Group items tagged

"Apple has warned the UK government that proposals in the draft Investigatory Powers Bill to demand technology firms weaken encryption would make the data of millions of law-abiding citizens less secure and make it easier for hackers to "cause chaos"."

"Astonishingly, even as the UK government praises end-to-end encryption abroad, it is undermining it at home. The Online Safety Bill, which continues to proceed through parliament after being mentioned in the Queen's Speech, will target platforms that use end-to-end encryption by "placing a duty of care on service providers within the scope of the draft bill to moderate illegal and harmful content on their platforms, with fines and penalties for those that fail to uphold this duty". "

"One of the biggest arguments against mandating backdoors in encryption is the fact that, even if you trust the United States government never to abuse that power (and who does?), other criminal hackers and foreign governments will be able to exploit the backdoor to use it themselves. A backdoor is an inherent vulnerability that other actors will attempt to find and try to use it for their own nefarious purposes as soon as they know it exists, putting all of our cybersecurity at risk. "

"In case you're wondering what could be wrong with entrusting secret keys to the government for use "in exceptional circumstances", just ponder this: a few months ago, hackers (suspected to be Chinese) stole the personnel records of 21.5 million US federal employees, including the records of every person given a government background check for the last 15 years."

"The government is introducing some amendments in time for the report stage on 12 July, with another batch to be announced shortly after. Under one confirmed change, tech firms will be required to shield internet users from state-sponsored disinformation that poses a threat to UK society and democracy. This is a tightening of existing proposals on disinformation in the bill, which already require tech firms to take action on state-sponsored disinformation that harms individuals - such as threats to kill. Another confirmed amendment is equally incremental. A clause in the bill aimed at end-to-end encrypted services already gives Ofcom the power to require those platforms to adopt "accredited technology" to detect child sexual abuse and exploitation [CSEA] content. If that doesn't work, then they must use their "best endeavours" to develop or deploy new technology to spot and remove CSEA. This move appears to be aimed at Mark Zuckerberg's plans to introduce end-to-end encryption on Facebook Messenger and Instagram."

"But ISPs in the USA and Thailand have been caught sabotaging STARTTLS, interrupting the negotiation between mail-servers to prevent the encryption bit from being turned on, leaving millions of peoples' email liable to snooping by crooks, governments, spies and others. "

"According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their phones. The tools can slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where. Such a system could help the government invisibly quash the ongoing protests - or those of tomorrow - an expert who reviewed the SIAM documents told The Intercept."

""Nothing in this bill ensures the security of that data, either. Instead it turns every business providing telecommunications in or to the United Kingdom into an attack vector. The best way to guarantee the safety of user data is for it to not exist. Our national security will be significantly enhanced if we store less data, not more, and increase the use of strong cryptography, rather than reducing it.""

"The software is made by BlackBag Technologies, an American company that was bought last year by Cellebrite of Israel. Both companies also make other sophisticated tools to infiltrate locked or encrypted devices and suck out their data, including location-tracking information."

"If someone sees the police approaching, they can press a button on their phone to start recording. Footage is uploaded in real time to the cloud using military-grade encryption, so that if the phone is damaged or confiscated during an interaction with police, the footage is preserved."

"A new strain of ransomware has been targeting government agencies and educational institutions in the United States, through scam emails that pretend to be something important. The malware, dubbed as 'MarsJoke' by Proofpoint security researchers, reportedly began a large-scale email campaign which distributed the cryptomalware last week. The developers are sending out emails which seems to be masked as a message from an airline company."

"Given the government's obsession with passing cybersecurity legislation, you would think they'd be happy that Apple and Google are making it harder for foreign governments and criminals to break into people's phones or company servers to steal your data. But you'd be forgetting that the head of the FBI and his fellow fear-mongerers are still much more concerned with making sure they retain control over your privacy, rather than protecting everyone's cybersecurity."

"Silent Circle, a secure communications company founded by PGP creator Phil Zimmerman, has pre-emptively shut down its secure, encrypted email service and destroyed the servers so that it cannot be forced to reveal its customers' secrets to NSA spooks. "

"Many services retain the data they harvest indefinitely, and some have been caught storing (and losing) the data without encryption: for example, in 2017 the Greater Manchester Police were found to have lost data from victims of violent and sexual crimes, which had been stored unencrypted on DVDs and sent through the post."

"Mozilla has announced it will make the tool, called DNS-over-HTTPS, or DoH, the default for all users in the US."

"Employees worry that, should Signal fail to build policies and enforcement mechanisms to identify and remove bad actors, the fallout could bring more negative attention to encryption technologies from regulators at a time when their existence is threatened around the world. "The world needs products like Signal - but they also need Signal to be thoughtful," said Gregg Bernstein, a former user researcher who left the organization this month over his concerns. "It's not only that Signal doesn't have these policies in place. But they've been resistant to even considering what a policy might look like.""

"Telegram, a messaging app created by the reclusive Russian exile Pavel Durov, is suited to running protests for a number of reasons. It allows huge encrypted chat groups, making it easier to organise people, like a slicker version of WhatsApp. And its "channels" allow moderators to disseminate information quickly to large numbers of followers in a way that other messaging services do not; they combine the reach and immediacy of a Twitter feed, and the focus of an email newsletter. The combination of usability and privacy has made the app popular with protestors (it has been adopted by Extinction Rebellion) as well as people standing against authoritarian regimes (in Hong Kong and Iran, as well as Belarus); it is also used by terrorists and criminals. In the past five years, Telegram has grown at a remarkable speed, hitting 60 million users in 2015 and 400 million in April this year. "

"Service providers, including many ORG members, will be required to do this through the imposition of a "duty of care" - a concept awkwardly borrowed from health & safety - which will require them to monitor the integrity of their services not by objective technical standards, but by subjective "codes of practice" on both illegal and legal content. Although the framework has been drawn up with large American social media platforms in mind, it would apply to any site or service with UK users which hosts user-generated content. A blog with comments will be fair game. An app with user reviews will be fair game. "

"The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself."

"Ransomware analysts offered several possible explanations for why the master key has now appeared. It is possible Kaseya, a government entity, or a collective of victims paid the ransom. The Kremlin in Russia also might have seized the key from the criminals and handed it over through intermediaries, experts said."