practices. This contract also covers ongoing support. Media organizations are expected to pay the Foundation's travel expenses as well.
Since SecureDrop is open source (and therefore free), newsrooms can conceivably set up the system themselves, even using repurposed hardware. For these companies, the Foundation offers a year of support and training for $5000.
While it doesn't matter which specific hardware is used, the Foundation provides recommendations in the range of $2000–$3000 per setup.
A fully functioning newsroom setup requires a server to run the application itself; a server to monitor the health of the first server; a dedicated firewall to keep SecureDrop separate from the rest of the newsroom's traffic; computers with the operating system Tails, on which the reporters can view the documents securely; a separate computer (generally well-guarded) which hosts a user interface on which a specific set of editors (usually only one or two) can review submissions; and USB sticks to transfer the documents from the well-guarded computer to the viewing station, and from the viewing station to a normal computer, where the journalist eventually prepares the documents for publication.
SecureDrop is notoriously challenging to use and takes dedication within a newsroom to check it diligently and respond. "But it's pretty good now for what we've got, and it's only going to get better," Holmes says.
Though SecureDrop was built by and for the magazine industry, several other pieces of software are popular with journalists due to their differing levels of security and ease of use.
Signal
Signal is a secure call and messaging app, run by volunteers and grant-funded programmers under the moniker Open Whisper Systems. It's open source and free to use.
Signal is like WhatsApp for the fearful. Users download an app, which then uses the phone's existing number and contact book. All messages are encrypted on both sides, which means that Open Whisper Systems can't see your messages, though communication is not anonymous between users. The good news is, with end-to-end encryption, Open Whisper Systems has nothing to share with law enforcement should they request message transcripts.
Ricochet
Ricochet is a machine-specific instant messaging system which operates through Tor. The free and open-source software is encrypted end-to-end, and anonymized, which means your computer does not know where the messages are coming from.
Contacts are added through a specific serial code which is visible and shareable with other users. However, contact relationships are device specific and don't run through servers or networks.
Open PGP
Open PGP (Pretty Good Privacy) is a non-proprietary email encryption software which can be used in conjunction with Windows, Mac and Android mailbox tools, as well as many others. Like the other services, Open PGP uses end-to-end encryption, which makes it difficult for emails to be read if they are intercepted.
Read the original:
As Journalists Seek Encryption, SecureDrop Proves a Challenge - Folio Magazine