Oh for fuck's sake, not this fucking bullshit again (cryptography edition)


America, Canada, New Zealand, the UK and Australia are in a surveillance alliance called The Five Eyes, through which they share much of their illegally harvested surveillance data.

In a recently released Statement of Principles on Access to Evidence and Encryption, the Five Eyes powers have demanded, again, that strong cryptography be abolished and replaced with defective cryptography so that they can spy on bad guys.

They defend this by saying "Privacy is not absolute."

But of course, working crypto isn't just how we stay private from governments (though god knows all five of the Five Eyes have, in very recent times, proven themselves to be catastrophically unsuited to collect, analyze and act on all of our private and most intimate conversations). It's how we make sure that no one can break into the data from our voting machines, or push lethal fake firmware updates to our pacemakers, or steal all the money from all of the banks, or steal all of the kompromat on all 22,000,000 US military and government employees and contractors who've sought security clearance.

Also, this is bullshit.

Because it won't work.

Here's the text of my go-to post about why this is so fucking stupid. I just can't be bothered anymore. Jesus fucking christ. Seriously? Are we still fucking talking about this? Seriously? Come on, SERIOUSLY?
Cops Around the Country Can Now Unlock iPhones, Records Show

A Motherboard investigation has found that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors.
They're back! 'Feds only' encryption backdoors prepped in US by Dems

US lawmakers are yet again trying to force backdoors into tech products, allowing Uncle Sam, and anyone else with the necessary skills, to rifle through people's private encrypted information.
Deputy Attorney General Rosenstein’s “Responsible Encryption” Demand is Bad and He Should Feel Bad

Deputy Attorney General Rod Rosenstein delivered a speech on Tuesday about what he calls “responsible encryption” today. It misses the mark, by far.
Android getting "DNS over TLS" support to stop ISPs from knowing what websites you visit

DNS over TLS is a new method of making DNS requests, stopping even your ISP from seeing the sites you visit. It's now coming to Android, maybe Android 8.1.
Humble Book Bundle: Cybersecurity presented by Wiley


Pay what you want for cybersecurity ebooks and support charity!
Milestone: 100 Million Certificates Issued - Let's Encrypt - Free SSL/TLS Certificates


Let’s Encrypt has reached a milestone: we’ve now issued more than 100,000,000 certificates.
It would be interesting to know the number of unique owners of these certificates.
They do have short lifespans. I'm on my 3rd set now.
Short lifespans, multiple certs per owner - still impressive. :-)
At death’s door for years, widely used SHA1 function is now dead


Algorithm underpinning Internet security falls to first-known collision attack.
Trying to assess our vulnerability here. Looks like we'll need yet another phpmailer update, update a couple of XMPP plugin libs, and we probably need to retire OAuth1. Could have been much worse.
WhatsApp vulnerability allows snooping on encrypted messages

A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Privacy campaigners said the vulnerability is a “huge threat to freedom of speech” and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.
'Leaked' Burr-Feinstein Encryption Bill Is a Threat to American Privacy

Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on.

The bill, the “Compliance with Court Orders Act of 2016,” requires that all companies providing any kind of communications or data service be able to give information to the government in an “intelligible format.” If the company made the data unintelligible, it must provide “technical assistance” to undo it. In case there is any question about the aim, the bill defines intelligible as “decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.”
DownsizeDC just started a new campaign for this: https://downsizedc.org/etp/private-encryption/
I don't use WhatsApp myself, but this is great

Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People

This morning, WhatsApp made the scope of the Apple-FBI encryption battle look kinda small.
It's now illegal for me to discuss this topic with non-Australian people. I don't have anything to discuss really, just mentioning for the record that it is now illegal for me to discuss such things.
WhatsApp or encryption? I'd go search, but it may be illegal for Australian media outlets to let me find out what you (and presumably they) can't discuss with the rest of us.
New video: Gen. Michael Hayden on Apple, the FBI, and data encryption
Why is former NSA and CIA director Michael Hayden coming out on the side of Apple in the battle over data encryption? I sat down with General Hayden to explore the implications of this fight between the tech giant and the government.
DOJ threatened to seize iOS source code unless Apple complies with court order in FBI case
The United States Department of Justice (DoJ) has slid a disturbing footnote in its court filing against Apple that could be interpreted as a threat to seize the iOS source code unless Apple complies with a court order in the FBI case.

The DoJ is demanding that Apple create a special version of iOS with removed security features that would permit the FBI to run brute-force passcode attempts on the San Bernardino shooter’s iPhone 5c.

Meanwhile, President Barack Obama has made public where he stands on the Apple vs. FBI case, which has quickly become a heated national debate.

In the court papers, DoJ calls Apple’s rhetoric in the San Bernardino standoff “false” and “corrosive” because the Cupertino firm dared suggest that the FBI’s court order could lead to a “police state.”
At least it wasn't designed security through obscurity (as far as I know).
Possible Government Demand for WhatsApp Backdoor - Schneier on Security

The New York Times is reporting that WhatsApp, and its parent company Facebook, may be headed to court over encrypted chat data that the FBI can't decrypt.
Customer Letter - Apple

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.
From what I know about these things based on information we've pieced together from previous high profile investigations and the rare legal challenges, they would not be able to divulge the content of terrorism related court orders related to information requests. They would be ordered to comply and there would be no room for negotiation and public disclosure prohibited by threat of imprisonment. This is what has traditionally happened in this type of case and led to the now somewhat common industry standard "canary warning". So the question is why they are being allowed to even mention this to their customers(?).  My guess is that we're talking about something past tense. e.g. somebody discovered the back door and threatened to go public and they're in damage control mode and got special permission from the feds to try and cover their ass and save their business. I realise that's a pretty wild accusation. But the circumstances described in the letter from Tim Cook don't fit any known pattern of how the feds operate, so I'm suggesting that we don't have anything approaching the full story.
  last edited: Thu, 18 Feb 2016 07:24:47 -0500  
I agree that we're not getting even close to the whole picture, but the public nature of this doesn't seem too odd.  The gag orders that lead to the canary warnings are part of a National Security Letter, which can only be generated by a member of the executive branch (FBI, NSA, CIA, etc) while this order was generated by a federal court using the All Writs Act.  Given NSA Director Mike Rogers' renewed, and very public, insistence that the Paris attacks could not have occurred without encryption (despite the fact that they were using SMS to communicate), I see this as simply another push by the feds to get people to conflate encryption with terrorism.  Besides that, if the writ is judged to be legitimate, Congress doesn't have to go through the trouble of banning strong encryption since the courts would have already ruled that any manufacturer needs to be able to provide a back door if one is demanded by a judge.
InfoSec Handlers Diary Blog - Virtual Bitlocker Containers

With this method, you can easily exchange Bitlocker containers with peers, you can create multiple containers for multiple projects and you can create containers on USB disks without having to reserve the entire space for this purpose!
A long, but interesting, read.

Rogaway – Moral Character of Cryptographic Work
Abstract: Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension. The Snowden revelations motivate a reassessment of the political and moral positioning of cryptography. They lead one to ask if our inability to effectively address mass surveillance constitutes a failure of our field. I believe that it does. I call for a community-wide effort to develop more effective means to resist mass surveillance. I plea for a reinvention of our disciplinary culture to attend not only to puzzles and math, but, also, to the societal implications of our work.