Messenger has fully rolled out end-to-end encryption (E2EE) to everyone, with toggles to encrypt text messages as well as group chats and calls. As The Verge notes, Messenger first added E2EE in 2016 back when it was still called Facebook Messenger and Meta was still Facebook. "Meta has discussed switching to E2EE as a default, but that may not happen until next year at the earliest, as some regulators claim this would harm public safety," adds The Verge. From the report: There are two ways Messenger users can opt in to the secure chats, either via vanish mode, by swiping up on an existing chat to enter one where messages automatically disappear when the window is closed or the original version that was introduced in 2016 as Secret Conversations. You can turn that on by toggling the lock icon when you start a new chat. In addition to a full rollout of the feature, Messenger has some new features to enable as well. Now, in end-to-end encrypted chats, you can use GIFs, stickers, reactions, and long-press to reply or forward messages. The encrypted chats also now support verified badges so that people can identify authentic accounts. You can also save media exchanged in the chats, and there's a Snapchat-style screenshot notification that will be rolling out over the next few weeks.

Read more of this story at Slashdot.

The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. From the report: One key objective: mobilizing public opinion against Facebook's decision to encrypt its Messenger app. The Home Office has hired the M&C Saatchi advertising agency -- a spin-off of Saatchi and Saatchi, which made the "Labour Isn't Working" election posters, among the most famous in UK political history -- to plan the campaign, using public funds. According to documents reviewed by Rolling Stone, one the activities considered as part of the publicity offensive is a striking stunt -- placing an adult and child (both actors) in a glass box, with the adult looking "knowingly" at the child as the glass fades to black. Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.

Read more of this story at Slashdot.

JoeyRox shares a report from CNBC: Federal investigators claimed to access encrypted Signal messages used to help charge the leader of the Oath Keepers, an extremist far-right militia group, and other defendants in a seditious plot on Jan. 6, 2021. It's not clear how investigators gained access to the messages. One possibility is that another recipient with access to the messages handed them over to investigators. The complaint references group messages run on the app, so it's possible another participant in those chats cooperated.

Read more of this story at Slashdot.

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...." Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message. There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people. Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity. The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so. "Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Record: A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr. The document, obtained earlier this month following a FOIA request filed by Property of the People, a US nonprofit dedicated to government transparency, appears to contain training advice for what kind of data agents can obtain from the operators of encrypted messaging services and the legal processes they have to go through. Dated to January 7, 2021, the document doesn't include any new information but does a good job at providing an up-to-date summary of what type of information the FBI can currently obtain from each of the listed services. [...] While the document confirms that the FBI can't gain access to encrypted messages sent through some services, the other type of information they can glean from providers might still help authorities in other aspects of their investigations. The content of the document, which may be hard to read due to some font rendering issues, is also available in the table [embedded in the article]. Of note, the table above does not include details about Keybase, a recent end-to-end encrypted (E2EE) service that has been gaining in popularity. The service was acquired by video conferencing software maker Zoom in May 2020.

Read more of this story at Slashdot.

The owner of Facebook and Instagram is delaying plans to encrypt users' messages until 2023 amid warnings from child safety campaigners that its proposals would shield abusers from detection. From a report: Mark Zuckerberg's social media empire has been under pressure to abandon its encryption plans, which the UK home secretary, Priti Patel, has described as "simply not acceptable." The National Society for the Prevention of Cruelty to Children (NSPCC) has said private messaging is the "frontline of child sexual abuse online" because it prevents law enforcement, and tech platforms, from seeing messages by ensuring that only the sender and recipient can view their content -- a process known as end-to-end encryption. The head of safety at Facebook and Instagram's parent company, Meta, announced that the encryption process would take place in 2023. The company had previously said the change would happen in 2022 at the earliest. "We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023," Antigone Davis wrote in the Sunday Telegraph. "As a company that connects billions of people around the world and has built industry-leading technology, we're determined to protect people's private communications and keep people safe online." Meta already uses end-to-end encryption on its WhatsApp messaging service and had been planning to extend that to its Messenger and Instagram apps in 2022. It has already encrypted voice and video calls on Messenger. Announcing the privacy drive in 2019, Zuckerberg, said: "People expect their private communications to be secure and to only be seen by the people they've sent them to -- not hackers, criminals, over-reaching governments or even the people operating the services they're using."

