Group items tagged

Less than a week after the attacks in Paris — while the public and policymakers were still reeling, and the investigation had barely gotten off the ground — Cy Vance, Manhattan’s District Attorney, released a policy paper calling for legislation requiring companies to provide the government with backdoor access to their smartphones and other mobile devices. This is the first concrete proposal of this type since September 2014, when FBI Director James Comey reignited the “Crypto Wars” in response to Apple’s and Google’s decisions to use default encryption on their smartphones. Though Comey seized on Apple’s and Google’s decisions to encrypt their devices by default, his concerns are primarily related to end-to-end encryption, which protects communications that are in transit. Vance’s proposal, on the other hand, is only concerned with device encryption, which protects data stored on phones. It is still unclear whether encryption played any role in the Paris attacks, though we do know that the attackers were using unencrypted SMS text messages on the night of the attack, and that some of them were even known to intelligence agencies and had previously been under surveillance. But regardless of whether encryption was used at some point during the planning of the attacks, as I lay out below, prohibiting companies from selling encrypted devices would not prevent criminals or terrorists from being able to access unbreakable encryption. Vance’s primary complaint is that Apple’s and Google’s decisions to provide their customers with more secure devices through encryption interferes with criminal investigations. He claims encryption prevents law enforcement from accessing stored data like iMessages, photos and videos, Internet search histories, and third party app data. He makes several arguments to justify his proposal to build backdoors into encrypted smartphones, but none of them hold water.

Before addressing the major privacy, security, and implementation concerns that his proposal raises, it is worth noting that while an increase in use of fully encrypted devices could interfere with some law enforcement investigations, it will help prevent far more crimes — especially smartphone theft, and the consequent potential for identity theft. According to Consumer Reports, in 2014 there were more than two million victims of smartphone theft, and nearly two-thirds of all smartphone users either took no steps to secure their phones or their data or failed to implement passcode access for their phones. Default encryption could reduce instances of theft because perpetrators would no longer be able to break into the phone to steal the data.

Vance argues that creating a weakness in encryption to allow law enforcement to access data stored on devices does not raise serious concerns for security and privacy, since in order to exploit the vulnerability one would need access to the actual device. He considers this an acceptable risk, claiming it would not be the same as creating a widespread vulnerability in encryption protecting communications in transit (like emails), and that it would be cheap and easy for companies to implement. But Vance seems to be underestimating the risks involved with his plan. It is increasingly important that smartphones and other devices are protected by the strongest encryption possible. Our devices and the apps on them contain astonishing amounts of personal information, so much that an unprecedented level of harm could be caused if a smartphone or device with an exploitable vulnerability is stolen, not least in the forms of identity fraud and credit card theft. We bank on our phones, and have access to credit card payments with services like Apple Pay. Our contact lists are stored on our phones, including phone numbers, emails, social media accounts, and addresses. Passwords are often stored on people’s phones. And phones and apps are often full of personal details about their lives, from food diaries to logs of favorite places to personal photographs. Symantec conducted a study, where the company spread 50 “lost” phones in public to see what people who picked up the phones would do with them. The company found that 95 percent of those people tried to access the phone, and while nearly 90 percent tried to access private information stored on the phone or in other private accounts such as banking services and email, only 50 percent attempted contacting the owner.

The National Security Agency and its UK counterpart GCHQ have been developing capabilities to take advantage of "leaky" smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information across the internet, according to top secret documents.The data pouring onto communication networks from the new generation of iPhone and Android apps ranges from phone model and screen size to personal details such as age, gender and location. Some apps, the documents state, can share users' most sensitive information such as sexual orientation – and one app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger.Many smartphone owners will be unaware of the full extent this information is being shared across the internet, and even the most sophisticated would be unlikely to realise that all of it is available for the spy agencies to collect

Dozens of classified documents, provided to the Guardian by whistleblower Edward Snowden and reported in partnership with the New York Times and ProPublica, detail the NSA and GCHQ efforts to piggyback on this commercial data collection for their own purposes.Scooping up information the apps are sending about their users allows the agencies to collect large quantities of mobile phone data from their existing mass surveillance tools – such as cable taps, or from international mobile networks – rather than solely from hacking into individual mobile handsets. Exploiting phone information and location is a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities, for example by using phones as triggering devices in conflict zones. The NSA has cumulatively spent more than $1bn in its phone targeting efforts.The disclosures also reveal how much the shift towards smartphone browsing could benefit spy agencies' collection efforts.

