Australia vs Encryption, Google+ Bugs Hasten its Demise
— Australia’s recently passed anti-encryption legislation
— Details of a couple more mega-breaches including a bit of Marriott follow-up
— A welcome call for legislation from Microsoft — A new twist on online advertising click fraud
— The DHS is interested in deanonymizing cryptocurrencies beyond Bitcoin
— The changing landscape of TOR funding
— An entirely foreseeable disaster with a new Internet IoT-oriented protocol
— Google finds bugs in Google+ and acts responsibly — again — what that suggests for everyone else
We invite you to read our show notes.
Reinventing Microsoft, Amazon’s push into healthcare, new Apple Maps, and more.
–Apple vs Samsung settled: our long international nightmare is over.
–A proposed US law has patent trolls jumping for joy.
–Amazon jumps into the healthcare business by buying online pharmacy PillPack.
–Foxcon’s new Wisconsin plant breaks ground.
–Yet another Facebook security breach, but this time a bug bounty program catches the leak.
–Twitter’s new Ad Transparency Center opens new avenues for journalists.
–The sky is falling in Fortnite.
–WPA3 could make Wi-Fi a lot more secure.
–California follows Europe down the data privacy road.
–Christina Warren knows all the Andromeda secrets, but she’s not talking.
–AOL Instant Messenger is reborn! –StumbleUpon is not. 🙁
DOJ suggests that phone encryption kills people. Facebook wants to see you naked. Apple gets ready for its best holiday ever. Twitter gets 50 character names to go with its 280 character tweets. XBox One X is the best game system out there. Bill Gates will build his own city. Car ownership will be a thing of the past in 5 years. Intel and AMD team up. Alibaba sells $25 billion worth of stuff in one day while America’s retail sector is tanking.
Megan Morrone talks to Iain Thomson about a possible fix for those infected with the Wannacry ransomware. Researchers have found a fix to unlock affected computers. The tool called wannakiwi allows you to avoid paying the bitcoin ransom, but only if you’re running Windows XP, Windows 7, and Windows 2003 AND if you haven’t rebooted your PC since the attack. The key is not magic, its math that works by finding all the prime numbers that are stored in the ransomware’s code. A different tool called WannaKey was released yesterday but only worked on Windows XP and required a second app.
Savvy Android users know that Apple’s face-to-face with the FBI is only the beginning of the phone-encryption furor. Google CEO Sundar Pichai voiced his support for Apple and for strong and safe encryption, but he didn’t give specifics on how Google would deal with this situation if it were in Apple’s shoes.
That’s because if Syed Rizwan Farook, the San Bernardino shooter, had been using an older Android smartphone, we probably wouldn’t be having this discussion.
Encryption has so far lost out to openness in the Android ecosystem. It’s actually been supported since version 4.0 (KitKat), and the latest iterations of Google’s own Nexus devices have encryption on by default, but the rest of Android has been slower on the uptake, especially internationally.
“Android is different because the entire ecosystem is fragmented,” explained Mike Murray, VP of security research at Lookout. “The version of Android that Samsung installs on their phone is different than the version that Google installs on their phone and it’s way different than the third party aftermarket vendor who’s building low-end phones in India or China.”
It’s those smaller manufacturers making budget devices that have especially stymied Google. They fear that onboarding mandatory encryption will hamper their phones’ performance—for example, lower-end processors can struggle with the encrypt-and-decrypt process. But as standards for processors improve, there’s little reason why encryption could not become the norm when you got a new smartphone.
So many Android phones, so little encryption
Google tried again, making encryption mandatory across the board late last year with Android 6.0 Marshmallow. But there’s another flaw in this plan: Only 4.6% of the Android landscape is running Marshmallow (as of this writing), and the compulsory encryption rule applies only to new phones running 6.0, not older phones that have been upgraded (it’s optional in that case). Once again, Android is a patchwork.
On-by-default makes a huge difference in how a person uses a device or an app. Typically, people don’t change the settings much unless they have something specific in mind. By having encryption off by default, a large number of users likely remain unencrypted and oblivious of their vulnerability.
“Every company manufacturing devices that store sensitive data should be using full disk encryption by default,” said Evan Greer, campaign director Fight for the Future, which staged rallies in support of Apple. She added that corporations need to shoulder more of the responsibility in encrypting devices. “We need to build a movement to hold companies accountable and demand that they do everything technologically possible to protect our private information from hackers, and from illegal government surveillance.”