Read more of this story at Slashdot.

Cryptographers are upset that "crypto" sometimes now refers to cryptocurrency, reports the Guardian: This lexical shift has weighed heavily on cryptographers, who, over the past few years, have repeated the rallying cry "Crypto means cryptography" on social media. T-shirts and hoodies trumpet the phrase and variations on it; there's a website dedicated solely to clarifying the issue. "'Crypto' for decades has been used as shorthand and as a prefix for things related to cryptography," said Amie Stepanovich, executive director of Silicon Flatirons Center at the University of Colorado Law School and creator of the pro-cryptography T-shirts, which have become a hit at conferences. "In fact, in the term cryptocurrency, the prefix crypto refers back to cryptography...." [T]here remains an internecine feud among the tech savvy about the word. As Parker Higgins of the Freedom of the Press Foundation, who has spent years involved in cryptography activism, pointed out, the cryptography crowd is by nature deeply invested in precision — after all, designing and cracking codes is an endeavor in which, if you get things "a little wrong, it can blow the whole thing up...." "Strong cryptography is a cornerstone of the way that people talk about privacy and security, and it has been under attack for decades" by governments, law enforcement, and "all sorts of bad actors", Higgins said. For its defenders, confusion over terminology creates yet another challenge. Stepanovich acknowledged the challenge of opposing the trend, but said the weight of history is on her side. "The study of crypto has been around for ever," she said. "The most famous code is known as the Caesar cipher, referring to Julius Caesar. This is not new." Cryptocurrency, on the other hand, is a relatively recent development, and she is not ready to concede to "a concept that may or may not survive government regulation".

Read more of this story at Slashdot.

"If current progress continues, quantum computers will be able to crack public key cryptography," writes CNET, "potentially creating a serious threat to the crypto world, where some currencies are valued at hundreds of billions of dollars." If encryption is broken, attackers can impersonate the legitimate owners of cryptocurrency, NFTs or other such digital assets. "Once quantum computing becomes powerful enough, then essentially all the security guarantees will go out of the window," Dawn Song, a computer security entrepreneur and professor at the University of California, Berkeley, told the Collective[i] Forecast forum in October. "When public key cryptography is broken, users could be losing their funds and the whole system will break...." "We expect that within a few years, sufficiently powerful computers will be available" for cracking blockchains open, said Nir Minerbi, CEO of quantum software maker Classiq Technologies. The good news for cryptocurrency fans is the quantum computing problem can be fixed by adopting the same post-quantum cryptography technology that the computing industry already has begun developing. The U.S. government's National Institute of Standards and Technology, trying to get ahead of the problem, is several years into a careful process to find quantum-proof cryptography algorithms with involvement from researchers around the globe. Indeed, several cryptocurrency and blockchain efforts are actively working on quantum resistant software... A problem with the post-quantum cryptography algorithms under consideration so far, though, is that they generally need longer numeric encryption keys and longer processing times, says Peter Chapman, CEO of quantum computer maker IonQ. That could substantially increase the amount of computing horsepower needed to house blockchains... The real quantum test for cryptocurrencies will be governance structures, not technologies, says Hunter Jensen, chief technology officer of Permission.io, a company using cryptocurrency for a targeted advertising system... "It will be the truly decentralized currencies which will get hit if their communities are too slow and disorganized to act," said Andersen Cheng, chief executive at Post Quantum, a London based company that sells post-quantum encryption technology.

Read more of this story at Slashdot.

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now. Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...]. As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

Read more of this story at Slashdot.

Hive, a ransomware group that has hit over 30 organizations since June 2021, now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. BleepingComputer reports: However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality. The Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path. It also comes with support for a single command line parameter (-no-wipe). In contrast, Hive's Windows ransomware comes with up to 5 execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files. The ransomware's Linux version also fails to trigger the encryption if executed without root privileges because it attempts to drop the ransom note on compromised devices' root file systems.

Read more of this story at Slashdot.