Depending on what profile information a user had supplied, the documents suggested, the agency would be able to collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, marital status – options included "single", "married", "divorced", "swinger" and more – income, ethnicity, sexual orientation, education level, and number of children.The agencies also made use of their mobile interception capabilities to collect location information in bulk, from Google and other mapping apps. One basic effort by GCHQ and the NSA was to build a database geolocating every mobile phone mast in the world – meaning that just by taking tower ID from a handset, location information could be gleaned.A more sophisticated effort, though, relied on intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.So successful was this effort that one 2008 document noted that "[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

British and Canadian spy agencies accumulated sensitive data on smartphone users, including location, app preferences, and unique device identifiers, by piggybacking on ubiquitous software from advertising and analytics companies, according to a document obtained by NSA whistleblower Edward Snowden. The document, included in a trove of Snowden material released by Der Spiegel on January 17, outlines a secret program run by the intelligence agencies called BADASS. The German newsweekly did not write about the BADASS document, attaching it to a broader article on cyberwarfare. According to The Intercept‘s analysis of the document, intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies.

Programmers frequently embed code from a handful of such companies into their smartphone apps because it helps them answer a variety of questions: How often does a particular user open the app, and at what time of day? Where does the user live? Where does the user work? Where is the user right now? What’s the phone’s unique identifier? What version of Android or iOS is the device running? What’s the user’s IP address? Answers to those questions guide app upgrades and help target advertisements, benefits that help explain why tracking users is not only routine in the tech industry but also considered a best practice. For users, however, the smartphone data routinely provided to ad and analytics companies represents a major privacy threat. When combined together, the information fragments can be used to identify specific users, and when concentrated in the hands of a small number of companies, they have proven to be irresistibly convenient targets for those engaged in mass surveillance. Although the BADASS presentation appears to be roughly four years old, at least one player in the mobile advertising and analytics space, Google, acknowledges that its servers still routinely receive unencrypted uploads from Google code embedded in apps.

ne new email service promising "end-to-end" encryption launched on Friday, and others are being developed while major services such as Google Gmail and Yahoo Mail have stepped up security measures.A major catalyst for email encryption were revelations about widespread online surveillance in documents leaked by Edward Snowden, the former National Security Agency contractor."A lot of people were upset with those revelations, and that coalesced into this effort," said Jason Stockman, a co-developer of ProtonMail, a new encrypted email service which launched Friday with collaboration of scientists from Harvard, the Massachusetts Institute of Technology and the European research lab CERN.Stockman said ProtonMail aims to be as user-friendly as the major commercial services, but with extra security, and with its servers located in Switzerland to make it more difficult for US law enforcement to access.

"Our vision is to make encryption and privacy mainstream by making it easy to use," Stockman told AFP. "There's no installation. Everything happens behind the scenes automatically."Even though email encryption using special codes or keys, a system known as PGP, has been around for two decades, "it was so complicated," and did not gain widespread adoption, Stockman said.After testing over the past few months, ProtonMail went public Friday using a "freemium" model a basic account will be free with some added features for a paid account.

By locating in Switzerland, ProtonMail hopes to avoid the legal woes of services like Lavabit widely believed to be used by Snowden which shut down rather than hand over data to the US government, and which now faces a contempt of court order.Even if a Swiss court ordered data to be turned over, Stockman said, "we would hand over piles of encrypted data. We don't have a key. We never see the password."

The NSA’s spying on everyone’s metadata can tell them just about everything about us … and it violates our Constitutional right to freedom of association. But people are getting distracted from the big picture by focusing on metadata. As security expert Bruce Schneier wrote yesterday: What frustrates me about all of this — [the Privacy and Civil Liberties Oversight Board] report, the president’s speech, and so many other things — is that they focus on the bulk collection of cell phone call records. There’s so much more bulk collection going on — phone calls, e-mails, address books, buddy lists, text messages, cell phone location data, financial documents, calendars, [smartphone apps] etc. — and we really need legislation and court opinions on it all. But because cell phone call records were the first disclosure, they’re what gets the attention. Indeed, Schneier confirmed last October what we’ve been saying for years … don’t get too distracted by the details, because the government is spying on everything:

Honestly, I think the details matter less and less. We have to assume that the NSA has EVERYONE who uses electronic communications under CONSTANT surveillance. New details about hows and whys will continue to emerge …but the big picture will remain the same. He’s right. As just one example, there is substantial evidence from top NSA and FBI whistleblowers that the government is recording the content of our calls and emails … word-for-word. So what should we make of the government’s denials that it records content? Given that the government has been caught lying about spying again and again, I’m not sure how much weight we should give to such denials. NSA whistleblower Russ Tice notes: They’re collecting content … word-for-word. *** You can’t trust these people. They lie, and they lie a lot.

