rpg.pbem.online

Items tagged with: encryption

Derp.

Defense Department To Congress: 'No, Wait, Encryption Is Actually Good; Don't Break It'

"As Senate Judiciary Committee Chair Lindsey Graham has continued his latest quest to undermine encryption with a hearing whose sole purpose seemed to be to misleadingly argue that encryption represents a 'risk to public safety'. The Defense Department has weighed in to say that's ridiculous. As you may recall, the DOJ and the FBI have been working overtime to demonize encryption and pretend -- against nearly all evidence -- that widespread, strong encryption somehow undermines its ability to stop criminals."

"However, it appears that other parts of the government are a bit more up to date on these things. Representative Ro Khanna has forwarded a letter to Senator Graham that he received earlier this year from the Defense Department's CIO Dana Deasy, explaining just how important encryption actually is. The letter highlights how DoD employees rely on the kind of strong encryption found on mobile devices and in VPN services to protect the data of their employees, both at rest (on the devices) and in transit (across the network)."

#encryption #surveillance #privacy #cybersecurity
 
A former general counsel for the FBI seems to understand reality:

https://www.lawfareblog.com/rethinking-encryption

#encryption
 
"Justice Department officials have long pushed for some sort of backdoor to permit warranted surveillance and searches of encrypted communications. Recently, that push has been taken international with Attorney General William Barr and his counterparts from the United Kingdom and Australia making an open plea to Facebook to delay plans to use end-to-end encryption across all the company's messaging tools."

"Now, the Department of Justice and Federal Bureau of Investigations are attempting to get an even larger international consensus on banning end-to-end encryption by way of a draft resolution authored by officials at the FBI for the International Criminal Police Organization's 37th Meeting of the INTERPOL Specialists Group on Crimes against Children. The event took place from November 12 to November 15 at INTERPOL headquarters in Lyon, France."

"A draft of the resolution viewed by Ars Technica stated that INTERPOL would 'strongly urge providers of technology services to allow for lawful access to encrypted data enabled or facilitated by their systems' in the interest of fighting child sexual exploitation. Currently, it is not clear whether Interpol will ultimately issue a statement."

#encryption #privacy #surveillance
 
"The Department of Justice wants access to encrypted consumer devices, but promises not to infiltrate business products or affect critical infrastructure. Yet that's not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement."

#cybersecurity #encryption #surveillance
 

The Encryption Debate Is Over - Dead At The Hands Of Facebook who will control the WhatsApp end-to-end encryption on your device


If either user’s device is compromised, unbreakable encryption is of little relevance. This is why surveillance operations typically focus on compromising end devices, bypassing the encryption debate entirely. If a user’s cleartext keystrokes and screen captures can be streamed off their device in real-time, it matters little that they are eventually encrypted for transmission elsewhere. Facebook announced earlier this year preliminary results from its efforts to move a global mass surveillance infrastructure directly onto users’ devices where it can bypass the protections of end-to-end encryption.

In Facebook’s vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user’s device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as a true wiretapping service. This allows them to intercept your messages and pass them on to any 3rd party without you knowing.

So be very wary when you hear a vendor touting end-to-end encryption. What you want to ask is two questions:
1. Am I the only one who has the encryption/decryption key, can I use my own key?
2. If I lose my password can the vendor reset it for me so I can see my messages? If the answer is yes then the vendor has a decryption key.

You either have true user-owned end-to-end encryption or you do not. There is no half-security. You're secure or you are not secure.

See https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/

#security #facebook #encryption
The Encryption Debate Is Over - Dead At The Hands Of Facebook

The sad reality of the encryption debate is that after 30 years it is finally over: dead at the hands of Facebook.

https://gadgeteer.co.za/node/3403
 

Personally, I don't use WhatsApp, primarily because it is owned by Facebook (who I don't trust), but also because of this.

'Five Eyes' nations discuss backdoor access to WhatsApp

"British, American and other intelligence agencies from English-speaking countries have concluded a two-day meeting in London amid calls for spies and police officers to be given special, backdoor access to WhatsApp and other encrypted communications."

"The meeting of the 'Five Eyes' nations – the UK, US, Australia, Canada and New Zealand – was hosted by new home secretary, Priti Patel, in an effort to coordinate efforts to combat terrorism and child abuse."