Messaging app Telegram gained over 70 million new users during Monday's Facebook outage, its founder Pavel Durov said on Tuesday, as people worldwide were left without key messaging services for nearly six hours. Reuters reports: Facebook blamed its outage, which kept its 3.5 billion users from accessing services such as WhatsApp, Instagram and Messenger, on a faulty configuration change. "The daily growth rate of Telegram exceeded the norm by an order of magnitude, and we welcomed over 70 million refugees from other platforms in one day," Durov wrote on his Telegram channel. Durov said some users in the Americas may have experienced slower speeds as millions rushed to sign up at the same time, but that the service worked as usual for the majority.

Read more of this story at Slashdot.

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes." "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development. No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever. Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections. From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode. With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition. The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."

Read more of this story at Slashdot.

The justice ministry of the South African government is working on restoring its operations after a recent ransomware attack encrypted all its systems, making all electronic services unavailable both internally and to the public. As a consequence of the attack, the Department of Justice and Constitutional Development said that child maintenance payments are now on hold until systems are back online. BleepingComputer reports: The incident happened on September 6 and the department activated the contingency plan for such events to ensure the continuation of some activity in the country. Last week, [Steve Mahlangu, spokesperson for the Department of Justice and Constitutional Development] said that court sittings continued after a switch into manual mode for recording the hearings. A manual process has also been adopted for issuing various legal documents. However, the ransomware attack impacted monthly child maintenance payments, which have been delayed until the systems are restored. The department is still in the process of returning to regular operations but it is cannot say when the activity will become normal again. Part of this effort was setting up a new email system, to which some staff has already migrated. Coupled with the long time needed for network restoration, this is a sign that the hackers did not get paid. It is unclear who is behind this attack. Many ransomware gangs also steal data before encrypting it, to force the victim into paying the ransom under the pressure of a public leak. Mahlangu said last week that the Department's IT experts have found "no indication of data compromise." Until now, the attack has not been claimed by any of the gangs with a data leak site.

Read more of this story at Slashdot.

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put a lid on one of the tricky ways private communication between individuals on the app can be compromised. From a report: The Facebook-owned service has end-to-end encrypted chats between users for more than a decade. But users have had no option but to store their chat backup to their cloud -- iCloud on iPhones and Google Drive on Android -- in an unencrypted format. [...] Now WhatsApp says it is patching this weak link in the system. The company said it has devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional. In the "coming weeks," users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based "backup key vault" that WhatsApp has developed.

Read more of this story at Slashdot.

The British government is preparing to launch a full-scale policy assault against Facebook as the company gears up to introduce end-to-end encryption across all of its services. The Register reports: Prominent in details briefed to the news media this week (including The Register) were accusations that Facebook harbours paedophiles, terrorists, and mobsters and that British police forces would effectively be blinded to the scale of criminality on the social networking platform, save for cases where crimes are reported. It's a difficult and nuanced topic made no simpler or easier by the fact that government officials seem hellbent on painting it in black and white. Government and law enforcement officials who briefed the press on condition of anonymity earlier this week* sought to paint a picture of the internet going dark if Facebook's plans for end-to-end encryption (E2EE) went forward, in terms familiar to anyone who remembers how Western nation states defended themselves from public upset after former NSA sysadmin Edward Snowden's 2013 revelations of illegal mass surveillance. The US National Centre for Missing and Exploited Children (NCMEC) generates around 20 million reports of child sexual abuse material (CSAM) every year, of which 70 per cent would be "lost" if E2E encryption were put in place, claimed British officials. The government's long-signaled push to deter Facebook from implementing E2EE comes, inevitably, at a significant cost to taxpayers: London ad agency M&C Saatchi has been hired at an undisclosed cost by the Home Office to tell the public that Facebook (and WhatsApp) harbours criminals. The ad campaign will run online, in newspapers and on radio stations with the aim of turning public opinion against E2EE -- and, presumably, driving home the message that encryption itself is something inherently bad. Other announcements due this week, from notoriously anti-encryption Home Secretary Priti Patel and intergovernmental meetings, will explicitly condemn Facebook's contemplated rollout of E2EE.

Read more of this story at Slashdot.

