Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com) 203

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."
Ubuntu

Ask Slashdot: Ubuntu 18.04 LTS Desktop Default Application Survey 296

Dustin Kirkland, Ubuntu Product and Strategy at Canonical, writes: Howdy all- Back in March, we asked the HackerNews community, "What do you want to see in Ubuntu 17.10?": https://ubu.one/AskHN. A passionate discussion ensued, the results of which are distilled into this post: http://ubu.one/thankHN. In fact, you can check that link, http://bit.ly/thankHN and see our progress so far this cycle. We already have a beta code in 17.10 available for your testing for several of those:

- GNOME replaced Unity
- Bluetooth improvements with a new BlueZ
- Switched to libinput
- 4K/Multimonitor/HiDPI improvements
- Upgraded to Network Manager 1.8
- New Subiquity server installer
- Minimal images (36MB, 18% smaller)

And several others have excellent work in progress, and will be complete by 17.10:

- Autoremove old kernels from /boot
- EXT4 encryption with fscrypt
- Better GPU/CUDA support

In summary -- your feedback matters! There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing! Along with the switch from Unity to GNOME, we're also reviewing some of the desktop applications we package and ship in Ubuntu. We're looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality. We invite you to contribute by listing the applications you find most useful in Linux in order of preference.


Click through for info on how to contribute.
Encryption

Apple Flies Top Privacy Executives Into Australia To Lobby Against Proposed Encryption Laws (patentlyapple.com) 65

An anonymous reader quotes a report from Patently Apple: Last week Patently Apple posted a report titled "Australia proposed new Laws Compelling Companies like Facebook & Apple to Provide Access to Encrypted Messages." Days later, Australia's Prime Minister spoke about the encryption problem with the Australian press as noted in the video in our report. Now we're learning that Apple has flown in top executives to lobby Turnbull government on encryption laws. It sounds like a showdown is on the horizon. This is the second time this month that Apple has flown executives into Australia to lobby the government according to a Sydney publication. Apple executives met with Attorney-General George Brandis and senior staff in Prime Minister Malcolm Turnbull's office on Tuesday to discuss the company's concerns about the legal changes, which could see tech companies compelled to provide access to locked phones and third party messaging applications. Apple has argued in the meetings that as a starting point it does not want the updated laws to block tech companies from using encryption on their devices, nor for companies to have to provide decryption keys to allow access to secure communications. The company has argued that if it is compelled to provide a software "back door" into its phones to help law enforcement agencies catch criminals and terrorists, this would reduce the security for all users. It also says it has provided significant assistance to police agencies engaged in investigations, when asked. UPDATE 07/20/17: Headline has been updated to clarify that Apple is lobbying against the proposed encryption laws in Australia.
Communications

Amazon May Unveil Its Own Messaging App (engadget.com) 87

The messaging app field is as hot as ever with Apple, Facebook and Google (among others) slugging it out... and Amazon appears to want in on the action. From a report: AFTVnews claims to have customer survey info revealing that Amazon is working on Anytime, a messaging app for Android, iOS and the desktop that promises a few twists on the usual formula. It has mainstays like message encryption, video, voice and (of course) stickers, but it reportedly has a few hooks that would make it easy to sign up and participate in group chats. You would only need a name to reach out to someone, for one thing -- no WhatsApp-style dependence on phone numbers here. You only have to use Twitter-style @ mentions to bring people into conversations or share photos, and you can color-code chats to identify the most important ones. Naturally, there are app-like functions (such as group music listening and food ordering) and promises of chatting with businesses for shopping or customer service.
Australia

Crypto-Bashing Prime Minister Argues The Laws Of Mathematics Don't Apply In Australia (independent.co.uk) 329

An anonymous reader quotes the Independent:Australian Prime Minister Malcolm Turnbull has said the laws of mathematics come second to the law of the land in a row over privacy and encryption... When challenged by a technology journalist over whether it was possible to tackle the problem of criminals using encryption -- given that platform providers claim they are currently unable to break into the messages even if required to do so by law -- the Prime Minister raised eyebrows as he made his reply. "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia," he said... "The important thing is to recognise the challenge and call on the companies for assistance. I am sure they know morally they should... They have to face up to their responsibility."
Facebook has already issued a statement saying that they "appreciate the important work law enforcement does, and we understand the need to carry out investigations. That's why we already have a protocol in place to respond to any requests we can.

