Marshall Sutherland
  
Deputy Attorney General Rosenstein’s “Responsible Encryption” Demand is Bad and He Should Feel Bad

Deputy Attorney General Rod Rosenstein delivered a speech on Tuesday about what he calls “responsible encryption” today. It misses the mark, by far.
 crypto
Marshall Sutherland
  
Android getting "DNS over TLS" support to stop ISPs from knowing what websites you visit

DNS over TLS is a new method of making DNS requests, stopping even your ISP from seeing the sites you visit. It's now coming to Android, maybe Android 8.1.
Marshall Sutherland
  
Humble Book Bundle: Cybersecurity presented by Wiley

Pay what you want for cybersecurity ebooks and support charity!
Marshall Sutherland
  
Milestone: 100 Million Certificates Issued - Let's Encrypt - Free SSL/TLS Certificates

Let’s Encrypt has reached a milestone: we’ve now issued more than 100,000,000 certificates.
Haakon Meland Eriksen (Parlementum)
  
It would be interesting to know the number of unique owners of these certificates.
Marshall Sutherland
  
They do have short lifespans. I'm on my 3rd set now.
Haakon Meland Eriksen (Parlementum)
  
Short lifespans, multiple certs per owner - still impressive. :-)
Marshall Sutherland
  
At death’s door for years, widely used SHA1 function is now dead

Algorithm underpinning Internet security falls to first-known collision attack.
 crypto
Mike Macgirvin
  
Trying to assess our vulnerability here. Looks like we'll need yet another phpmailer update, update a couple of XMPP plugin libs, and we probably need to retire OAuth1. Could have been much worse.
Marshall Sutherland
  
WhatsApp vulnerability allows snooping on encrypted messages

A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Privacy campaigners said the vulnerability is a “huge threat to freedom of speech” and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.
Marshall Sutherland
  
'Leaked' Burr-Feinstein Encryption Bill Is a Threat to American Privacy

Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on.

The bill, the “Compliance with Court Orders Act of 2016,” requires that all companies providing any kind of communications or data service be able to give information to the government in an “intelligible format.” If the company made the data unintelligible, it must provide “technical assistance” to undo it. In case there is any question about the aim, the bill defines intelligible as “decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.”
Marshall Sutherland
  
DownsizeDC just started a new campaign for this: https://downsizedc.org/etp/private-encryption/
Marshall Sutherland
  
I don't use WhatsApp myself, but this is great

Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People

This morning, WhatsApp made the scope of the Apple-FBI encryption battle look kinda small.
Mike Macgirvin
  
It's now illegal for me to discuss this topic with non-Australian people. I don't have anything to discuss really, just mentioning for the record that it is now illegal for me to discuss such things.
Marshall Sutherland
  
WhatsApp or encryption? I'd go search, but it may be illegal for Australian media outlets to let me find out what you (and presumably they) can't discuss with the rest of us.
Marshall Sutherland
  
New video: Gen. Michael Hayden on Apple, the FBI, and data encryption
Why is former NSA and CIA director Michael Hayden coming out on the side of Apple in the battle over data encryption? I sat down with General Hayden to explore the implications of this fight between the tech giant and the government.
Marshall Sutherland
  
DOJ threatened to seize iOS source code unless Apple complies with court order in FBI case
The United States Department of Justice (DoJ) has slid a disturbing footnote in its court filing against Apple that could be interpreted as a threat to seize the iOS source code unless Apple complies with a court order in the FBI case.

The DoJ is demanding that Apple create a special version of iOS with removed security features that would permit the FBI to run brute-force passcode attempts on the San Bernardino shooter’s iPhone 5c.

Meanwhile, President Barack Obama has made public where he stands on the Apple vs. FBI case, which has quickly become a heated national debate.

In the court papers, DoJ calls Apple’s rhetoric in the San Bernardino standoff as “false” and “corrosive” because the Cupertino firm dared suggest that the FBI’s court order could lead to a “police state.”
Marshall Sutherland
  
At least it wasn't designed security through obscurity (as far as I know).
Marshall Sutherland
  
Possible Government Demand for WhatsApp Backdoor - Schneier on Security

The New York Times is reporting that WhatsApp, and its parent company Facebook, may be headed to court over encrypted chat data that the FBI can't decrypt.
Marshall Sutherland
  
Customer Letter - Apple

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.
Mike Macgirvin
  
From what I know about these things based on information we've pieced together from previous high profile investigations and the rare legal challenges, they would not be able to divulge the content of terrorism related court orders related to information requests. They would be ordered to comply and there would be no room for negotiation and public disclosure prohibited by threat of imprisonment. This is what has traditionally happened in this type of case and led to the now somewhat common industry standard "canary warning". So the question is why they are being allowed to even mention this to their customers(?). My guess is that we're talking about something past tense. e.g. somebody discovered the back door and threatened to go public and they're in damage control mode and got special permission from the feds to try and cover their ass and save their business. I realise that's a pretty wild accusation. But the circumstances described in the letter from Tim Cook don't fit any known pattern of how the feds operate, so I'm suggesting that we don't have anything approaching the full story.
Jake Moomaw
  last edited: Thu, 18 Feb 2016 07:24:47 -0500  
I agree that we're not getting even close to the whole picture, but the public nature of this doesn't seem too odd. The gag orders that lead to the canary warnings are part of a National Security Letter, which can only be generated by a member of the executive branch (FBI, NSA, CIA, etc) while this order was generated by a federal court using the All Writs Act. Given NSA Director Mike Rogers' renewed, and very public, insistence that the Paris attacks could not have occurred without encryption (despite the fact that they were using SMS to communicate), I see this as simply another push by the feds to get people to conflate encryption with terrorism. Besides that, if the writ is judged to be legitimate, Congress doesn't have to go through the trouble of banning strong encryption since the courts would have already ruled that any manufacturer needs to be able to provide a back door if one is demanded by a judge.
Marshall Sutherland
  
InfoSec Handlers Diary Blog - Virtual Bitlocker Containers

With this method, you can easily exchange Bitlocker containers with peers, you can create multiple containers for multiple projects and you can create containers on USB disks without having to reserve the entire space for this purpose!
Marshall Sutherland
  
A long, but interesting, read.

Rogaway – Moral Character of Cryptographic Work
Abstract: Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension. The Snowden revelations motivate a reassessment of the political and moral positioning of cryptography. They lead one to ask if our inability to effectively address mass surveillance constitutes a failure of our field. I believe that it does. I call for a community-wide effort to develop more effective means to resist mass surveillance. I plea for a reinvention of our disciplinary culture to attend not only to puzzles and math, but, also, to the societal implications of our work.