The US is readying new encryption standards that will be so ironclad that even the nation's top code-cracking agency says it won't be able to bypass them. From a report: The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. "There are no backdoors," said Rob Joyce, the NSA's director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor. The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today's computers can't. But it's also one that the White House fears could allow the encrypted data that girds the U.S. economy -- and national security secrets -- to be hacked.

Read more of this story at Slashdot.

Researchers in Beijing have set a new quantum secure direct communication (QSDC) world record of 102.2 km (64 miles), smashing the previous mark of 18 km (11 miles), The Eurasian Times reported. Engadget reports: Transmission speeds were extremely slow at 0.54 bits per second, but still good enough for text message and phone call encryption over a distance of 30 km (19 miles), wrote research lead Long Guilu in Nature. The work could eventually lead to hack-proof communication, as any eavesdropping attempt on a quantum line can be instantly detected. QSDC uses the principal of entanglement to secure networks. Quantum physics dictates that entangled particles are linked, so that if you change the property of one by measuring it, the other will instantly change, too -- effectively making hacking impossible. In theory, the particles stay linked even if they're light-years apart, so such systems should work over great distances. The same research team set the previous fiber record, and devised a "novel design of physical system with a new protocol" to achieve the longer distance. They simplified it by eliminating the "complicated active compensation subsystem" used in the previous model. "This enables an ultra-low quantum bit error rate (QBER) and the long-term stability against environmental noises." As a result, the system can withstand much more so-called channel loss that makes it impossible to decode encrypted messages. That in turn allowed them to extend the fiber from 28.3km to the record 102.2 km distance. "The experiment shows that intercity quantum secure direct communication through the fiber is feasible with present-day technology," the team wrote in Nature.

Read more of this story at Slashdot.

Arqit says its encryption system can't be broken by quantum computers, but former employees and people outside the company question the relevance of its technology. The Wall Street Journal: A U.K. cybersecurity startup rocketed to a multibillion-dollar valuation when it listed publicly last fall on the promise of making encryption technology that would protect the defense industry, corporations and consumers alike from the prying eyes of next-generation computer systems. Founder and Chief Executive David Williams told investors at the time that his company, Arqit Quantum had an "impressive backlog" of revenue and was ready "for hyperscale growth." But Arqit has given investors an overly optimistic view of its future revenue and the readiness and workability of its signature encryption system, according to former employees and other people familiar with the company, and documents viewed by The Wall Street Journal. While the company says it has a solution to a quantum-computing security challenge that U.S. intelligence last year said "could be devastating to national security systems and the nation," government cybersecurity experts in the U.S. and the U.K. have cast doubt on the utility of Arqit's system. Arqit's stock price reached its highest level to date of $38.06 on Nov. 30 and has since fallen, to $15.06 on April 14, amid a broad pullback of young tech stocks. When the company secured its Nasdaq listing last autumn, its revenue consisted of a handful of government grants and small research contracts, and its signature product was an early-stage prototype unable to encrypt anything in practical use, according to the people. The encryption technology the company hinges on -- a system to protect against next-generation quantum computers -- might never apply beyond niche uses, numerous people inside and outside the company warned, unless there were a major overhaul of internet protocols. Arqit disputed that its encryption system was only a prototype at the company's market debut. "This was a live production software release and not a demonstration or trial," said a company representative. "It was being used by enterprise customers on that day and subsequently for testing and integration purposes, because they need to build Arqit's software into their products."

Read more of this story at Slashdot.