"At the same time, weakening encrypted systems for them would mean weakening it for everyone."
Australia

Australia To Compel Technology Firms To Provide Access To Encrypted Missives (reuters.com) 230

Australia on Friday proposed new laws to compel companies such as U.S. social media giant Facebook and device manufacturer Apple to provide security agencies access to encrypted messages. From a report: The measures will be the first in an expected wave of global legislation as pressure mounts on technology companies to provide such access after several terror suspects used encrypted applications ahead of attacks. Australia, a staunch U.S. ally, is on heightened alert for attacks by home-grown radicals since 2014 and authorities have said they have thwarted several plots, although Prime Minister Malcolm Turnbull said law enforcement needed more help. "We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Turnbull told reporters in Sydney. "The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm."
DRM

EFF Officially Appeals Tim Berners-Lee Decision On DRM In HTML (techdirt.com) 149

Last week, the World Wide Web Consortium (W3C) decided to officially recommend the use of Encrypted Media Extensions (EME) for protecting copyrighted video on the internet. This will enable web surfers to watch media in a browser that requires Digital Rights Management copy protection without the need for browser-based plugins. "It moves the responsibility for interaction from plugins to the browser," the consortium states at the time. "As such, EME offers a better user experience, bringing greater interoperability, privacy, security, and accessibility to viewing encrypted video on the web." TechDirt shares an update: It's been a foregone conclusion that EME was going to get approved, but there was a smaller fight about whether or not W3C would back a covenant not to sue security and privacy researchers who would be investigating (and sometimes breaking) that encryption. Due to massive pushback from the likes of the MPAA and (unfortunately) Netflix, Tim Berners-Lee rejected this covenant proposal. In response, W3C member EFF has now filed a notice of appeal on the decision. The crux of the appeal is the claimed benefits of EME that Berners-Lee put forth won't actually be benefits without the freedom of security researchers to audit the technology -- and that the wider W3C membership should have been able to vote on the issue. This appeals process has never been used before at the W3C, even though it's officially part of its charter -- so no one's entirely sure what happens next.
Electronic Frontier Foundation

The EFF's 'Let's Encrypt' Plans Wildcard Certificates For Subdomains (letsencrypt.org) 111

Long-time Slashdot reader jawtheshark shares an announcement from the EFF's free, automated, and open TLS certificate authority at LetsEncrypt.org: Let's Encrypt will begin issuing [free] wildcard certificates in January of 2018... A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.
58% of web traffic is now encrypted, Let's Encrypt reports, crediting in part the 47 million domains they've secured since December of 2015. "Our hope is that offering wildcards will help to accelerate the Web's progress towards 100% HTTPS," explains their web page, noting that they're announcing the wild card certificates now in conjunction with a request for donations to support their work.
Encryption

The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year (vice.com) 63

An anonymous reader shares a Motherboard report: Basic decade-old encryption technology is finally coming to Pentagon email servers next year. For years, major online email providers such as Google and Microsoft have used encryption to protect your emails as they travel across the internet. That technology, technically known as STARTTLS, isn't a cutting edge development -- it's been around since 2002. But since that time the Pentagon never implemented it. As a Motherboard investigation revealed in 2015, the lack of encryption potentially left some soldiers' emails open to being intercepted by enemies as they travel across the internet. The US military uses its own internal service, mail.mil, which is hosted on the cloud for 4.5 million users. But now the Defense Information Systems Agency or DISA, the Pentagon's branch that oversees email, says it will finally start using STARTTLS within the year, according to a letter from DISA. DISA's promise comes months after Senator Ron Wyden (D-Oregon) said he was concerned that the agency wasn't taking advantage of "a basic, widely used, easily-enabled cybersecurity technology."
Security

New Attack Can Now Decrypt Satellite Phone Calls in 'Real Time' (zdnet.com) 50

Chinese researchers have discovered a way to rapidly decrypt satellite phone communications -- within a fraction of a second in some cases. From a report on ZDNet: The paper, published this week, expands on previous research by German academics in 2012 by rapidly speeding up the attack and showing that the encryption used in popular Inmarsat satellite phones can be cracked in "real time." Satellite phones are used by those in desolate environments, including high altitudes and at sea, where traditional cell service isn't available. Modern satellite phones encrypt voice traffic to prevent eavesdropping. It's that modern GMR-2 algorithm that was the focus of the research, given that it's used in most satellite phones today. The researchers tried "to reverse the encryption procedure to deduce the encryption-key from the output keystream directly," rather than using the German researchers' method of recovering an encryption key using a known-plaintext attack. Using their proposed inversion attack thousands of time on a 3.3GHz satellite stream, the researchers were able to reduce the search space for the 64-bit encryption key, effectively making the decryption key easier to find. The end result was that encrypted data could be cracked in a fraction of a second.
Bitcoin