"Dealing with the challenge faced by increasingly effective encryption was one of the main topics at the summit, officials said, at a time when technology companies want to make their services more secure after a range of security breaches."

"The meetings, however, were held in private with no agenda being made public, making it difficult to conclude exactly what had been discussed by the ministers, officials and intelligence agencies from the countries involved."

#WhatsApp #encryption #subversion #cybersecurity #privacy #surveillance
 
I work in mobile app development and the technology out there to spy on you is pretty insane. There is a whole industry for snooping and reselling data. Here are some examples.

There are several SDKs (software development kits) that offer fingerprinting identity services. Meaning, when someone opens your app, it checks their device ID, IP address, GPS location, email address, etc. and makes a match to an identity. You then use this SDK to track their behavior in your app, such as purchases, interests, demographics, preferences, etc. This data is stored along with all the other apps that use the SDK. Now as an upsell, I can buy all of your behavior data from every other app that uses the same service. From the moment you install the app I know everything about you.

There are SDKs that don’t even offer a service, they just straight up pay the app maker to let their agent sit and collect data and send it up to their servers. Mostly location data.

My favorite is there’s an SDK that actually records the screen while you use the app, and the video gets sent up to the server for the app maker to see how you use their app in real time. It also tracks all of your views, swipes, and button presses tied to the video for analytics.

Basically, you should assume that every moment you are using an internet connected device, you are being observed, scrutinized, and analyzed so that someone can sell you more shit.

They are really good at this, and getting better every year. You think Facebook is listening to your microphone to serve you ads at the moment you are discussing a product? They don’t need to. They know you that well.

Edit: A lot of people are asking for specific examples of this monitoring tech. There are a ton of small players. So an example of location tracking is Tamoco. An example of behavior tracking is Branch.io (they don't advertise the data mining, but it's a back-end deal). And session monitoring is AppSee or HotJar. There are many more that I haven't heard of.

There are a ton of data resellers out there. They're typically small startups who buy and sell data, and they compete on having the most comprehensive and clean data sets. We get approached by a data reseller maybe once a month, either trying to buy our data or sell us data.

Edit: A lot of people are flippant about this idea because you "don't click on ads" or you "don't buy anything". There are people who aren't interested in just selling you products. How about voting for a particular political candidate, or for/against a ballot measure? How about selling you a particular world view? Propaganda is just like advertising, they're just selling you an idea instead of a product.
#android #ios #programming #development #app #apps #phone #smartphone #sdk #hotjar #facebook #appsee #branch.io #tamoco #surveillance #privacy #encryption
 
I agree with Ron Wyden.

US attorney general William Barr says Americans should accept security risks of encryption backdoors

"In a rebuttal, Sen. Ron Wyden (D-OR) said the attorney general’s remarks were 'outrageous, wrongheaded and dangerous'."

"'If we give this attorney general and this president the unprecedented power to break encryption across the board burrow into the most intimate details of every American’s life – they will abuse those powers', the senator said."

#encryption #surveillance #privacy #fourthamendment
 
Quote of the day:

"It's been said before, but this is not a debate. There is no debate. There is no "on the one hand, on the other hand." There is no "privacy v. security." This is "no privacy and weakened security v. actual privacy and actual security." There's literally no debate to be had here. If you understand the issues, encryption is essential, and any effort to take away end-to-end encryption is outlawing technology that keeps everyone safe."

Via Here We Go Again: Trump Administration Considers Outlawing Encryption

#encryption #privacy #cybersecurity #surveillance
 

White House weighs encryption crackdown


HN Discussion: https://news.ycombinator.com/item?id=20305176
Posted by traderjane (karma: 406)
Post stats: Points: 115 - Comments: 137 - 2019-06-28T15:19:15Z

#HackerNews #crackdown #encryption #house #weighs #white
 
"Tech giants, civil society groups and Ivy League security experts have condemned a proposal from Britain’s eavesdropping agency as a 'serious threat' to digital security and fundamental human rights."

"In an open letter to GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp have jointly urged the U.K. cybersecurity agency to abandon its plans for a so-called 'ghost protocol'."

"It comes after intelligence officials at GCHQ proposed a way in which they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users."