America's National Security Agency "isn't really sure when or even if quantum computers will be able to crack public key cryptography," writes TechRadar. They report that the NSA "has expressed its reservations about the potential of quantum computing" in a new FAQ titled Quantum Computing and Post-Quantum Cryptography. "NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist," said the security agency in response to whether it is worried about the potential of adversarial use of quantum computing. In the FAQ, the NSA describes a Cryptographically Relevant Quantum Computer (CRQC) as a quantum computer that's capable of actually attacking real world cryptographic systems, something that's currently infeasible. While it agrees that such a computer would be "devastating" to the digital security infrastructure, it seems to suggest that it doesn't believe such a CRQC would ever materialize. However, the growing research in quantum computing has moved the agency to also support the development of post-quantum cryptographic standards, along with plans for eventual transition to such standards.

Read more of this story at Slashdot.

According to an exclusive report from Reuters, Apple's move to scan U.S. customer phones and computers for child sex abuse images has resulted in employees speaking out internally, "a notable turn in a company famed for its secretive culture." From the report: Apple employees have flooded an Apple internal Slack channel with more than 800 messages on the plan announced a week ago, workers who asked not to be identified told Reuters. Many expressed worries that the feature could be exploited by repressive governments looking to find other material for censorship or arrests, according to workers who saw the days-long thread. Past security changes at Apple have also prompted concern among employees, but the volume and duration of the new debate is surprising, the workers said. Some posters worried that Apple is damaging its leading reputation for protecting privacy. In the Slack thread devoted to the photo-scanning feature, some employees have pushed back against criticism, while others said Slack wasn't the proper forum for such discussions. Core security employees did not appear to be major complainants in the posts, and some of them said that they thought Apple's solution was a reasonable response to pressure to crack down on illegal material. Other employees said they hoped that the scanning is a step toward fully encrypting iCloud for customers who want it, which would reverse Apple's direction on the issue a second time. Apple has said it will refuse requests from governments to use the system to check phones for anything other than illegal child sexual abuse material.

Read more of this story at Slashdot.

Facebook's WhatsApp messaging unit blasted Apple's plan to monitor sexually exploitative images of children on iPhones as bad for privacy, opening a new front in the battle between two of the world's biggest tech companies. From a report: "This approach introduces something very concerning into the world," Will Cathcart, the head of WhatsApp, said Friday. "We will not adopt it at WhatsApp." Apple a day earlier said it planned to release an update for U.S. users later this year designed to identify and report collections of sexually exploitative images of children, as part of a series of changes it is preparing for the iPhone to protect children from sexual predators. WhatsApp's position deepens the battle between Facebook and Apple about data. Facebook Chief Executive Mark Zuckerberg has long bemoaned what he sees as too much power Apple has over the social-media giant's business. Apple has made the protection of user information on the iPhones and some other devices a key part of its pitch to consumers and taken shots at Facebook for its data-collection practices. Tensions have intensified in recent months as Apple rolled out a new privacy feature for the iPhone that restricts Facebook's ability to collect data. Mr. Zuckerberg said Apple was using its platform to interfere with how Facebook apps work. At the heart of the latest dispute is the question of whether tech companies can insert software that identifies inappropriate or illegal content without compromising privacy. Apple claims to have found a way to do this. WhatsApp, and Apple's critics, liken this software to a surveillance system.

Read more of this story at Slashdot.

Apple intends to install software on American iPhones to scan for child abuse imagery, Financial Times is reporting citing people briefed on the plans, raising alarm among security researchers who warn that it could open the door to surveillance of millions of people's personal devices. From the report: Apple detailed its proposed system -- known as "neuralMatch" -- to some US academics earlier this week, according to two security researchers briefed on the virtual meeting. The plans could be publicised more widely as soon as this week, they said. The automated system would proactively alert a team of human reviewers if it believes illegal imagery is detected, who would then contact law enforcement if the material can be verified. The scheme will initially roll out only in the US. The proposals are Apple's attempt to find a compromise between its own promise to protect customers' privacy and ongoing demands from governments, law enforcement agencies and child safety campaigners for more assistance in criminal investigations, including terrorism and child pornography. [...] "This will break the dam -- governments will demand it from everyone," said Matthew Green, a security professor at Johns Hopkins University, who is believed to be the first researcher to post a tweet about the issue. Alec Muffett, a security researcher and privacy campaigner who formerly worked at Facebook and Deliveroo, said Apple's move was "tectonic" and a "huge and regressive step for individual privacy. Apple are walking back privacy to enable 1984," he said.

Read more of this story at Slashdot.