Category Archives: Encryption
Google helps put aging SHA-1 encryption out to pasture – Engadget
Breaking SHA-1 has been a goal of security researchers for quite a while, so it's quite a feather in Google's cap to be first with a public collision. (It's possible, though, that the NSA, Russians or others have had one that they've kept under wraps.) The team said that the collision "is one of the largest computations ever completed," so Google's cloud infrastructure was an indispensable part of that.
There's no great danger for users. Google Chrome, Microsoft's Edge, Firefox and all other major browsers already flag HTTPS sites whose certificates are signed with SHA-1 as insecure with a big red warning -- so very few sites still rely on it for verifying digital content. The team won't release the attack code (dad-jokingly called "SHAttered") for 90 days, in order to give affected sites time to deal with it.
Also, even though Google's attack is 100,000 times faster than a brute-force search, finding a SHA-1 collision still requires serious computing horsepower. Google says a brute-force collision search would take 12 million GPUs a full year, while the "SHAttered" attack takes about 110 GPU-years (110 GPUs running for a year). For now, then, you'd still need a supercomputer or server farm (or a bot farm) to produce one in a reasonable amount of time. Note that this is a collision attack, where both documents are chosen by the attacker; it is not a way to forge a matching hash for an existing document someone else created.
As a proof of concept, Google is hosting two PDFs with different content but the same SHA-1 hash, and has supplied the public with a free detection tool. It had a lot of motivation to be first with a collision. It led the movement to deprecate SHA-1 because its advertising business relies heavily on secure sites and ad platforms -- making the discovery a giant "I told you so" of sorts.
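The PDF pair described above works because SHA-1 is a Merkle-Damgård hash: once two distinct blocks drive the internal chaining value to the same state, any identical data appended afterwards keeps the final hashes equal, so one colliding block pair yields a whole family of colliding documents that share a prefix and a suffix. The following added example (written for this page; it is not Google's SHAttered code or its detection tool) reproduces that layout with a toy Merkle-Damgård hash whose 16-bit state is small enough to collide by birthday search in milliseconds. The block size, state size, initial value and the "%PDF-1.3 demo header" / "shared trailer" sample bytes are constructed, illustrative choices.

```python
import hashlib
import itertools

# Added example, not SHAttered code: a toy Merkle-Damgard hash with a 16-bit
# chaining value. SHA-1 has the same structure with a 160-bit state and
# 64-byte blocks; only the sizes here are toy choices.
BLOCK = 4          # bytes per message block
STATE_BYTES = 2    # bytes of chaining value (16 bits -> ~2^8 work per collision)
IV = 0x5A17        # arbitrary initial chaining value for the toy


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256(state || block) truncated to 16 bits."""
    digest = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the length (mod 256) as the last byte."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 1) % BLOCK)
    return padded + bytes([len(msg) % 256])


def chain(state: int, data: bytes) -> int:
    """Absorb whole blocks of data, starting from the given chaining value."""
    assert len(data) % BLOCK == 0, "chain() only consumes whole blocks"
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> int:
    """Hash an arbitrary-length message: pad, then iterate the compression function."""
    return chain(IV, pad(msg))


def find_collision_block_pair(prefix: bytes):
    """Birthday search: two distinct blocks that take the chaining value reached after
    `prefix` to the same next state. The prefix length must be a whole number of blocks."""
    state = chain(IV, prefix)
    seen = {}
    for n in itertools.count():
        blk = n.to_bytes(BLOCK, "big")
        out = compress(state, blk)
        if out in seen:
            return seen[out], blk      # earlier block with the same output, and this one
        seen[out] = blk


def build_colliding_documents(prefix: bytes, suffix: bytes):
    """Same layout as the SHAttered PDFs: shared prefix, differing collision blocks,
    shared suffix. Both documents have equal length, so their padding is identical and
    every chaining value after the collision blocks stays equal whatever the suffix is."""
    a, b = find_collision_block_pair(prefix)
    return prefix + a + suffix, prefix + b + suffix


def check_pair(doc_a: bytes, doc_b: bytes) -> dict:
    """What a detection tool reports for a collision pair: the weak hash agrees while a
    stronger hash (and a plain byte comparison) disagrees."""
    return {
        "contents_differ": doc_a != doc_b,
        "toy_hash_collides": toy_hash(doc_a) == toy_hash(doc_b),
        "sha256_differs": hashlib.sha256(doc_a).digest() != hashlib.sha256(doc_b).digest(),
    }


if __name__ == "__main__":
    # Constructed sample inputs; the prefix is 20 bytes, a multiple of BLOCK.
    doc_a, doc_b = build_colliding_documents(b"%PDF-1.3 demo header", b"shared trailer")
    print(check_pair(doc_a, doc_b))
```

Running it reports contents_differ, toy_hash_collides and sha256_differs all True, which is exactly the signal a detection tool looks for: the weak hash agrees while a stronger hash disagrees. The extension property is also why the real attack only needed to find one colliding block pair inside the PDFs' shared structure rather than a collision over two whole files.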
Continued here:
Google helps put aging SHA-1 encryption out to pasture - Engadget
What It Means to Have an ‘Adult’ Conversation on Encryption – Pacific Standard
In 2017, we need to move past the debate over backdoors.
By Kevin Bankston
Since last summer, Federal Bureau of Investigation Director James Comey has been signaling his intent to make 2017 the year we have an "adult conversation" about encryption technology's impact on law enforcement investigations. He's probably going to get his wish, but if a new report from leaders in Congress is any indication, it's not going to be the conversation he wants. Rather, as that new report from the House working group investigating the encryption issue recognizes, having the adult conversation about encryption means talking about how law enforcement can adapt to a world where encryption is more common, rather than wrongheadedly forcing the technology to adapt to law enforcement's needs.
To Comey, being adult about encryption apparently means agreeing with his conclusion that the existence of unbreakable encryption (for example, the full-disk encryption that protects your iPhone against anyone who doesn't have your passcode, or the end-to-end encryption that protects your iMessages and WhatsApp texts as they cross the Internet) poses an unacceptable threat to law and order. Being an adult, to Comey, means accepting the argument that technology companies should design their products to ensure that the government can access any data it needs in an investigation, whether by building (in the words of his opponents) a "backdoor" into strongly encrypted products, or by not deploying that encryption in the first place. Being an adult, to Comey, means supporting efforts to legally require tech companies to ensure government access, if they won't do it voluntarily.
When Comey insists that we haven't yet had the adult conversation on this issue, he's insulting everyone who has disagreed with him, which is almost everyone who's voiced an opinion on the subject, that disagreement flowing in an endless stream of expert white papers (issued by adult institutions like the Massachusetts Institute of Technology and Harvard University), editorials, coalition letters, Congressional testimony, National Academies of Sciences proceedings, and more.
Ever since this latest debate over encryption was first sparked in the fall of 2014, when Apple announced that new iPhones would be completely encrypted by default (a debate that peaked with last year's court fight between Apple and the FBI over the locked iPhone of one of the San Bernardino shooters), the clear consensus among experts has been that any kind of mandate on companies to weaken their products' security to ensure government access to encrypted data would be devastating to cybersecurity and to the international competitiveness of United States tech companies. It would also be futile, since U.S. companies don't have a monopoly on the technology, making it trivial for bad guys to obtain strong encryption products, no matter what Congress does. These are the exact same arguments that won the day in the Crypto Wars of the '90s, when a similar policy debate over encryption arose.
Importantly, it's not just privacy advocates and privacy-minded tech experts making these arguments. Opposition to backdoors has been voiced by leaders from the national security and law enforcement establishment (all of them indisputably adults!), such as former NSA director and Director of National Intelligence Mike McConnell, former NSA and CIA Director Michael Hayden, former DHS secretary Michael Chertoff, and, in agreement with his fellow members of President Obama's handpicked Review Group on Intelligence and Communications Technologies, former acting CIA Director Michael Morell. And that's just the Michaels! The list of expert adults that have disagreed with Comey at this point is staggeringly long.
Despite that broad consensus, Senators Richard Burr and Dianne Feinstein floated draft legislation last year that would broadly require any provider of any encrypted product or service to be able to produce any encrypted data on demand. Although that bill was almost universally panned at the time, Comey is probably hoping that similar legislation will have a better chance this year, especially if he has the support of a new Attorney General and a new President who appear to share his views, rather than being held back by an Obama administration that chose not to pursue a legislative solution. (Notably, the fact that the Trump administration seems likely to support backdoors is all the more ironic and hypocritical considering this week's report that high-level Trump aides, along with key staff for Hillary Clinton, Barack Obama, and many other political figures, are now using the end-to-end encrypted messaging app Signal for fear of being hacked.)
Still, Comey likely will not get his wish, because the long list of people who disagree with him just got longer: As Congress was preparing to depart for its winter holiday, a House Congressional working group tasked with examining the issue of encryption technology's impact on law enforcement issued a year-end report that signaled a major shift in the crypto debate. The working group, established in May as a collaboration between members of the House Judiciary Committee and the House Energy & Commerce Committee, had spent many months meeting with law enforcement, the intelligence community, privacy advocates, security experts, and tech companies, to help guide its bipartisan investigation. The report, signed off on by ten House members including the top Republican and top Democrat on each of the two investigating committees, came to an unequivocal conclusion: Congress should not weaken this vital technology because doing so works against the national interest, but should instead work to help law enforcement find new ways to adapt to the changing technological landscape.
In particular, the report's authors arrived at four observations, echoing the arguments of Comey's prior opponents: Weakening encryption goes against the national interest because it would damage cybersecurity and the tech economy; encryption is widely available and often open source, such that U.S. legislation would not prevent bad actors from using the technology; there is no one-size-fits-all fix for the challenges that encryption poses for law enforcement; and greater cooperation and communication between companies and law enforcement will be important going forward and should be encouraged. As next steps, they suggest further investigation into avenues other than backdoors that can help address the challenges that encryption poses to government investigators, including working to ensure that all levels of law enforcement have the information and technical capacity they need to make full use of the wide variety of data that is available to them even without backdoors.
In other words, the key committees in the House that have jurisdiction over the encryption issue have sent a clear signal to Comey, and to his allies in the Senate like Feinstein and Burr: Sorry, but the House is definitely not interested in legislating to require backdoors. How else can we help you? Though news of the report was somewhat buried due to the holiday timing, that signal has now been heard loud and clear across Washington, DC. The House does not want to waste any more time on childish bickering over backdoors that essentially everyone but the FBI agrees are a bad idea. In 2017, it wants to have the adult conversation that moves beyond backdoors.
Let's hope Comey is listening.
Read the rest here:
What It Means to Have an 'Adult' Conversation on Encryption - Pacific Standard
Confide in me! Encryption app leaks sensitive info from Washington DC – SC Magazine UK
Encryption app leaks sensitive info
An encrypted messaging app called Confide is being used in Washington DC by White House staffers to leak embarrassing or sensitive information.
Since US President Donald Trump's inauguration, a steady stream of leaks has come out of the White House, including reports of national security adviser Michael Flynn's unauthorised talks with Russia.
On Thursday, US President Donald Trump vowed to prosecute leakers. "We are looking into this very seriously. It's a criminal act," Trump said. He has reportedly ordered an internal investigation to identify how sensitive information about his calls with foreign leaders and national security matters made its way to the press.
Messages sent via the Confide app are automatically deleted, leaving virtually no paper trail.
According to Jon Brod, cofounder and president of Confide, once messages are read, they vanish without a trace. "The message is gone forever, it's deleted from our servers, you can't archive, print it, save it, cut and paste it. Again, just like the spoken word, it disappears," Brod said.
"The message self-destructs so I can't go back in and try to piece together a number of screenshots into the actual message, and it notifies both the sender and the recipient that a screenshot was attempted," Brod continued.
White House staffers, and possibly other government officials and business executives, worried about being caught leaking information to the media have adopted this app.
"They are likely violating the law if they are revealing that information through any means, whether it's through an email or through a disappearing chat app," said Carrie Cordero, a former national security lawyer at the Justice Department.
Confide's privacy features won't totally protect leakers, since the app still requires them to register their identities.
"Sometimes these apps give users a false confidence that they will never be able to be traced," said Cordero. "And although the communication in this particular app might disappear, that doesn't mean that the user is necessarily not able to be traced in any way."
Some security researchers are doubtful about Confide's cryptography, since the app is not open source and may use old protocols. Confide's encryption is closed source and proprietary, so no one outside the company knows what's going on within the app. The company says its encryption protocol is based on the PGP standard and that the app's network connection security relies on recommended best practices.
"One key is always, do you make code publicly available that's been audited where features have been inspected by the security community so that it can arrive at some consensus," says Electronic Frontier Foundation legal fellow Aaron Mackey. "My understanding with Confide, at least right now, is that it's not clear whether that's occurred."
Since its inception in 2013, Confide has seen a spike in usage after key security events took place such as the Celebgate scandal, the Sony Pictures hack in 2014, the Russian group leak of thousands of emails belonging to the DNC in 2016 and, of course, the 2016 US presidential election.
Using an encrypted messaging app such as Confide can pose legal concerns. It is the user's responsibility to make sure they abide by the law and use the app strictly for personal communications.
See the original post here:
Confide in me! Encryption app leaks sensitive info from Washington DC - SC Magazine UK
World Wide Web Creator Calls for Internet Decentralization & Encryption – The Data Center Journal
When the World Wide Web was created in 1989 by Tim Berners-Lee, its purpose was for the web technology to be available to everyone, always, without any patents or royalties. Recently, as the Internet becomes more and more centralized, the creator of the Web and other people at its heart have started calling for a revolution in order to rethink the way the Internet works.
A lot has happened in the years of the Internet's existence, but the pattern is clear: the tool that was meant to bring a profound advance for liberty is too often used by governments and corporations as a means of control. Russia and the UK, for example, have passed new intrusive surveillance laws, and China and Vietnam block major websites from their citizens; users are tracked by corporations and advertisers, and their data is sold to third parties; Internet giants like Google and Facebook wield great power over the data of Internet users worldwide.
Tim Berners-Lee publicly speaks against such invasive surveillance laws as the UK's Snoopers' Charter. According to him and other web activists, the only way to restore the Internet's original purpose is decentralization and encryption. Some of the so-called Web 3.0 projects are already attracting investors with their promise of more privacy and security.
Blockstack is a startup that is working on open-source software to create a kind of parallel web, one powered by the bitcoin blockchain. It hopes to give users more control of their data by avoiding storage with any third parties. Later this year, Blockstack is planning to release software that will allow surfing this alternative Internet with a regular browser. Its users will generate data by using various services, but the data will not be stored in any of those services' databases.
Another example of an initiative aimed at decentralizing the web is MaidSafe, a startup which has spent a decade building a decentralized p2p network that now lets users create safe websites, store data, host websites and more.
Web 3.0, which could be defined as a platform for decentralized apps, might be the future of the Internet, since the idea of decentralization is gaining popularity in the mainstream developer community. Until then, Internet users must be careful about their Internet privacy, and take the initiative to implement available encryption tools.
There are already many ways to encrypt one's Internet activities: secure email service providers, such as ProtonMail, or encrypted messaging apps, such as Signal.
One of the must-have encryption services is a VPN (Virtual Private Network). A VPN encrypts all traffic between a user's computer and the VPN server inside a secure tunnel. It is important to choose a VPN, like NordVPN, that doesn't keep any customer logs, offers secure encryption protocols and advanced security solutions like DoubleVPN. A VPN hides a user's IP address from the sites they visit, disguising their real location, thus giving the user an extra layer of protection online from unwanted security threats and/or surveillance. Note that the tunnel ends at the VPN server: traffic beyond it is protected only by the destination's own encryption (HTTPS, for example), and the VPN provider itself is in a position to see that traffic, which is why the provider's logging policy matters.
At the moment, encryption, be it via encrypted email, messaging or VPN technology, remains the most secure tool available to protect one's online privacy and security.
For more information, please visit http://www.nordvpn.com.
World Wide Web Creator Calls for Internet Decentralization & Encryption was last modified: February 21st, 2017 by Press Release
Read the original:
World Wide Web Creator Calls for Internet Decentralization & Encryption - The Data Center Journal
Encryption Apps Help White House Staffers Leakand Maybe Break the Law – WIRED
In the four tumultuous weeks since President Donald Trump's inauguration, the White House has provided a steady stream of leaks. Some are mostly innocuous, like how Trump spends his solitary hours. Others, including reports of national security adviser Michael Flynn's unauthorized talks with Russia, have proven devastating. In response, Trump has launched an investigation, and expressed his displeasure in a tweet: "Why are there so many illegal leaks coming out of Washington?"
The answer may have to do with uncertainty and unrest inside the administration, as well as the president's ongoing attacks against the intelligence community. But it doesn't hurt that every White House and Congressional staffer has tools to facilitate secure communication in their pocket or bag. Specifically, multiple reports indicate that Republican operatives and White House staffers are using the end-to-end encrypted messaging app Confide, which touts disappearing messages and anti-screenshot features, to chat privately without a trace.
The ability to communicate without fear of reprisal may have helped illuminate the Trump administration's darkest corners. But at the same time, anonymity rings alarms for transparency advocates. The same technology that exposes secrets also enables them, a tension that's not easy to resolve.
Confide launched in 2013 as a secure app for executives looking to trade gossip and talk shop without creating a digital trail. The service uses a proprietary encryption protocol, what the company describes as "military-grade end-to-end encryption." Its marquee feature, self-destructing messages, appears on similar services like Snapchat, but Confide's appeal lies in its promise of more robust protections.
It's worth noting, though, that unlike other secure messaging apps, like standard-bearer Signal, Confide's encryption is closed source and proprietary, meaning no one outside the company knows what's going on under the hood of the app. Company president Jon Brod says that Confide bases its encryption protocol on the widely used PGP standard, and that the app's network connection security relies on recommended best practices like Transport Layer Security (TLS). Brod did not respond to questions, though, about whether Confide has ever opened its code base to be independently audited by a third party.
"One key is always, do you make code publicly available that's been audited where features have been inspected by the security community so that it can arrive at some consensus," says Electronic Frontier Foundation legal fellow Aaron Mackey. "My understanding with Confide, at least right now, is that it's not clear whether that's occurred."
Confide's also not the only option in play; EPA workers have reportedly turned to Signal to discuss how to cope with an antagonistic Trump administration, to the agitation of Republican representatives.
No matter what the method, though, encrypted chat appears to have become a staple among political operatives, which happens to raise a whole host of legal questions.
Using an app like Confide for personal communications, like keeping in touch with family members or coordinating gym trips with coworkers, is within bounds. It also, according to a recent Washington Post report, has enabled vital leaks to the media.
At this point it's still possible that politicos are legitimately using Confide for personal purposes. "I know people who use [Confide], but I don't know anyone who's using it who shouldn't be using it," says Scott Tranter, a founder of the political data consultancy Optimus. "The people who I know use it because it's secure messaging."
It's sometimes not easy, though, to separate personal conversations from those that are work-related. Where those lines blur, legal concerns arise.
"If these apps are being used by White House staff, it raises very disturbing questions about compliance with the Presidential Records Act specifically, and more broadly the Federal Records Act," says David Vladeck, a communications and technology law researcher at Georgetown Law School. "The whole point of these statutes is to assure that our nation's history is neither lost nor manufactured, and the kinds of apps that obliterate the messages are completely incompatible with that and at odds with the law."
Confide puts the onus on its users to walk a legal line. "We expect people to use Confide in a way that complies with any regulation that may be relevant to their particular situation," says Brod.
Encryption itself isn't the issue. End-to-end encrypted communication can coexist with the goals of public disclosure laws, so long as someone retains the decryption key. Using strong security for sensitive government communications makes sense and is appropriate if the parties sending and receiving the communications can still archive them.
But disappearing messages are definitionally communications that are difficult, if not impossible, to record. Plus, it's hard to assess how people are using a communication service like Confide if there's no record of anything they ever sent. "Since Confide is explicitly designed to eliminate a paper trail, its use creates at least the appearance of misconduct, if not the reality," says Allison Stanger, a cybersecurity fellow at the New America Foundation. "Those who wanted to lock up Hillary Clinton for the use of a private email server should be very concerned about this practice."
It's a tough act to balance. Encryption-enabled leaks help hold administrations accountable, a clear public good. The challenge is preserving that level of secrecy without creating black holes where public records should be.
Read more here:
Encryption Apps Help White House Staffers Leakand Maybe Break the Law - WIRED
WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature – 9 to 5 Mac
WhatsApp is introducing a new feature in its app called Status that uses a similar format to Snapchat Stories, TechCrunch reports. Like messaging through WhatsApp, however, Status will bring end-to-end encryption to the popular format.
WhatsApp describes the new status feature as easy to use and secure:
"We are excited to announce that, coinciding with WhatsApp's 8th birthday on February 24, we are reinventing the status feature. Starting today, we are rolling out an update to status, which allows you to share photos and videos with your friends and contacts on WhatsApp in an easy and secure way. Yes, even your status updates are end-to-end encrypted."
Previously, WhatsApp's status feature was simply text-based, like older chat clients. The new version uses rich media and annotations much like Snapchat Stories. WhatsApp is owned by social network giant Facebook, which similarly introduced a Snapchat Stories clone last year through Instagram.
While the new status feature is billed as secure, the security of WhatsApp's encryption was called into question last month. WhatsApp denied reports that a backdoor had been built in for governments to access chat logs.
Earlier this month, WhatsApp took steps to improve account security with the roll out of two-step verification for users.
WhatsApp is rolling out the new feature now. WhatsApp for iOS is a free download on the App Store.
Read the original here:
WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature - 9 to 5 Mac
GOP demands inquiry into EPA use of encrypted messaging apps – CNET
The Signal app uses end-to-end encryption to send messages that only the intended recipient can read.
Some members of Congress are demanding an investigation into the Environmental Protection Agency's use of texting and encrypted chat apps like Signal.
Encryption scrambles data so that only a person holding the correct key can read it. Tech firms and privacy advocates argue that encryption is essential to secure personal information and communications. The government and law enforcement officials counter that encryption hurts their ability to investigate criminal and terrorist activity.
Federal employees with concerns about the impact of President Donald Trump's administration have turned to encrypted messaging apps, new email addresses and other ways to coordinate their defense strategies, according to a report earlier this month from Politico.
That article and others prompted Rep. Darin LaHood, a Republican from Illinois, and Rep. Lamar Smith, a Republican from Texas, to send a letter to EPA Inspector General Arthur A. Elkins, Jr. asking him to "determine whether it's appropriate to launch a full-scale review" of EPA workers' use of encrypted apps. Smith serves as chairman of the Committee on Science, Space and Technology, while LaHood is vice chairman of the subcommittee on oversight on the Science, Space and Tech committee.
"Over the past few years, we have seen several examples of federal officials' circumventing Federal Records Act requirements and transparency generally," they wrote. "In this instance, the Committee is concerned that these encrypted and off-the-record communication practices, if true, run afoul of federal record-keeping requirements, leaving information that could be responsive to future Freedom of Information Act (FOIA) and congressional requests unattainable."
The letter requested a response from the Inspector General by February 28. The letter doesn't mean he is required to conduct a full investigation.
"The EPA OIG leadership is carefully reviewing yesterday's request from House Science Chairman Lamar Smith and Subcommittee Chairman Darin LaHood that the OIG review EPA employees' use of encrypted messaging applications to conduct official business," said the press office for the EPA Office of the Inspector General.
The EPA didn't immediately respond to CNET's request for comment.
Encryption gained a lot of scrutiny a year ago during Apple's public battle with the FBI over a request to help unlock an encrypted iPhone used in a terrorist attack. And after Democratic Party emails were hacked, Hillary Clinton and others working on her presidential campaign adopted Signal.
The letter on Wednesday cited a recent review from the EPA inspector general that found between July 1, 2014 and June 30, 2015, only 86 of the 3.1 million text messages sent or received on government-issued devices were preserved and archived as a federal record.
"Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using encrypted messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements," the letter said.
Update at 3:20 p.m. PT: Adds comment from EPA Office of the Inspector General.
Follow this link:
GOP demands inquiry into EPA use of encrypted messaging apps - CNET