David Spirk, the chief data officer for America's Department of Defense, "called for the Pentagon to make urgent investments to defend against potential espionage from quantum computers" that could crack the encryption on sensitive data, Bloomberg reports: "I don't think that there's enough senior leaders getting their heads around the implications of quantum," Spirk said. "Like AI, I think that's a new wave of compute that when it arrives is going to be a pretty shocking moment to industry and government alike." "We have to pick up pace because we have competitors who are also attempting to accelerate," he added. Spirk's comments come amid warnings that U.S. adversaries, particularly China, are aggressively pursuing advanced technologies that could radically accelerate the pace of modern warfare. China is investing in AI and quantum sciences as part of its plan to become an innovation superpower, according to the Pentagon's latest annual report to Congress on China's military power. China is "at or near the lead on numerous science fields," including AI and quantum, it said. The National Security Agency, meanwhile, said last year that the adversarial use of a quantum computer "could be devastating" to the U.S. and its national security systems. The NSA said it could take 20 years or more to roll out new post-quantum cryptography that would resist such code-cracking. Tim Gorman, a spokesperson at the Pentagon, said the Department of Defense was taking post-quantum cryptography seriously and coordinating with Congress and across government agencies. He added there was "a significant effort" underway. A January presidential memo further charged agencies with establishing a timeline for transitioning to quantum resistant cryptography.

Read more of this story at Slashdot.

Corin Faife writes via The Verge: On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company -- defined as having a market capitalization of more than 75 billion euros or a user base of more than 45 million people in the EU -- create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS -- which security experts worry will undermine hard-won gains in the field of message encryption. The main focus of the DMA is a class of large tech companies termed "gatekeepers," defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to "break open" some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols. But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users. Signal is small enough that it wouldn't be affected by the DMA provisions, but WhatsApp -- which uses the Signal protocol and is owned by Meta -- certainly would be. The result could be that some, if not all, of WhatsApp's end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging. Given the need for precise implementation of cryptographic standards, experts say that there's no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Cryptographic keys generated with older software now owned by technology company Rambus are weak enough to be broken instantly using commodity hardware, a researcher reported on Monday. This revelation is part of an investigation that also uncovered a handful of weak keys in the wild. The software comes from a basic version of the SafeZone Crypto Libraries, which were developed by a company called Inside Secure and acquired by Rambus as part of its 2019 acquisition of Verimatrix, a Rambus representative said. That version was deprecated prior to the acquisition and is distinct from a FIPS-certified version that the company now sells under the Rambus FIPS Security Toolkit brand. Researcher Hanno Bock said that the vulnerable SafeZone library doesn't sufficiently randomize the two prime numbers it used to generate RSA keys. (These keys can be used to secure Web traffic, shells, and other online connections.) Instead, after the SafeZone tool selects one prime number, it chooses a prime in close proximity as the second one needed to form the key. "The problem is that both primes are too similar," Bock said in an interview. "So the difference between the two primes is really small." The SafeZone vulnerability is tracked as CVE-2022-26320. Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm was based on the fact that any number can be expressed as the difference between two squares. When the factors are near the root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart. The security of RSA keys depends on the difficulty of factoring a key's large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q). When P and Q are known publicly, the key they make up is broken, meaning anyone can decrypt data protected by the key or use the key to authenticate messages. So far, Bock has identified only a handful of keys in the wild that are vulnerable to the factorization attack. Some of the keys belong to printers originally branded as Fuji Xerox and now belonging to Canon. Printer users can use the keys to generate a Certificate Signing Request. The creation date for the keys was 2020 or later. The weak Canon keys are tracked as CVE-2022-26351. Bock also found four vulnerable PGP keys, typically used to encrypt email, on SKS PGP key servers. A user ID tied to the keys implied they were created for testing, so he doesn't believe they're in active use. Bock said he believes all the keys he found were generated using software or methods not connected to the SafeZone library. If true, other software that generates keys might be easily broken using the Fermat algorithm. It's plausible also that the keys were generated manually, "possibly by people aware of this attack creating test data." The researcher found the keys by searching through billions of public keys that he either had access to, were shared with him by other researchers, or that were available through certificate transparency programs. UPDATE: The headline incorrectly stated that a "600-Year-Old Algorithm" was used. It's been changed to "379-Year-Old-Algorithm" to reflect the updated headline on Ars.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Cryptographic keys generated with older software now owned by technology company Rambus are weak enough to be broken instantly using commodity hardware, a researcher reported on Monday. This revelation is part of an investigation that also uncovered a handful of weak keys in the wild. The software comes from a basic version of the SafeZone Crypto Libraries, which were developed by a company called Inside Secure and acquired by Rambus as part of its 2019 acquisition of Verimatrix, a Rambus representative said. That version was deprecated prior to the acquisition and is distinct from a FIPS-certified version that the company now sells under the Rambus FIPS Security Toolkit brand. Researcher Hanno Bock said that the vulnerable SafeZone library doesn't sufficiently randomize the two prime numbers it used to generate RSA keys. (These keys can be used to secure Web traffic, shells, and other online connections.) Instead, after the SafeZone tool selects one prime number, it chooses a prime in close proximity as the second one needed to form the key. "The problem is that both primes are too similar," Bock said in an interview. "So the difference between the two primes is really small." The SafeZone vulnerability is tracked as CVE-2022-26320. Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm was based on the fact that any number can be expressed as the difference between two squares. When the factors are near the root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart. The security of RSA keys depends on the difficulty of factoring a key's large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q). When P and Q are known publicly, the key they make up is broken, meaning anyone can decrypt data protected by the key or use the key to authenticate messages. So far, Bock has identified only a handful of keys in the wild that are vulnerable to the factorization attack. Some of the keys belong to printers originally branded as Fuji Xerox and now belonging to Canon. Printer users can use the keys to generate a Certificate Signing Request. The creation date for the keys was 2020 or later. The weak Canon keys are tracked as CVE-2022-26351. Bock also found four vulnerable PGP keys, typically used to encrypt email, on SKS PGP key servers. A user ID tied to the keys implied they were created for testing, so he doesn't believe they're in active use. Bock said he believes all the keys he found were generated using software or methods not connected to the SafeZone library. If true, other software that generates keys might be easily broken using the Fermat algorithm. It's plausible also that the keys were generated manually, "possibly by people aware of this attack creating test data." The researcher found the keys by searching through billions of public keys that he either had access to, were shared with him by other researchers, or that were available through certificate transparency programs. UPDATE: The headline incorrectly stated that a "600-Year-Old Algorithm" was used. It's been changed to "379-Year-Old-Algorithm" to reflect the updated headline on Ars.

