
Swiss Company Claims Weakness Found in Post-Quantum Encryption, Touts Its New Encryption Protocol

"A Swiss technology company says it has made a breakthrough by using quantum computers to uncover vulnerabilities in commonly used encryption," reports Bloomberg: Terra Quantum AG said its discovery "upends the current understanding of what constitutes unbreakable" encryption... Terra Quantum AG has a team of about 80 quantum physicists, cryptographers and mathematicians, who are based in Switzerland, Russia, Finland and the U.S. "What currently is viewed as being post-quantum secure is not post-quantum secure," said Markus Pflitsch, chief executive officer and founder of Terra Quantum, in an interview. "We can show and have proven that it isn't secure and is hackable..." The company said that its research found vulnerabilities that affect symmetric encryption ciphers, including the Advanced Encryption Standard, or AES, which is widely used to secure data transmitted over the internet and to encrypt files. Using a method known as quantum annealing, the company said its research found that even the strongest versions of AES encryption may be decipherable by quantum computers that could be available in a few years from now. Vinokur said in an interview that Terra Quantum's team made the discovery after figuring out how to invert what's called a "hash function," a mathematical algorithm that converts a message or portion of data into a numerical value. The research will show that "what was once believed unbreakable doesn't exist anymore," Vinokur said, adding that the finding "means a thousand other ways can be found soon." The company, which is backed by the Zurich-based venture capital firm Lakestar LP, has developed a new encryption protocol that it says can't be broken by quantum computers. Vinokur said the new protocol utilizes a method known as quantum key distribution. Terra Quantum is currently pursuing a patent for the new protocol. But the company will make it available for free, according to Pflitsch. 
"We will open up access to our protocol to make sure we have a safe and secure environment," said Pflitsch. "We feel obliged to share it with the world and the quantum community."

Read more of this story at Slashdot.


ProtonMail, Threema, Tresorit and Tutanota Warn EU Lawmakers Over 'Anti-Encryption' Push

Slashdot
Author: msmash
Four European apps which secure user data via end-to-end encryption, ProtonMail, Threema, Tresorit and Tutanota, have issued a joint-statement warning over recent moves by EU institutions that they say are setting lawmakers on a dangerous path to backdooring encryption. From a report: Last month the EU Council passed a resolution on encryption that's riven with contradiction -- calling for "security through encryption and security despite encryption" -- which the four e2e app makers believe is a thinly veiled call to backdoor encryption. The European Commission has also talked about seeking "improved access" to encrypted information, writing in a wide-ranging counter-terrorism agenda also published in December that it will "work with Member States to identify possible legal, operational, and technical solutions for lawful access." Simultaneously, the Commission has said it will "promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism." And it has made it clear there will be no 'one silver bullet' as regards the e2e encryption security 'challenge.' But such caveats are doing nothing to alleviate the concerns of e2e encrypted app makers -- who are convinced proposals from the Council of the EU, which is involved in adopting the bloc's laws (though the Commission usually drafts legislation), sums to a push toward backdoors. "While it's not explicitly stated in the resolution, it's widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors," the four app makers write, going on to warn that such a move would fatally underline the security EU institutions also claim to want to maintain. "The resolution makes a fundamental misunderstanding: Encryption is an absolute, data is either encrypted or it isn't, users have privacy or they don't," they go on. 
"The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy."


WhatsApp Clarifies It's Not Giving All Your Data To Facebook

Slashdot
Author: BeauHD
An anonymous reader quotes a report from The Verge: WhatsApp has published a new FAQ page to its website outlining its stances on user privacy in response to widespread backlash over an upcoming privacy policy update. The core issue relates to WhatsApp's data-sharing procedures with Facebook, with many users concerned an updated privacy policy going into effect on February 8th will mandate sharing of sensitive profile information with WhatsApp's parent company. That isn't true -- the update has nothing to do with consumer chats or profile data, and instead the change is designed to outline how businesses who use WhatsApp for customer service may store logs of its chats on Facebook servers. That's something the company feels it is required to disclose in its privacy policy, which it's now doing after previewing the upcoming changes to business chats back in October. But a wave of misinformation on social media, not helped by Facebook's abysmal track record on privacy and its reputation for obfuscating changes to its various terms of service agreements, has resulted in a full-blown WhatsApp backlash that has users fleeing to competitors like Signal and Telegram. [...] WhatsApp executives, as well as Instagram chief Adam Mosseri and Facebook AR / VR head Andrew "Boz" Bosworth, are now trying to set the record straight, perhaps to little avail at this point. "We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data," the company writes on the new FAQ page. It also stresses in the FAQ that neither Facebook nor WhatsApp read users' message logs or listen to their calls, and that WhatsApp doesn't store user location data or share contact information with Facebook. 
(It's also worth noting that data sharing with Facebook is extremely limited for European users due to stronger user privacy protections in the EU.) WhatsApp chief Will Cathcart also took to Twitter a few days ago to post a thread (later shared by Bosworth in the tweet above) trying to cut through the confusion and explain what's actually going on. "With end-to-end encryption, we cannot see your private chats or calls and neither can Facebook. We're committed to this technology and committed to defending it globally," Cathcart wrote. "It's important for us to be clear this update describes business communication and does not change WhatsApp's data sharing practices with Facebook. It does not impact how people communicate privately with friends or family wherever they are in the world."


