Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) introduced the Lawful Access to Encrypted Data Act yesterday. It seeks to bring back the Crypto Wars of the 1990s by crippling encryption with the introduction of backdoors.
Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.
”Adds little to the security of the communications of the ordinary user.” That’s the level of contempt these people have for the rest of us.
After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.
The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.
Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”
Good to see Zoom do this.
Andrew Orr joins host Kelly Guimont to discuss Security Friday news including a new ransomware attack and some alternative DNS options.
IBM has released a toolkit for iOS and macOS to help developers easily add homomorphic encryption to their programs.
While the technology holds great potential, it does require a significant shift in the security paradigm. Typically, inside the business logic of an application, data remains decrypted, Bergamaschi explained. But with the implementation of FHE, that’s no longer the case — meaning some functions and operations will change.
In other words, “There will be a need to rewrite parts of the business logic,” Bergamaschi said. “But the security that you gain with that, where the data is encrypted all the time, is very high.”
If you haven’t added homomorphic encryption to your technology watch list, be sure to do so. As I wrote in the past, this type of encryption lets a company perform computations on data while still keeping that data encrypted.
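To make the "computation on data that stays encrypted" idea concrete, here is an added example (not IBM's toolkit or the page's own code) using the Paillier scheme, which is additively homomorphic rather than fully homomorphic: a party holding only the public key can add and scale encrypted values, and only the key holder can read the result. The primes are constructed, toy-sized and insecure, chosen purely so the arithmetic is easy to follow.

```python
import math
import random

# Constructed demo primes (far too small for real use; deployments use 1024+ bits).
P, Q = 10007, 10009


def keygen(p=P, q=Q):
    """Paillier key generation: public key (n, g), private key (lam, mu)."""
    n = p * q
    g = n + 1                                           # standard choice of g
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    l_val = (pow(g, lam, n * n) - 1) // n               # L(x) = (x - 1) / n
    mu = pow(l_val, -1, n)                              # modular inverse
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt integer m in [0, n) with fresh randomness r; no private key needed."""
    n, g = pub
    n_sq = n * n
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:                          # r must be a unit mod n
        r = random.randrange(1, n)
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    """Only the holder of (lam, mu) can recover the plaintext."""
    n, _ = pub
    lam, mu = priv
    l_val = (pow(c, lam, n * n) - 1) // n
    return (l_val * mu) % n


def add_encrypted(pub, c1, c2):
    """Untrusted side: multiplying ciphertexts encrypts the sum of plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Untrusted side: raising a ciphertext to k encrypts k times the plaintext."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_sum(values):
    """Client encrypts; a party without the private key sums; client decrypts."""
    pub, priv = keygen()
    total = encrypt(pub, values[0])
    for v in values[1:]:
        total = add_encrypted(pub, total, encrypt(pub, v))  # server never sees v
    return decrypt(pub, priv, total)
```

The business-logic change the article describes is visible in `add_encrypted` and `scale_encrypted`: the operation applied is a modular product or power, not the plus or times the plaintext logic would have used.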
We have a deal on a 2-year subscription to HideMyAss, a VPN featuring 256-bit AES encryption and a strict no logging policy. The subscription is good for unlimited installs with up to 5 connections at once, and 2-years is $79.99 through our deal.
Recently released for customers, the new Cryptomator 1.5.0 update gives us a redesigned user interface, dark mode, and a new code structure.
Researchers found that Zoom uses its own encryption scheme, sometimes using keys issued by China.
Some of the key management systems — 5 out of 73, in a Citizen Lab scan — seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. The two Citizen Lab researchers, Bill Marczak and John Scott-Railton, live in the United States and Canada. During a test call between the two, the shared meeting encryption key “was sent to one of the participants over TLS from a Zoom server apparently located in Beijing,” according to the report.
I don’t have further commentary on Zoom, other than asking, “How will this end?”
Along with recent news that Zoom sent your data to Facebook (although it stopped), now we learn that its video calls don’t use end-to-end encryption, despite the company marketing it as such.
…But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.
It just keeps getting worse for Zoom. It’s unfortunate the company has chosen such tactics, because it really is one of the better video calling apps out there.
Andrew found seven Apple alternatives to use if you don’t want your data shared with the FBI, including Bitwarden, Cryptomator, and more.
A flaw found in Intel chips lets attackers decrypt your hard drive, among other things. It can’t be fixed, only mitigated with patches.
Introduced by Senators Lindsey Graham and Richard Blumenthal, the EARN IT Act would force companies to “earn” protection from Section 230 to fight online child exploitation.
Though it seems wholly focused on reducing child exploitation, the EARN IT Act has definite implications for encryption. If it became law, companies might not be able to earn their liability exemption while offering end-to-end encrypted services. This would put them in the position of either having to accept liability or remove encryption protections altogether.
My linked teaser from yesterday was separate from the EARN IT Act, but together they show that companies are being coerced on two fronts.
Let’s Encrypt announced on Saturday, February 29 that it discovered a bug in its Certification Authority Authorization (CAA) code.
Sir Andrew Parker is the head of MI5, the UK’s domestic security service. He wants tech firms to provide “exceptional access” to encrypted messages.
In an ITV interview to be broadcast on Thursday, Sir Andrew Parker says he has found it “increasingly mystifying” that intelligence agencies like his are not able to easily read secret messages of terror suspects they are monitoring.
Bah, this is smoke and mirrors. As the head of a security agency, he knows that restricting backdoors to the good guys is impossible.
Starting today, Firefox will begin rolling out support for encrypted DNS over HTTPS for U.S.-based users.
We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings, then General, then scroll down to Networking Settings and click the Settings button on the right. Here you can enable DNS over HTTPS by clicking, and a checkbox will appear.
You can choose between Cloudflare and NextDNS. As I mentioned in my roundup of DNS services, I’ve been using NextDNS for the past couple weeks and I love it.
Andrew Orr joins host Kelly Guimont for Security Friday, discussing a new data breach and keeping your ISP from selling your web history.
Two phrases that you’ll often hear in security are “bank-level security” and “military-grade encryption.” But what do they mean?
In certain areas of the U.S., some AT&T users found they couldn’t access their inboxes in the encrypted email app Tutanota.
Starting on January 25th 2020, we have had constant complaints from AT&T mobile users who were unable to access their encrypted Tutanota mailbox. While AT&T seemed willing to fix this when we reached out to them, the issue is still not solved and reports from users keep coming in.
While some AT&T users confirmed the block, others said that they were able to access Tutanota. As AT&T has not fixed the issue after more than two weeks, we are reaching out publicly in the hope of getting the attention of the right people at AT&T.
Signal creator Moxie Marlinspike is growing the Signal Foundation and adding new features to the app thanks to money from WhatsApp cofounder Brian Acton.
Since then, Marlinspike’s nonprofit has put Acton’s millions—and his experience building an app with billions of users—to work. After years of scraping by with just three overworked full-time staffers, the Signal Foundation now has 20 employees. For years a bare-bones texting and calling app, Signal has increasingly become a fully featured, mainstream communications platform. With its new coding muscle, it has rolled out features at a breakneck speed…
I wish I could use Signal but none of my friends use it.
Four years ago a federal judge held Francis Rawls in contempt when he refused to decrypt hard drives for police.
The practical result is that, at least in federal court, someone can only be imprisoned for 18 months for refusing to open an encrypted device. That’s probably a harsh-enough penalty to induce most people to comply with decryption orders. But suspects in child-pornography cases might be tempted to “forget” the passwords on their encrypted device if doing so could save them from a conviction and a much longer prison term.
What an interesting case, and I remember reading about it four years ago. I wonder if the court was trying to set a precedent for passwords and the Fifth Amendment.