Read more of this story at Slashdot.

Messenger has fully rolled out end-to-end encryption (E2EE) to everyone, with toggles to encrypt text messages as well as group chats and calls. As The Verge notes, Messenger first added E2EE in 2016 back when it was still called Facebook Messenger and Meta was still Facebook. "Meta has discussed switching to E2EE as a default, but that may not happen until next year at the earliest, as some regulators claim this would harm public safety," adds The Verge. From the report: There are two ways Messenger users can opt in to the secure chats, either via vanish mode, by swiping up on an existing chat to enter one where messages automatically disappear when the window is closed or the original version that was introduced in 2016 as Secret Conversations. You can turn that on by toggling the lock icon when you start a new chat. In addition to a full rollout of the feature, Messenger has some new features to enable as well. Now, in end-to-end encrypted chats, you can use GIFs, stickers, reactions, and long-press to reply or forward messages. The encrypted chats also now support verified badges so that people can identify authentic accounts. You can also save media exchanged in the chats, and there's a Snapchat-style screenshot notification that will be rolling out over the next few weeks.

Read more of this story at Slashdot.

The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. From the report: One key objective: mobilizing public opinion against Facebook's decision to encrypt its Messenger app. The Home Office has hired the M&C Saatchi advertising agency -- a spin-off of Saatchi and Saatchi, which made the "Labour Isn't Working" election posters, among the most famous in UK political history -- to plan the campaign, using public funds. According to documents reviewed by Rolling Stone, one the activities considered as part of the publicity offensive is a striking stunt -- placing an adult and child (both actors) in a glass box, with the adult looking "knowingly" at the child as the glass fades to black. Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.

Read more of this story at Slashdot.

JoeyRox shares a report from CNBC: Federal investigators claimed to access encrypted Signal messages used to help charge the leader of the Oath Keepers, an extremist far-right militia group, and other defendants in a seditious plot on Jan. 6, 2021. It's not clear how investigators gained access to the messages. One possibility is that another recipient with access to the messages handed them over to investigators. The complaint references group messages run on the app, so it's possible another participant in those chats cooperated.

Read more of this story at Slashdot.