Telegram Adds 25 Million New Users In Just 72 Hours

Slashdot
Author: BeauHD
According to founder and CEO Pavel Durov, Telegram gained 25 million new users in the last 72 hours as it smashed past the 500 million active monthly user mark. Android Police reports: For comparison, the app averaged around 1.5 million new users per day in 2020, which was impressive enough already. Durov says that this is down to his company's simple privacy and security promise, above all else. The bulk of the new users are coming from Asia (38%), Europe (27%), and Latin America (21%), with around 8% signing up from the MENA region (Middle East and North Africa). Although not explicitly noted in Durov's post, there is likely a good number of Parler orphans joining Telegram -- although there are differences between the functions of the two apps, there's talk that former Parler users are heading to encrypted messaging apps in search of a more private platform. Signal has seen a similar rise in popularity for the same reason.


WhatsApp Rival Signal Reports Growing Pains as New Users Surge

Slashdot
Author: msmash
Signal, an encrypted messaging app that competes with other services including Facebook's WhatsApp, said Thursday that verification codes used to create new accounts were delayed because of a flood of new users. From a report: "We are working with carriers to resolve this as quickly as possible," the non-profit foundation said in a tweet. "Hang in there." The surge came just hours after Elon Musk endorsed the service and amid reported changes to WhatsApp's terms of service.


Signal Says Cellebrite Cannot Break Its Encryption

Slashdot
Author: msmash
Signal, in a blog post: Yesterday, the BBC ran a story with the factually untrue headline, "Cellebrite claimed to have cracked chat app's encryption." This is false. Not only can Cellebrite not break Signal encryption, but Cellebrite never even claimed to be able to. Since we weren't actually given the opportunity to comment in that story, we're posting this to help to clarify things for anyone who may have seen the headline. Last week, Cellebrite posted a pretty embarrassing (for them) technical article to their blog documenting the "advanced techniques" they use to parse Signal on an Android device they physically have with the screen unlocked. This is a situation where someone is holding an unlocked phone in their hands and could simply open the app to look at the messages in it. Their post was about doing the same thing programmatically (which is equally simple), but they wrote an entire article about the "challenges" they overcame, and concluded that "...it required extensive research on many different fronts to create new capabilities from scratch." [...] What really happened: If you have your device, Cellebrite is not your concern. It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less "break the encryption" of that communication. They don't do live surveillance of any kind. Cellebrite is not magic. Imagine that someone is physically holding your device, with the screen unlocked, in their hands. If they wanted to create a record of what's on your device right then, they could simply open each app on your device and take screenshots of what's there. This is what Cellebrite Physical Analyser does. It automates the process of creating that record. 
However, because it's automated, it has to know how each app is structured, so it's actually less reliable than if someone were to simply open the apps and manually take the screenshots. It is not magic, it is mediocre enterprise software. Cellebrite did not "accidentally reveal" their secrets. This article, and others, were written based on a poor interpretation of a Cellebrite blog post about adding Signal support to Cellebrite Physical Analyzer. Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail. This is not because they "revealed" anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad.


Authorities Don't Need To Break Phone Encryption in Most Cases, Because Modern Phone Encryption Sort of Sucks.