#UK #cybersecurity #surveillance #privacy #humanrights #encryption
 

It is unlikely that built-in email encryption will ever be available in Gmail


Gmail once promised that it will become end-to-end encrypted by default. Unfortunately, this is not going to happen. While it is possible to encrypt certain emails in Gmail with PGP, Google can still…
Article word count: 683

HN Discussion: https://news.ycombinator.com/item?id=19440336
Posted by wil_I_am_27 (karma: 311)
Post stats: Points: 129 - Comments: 42 - 2019-03-20T09:23:14Z

#HackerNews #available #built-in #email #encryption #ever #gmail #that #unlikely #will
Article content:




Two years ago, [1]Google silently handed the project E2EMail, which was started to enable easy end-to-end encryption in Gmail via a browser extension, to "the open source community". Since then the [2]GitHub project has been literally dead.

Three years earlier, Google had announced that they are building an end-to-end encrypted Chrome plugin to automatically encrypt emails between Gmail users.

Promise to add email encryption tool to Gmail was marketing move

Five years later, we can conclude that promising easy email encryption in Gmail to millions of users was only a marketing move after the Snowden revelations in 2013. While the E2EMail project would have been a great tool for millions of people to automatically adopt end-to-end encryption, it has been buried by Google when they did not see its marketing benefits anymore.

"The real message is that they’re not actively developing this as a Google project anymore," said cryptography expert Matthew Green [3]to Wired. "It’s definitely a bit of a disappointment, given how much hype Google generated around this project at one point, to see that they’re not pursuing this as a core feature of Gmail," Green says.

Making email encryption easy is hard

Google officially said that they had not abandoned their move towards encryption. However, they explained that developing easy email encryption is much harder than one might think.

It is difficult to make encrypted emails interoperable with different clients as well as to design the key exchange in an easy-to-use fashion. Issues that are already known to any PGP user, and that didnʼt disappear when Google wanted to add a PGP-based plugin to Chrome.

Nevertheless, ending a project that would have brought end-to-end encrypted emails to Gmail users around the world shows where Googleʼs real interests are: Not in protecting their usersʼ private data, but in harvesting it for their own benefit.

No automatic email encryption in Gmail

Google leaves the question on how to encrypt an email to the user. However, adding an option for email encryption to Gmail remains as complicated as with any other email service: Users need to enable PGP support in their email clients, must generate and manage their own keys and make sure that these keys are kept safe on their devices. Even then, mobile email encryption is basically impossible.

Google wants to leave the final decision about whether or not to make use of encryption to the user, but cryptography expert [4]Matthew Green criticizes this harshly via Twitter, calling it a "self-serving decision":
Google in 2007: HTTPS? That should be the userʼs choice. 

 Google in 2017: End-to-end encryption? Really ought to be the userʼs choice.

While easy email encryption is a must to make sure no-one can read your personal information, this option will never become available to Gmail users.

The more people use email encryption, the better

We at Tutanota are disappointed that E2EMail is dead. We believe in our right to privacy and fight for it with automatic email encryption ourselves. If Gmail had adopted automatic end-to-end encryption, this would have made a huge difference to todayʼs level of security online. It would have made the Internet so much more secure to millions of users and would have made illegal mass surveillance online impossible.

Unfortunately, Googleʼs move to abandon E2EMail shows us once again that we should not trust large organizations with our private information. Maybe it was illusional from the start to believe that a company so focused on mining user data and posting targeted ads would suddenly start protecting its usersʼ right to privacy with built-in end-to-end encryption in Gmail.

If we want to really protect our privacy, we have to take matters into our own hands. And this is exactly what we have been doing at Tutanota these past couple of years: Building easy-to-use end-to-end encrypted email, free for anyone. In Tutanota your entire mailbox is encrypted so that no-one - not even our developers - can read your personal emails.

Stop waiting for Google, [5]start using encrypted mail now!

If you want to take back your privacy completely, read our recommendations on [6]how to leave Google behind.

References

Visible links
1. https://security.googleblog.com/2017/02/e2email-research-project-has-left-nest_24.html
2. https://github.com/e2email-org/e2email
3. https://www.wired.com/2017/02/3-years-gmails-end-end-encryption-still-vapor
4. https://twitter.com/matthew_d_green/status/836657565794721792/photo/1
5. https://mail.tutanota.com/signup
6. https://tutanota.com/blog/posts/how-to-leave-google-gmail