Spy agencies in Britain will be given the explicit right to hack into smartphones and computers as part of a new law being introduced by the Conservative government. Security services MI5, MI6 and GCHQ can already access electronic devices by exploiting software security vulnerabilities, but the legal foundation for the practice is under scrutiny.New powers laid out in the Investigatory Powers Bill, due to be introduced in Parliament next month, will give spies a solid legal basis for hacking into computer systems, according to the Times.The revelation has sparked criticism from human rights group Liberty, which accuses the government of giving spy agencies “unlimited potential” to act against citizens.The bill, which was announced in the Queens’ Speech following the general election, is likely to include the new Snooper’s Charter, according to privacy campaigners at the Open Rights Group.

British spies will be able to hack into a person’s “property” through backdoors in the software. Once inside, intelligence agents can install software that allows them operate microphones to eavesdrop on conversations and even control the camera to take photographs of targets.The government admitted in February that MI5, MI6 and GCHQ were hacking into computers, servers, routers and mobile phones using the Intelligence Services Act 1994, which does not give explicit authorization for such practices.Independent reviewer of terrorism legislation Dave Anderson QC recommended in June that new legislation be introduced to clarify give intrusive hacking a firm legal basis.Anderson said that hacking presents a “dizzying array of possibilities to the security and intelligence agencies.”While some methods are appropriate, “many are of the view that there are others which are so intrusive that they would require exceptional safeguards for their use to be legal … A debate is clearly needed,” he said.

The investigatory powers bill will give agents explicit powers to interfere with “property” once they have obtained a warrant from the home secretary.Digital evidence expert Peter Sommer said the powers circumvented encryption technology.“Increasingly, [intelligence agents] can’t read communications sent over the internet because of encryption, so their ability to get information from interception is rapidly diminishing. The best way around this is to get inside someone’s computer. This is an increasingly important avenue for them,” he told the Times.

When homeowners or businesses install solar panels, state laws ensure utility companies pay for unused electricity that is routed back into the power grid - a practice known as net metering.

Currently, 43 states and the District of Columbia have implemented net metering policies, some of which are more favorable than others, but all of which turn the power grid into a two-way street. More like this Rooftop solar electricity on pace to beat coal, oil Solar industry jobs are growing at 20 times the national rate U.S. utilities face up to $48B revenue loss from solar, efficiency on IDG Answers How well do solar smartphone chargers work? The cost of rooftop solar-powered electricity will be on par with prices for common fossil-fuel power generation in just two years, and the technology to produce it will only get cheaper, according to Deutsche Bank's leading solar industry analyst, Vishal Shah. As Americans have warmed to solar power and its ability to reduce electricity bills, utilities are suffering revenue losses and have been seeking ways to recoup that money. Over the past several years, state utility commissions and legislatures have pursued policies that reduce the benefits of adopting distributed solar power systems for homeonwers and businesses.

For example, Hawaiian Electric Co. Inc. this year asked the state's Public Utilities Commission to abolish its net metering policy because customers with photovoltaic panels aren't paying their fair share of maintenance costs. Indiana legislators are pushing bills to make it more costly for consumers there to go with solar by reducing tax credits awarded for it. Legislation, such as HB1320, introduced by Indiana state Rep. Eric Koch, a Republican, would compel fixed charges on customer bills and reduce tax credits. The bill comes as the solar industry is fighting to get on its feet in the Hoosier state. Koch, has said the bill's purpose is "to promote and grow net metering." Democratic state Rep. Matt Pierce said the bill "would effectively end net metering" by eliminating the incentive to deploy solar power.

Montreal (AFP) - A Canadian charged for refusing to give border agents his smartphone passcode was expected Thursday to become the first to test whether border inspections can include information stored on devices.Alain Philippon, 38, risks up to a year in prison and a fine of up to Can$25,000 (US$20,000) if convicted of obstruction.He told local media that he refused to provide the passcode because he considered information on his smartphone to be "personal."Philippon was transiting through the port city of Halifax on his way home from a Caribbean vacation on Monday when he was selected for an in-depth exam.