Slashdot
Author: msmash
Matthew Green, a cryptographer and professor at Johns Hopkins University, shares in a series of tweets: My students Max and Tushar Jois spent most of the summer going through every piece of public documentation, forensics report, and legal document we could find to figure out how police were "breaking phone encryption." This was prompted by a claim from someone knowledgeable, who claimed that forensics companies no longer had the ability to break the Apple Secure Enclave Processor, which would make it very hard to crack the password of a locked, recent iPhone. We wrote an enormous report -- a draft of which you can read here (PDF) about what we found, which we'll release after the holidays. The TL;DR is kind of depressing: Authorities don't need to break phone encryption in most cases, because modern phone encryption sort of sucks. I'll focus on Apple here but Android is very similar. The top-level is that, to break encryption on an Apple phone you need to get the encryption keys. Since these are derived from the user's passcode, you either need to guess that -- or you need the user to have entered it. Guessing the password is hard on recent iPhones because there's (at most) a 10-guess limit enforced by the Secure Enclave Processor (SEP). There's good evidence that at one point in 2018 a company called GrayKey had a SEP exploit that did this for the X. See photo. There is really no solid evidence that this exploit still works on recent-model iPhones, after 2018. If anything, the evidence is against it. So if they can't crack the passcode, how is law enforcement still breaking into iPhones (because they definitely are)? The boring answer very likely is that police aren't guessing suspects' passcodes. They're relying on the fact that the owner probably typed it in. Not after the phone is seized, in most cases. Beforehand. The full thread on Twitter here.


Israeli Spy Tech Firm Says It Can Break Into Signal App

Slashdot
Author: BeauHD
Last Thursday, Israeli phone-hacking firm Cellebrite said in a blog post that it can now break into Signal, an encrypted app considered safe from external snooping. Haaretz reports: Cellebrite's flagship product is the UFED (Universal Forensic Extraction Device), a system that allows authorities to unlock and access the data of any phone in their possession. Another product it offers is the Physical Analyzer, which helps organize and process data lifted from the phone. Last Thursday, the company announced that the analyzer has now been updated with a new capability, developed by the firm, that allows clients to decode information and data from Signal. Signal, owned by the Signal Technology Foundation, uses a special open source encryption system called Signal Protocol, which was thought to make it nigh-on impossible for a third party to break into a conversation or access data being shared on the platform. It does so by employing what's called "end-to-end encryption." According to Cellebrite's announcement last week, "Law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal, which incorporate capabilities like image blurring to stop police from reviewing data. "Criminals are using this application to communicate, send attachments, and making [sic] illegal deals that they want to keep discrete [sic] and out of sight from law enforcement," the blog post added. Despite support for the app's encryption capabilities, Cellebrite noted that "Signal is an encrypted communication application designed to keep sent messages and attachments as safe as possible from 3rd-party programs. "Cellebrite Physical Analyzer now allows lawful access to Signal app data. At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives." 
In an earlier, now deleted, version of the blog post, the company went as far as to say: "Decrypting Signal messages and attachments was not an easy task. It required extensive research on many different fronts to create new capabilities from scratch. At Cellebrite, however, finding new ways to help those who make our world a safer place is what we're dedicated to doing every day." The initial post, which was stored on the Internet Archive, also included a detailed explanation of how Cellebrite "cracked the code" by reviewing Signal's own open source protocol and using it against it. The company noted in the deleted blog post that "because [Signal] encrypts virtually all its metadata to protect its users, efforts have been put forward by legal authorities to require developers of encrypted software to enable a 'backdoor' that makes it possible for them to access people's data. Until such agreements are reached, Cellebrite continues to work diligently with law enforcement to enable agencies to decrypt and decode data from the Signal app."


Google is Rolling Out End-To-End Encryption for RCS in Android Messages Beta

Slashdot
Author: msmash
After two long, complicated years, every Android user worldwide (outside China) now has access to the next-gen texting standard that is replacing SMS. Google is directly offering RCS chat services through its Android Messages app to anybody who installs it and uses it as their default texting app, which partly bypasses a carrier rollout that, at times, has ranged from sluggish to incoherent to broken. From a report: Just as importantly, Google has announced that it's finally beginning to enable a key privacy feature: end-to-end encryption. For Android users who use Android Messages, one-on-one chats will eventually be end-to-end encrypted by default, meaning neither carriers nor Google will be able to read the content of those messages. Even though encryption is only beginning to roll out to people who sign up for the public beta for Android Messages, turning on encryption for RCS is a very big deal. It's a massive privacy win, as it could mean that the de facto replacement for SMS will, by default, be private on the smartphone platform used by the vast majority of people worldwide. As for the people who use that other smartphone platform -- the iPhone -- we have no word on whether Apple intends to adopt the RCS standard. But as every carrier worldwide gets on board, and now that there is a clearer path to ensuring private communication with RCS, the pressure on Apple to participate is likely to build. Unfortunately, SMS becoming fully deprecated and replaced by RCS will only happen if all goes to plan for Google. Since initially announcing plans to transition to RCS as the primary texting platform for Android, the standard's rollout has been mired in confusion. In attempting to be neutral and make Android's texting a standard shared by carriers worldwide, Google set itself up with the job of herding multibillion-dollar cats -- with sadly predictable results.