Petya Ransomware Authors Demand $250,000 In First Public Statement Since Attack (theverge.com) 59

An anonymous reader quotes a report from The Verge: The group responsible for last week's globe-spanning ransomware attack has made their first public statement. Motherboard first spotted the post, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates. Crucially, the message includes a file signed with Petya's private key, which is strong evidence that the message came from the group responsible for Petya. More specifically, it proves that whoever left the message has the necessary private key to decrypt individual files infected by the virus. Because the virus deleted certain boot-level files, it's impossible to entirely recover infected systems, but individual files can still be recovered. The message also included a link to a chat room where the malware authors discussed the offer, although the room has since been deactivated.
Security

Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com) 182

Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports: Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...

Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.

A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
Businesses

Despite Hacking Charges, US Tech Industry Fought To Keep Ties To Russia Spy Service (reuters.com) 69

The U.S. tech sector pushed the government to keep ties with Russia's spy agency, despite reports that Moscow meddled in the U.S. presidential election, Reuters reported Friday. The sanctions imposed on Russia by the Obama administration last December outlawed U.S. companies from having relationships with Russia's spy agency, the Federal Security Service (FSB), which presented a dilemma to Western tech companies. Reuters says, the FSB also acts as a regulator that approves the importing of technology to Russia that contains encryption, which is used in products such as cellphones and laptops. Joel Schectman, Dustin Volz and Jack Stubbs, reporting for Reuters: Worried about the sales impact, business industry groups, including the U.S.-Russia Business Council and the American Chamber of Commerce in Russia, contacted U.S. officials at the American embassy in Moscow and the Treasury, State and Commerce departments, according to five people with direct knowledge of the lobbying effort. The campaign, which began in January and proved successful in a matter of weeks, has not been previously reported. [...] The sanctions would have meant the Russian market was "dead for U.S. electronics" said Alexis Rodzianko, president of the American Chamber of Commerce in Russia, who argued against the new restrictions. "Every second Russian has an iPhone, iPad, so they would all switch to Samsungs," he said. [...] The lobbyists argued the sanction could have stopped the sale of cars, medical devices and heavy equipment, all of which also often contain encrypted software, according to a person involved in the lobbying effort. The goal of the sanctions was to sever U.S. business dealings with the FSB -- not end American technology exports to Russia entirely, the industry groups argued. "The sanction was against a government agency that has many functions, only one of them being hacking the U.S. elections," said Rodzianko.
Facebook

The Guardian Backtracks On WhatsApp 'Backdoor' Report (theguardian.com) 48

Five months after The Guardian published an investigative report, in which it found a "backdoor" in the Facebook-owned service, the publication is finally making amendments. The January report immediately stirred controversy among security experts, who began questioning The Guardian's piece. Weeks later, Zeynep Tufekci, a researcher and op-ed writer for the New York Times, published an open letter with over 70 major security researchers working at major universities and companies like Google condemning the story, and asking the publication to retract it.. Paul Chadwick, The Guardian's reader's editor, said "The Guardian was wrong to report last January that the popular messaging service WhatsApp had a security flaw so serious that it was a huge threat to freedom of speech." From his article: In a detailed review I found that misinterpretations, mistakes and misunderstandings happened at several stages of the reporting and editing process. Cumulatively they produced an article that overstated its case. The Guardian ought to have responded more effectively to the strong criticism the article generated from well-credentialled experts in the arcane field of developing and adapting end-to-end encryption for a large-scale messaging service. The original article -- now amended and associated with the conclusions of this review -- led to follow-up coverage, some of which sustained the wrong impression given at the outset. The most serious inaccuracy was a claim that WhatsApp had a "backdoor", an intentional, secret way for third parties to read supposedly private messages. This claim was withdrawn within eight hours of initial publication online, but withdrawn incompletely. The story retained material predicated on the existence of a backdoor, including strongly expressed concerns about threats to freedom, betrayal of trust and benefits for governments which surveil. In effect, having dialled back the cause for alarm, the Guardian failed to dial back expressions of alarm.
Australia