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...." Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message. There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people. Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity. The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so. "Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Record: A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr. The document, obtained earlier this month following a FOIA request filed by Property of the People, a US nonprofit dedicated to government transparency, appears to contain training advice for what kind of data agents can obtain from the operators of encrypted messaging services and the legal processes they have to go through. Dated to January 7, 2021, the document doesn't include any new information but does a good job at providing an up-to-date summary of what type of information the FBI can currently obtain from each of the listed services. [...] While the document confirms that the FBI can't gain access to encrypted messages sent through some services, the other type of information they can glean from providers might still help authorities in other aspects of their investigations. The content of the document, which may be hard to read due to some font rendering issues, is also available in the table [embedded in the article]. Of note, the table above does not include details about Keybase, a recent end-to-end encrypted (E2EE) service that has been gaining in popularity. The service was acquired by video conferencing software maker Zoom in May 2020.

Read more of this story at Slashdot.

The owner of Facebook and Instagram is delaying plans to encrypt users' messages until 2023 amid warnings from child safety campaigners that its proposals would shield abusers from detection. From a report: Mark Zuckerberg's social media empire has been under pressure to abandon its encryption plans, which the UK home secretary, Priti Patel, has described as "simply not acceptable." The National Society for the Prevention of Cruelty to Children (NSPCC) has said private messaging is the "frontline of child sexual abuse online" because it prevents law enforcement, and tech platforms, from seeing messages by ensuring that only the sender and recipient can view their content -- a process known as end-to-end encryption. The head of safety at Facebook and Instagram's parent company, Meta, announced that the encryption process would take place in 2023. The company had previously said the change would happen in 2022 at the earliest. "We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023," Antigone Davis wrote in the Sunday Telegraph. "As a company that connects billions of people around the world and has built industry-leading technology, we're determined to protect people's private communications and keep people safe online." Meta already uses end-to-end encryption on its WhatsApp messaging service and had been planning to extend that to its Messenger and Instagram apps in 2022. It has already encrypted voice and video calls on Messenger. Announcing the privacy drive in 2019, Zuckerberg, said: "People expect their private communications to be secure and to only be seen by the people they've sent them to -- not hackers, criminals, over-reaching governments or even the people operating the services they're using."

Read more of this story at Slashdot.

Cryptographers are upset that "crypto" sometimes now refers to cryptocurrency, reports the Guardian: This lexical shift has weighed heavily on cryptographers, who, over the past few years, have repeated the rallying cry "Crypto means cryptography" on social media. T-shirts and hoodies trumpet the phrase and variations on it; there's a website dedicated solely to clarifying the issue. "'Crypto' for decades has been used as shorthand and as a prefix for things related to cryptography," said Amie Stepanovich, executive director of Silicon Flatirons Center at the University of Colorado Law School and creator of the pro-cryptography T-shirts, which have become a hit at conferences. "In fact, in the term cryptocurrency, the prefix crypto refers back to cryptography...." [T]here remains an internecine feud among the tech savvy about the word. As Parker Higgins of the Freedom of the Press Foundation, who has spent years involved in cryptography activism, pointed out, the cryptography crowd is by nature deeply invested in precision — after all, designing and cracking codes is an endeavor in which, if you get things "a little wrong, it can blow the whole thing up...." "Strong cryptography is a cornerstone of the way that people talk about privacy and security, and it has been under attack for decades" by governments, law enforcement, and "all sorts of bad actors", Higgins said. For its defenders, confusion over terminology creates yet another challenge. Stepanovich acknowledged the challenge of opposing the trend, but said the weight of history is on her side. "The study of crypto has been around for ever," she said. "The most famous code is known as the Caesar cipher, referring to Julius Caesar. This is not new." Cryptocurrency, on the other hand, is a relatively recent development, and she is not ready to concede to "a concept that may or may not survive government regulation".

Read more of this story at Slashdot.