Google’s commitment to privacy is regularly challenged, whether it’s in the company’s expansive use of user data, or more specifically in a Manhattan DA report that claimed Google could remotely access most Android phones.
Android security boss Adrian Ludwig fired back, saying Google cannot access any device protected with a PIN, password, or fingerprint. “Google also does not have any mechanism to facilitate access to devices that have been encrypted,” he said.
Shut the back door
But could Ludwig’s claim be put to the test sooner rather than later? We know the San Bernardino case was never about just one iPhone or Apple. As Fight for the Future’s Greer reminds us, it’s about the FBI’s desire to set a “dangerous precedent” that would be felt for years to come. Enabling end-to-end encryption for all users is just one way of ensuring this doesn’t happen.
“Assuming Android improves their security and become harder to hack, it’s not a question of if the US or other governments will try to force them to weaken that security,” said Greer. “It’s a question of when.”
For comprehensive coverage of the Android ecosystem, visit Greenbot.com.
There are rare occasions when a consumer outcry can cause a company to reverse an unpopular decision it has made, and it seems Amazon is the latest firm to bow to public pressure. Only one day after an update removed local encryption in its Fire range of products, Amazon has decided to restore the feature.
Amazon said it removed the encryption, which it referred to as “enterprise features,” because customers weren’t using it. One of the features in question allowed owners to encrypt their device with a pin which, if entered incorrectly 30 times in a row, deleted all the data stored on it.
Fire OS 5 was originally released in the fall of last year, but the issue came to light earlier this month when Amazon released an over-the-air update for its older Fire devices to upgrade from OS 4.
The e-commerce giant’s move was particularly surprising when you consider that Amazon is one of the big tech companies filing a court brief supporting Apple in its battle with the Department of Justice. The outcome of the San Bernardino shooter iPhone case could have a profound effect on how firms implement encryption in their products, and whether they should include a backdoor to grant authorities access.
As you would expect, Amazon’s decision wasn’t well received, and the company decided that returning the encryption features would be in everyone’s best interests.
“We will return the option for full disk encryption with a Fire OS update coming this spring,” a spokesperson said. Amazon didn’t state what prompted the company to change its mind, but the amount of negative publicity it received, coupled with the attention from the Apple case, doubtlessly played a big part.
The U.S. administration will not seek legislation at this point to counter the encryption of communications by many technology services and product vendors, but will work on a compromise with industry, a senior U.S. official said Thursday.
“The administration is not seeking legislation at this time,” Federal Bureau of Investigation Director James Comey said in a statement before a Senate Committee on Homeland Security and Governmental Affairs.
In his testimony, he said that the government is “actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.”
Civil rights groups and the tech industry have asked President Barack Obama to take a stand against any dilution of encryption, including mandating the creation of backdoors for law enforcement, citing the right of individuals to use encryption for their privacy and security.
In a recent letter to Obama, Ed Black, president and CEO of industry body Computer & Communications Industry Association wrote that he was aware of an ongoing discussion within the administration regarding the growing availability of strong encryption in consumer products and communications systems, and its implications for criminal and counter-terrorism investigations.
“Technical and legislative policy proposals, from mandates to incentives, are being debated by a variety of stakeholders,” Black wrote.
The latest version of Firefox has a new security feature that aims to put a band-aid over unencrypted website connections. Firefox 37 rolled out earlier this week with support for opportunistic encryption, or OE. You can consider OE sort of halfway point between no encryption (known as clear text) and full HTTPS encryption that’s simpler to implement.
For users, this means you get at least a modicum of protection from passive surveillance (such as NSA-style data slurping) when sites support OE. It will not, however, protect you against an active man-in-the-middle attack as HTTPS does, according to Mozilla developer Patrick McManus, who explained Firefox’s OE rollout on his personal blog.
Unlike HTTPS, OE uses an unauthenticated encrypted connection. In other words, the site doesn’t need a signed security certificate from a trusted issuer as you do with HTTPS. Signed security certificates are a key component of the security scheme with HTTPS and are what browsers use to trust that they are connecting to the right website.
The impact on you: Firefox support is only half of the equation for opportunistic encryption. Websites will still have to enable support on their end for the feature to work. Site owners can get up and running with OE in just two steps, according to McManus. But that will still require enabling an HTTP/2 or SPDY server, which, as Ars Technica points out, may not be so simple. So while OE support in Firefox is a good step for users it will only start to matter when site owners begin to support it.
More than OE
Beyond support for OE, the latest build of Firefox also adds an improved way to protect against bad security certificates. The new feature called OneCRL lets Mozilla push lists of revoked certificates to the browser instead of depending on an online database.