Australian Officials Want Encryption Laws To Fight 'Terrorist Messaging' (arstechnica.com) 195

An anonymous reader quotes Ars Technica: Two top Australian government officials said Sunday that they will push for "thwarting the encryption of terrorist messaging" during an upcoming meeting next week of the so-called "Five Eyes" group of English-speaking nations that routinely share intelligence... According to a statement released by Attorney General George Brandis, and Peter Dutton, the country's top immigration official, Australia will press for new laws, pressure private companies, and urge for a new international data sharing agreement amongst the quintet of countries... "Within a short number of years, effectively, 100 per cent of communications are going to use encryption," Brandis told Australian newspaper The Age recently. "This problem is going to degrade if not destroy our capacity to gather and act upon intelligence unless it's addressed"... Many experts say, however, that any method that would allow the government access even during certain situations would weaken overall security for everyone.
America's former American director of national intelligence recently urged Silicon Valley to "apply that same creativity, innovation to figuring out a way that both the interests of privacy as well as security can be guaranteed." Though he also added, "I don't know what the answer is. I'm not an IT geek, but I just don't think we're in a very good place right now."
Security

Anthem To Pay $115 Million In The Largest Data Breach Settlement Ever (cnet.com) 56

An anonymous reader quotes CNET: Anthem, the largest health insurance company in the U.S., has agreed to settle a class action lawsuit over a 2015 data breach for a record $115 million, according to lawyers for the plaintiffs. The settlement still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. And Anthem, which didn't immediately respond to a request for confirmation and comment, isn't admitting any admitting any wrongdoing, according to a statement it made to CyberScoop acknowledging the settlement.

But if approved, it would be the largest data breach settlement in history, according to the plaintiffs' lawyers, who announced the agreement Friday. The funds would be used to provide victims of the data breach at least two years of credit monitoring and to reimburse customers for breach-related expenses. The settlement would also guarantee a certain level of funding for "information security to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls," the plaintiff attorneys said.

The breach compromised data for 80 million people, including their social security numbers, birthdays, street addresses (and email addresses) as well as income data. The $115 million settlement averages out to $1.43 for every person who was affected.
Bug

Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) 47

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."
Security

Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com) 111

An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
Encryption

Equipment Already In Space Can Be Adapted For Extremely Secure Data Encryption (helpnetsecurity.com) 20

Orome1 quotes a report from Help Net Security: In a new study, researchers from the Max Planck Institute in Erlangen, demonstrate ground-based measurements of quantum states sent by a laser aboard a satellite 38,000 kilometers above Earth. This is the first time that quantum states have been measured so carefully from so far away. A satellite-based quantum-based encryption network would provide an extremely secure way to encrypt data sent over long distances. Developing such a system in just five years is an extremely fast timeline since most satellites require around 10 years of development. For the experiments, the researchers worked closely with satellite telecommunications company Tesat-Spacecom GmbH and the German Space Administration. The German Space Administration previously contracted with Tesat-Spacecom on behalf of the German Ministry of Economics and Energy to develop an optical communications technology for satellites. This technology is now being used commercially in space by laser communication terminals onboard Copernicus -- the European Union's Earth Observation Program -- and by SpaceDataHighway, the European data relay satellite system. It turned out that this satellite optical communications technology works much like the quantum key distribution method developed at the Max Planck Institute. Thus, the researchers decided to see if it was possible to measure quantum states encoded in a laser beam sent from one of the satellites already in space. In 2015 and the beginning of 2016, the team made these measurements from a ground-based station at the Teide Observatory in Tenerife, Spain. They created quantum states in a range where the satellite normally does not operate and were able to make quantum-limited measurements from the ground. The findings have been published in the journal Optica.
Encryption

Microsoft, Accenture Team Up On Blockchain-based Digital ID Network (reuters.com) 53

Accenture and Microsoft are teaming up to build a digital ID network using blockchain technology, as part of a United Nations-supported project to provide legal identification to 1.1 billion people worldwide with no official documents. From a report: The companies unveiled a prototype of the network on Monday at the UN headquarters in New York during the second summit of ID2020, a public-private consortium promoting the UN 2030 Sustainable Development Goal of providing legal identity for everyone on the planet. The project aims to help individuals such as refugees prove who they are in order to gain access to basic services such as education and healthcare. Blockchain, first developed as a public ledger of all transactions in the digital currency bitcoin, is increasingly being used to securely track data in other fields.

Slashdot Top Deals