NSA Ducks Questions About Backdoors In Tech Products

Slashdot
Author: BeauHD
The U.S. National Security Agency is rebuffing efforts by a leading Congressional critic to determine whether it is continuing to place so-called back doors into commercial technology products, in a controversial practice that critics say damages both U.S. industry and national security. Reuters reports: The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others. These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications. The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines. The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws. "At NSA, it's common practice to constantly assess processes to identify and determine best practices," said Anne Neuberger, who heads NSA's year-old Cybersecurity Directorate. "We don't share specific processes and procedures." Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries.


The Police Can Probably Break Into Your Phone

Slashdot
Author: msmash
At least 2,000 law enforcement agencies have tools to get into encrypted smartphones, according to new research, and they are using them far more than previously known. From a report: In a new Apple ad, a man on a city bus announces he has just shopped for divorce lawyers. Then a woman recites her credit card number through a megaphone in a park. "Some things shouldn't be shared," the ad says, "iPhone helps keep it that way." Apple has built complex encryption into iPhones and made the devices' security central to its marketing pitch. That, in turn, has angered law enforcement. Officials from the F.B.I. director to rural sheriffs have argued that encrypted phones stifle their work to catch and convict dangerous criminals. They have tried to force Apple and Google to unlock suspects' phones, but the companies say they can't. In response, the authorities have put their own marketing spin on the problem. Law enforcement, they say, is "going dark." Yet new data reveals a twist to the encryption debate that undercuts both sides: Law enforcement officials across the nation regularly break into encrypted smartphones. That is because at least 2,000 law enforcement agencies in all 50 states now have tools to get into locked, encrypted phones and extract their data, according to years of public records collected in a report by Upturn, a Washington nonprofit that investigates how the police use technology. At least 49 of the 50 largest U.S. police departments have the tools, according to the records, as do the police and sheriffs in small towns and counties across the country, including Buckeye, Ariz.; Shaker Heights, Ohio; and Walla Walla, Wash. And local law enforcement agencies that don't have such tools can often send a locked phone to a state or federal crime lab that does. 
With more tools in their arsenal, the authorities have used them in an increasing range of cases, from homicides and rapes to drugs and shoplifting, according to the records, which were reviewed by The New York Times. Upturn researchers said the records suggested that U.S. authorities had searched hundreds of thousands of phones over the past five years. While the existence of such tools has been known for some time, the records show that the authorities break into phones far more than previously understood -- and that smartphones, with their vast troves of personal data, are not as impenetrable as Apple and Google have advertised. While many in law enforcement have argued that smartphones are often a roadblock to investigations, the findings indicate that they are instead one of the most important tools for prosecutions.


Zoom To Roll Out End-to-End Encrypted (E2EE) Calls

Slashdot
Author: msmash
Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week. From a report: E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants. These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won't be able to access or intercept any ongoing E2EE meetings. Support for E2EE calls will first be part of Zoom clients to be released next week. To use the new feature, users must update their clients next week and enable support for E2EE calls at the account level. This green shield will contain a lock if E2EE is active. If the lock is absent, Zoom will use its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but which the company can also intercept. Further reading: Zoom Adds Ability To Open Apps Like Dropbox And Slack, Event-Hosting Tools As Part Of Push Beyond Video Meetings.


Five Eyes Governments, India, and Japan Make New Call For Encryption Backdoors

Slashdot
Author: msmash
Members of the intelligence-sharing alliance Five Eyes, along with government representatives for Japan and India, have published a statement over the weekend calling on tech companies to come up with a solution for law enforcement to access end-to-end encrypted communications. From a report: The statement is the alliance's latest effort to get tech companies to agree to encryption backdoors. The Five Eyes alliance, comprised of the US, the UK, Canada, Australia, and New Zealand, have made similar calls to tech giants in 2018 and 2019, respectively. Just like before, government officials claim tech companies have put themselves in a corner by incorporating end-to-end encryption (E2EE) into their products. If properly implemented, E2EE lets users have secure conversations -- be they chat, audio, or video -- without sharing the encryption key with the tech companies. Representatives from the seven governments argue that the way E2EE encryption is currently supported on today's major tech platforms prohibits law enforcement from investigating crime rings, but also the tech platforms themselves from enforcing their own terms of service. Signatories argue that "particular implementations of encryption technology" are currently posing challenges to law enforcement investigations, as the tech platforms themselves can't access some communications and provide needed data to investigators.