"Philippon refused to divulge the passcode for his cell phone, preventing border services officers from their duties," Canada Border Services Agency said in an email.The agency insists that the Customs Act authorizes its officers to examine "all goods and conveyances including electronic devices, such as cell phones and laptops."But, according to legal experts, the issue of whether a traveler must reveal the password for an electronic device at a border crossing has not been tested in court. "(It's) one thing for them to inspect it, another thing for them to compel you to help them," Rob Currie, director of the Law and Technology Institute at Dalhousie University, told public broadcaster CBC.Philippon is scheduled to appear in court on May 12.

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

But while the interviewer focused on the Skype revelation, I thought the most interesting part was the other claim, “that the National Security Agency already had pre-encryption stage access to email on Outlook.”  Say what??  They can see the plaintext on my computer before I encrypt it? That defeats any/all encryption methods. How could they do that? Bypass Encryption While most outside observers think the NSA’s job is cracking encrypted messages, as the Prism disclosures have shown, the actual mission is simply to read all communications. Cracking codes is a last resort.

The NSA has a history of figuring out how to get to messages before or after they are encrypted. Whether it was by putting keyloggers on keyboards and recording the keystrokes or detecting the images of the characters as they were being drawn on a CRT. Today every desktop and laptop computer has another way for the NSA to get inside. Intel Inside It’s inevitable that complex microprocessors have bugs in them when they ship. When the first microprocessors shipped the only thing you could hope is that the bug didn’t crash your computer. The only way the chip vendor could fix the problem was to physically revise the chip and put out a new version. But computer manufacturers and users were stuck if you had an old chip. After a particularly embarrassing math bug in 1994 that cost Intel $475 million, the company decided to fix the problem by allowing it’s microprocessors to load fixes automatically when your computer starts.

Starting in 1996 with the Intel P6 (Pentium Pro) to today’s P7 chips (Core i7) these processors contain instructions that are reprogrammable in what is called microcode. Intel can fix bugs on the chips by reprogramming a microprocessors microcode with a patch. This patch, called a microcode update, can be loaded into a processor by using special CPU instructions reserved for this purpose. These updates are not permanent, which means each time you turn the computer on, its microprocessor is reset to its built-in microcode, and the update needs to be applied again (through a computer’s BIOS.). Since 2000, Intel has put out 29 microcode updates to their processors. The microcode is distributed by 1) Intel or by 2) Microsoft integrated into a BIOS or 3) as part of a Windows update. Unfortunately, the microcode update format is undocumented and the code is encrypted. This allows Intel to make sure that 3rd parties can’t make unauthorized add-ons to their chips. But it also means that no one can look inside to understand the microcode, which makes it is impossible to know whether anyone is loading a backdoor into your computer.

According to documents viewed by SPIEGEL, America'a NSA intelligence agency put considerable efforts into spying on Chinese politicians and firms. One major target was Huawei, a company that is fast becoming a major Internet player.

The American government conducted a major intelligence offensive against China, with targets including the Chinese government and networking company Huawei, according to documents from former NSA worker Edward Snowden that have been viewed by SPIEGEL. Among the American intelligence service's targets were former Chinese President Hu Jintao, the Chinese Trade Ministry, banks, as well as telecommunications companies. But the NSA made a special effort to target Huawei. With 150,000 employees and €28 billion ($38.6 billion) in annual revenues, the company is the world's second largest network equipment supplier. At the beginning of 2009, the NSA began an extensive operation, referred to internally as "Shotgiant," against the company, which is considered a major competitor to US-based Cisco. The company produces smartphones and tablets, but also mobile phone infrastructure, WLAN routers and fiber optic cable -- the kind of technology that is decisive in the NSA's battle for data supremacy. A special unit with the US intelligence agency succeeded in infiltrating Huwaei's network and copied a list of 1,400 customers as well as internal documents providing training to engineers on the use of Huwaei products, among other things.

According to a top secret NSA presentation, NSA workers not only succeeded in accessing the email archive, but also the secret source code of individual Huwaei products. Software source code is the holy grail of computer companies. Because Huawei directed all mail traffic from its employees through a central office in Shenzhen, where the NSA had infiltrated the network, the Americans were able to read a large share of the email sent by company workers beginning in January 2009, including messages from company CEO Ren Zhengfei and Chairwoman Sun Yafang. "We currently have good access and so much data that we don't know what to do with it," states one internal document. As justification for targeting the company, an NSA document claims that "many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products." The agency also states concern that "Huawei's widespread infrastructure will provide the PRC (People's Republic of China) with SIGINT capabilities." SIGINT is agency jargon for signals intelligence. The documents do not state whether the agency found information indicating that to be the case.