"If current progress continues, quantum computers will be able to crack public key cryptography," writes CNET, "potentially creating a serious threat to the crypto world, where some currencies are valued at hundreds of billions of dollars." If encryption is broken, attackers can impersonate the legitimate owners of cryptocurrency, NFTs or other such digital assets. "Once quantum computing becomes powerful enough, then essentially all the security guarantees will go out of the window," Dawn Song, a computer security entrepreneur and professor at the University of California, Berkeley, told the Collective[i] Forecast forum in October. "When public key cryptography is broken, users could be losing their funds and the whole system will break...." "We expect that within a few years, sufficiently powerful computers will be available" for cracking blockchains open, said Nir Minerbi, CEO of quantum software maker Classiq Technologies. The good news for cryptocurrency fans is the quantum computing problem can be fixed by adopting the same post-quantum cryptography technology that the computing industry already has begun developing. The U.S. government's National Institute of Standards and Technology, trying to get ahead of the problem, is several years into a careful process to find quantum-proof cryptography algorithms with involvement from researchers around the globe. Indeed, several cryptocurrency and blockchain efforts are actively working on quantum resistant software... A problem with the post-quantum cryptography algorithms under consideration so far, though, is that they generally need longer numeric encryption keys and longer processing times, says Peter Chapman, CEO of quantum computer maker IonQ. That could substantially increase the amount of computing horsepower needed to house blockchains... The real quantum test for cryptocurrencies will be governance structures, not technologies, says Hunter Jensen, chief technology officer of Permission.io, a company using cryptocurrency for a targeted advertising system... "It will be the truly decentralized currencies which will get hit if their communities are too slow and disorganized to act," said Andersen Cheng, chief executive at Post Quantum, a London based company that sells post-quantum encryption technology.

Read more of this story at Slashdot.

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now. Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...]. As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

Read more of this story at Slashdot.

Hive, a ransomware group that has hit over 30 organizations since June 2021, now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. BleepingComputer reports: However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality. The Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path. It also comes with support for a single command line parameter (-no-wipe). In contrast, Hive's Windows ransomware comes with up to 5 execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files. The ransomware's Linux version also fails to trigger the encryption if executed without root privileges because it attempts to drop the ransom note on compromised devices' root file systems.

Read more of this story at Slashdot.

Messaging app Telegram gained over 70 million new users during Monday's Facebook outage, its founder Pavel Durov said on Tuesday, as people worldwide were left without key messaging services for nearly six hours. Reuters reports: Facebook blamed its outage, which kept its 3.5 billion users from accessing services such as WhatsApp, Instagram and Messenger, on a faulty configuration change. "The daily growth rate of Telegram exceeded the norm by an order of magnitude, and we welcomed over 70 million refugees from other platforms in one day," Durov wrote on his Telegram channel. Durov said some users in the Americas may have experienced slower speeds as millions rushed to sign up at the same time, but that the service worked as usual for the majority.

Read more of this story at Slashdot.

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes." "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development. No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever. Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections. From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode. With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition. The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."

Read more of this story at Slashdot.

The justice ministry of the South African government is working on restoring its operations after a recent ransomware attack encrypted all its systems, making all electronic services unavailable both internally and to the public. As a consequence of the attack, the Department of Justice and Constitutional Development said that child maintenance payments are now on hold until systems are back online. BleepingComputer reports: The incident happened on September 6 and the department activated the contingency plan for such events to ensure the continuation of some activity in the country. Last week, [Steve Mahlangu, spokesperson for the Department of Justice and Constitutional Development] said that court sittings continued after a switch into manual mode for recording the hearings. A manual process has also been adopted for issuing various legal documents. However, the ransomware attack impacted monthly child maintenance payments, which have been delayed until the systems are restored. The department is still in the process of returning to regular operations but it is cannot say when the activity will become normal again. Part of this effort was setting up a new email system, to which some staff has already migrated. Coupled with the long time needed for network restoration, this is a sign that the hackers did not get paid. It is unclear who is behind this attack. Many ransomware gangs also steal data before encrypting it, to force the victim into paying the ransom under the pressure of a public leak. Mahlangu said last week that the Department's IT experts have found "no indication of data compromise." Until now, the attack has not been claimed by any of the gangs with a data leak site.

Read more of this story at Slashdot.