Top FBI lawyer: You win, we’ve given up on encryption backdoors

BY KIEREN MCCARTHY THE REGISTER
After spending months pressuring tech companies to add backdoors into their encryption software, the FBI says it has given up on the idea. Speaking at a conference in Boston on Wednesday, the bureau’s general counsel James Baker even used the term that has been repeatedly used to undermine the FBI’s argument: magical thinking. “It’s tempting to try to engage in magical thinking and hope that the amazing technology sector we have in the United States can come up with some solution,” he told attendees at the Advanced Cyber Security Center (ACSC) annual conference. “Maybe that’s just a bridge too far. Maybe that is scientifically and mathematically not possible.”

How to Protect Yourself from NSA Attacks on 1024-bit DH

BY JOSEPH BONNEAU EFF
In a post on Wednesday, researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. Earlier in the year, they were part of a research group that published a study of the Logjam attack, which leveraged overlooked and outdated code to enforce “export-grade” (downgraded, 512-bit) parameters for Diffie-Hellman. By performing a cost analysis of the algorithm with stronger 1024-bit parameters and comparing that with what we know of the NSA “black budget” (and reading between the lines of several leaked documents about NSA interception capabilities) they concluded that it’s likely NSA has been breaking 1024-bit Diffie-Hellman for some time now. The good news is, in the time since this research was originally published, the major browser vendors (IE, Chrome, and Firefox) have removed support for 512-bit Diffie-Hellman, addressing the biggest vulnerability. However, 1024-bit Diffie-Hellman remains supported for the forseeable future despite its vulnerability to NSA surveillance.

Forcing suspects to reveal phone passwords is unconstitutional, court says

BY DAVID KRAVETS
ARS TECHNICA

The Fifth Amendment right against compelled self-incrimination would be breached if two insider trading suspects were forced to turn over the passcodes of their locked mobile phones to the Securities and Exchange Commission, a federal judge ruled Wednesday.

“We find, as the SEC is not seeking business records but Defendants’ personal thought processes, Defendants may properly invoke their Fifth Amendment right,” US District Judge Mark Kearney of Pennsylvania wrote.

The decision comes amid a growing global debate about encryption and whether the tech sector should build backdoors into their wares to grant the authorities access to locked devices.

Why the fear over ubiquitous data encryption is overblown

BY MIKE MCCONNELL (NSA), MICHAEL CHERTOFF (HOMELAND SECURITY), WILLIAM LYNN (DEFENSE) WASHINGTON POST
More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation’s well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation. In the wake of global controversy over government surveillance, a number of U.S. technology companies have developed and are offering their users what we call ubiquitous encryption — that is, end-to-end encryption of data with only the sender and intended recipient possessing decryption keys. With this technology, the plain text of messages is inaccessible to the companies offering the products or services as well as to the government, even with lawfully authorized access for public safety or law enforcement purposes. The FBI director and the Justice Department have raised serious and legitimate concerns that ubiquitous encryption without a second decryption key in the hands of a third party would allow criminals to keep their communications secret, even when law enforcement officials have court-approved authorization to access those communications.

Tech firms, activists press US over encryption ‘backdoors’

WASHINGTON THE STRAITS TIMES
Some 140 tech companies, civil liberties and privacy activists urged the White House on Tuesday to pull back efforts to weaken encryption or include law enforcement “backdoors” on technology products. The effort marked the latest turn of events in a dispute between Silicon Valley firms and the US government, which is seeking ways to access encrypted phones and other devices to root out criminals and terrorists. In a letter to President Barack Obama, the signatories urged the administration “to reject any proposal that US companies deliberately weaken the security of their products.” “Strong encryption is the cornerstone of the modern information economy’s security,” the letter said. “Encryption protects billions of people every day against countless threats – be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.”

Germany pushes for widespread end-to-end email encryption

BY DAVID MEYER GIGAOM
The biggest webmail providers in Germany will soon encourage their customers to use full-blown end-to-end email encryption. The providers, including Deutsche Telekom and United Internet, will next month roll out a browser plugin that’s supposed to make traditionally laborious PGP technology easier to use – and in the process, they’re addressing a key concern about the existing “De-Mail” system. The De-Mail initiative dates back to 2011, when the German government decided to push for trusted email both as an e-government tool and as a way to cut down on official and corporate paper mail. De-Mail addresses are provided by the likes of Deutsche Telekom and United Internet’s Web.de, and those signing up for them need to show a form of official identification to do so. Receiving emails on a De-Mail address is free but sending them costs money.

Passphrases That You Can Memorize — But That Even the NSA Can’t Guess

BY MICAH LEE THE INTERCEPT
It’s getting easier to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption in the chat tool WhatsApp. But none of this technology offers as much protection as you may think if you don’t know how to come up with a good passphrase. A passphrase is like a password, but longer and more secure. In essence, it’s an encryption key that you memorize.

Reengineering privacy, post-Snowden

BY CAROLINE PERRY
HARVARD UNIVERSITY

Privacy isn’t what it used to be. Post-Sony, post-Snowden, we know our digital world is insecure, yet most of us continue to share a vast amount of personal information over networks. Balancing anxiety with convenience, autonomy with value, we negotiate a new definition of privacy every time we download a new app. “It’s not the right to be left alone anymore,” said Lee Rainie ’73, the Pew Research Center’s Director of Internet, Science, and Technology Research, speaking at Harvard on January 23. “It’s the right to be in control of what people understand about you, … what kind of sharing is done, who has access to your data, and if you can correct mistakes that others make about you.”

But, he said, it’s not really working.

What we can learn from Lenovo’s Superfish and the government’s SIM card heist

ACCESS TEAM
ACCESSNOW.ORG

This week two important news stories broke about digital security. The first related to the installation of adware on Lenovo laptops that used a very insecure method of tracking the web browsing habits of users. The adware, which is called Superfish, exposed users to malicious man-in-the-middle attacks by hackers. The tool represents the worst form of privacy abuse; rather than inviting customers to opt-in to the tool, which few people would willingly have done, Lenovo’s Snapfish operated at such a fundamental level that it was nearly impossible to opt-out. The Intercept reported the second news story, which detailed how U.S. and UK intelligence operatives infiltrated one of the world’s largest SIM card manufacturers to steal the encryption keys of the chips used in cell phones.

Kim Dotcom Launches Skype Competitor MegaChat

BY CATHERINE SHU
TECHCRUNCH

Kim Dotcom, the infamous entrepreneur behind Megaupload, has released his latest product. Currently in beta, MegaChat is a browser-based encrypted video calling and file-sharing platform that is being positioned as a Skype competitor. MegaChat is being rolled out feature-by-feature today and there are still a few kinks left to sort out. When I tested the service with my TechCrunch co-worker Jon Russell, we had problems connecting a few times. Despite enabling them, neither of us got pop-up notifications for incoming calls.