Customers of Silent Circle’s encrypted mail service got an unfortunate surprise on Friday: all their messages had been deleted. The management  of Silent Circle, an encryption firm that specializes in smartphone communication, abruptly shut down their e-mail service yesterday, saying they were pre-empting the U.S. government from forcing them to hand over customer data. While they were confident they could protect text messages, voice calls and video calls, e-mail had always been less secure because it relied on standard Internet protocols. Yesterday’s catalyst was a competitor, Lavabit, whose founder announced he was shutting his email-hosting company down due to an apparent government investigation, and told Forbes on Friday: “If you knew what I knew about e-mail, you might not use it.” Edward Snowden had been a Lavabit user.

In conversations with The Washington Post over Barton Gellman and Ashkan Soltani's recent story on cellphone location tracking, an intelligence agency lawyer told Gellman, "obviously there is no Fourth Amendment expectation in communications metadata.” But some experts say it's far from obvious that the 1979 Supreme Court case on which the administration bases this view gives the government unfettered power to scoop up Americans' cellphone location data.

And there's some reason to believe that a majority of the current Supreme Court justices might agree with her on the location data aspect of metadata. The most recent Supreme Court case involving location tracking, United States v. Jones was settled on narrow trespassing grounds in 2012. But five Supreme Court justices signed on to concurring opinions that questioned whether Smith v. Maryland holds up in the face of modern technology.  An opinion concurring in judgment with the Jones decision written by Justice Samuel Alito, and joined by Justices Ruth Bader Ginsburg, Stephen Breyer and Elena Kagan specifically noted the prevalence of smartphones and argued that "the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy."

A separate concurring opinion from a fifth justice, Sonia Sotomayor made many of the same arguments, saying "fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties" -- and even went further by arguing that "awareness that the Government may be watching chills associational and expressive freedoms."

We just published a report on the state of adoption of Office 2013 And Productivity Suite Alternatives based on a survey of 155 Forrester clients with responsibility for those investments. The sample does not fully represent the market, but lets us draw comparisons to the results of our previous survey in 2011. Some key takeaways from the data:   One in five firms uses email in the cloud. Another quarter plans to move at some point. More are using Office 365 (14%) than Google Apps (9%).  Just 22% of respondents are on Office 2013. Another 36% have plans to be on it. Office 2013's uptake will be slower than Office 2010 because fewer firms plan to combine the rollout of Office 2013 with Windows 8 as they combined Office 2010 with Windows 7. Alternatives to Microsoft Office show little traction. In 2011, 13% of respondents supported open source alternatives to Office. This year the number is just 5%. Google Docs has slightly higher adoption and is in use at 13% of companies. 

Some time on Tuesday afternoon, about 50,000 Comcast Internet customers in Houston will become part of a massive public Wi-Fi hotspot network, a number that will swell to 150,000 by the end of June. Comcast will begin activating a feature in its Arris Touchstone Telephony Wireless Gateway Modems that sets up a public Wi-Fi hotspot alongside a residential Internet customer’s private home network. Other Comcast customers will be able to log in to the hotspots for free using a computer, smartphone or other mobile device. And once they log into one, they’ll be automatically logged in to others when their devices “see” them. Comcast says the hotspot – which appears as “xfinitywifi” to those searching for a Wi-Fi connection – is completely separate from the home network. Someone accessing the Net through the hotspot can’t get to the computers, printers, mobile devices, streaming boxes and more sitting on the host network. Comcast officials also say that people using the Internet via the hotspot won’t slow down Internet access on the home network. Additional capacity is allotted to handle the bandwidth. You can read more about Comcast’s reason for doing this in my report on HoustonChronicle.com.

What’s interesting about this move is that, by default, the feature is being turned on without its subscribers’ prior consent. It’s an opt-out system – you have to take action to not participate. Comcast spokesman Michael Bybee said on Monday that notices about the hotspot feature were mailed to customers a few weeks ago, and email notifications will go out after it’s turned on. But it’s a good bet that this will take many Comcast customers by surprise. If you have one of these routers and don’t want to host a public Wi-Fi hotspot, here’s how to turn it off.

The additional capacity for public hotspot users is provided through a separate channel on the modem called a “service flow,” according to Comcast. But the speed of the connection reflects the tier of the subscriber hosting the hotspot. For example, if you connect to a hotspot hosted by a home user with a 25-Mbps connection, it will be slower than if you connect to a host system on the 50-Mbps tier.