The new Firefox also adds HTTPS to Bing when you use Microsoft’s search engine from the browser’s built-in search window.
The Chinese government has introduced plans for a far-reaching counter-terrorism law that would require tech companies to hand over encryption keys and source code — even “backdoors” to give Chinese authorities surveillance access, according to Reuters.
The draft law, on its second reading in the state’s parliament, is expected to be passed in a matter of weeks.
In an interview with the news agency, President Obama said he has brought up the issue with the Chinese premier.
“We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States,” the president said.
Except that’s not exactly what’s going on here. It’s U.S. tech companies that want to do business with China, thanks to its massive population, burgeoning economy, and its considerable potential financial returns. It’s where some of the big global powerhouses are. It would be absurd to no longer do business in the economic and manufacturing heart of the world.
China’s rules are broad and borderline terrifying for companies and countries wanting to do business with the Communist state. Making matters worse, tech companies can’t possibly comply with the proposed rules. It’s not surprising that China, with a history of stealing intellectual property, state-sponsored hacking, and shutting out businesses it doesn’t like from state procurement rules, is not trusted by the West.
But Beijing, which sees the rules as vital in protecting state and business secrets, is the one holding the cards. Beijing doesn’t trust Silicon Valley in the wake of the National Security Agency surveillance disclosures.
Open-source legend TrueCrypt may be gone, but the usefulness of full disk encryption carries on. So what’s a crypto fan to do now for their encryption needs?
Well, you could continue to use older versions of TrueCrypt if you already have it installed. While the security community was shocked earlier this week when the anonymous team behind the open source encryption tool seemingly shut down the project, leaving a neutered version 7.2 build of the tool that’s only good for decrypting existing TrueCrypt volumes, a public audit of the TrueCrypt source code for version 7.1 was already underway and that effort will continue, according to the Open Crypto Audit Project.
The first phase of the TrueCrypt audit found no serious problems with the Windows build of TrueCrypt. If TrueCrypt 7.1 gets a clean bill of health it would continue to be a viable encryption option, though it’s not clear if the encryption tool’s development can or will continue under new management.
But if the brouhaha has you feeling skittish, or if you want to move on to encryption software that’s actively being developed, options abound. As popular as it is (was?), TrueCrypt is far from the only encryption tool around. In fact, many mainstream operating systems already come with an encryption tool built-in.
Here’s a look at a few full disk encryption options that can take the sting out of TrueCrypt’s sudden disappearance.
Windows encryption tools
BitLocker is built into select versions of Windows.
The most obvious alternative for Windows users is Microsoft’s built-in utility, BitLocker. The encryption program is included in Windows 8 and 8.1 Pro editions, which means anyone who switched to Windows 8 during the $40 upgrade deal has BitLocker on their PC. BitLocker is also available on Windows Vista and 7 PCs running the Ultimate or Enterprise editions.
Check out our tutorial on BitLocker to get started with Microsoft’s encryption tool.
If you don’t have the right flavor of Windows, another choice is Symantec Drive Encryption. While this program is just as closed-source as BitLocker, it implements PGP, a well known encryption method.
If you need further reassurances, security expert Bruce Schneier recently told The Register that Symantec’s tool is what he’s going to use post-TrueCrypt. That’s good enough for me. SDE costs $110 for a single user license.
TrueCrypt was free and worked with all flavors of Windows, though. If you’re looking for an encryption tool that can match those prerequisites, check out DiskCryptor. We have a review of the free software and a guide to locking down your files with DiskCryptor available, as well.
Mac encryption options
For OS X users, Apple provides FileVault.
OS X also has its own built-in encryption tool called FileVault 2 for users of OS X 10.7 (Lion) or later. Apple’s solution is another closed source program, but we do know it uses the XTS-AES 128-bit cipher—and the National Security Agency recommends using it for their own employees using Macs. So unless you’re really into conspiracy theories, FileVault is probably a good choice.
For more tips on how the NSA locks down its OS X machines check out “How the NSA snoop-proofs its Macs.”
Linux encryption options
For Linux users, the best choice is to use a distribution with a built-in Linux Unified Key Setup (LUKS) implementation. Ubuntu uses LUKS, and the various distributions based on Ubuntu should all have full disk encryption options available during installation. Here’s how to get started with Ubuntu’s full-disk encryption, courtesy of Ubuntu’s community help documentation.
It’s a sad day if TrueCrypt has truly disappeared, but at least there are a number of alternatives open to users who need or want to continue encrypting their stuff.