Encryption Part I: Introduction to Encryption 1
The first part of a new series on encryption: what it is, how it works, and how you can protect yourself.
By: Shane Killian
More:
Encryption Part I: Introduction to Encryption 1 - Video
The spread of usable encryption tools hasn't exactly made law enforcement wiretaps obsolete. But in a handful of cases over the past year, and more than ever before, it did shut down cops' attempts to eavesdrop on criminal suspects, the latest sign of a slow but steady increase in encryption's adoption by police targets over the last decade.
In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases, and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero.
The cases in which cops encountered encryption at all, it's worth noting, still represent just a tiny fraction of law enforcement's growing overall number of surveillance targets. Feds and state police eavesdropped on U.S. suspects' phone calls, text messages, and other communications at least 3,500 times in 2013, a statistic that will likely be revised upwards over the next year as law enforcement's data becomes more complete. Of those thousands of cases, only 41 involved encryption at all. And in 32 cases cops were able to somehow circumvent or break suspects' privacy protections to eavesdrop on their targets unimpeded. The report doesn't include details of the specific cases.
Those numbers still contradict the warnings from government agencies like the FBI for more than a decade that the free availability of encryption tools will eventually lead to a "going dark" problem, a dystopian future where criminals and terrorists use privacy tools to make their communications invisible to law enforcement. Last year, for instance, the Drug Enforcement Agency leaked an internal report complaining that Apple's iMessage encryption was blocking their investigations of drug dealers. "So the cryptapocalypse they warned us about in the 90s has come to pass," University of Pennsylvania computer science professor Matt Blaze noted drily on Twitter. "Strong crypto used in a whopping 0.25% of wiretaps last year."
Even so, a look back at the last ten years' statistics from police reports shows that encryption use is on the rise, even if the number of cases remains small and most encryption use is still futile. As recently as 2006 and 2007, police reported that they hadn't encountered any uses of encryption at all, and only dealt with one case of a suspect using encryption in 2009, as shown in the chart below. (In Thursday's report, police also counted another 52 cases of encryption use by their targets prior to 2013, but didn't specify in which years those incidents had occurred.)
That steady trickle of encryption tools into the public's hands is a sign that Americans' awareness of surveillance is rising. Edward Snowden's leaks about NSA surveillance began dropping in July of last year, and carried with them a wave of interest in new privacy technologies. "Post-Snowden, both people and companies have become more sophisticated in safeguarding their communications," says Hanni Fakhoury, a surveillance-focused attorney with the Electronic Frontier Foundation. "When you look at this report next year, there will no doubt be even more use of encryption."
Crypto aside, the report noted a significant drop in the cost of cops' surveillance. Police reported an average of $41,119 per case in which they intercepted a suspect's communications in 2013. That's down 18 percent from the year before, and represents the cheapest snooping ever, perhaps thanks to advances in surveillance technology. In 2003, for instance, a wiretap cost an average of $62,164, almost 50 percent more than today.
That steady drop in the price of spying may be one reason why the number of total wiretap cases has steadily grown over the past decade. Although the total wiretap count for 2013 is still incomplete, it added up to 4,927 cases in 2012, more than twice the 2,136 cases in 2003.
Follow this link:
Rising Use of Encryption Foiled the Cops a Record 9 Times in 2013
Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn't figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video.
Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he'll release a beta version of an all-purpose file encryption program called miniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.
"The tagline is that this is file encryption that does more with less," says Kobeissi, a 23-year-old coder, activist and security consultant. "It's super simple, approachable, and it's almost impossible to be confused using it."
A screenshot from an early demo of miniLock.
Kobeissi's creation, which he says is in an experimental phase and shouldn't yet be used for high-security files, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin tested by WIRED, we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipient, in theory not even law enforcement or intelligence agencies, could unscramble and read it. MiniLock can be used to encrypt anything from video email attachments to photos stored on a USB drive, or to encrypt files for secure storage on Dropbox or Google Drive.
Like the older PGP, miniLock offers so-called public key encryption. In public key encryption systems, users have two cryptographic keys, a public key and a private one. They share the public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.
Kobeissi's version of public key encryption hides nearly all of that complexity. There's no need to even register or log in: every time miniLock launches, the user enters only a passphrase, though miniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a miniLock ID, and a private key, which the user never sees and which is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key.
"No logins, and no private keys to manage. Both are eliminated. That's what's special," says Kobeissi. Users can have their identity for sending and receiving files on any computer that has miniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP.
In fact, miniLock uses a flavor of encryption that had barely been developed when PGP became popular in the 1990s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that haven't been possible before; PGP's public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible miniLock's feature of deriving the user's keys from his or her passphrase every time it's entered rather than storing them. Kobeissi says he's saving the full technical explanation of miniLock's elliptic curve feats for his HOPE conference talk.
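The passphrase-derived identity described above, as an added example that is not miniLock's own code: scrypt stretches the passphrase into a 32-byte secret key, a pure-Python X25519 ladder (RFC 7748) derives the matching Curve25519 public key, and base64 renders those 32 bytes as a 44-character ID of the size the article quotes. The scrypt parameters, the salt, the base64 encoding and the variable-time arithmetic are assumptions for illustration; miniLock's actual construction is not given on the page.

```python
"""Deterministic Curve25519 identity from a passphrase (illustration only).

Nothing is stored between sessions: the same passphrase always yields the
same secret key, and therefore the same public ID, on any machine.
"""
import base64
import hashlib

P = 2**255 - 19        # field prime of Curve25519
A24 = 121665           # (A - 2) / 4 for the Montgomery coefficient A = 486662
BASE_POINT = 9         # u-coordinate of the X25519 generator (RFC 7748)


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: int) -> int:
    """Montgomery-ladder scalar multiplication on Curve25519 (RFC 7748 section 5).

    Educational version: the swaps are data-dependent, so it is NOT constant-time.
    """
    k = _clamp(scalar)
    x1, x2, z2, x3, z3 = u, 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P   # affine u = x2 / z2


def public_key(secret: bytes) -> bytes:
    """32-byte X25519 public key for a 32-byte secret key."""
    return x25519(secret, BASE_POINT).to_bytes(32, "little")


def shared_secret(secret: bytes, peer_public: bytes) -> bytes:
    """Diffie-Hellman agreement; the top bit of the peer key is masked per RFC 7748."""
    u = int.from_bytes(peer_public, "little") & ((1 << 255) - 1)
    return x25519(secret, u).to_bytes(32, "little")


def derive_identity(passphrase: str, salt: bytes = b"constructed-salt") -> tuple:
    """Return (secret_key, public_id) derived only from the passphrase.

    scrypt is memory-hard, which slows down guessing; the cost parameters and
    the fixed salt are assumptions, not miniLock's real values.
    """
    secret = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    public_id = base64.b64encode(public_key(secret)).decode("ascii")  # 44 chars
    return secret, public_id


if __name__ == "__main__":
    secret, ident = derive_identity("correct horse battery staple")
    print("miniLock-style ID:", ident, "(%d characters)" % len(ident))
    # Re-entering the passphrase on another machine reproduces the same ID.
    assert derive_identity("correct horse battery staple")[1] == ident
```

Because the private key is recomputed from the passphrase alone, the passphrase is the entire secret: anyone who guesses it holds the key, which is why the program insists on a long one.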
See the original post here:
The Ultra-Simple App That Lets Anyone Encrypt Anything
The spread of usable encryption tools hasn't exactly made law enforcement wiretaps obsolete. But in a handful of cases over the past year in the US -- and more than ever before -- it did shut down cops' attempts to eavesdrop on criminal suspects, the latest sign of a slow but steady increase in encryption's adoption by police targets over the last decade.
In nine cases in 2013, US state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the US court system on Wednesday, 2 July. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases -- and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero.
The cases in which the police encountered encryption at all, it's worth noting, still represent just a tiny fraction of law enforcement's growing overall number of surveillance targets. Feds and state police eavesdropped on US suspects' phone calls, text messages, and other communications at least 3,500 times in 2013, a statistic that will likely be revised upwards over the next year as law enforcement's data becomes more complete. Of those thousands of cases, only 41 involved encryption at all. And in 32 cases cops were able to somehow circumvent or break suspects' privacy protections to eavesdrop on their targets unimpeded. The report doesn't include details of the specific cases.
Those numbers still contradict the warnings from government agencies like the FBI for more than a decade that the free availability of encryption tools will eventually lead to a "going dark" problem, a dystopian future where criminals and terrorists use privacy tools to make their communications invisible to law enforcement. Last year, for instance, the Drug Enforcement Agency leaked an internal report complaining that Apple's iMessage encryption was blocking their investigations of drug dealers. "So the cryptapocalypse they warned us about in the 90s has come to pass," University of Pennsylvania computer science professor Matt Blaze noted drily on Twitter. "Strong crypto used in a whopping 0.25 percent of wiretaps last year."
Even so, a look back at the last ten years' statistics from police reports shows that encryption use is on the rise, even if the number of cases remains small and most encryption use is still futile. As recently as 2006 and 2007, police reported that they hadn't encountered any uses of encryption at all, and only dealt with one case of a suspect using encryption in 2009. (In Thursday's report, police also counted another 52 cases of encryption use by their targets prior to 2013, but didn't specify in which years those incidents had occurred.)
That steady trickle of encryption tools into the public's hands is a sign that Americans' awareness of surveillance is rising. Edward Snowden's leaks about NSA surveillance began dropping in July of last year, and carried with them a wave of interest in new privacy technologies. "Post-Snowden, both people and companies have become more sophisticated in safeguarding their communications," says Hanni Fakhoury, a surveillance-focussed attorney with the Electronic Frontier Foundation. "When you look at this report next year, there will no doubt be even more use of encryption."
Crypto aside, the report noted a significant drop in the cost of police surveillance. Police reported an average of $41,119 (£23,985) per case in which they intercepted a suspect's communications in 2013. That's down 18 percent from the year before, and represents the cheapest snooping ever, perhaps thanks to advances in surveillance technology. In 2003, for instance, a wiretap cost an average of $62,164 (£36,259), almost 50 percent more than today.
That steady drop in the price of spying may be one reason why the number of total wiretap cases has steadily grown over the past decade. Although the total wiretap count for 2013 is still incomplete, it added up to 4,927 cases in 2012, more than twice the 2,136 cases in 2003.
In other words, privacy activists have little reason to celebrate, and police complaints about encryption foiling their investigations ring hollow. "You'll see the government prop encryption up as a bogeyman, but this is actually a very small problem for them," he says. "It's stretching it to say, 'in nine cases this was an obstacle so we need to rewrite the criminal code.' That's overkill."
This story originally appeared on Wired.com
Read the original here:
Encryption scuppered US police just nine times in 2013
The IRS denied a proposal to grant 501(c)(3) status to Yorba, a nonprofit organization that develops open source software for the Linux desktop. In a blog post yesterday, Yorba spokesperson Jim Nelson disclosed the full text of the IRS rejection letter. He fears that IRS policy has evolved to broadly preclude nonprofit open source software developers from obtaining 501(c)(3) tax exemptions.
In the United States, the 501(c)(3) classification is typically granted to a certain class of nonprofit organizations that are engaged in activity that can be considered charitable, religious, scientific, literary, or educational. Many prominent open source software organizations hold 501(c)(3) status, including the Apache Foundation, the GNOME Foundation, the Mozilla Foundation, the Free Software Foundation, and the Wikimedia Foundation.
The IRS was at the center of a major controversy last year following the release of internal memos revealing that the agency systematically applied a disproportionately aggressive standard of review to organizations that matched certain keywords. Targeted organizations faced greater difficulty obtaining 501(c)(3) status. Interest in the scandal has largely centered on the question of whether prominent political groups were unfairly treated, but the same internal IRS memos that defined the policy also oddly singled out open source software.
IRS personnel responsible for reviewing 501(c)(3) applications were instructed to elevate cases involving open source software to their supervisors, resulting in extensive delays in the review process and frequent rejections. In the wake of the controversy, a New York Times report highlighted how nonprofit organizations that develop open source software may, in fact, receive harsher treatment than many of the other targeted categories.
Luis Villa, a lawyer and well-known open source community member who currently serves as deputy general counsel at the Wikimedia Foundation, told the Times about two nonprofit open source software organizations that were denied tax-exempt status because their use of a targeted keyword triggered a harsh response from the agency.
"As soon as you say the words 'open source,' like other organizations that use 'Tea Party' or 'Occupy,' it gets you red-flagged," he told the Times. "None of the groups have been able to find the magic words to get over the hurdle."
In theory, it might make sense for the IRS to closely review applications from organizations that develop open source software in order to make sure that they aren't actually for-profit companies that sell commercial support or monetize their software with other services. If that were the standard of review, there would be no cause for concern. Unfortunately, it looks like the IRS is applying a much more dubious standard.
The Yorba Foundation was originally founded by former Google employees who wanted to give back to the open source software community. The organization makes open source software applications for the Linux desktop, including a photo management application called Shotwell and a mail client called Geary.
Yorba develops its applications completely in the open, with community participation. The software is distributed under the terms of the relatively permissive LGPL. Yorba doesn't sell any services or monetize its software; it relies largely on donations in order to fund its operations.
Go here to see the original:
IRS policy that targeted political groups also aimed at open source projects
Sosnoski Software delivers Apache open source enhancements for Dutch government
Auckland consulting company Sosnoski Software Associates Limited is pleased to announce the completion of enhancements to Apache™ CXF™ open source software as commissioned by the government of the Netherlands. These enhancements have fixed several errors in the Apache CXF implementation of Web Services Reliable Messaging (WSRM), brought it into compliance with the latest WSRM 1.2 version, and also corrected long-standing problems in how the Apache CXF implementation combines WS-Security with WSRM. The changes provide greatly enhanced interoperability for exchanging messages with other software packages.
"Interoperability is the whole point of web services, so compliance with standards is crucial for every web services implementation stack," said Dennis Sosnoski, Director of Sosnoski Software Associates. "Apache CXF is one of the most widely used stacks for Java software development, making it crucial that its support be top-notch. We're very pleased to have been able to contribute major improvements to CXF in this area."
Enterprise open source software is usually developed by in-house staff at companies with a direct stake in the software. It's great when other organizations can help fund independent work on features matching their needs and have the results benefit the whole community.
Dutch government shares e-development
Users of the Dutch government Digikoppeling electronic messaging standards had pointed out the importance of adapting Apache CXF software for WSRM 1.2. The government information systems use Digikoppeling to exchange messages; WSRM enables them to exchange messages in a reliable way.
This is why Logius, the digital government service, commissioned one of the developers of Apache CXF, Sosnoski Software Associates, to adapt the software. Logius is financed by communal funds.
"It is therefore important that these funds are spent for the benefit of the community," said Tom Peelen, lead architect at Logius. "By releasing the software under an open-source license it can be used freely by other parties."
Good for Dutch and European e-government and for businesses
The support of WSRM 1.2 is good news for European projects, such as the large-scale Peppol project in which the European Union member states develop computerized procurement systems based on Apache CXF and WSRM 1.2. Businesses in and outside Europe also benefit, given their widespread use of Apache CXF and WSRM. "I really encourage this type of co-creation project," said Dennis Sosnoski. "It's great to show how high-value and widely usable software can be developed as an open-source solution with extremely low costs, compared to very expensive commercial alternatives."
Read more from the original source:
Apache open source enhancements for Dutch government
Naples, FL (PRWEB) July 01, 2014
Advanced Software Products Group (ASPG) has announced the latest release of MegaCryption, its robust encryption solution for z/OS, UNIX, LINUX, and Windows platforms. MegaCryption 6.4.1 developments include increased key storage and creation options, accelerated speed for OpenPGP decryption, enhancements to ISPF, as well as additional JCL procedures. With these enhancements, data centers are presented with an array of dynamic features to increase encryption/decryption speed, key management options, and accessibility of cryptographic approaches.
MegaCryption offers a comprehensive, easy-to-use key management structure to allow for complete life cycle management of keys. With the release of 6.4.1, MegaCryption provides greater flexibility for sites storing their cryptographic keys in the RACF database through the ability to specify a CLASS other than FACILITY in MegaCryption's key management started task. MegaCryption 6.4.1 also allows users the option to generate up to 3072-bit DSA keys, supporting the largest proposed key size for DSA/DSS digital signatures.
An additional key management feature now available is MegaCryption's CSA symmetric algorithm abbreviation. CSA implements AES encryption and decryption when the symmetric key is stored securely in ICSF's CKDS. Similar to MegaCryption's existing CSF algorithm support (for DES/TripleDES), users may now use ICSF-managed AES-128 and AES-256 keys securely with MegaCryption's batch utilities.
With respect to the goal of ensuring MegaCryption programs are both secure and easy to use, a new sample JCL procedure library has been introduced in v6.4.1. These examples have been created with the goal of providing a familiar PGP-style JCL procedure for experienced operators of PGP command-syntax products on z/OS or distributed platforms. The new sample JCLs provide users flexibility in the complexity level of encryption processes they choose to utilize within MegaCryption, benefitting novice and experienced cryptographers alike.
Also featured in the release are enhancements to MegaCryption's OpenPGP encryption and decryption utilities. MegaCryption 6.4.1 provides a significant performance improvement when using algorithms AES, AES2, 3EDE, DES, and AUTO in conjunction with OpenPGP encryption and decryption. Further cryptography enhancements include additional algorithms and options via MegaCryption's Cryptography Wizard.
Another beneficial feature of MegaCryption 6.4.1 is the signature-validation utility. When signature validation is as important to your cryptography policy as the confidentiality of data, you may now escalate signature validation failures from the default "warning" status to become an "error" by including this new DD statement in your job step.
Aside from the improved cryptography algorithm support and enhanced interoperability with other key management systems, MegaCryption also features a robust API for users to write their own subroutines; the direct implementation of cryptographic functions into databases, online transactions, applications and batch programs; the creation of self-decrypting archives for Windows users; VSAM and flat-file encryption; DB2 field-level encryption; and many other tools designed to meet all of an enterprise's cryptography needs. Interested parties may read more about MegaCryption on the ASPG web site. Free trials of the software are also available.
ABOUT ADVANCED SOFTWARE PRODUCTS GROUP
ASPG is an industry-leading software development company with IBM partnerships and Microsoft certifications, and for over 25 years has been producing award-winning software for data centers and mainframes, specializing in data security, storage administration, and systems productivity, providing solutions for a majority of the GLOBAL 1000 data centers.
For more information about ASPG, please contact our Sales Team by phone at 800-662-6090 (Toll-Free) or 239-649-1548 (US/International), 239-649-6391 (fax) or email at aspgsales@aspg.com. You can also visit the ASPG website at http://www.aspg.com.
United States v. Manning
Official photograph of Manning from the United States Army
United States v. Manning was the court-martial of former United States Army Private First Class Bradley E. Manning[1] (known after the trial as Chelsea Manning).[2]
Manning was arrested in May 2010 in Iraq, where she had been stationed since October 2009, after Adrian Lamo, a computer hacker in the United States, provided information to Army Counterintelligence that Manning had acknowledged passing classified material to the whistleblower website, WikiLeaks.[3][4] Manning was ultimately charged with 22 specified offenses, including communicating national defense information to an unauthorized source, and the most serious of the charges, aiding the enemy.[1] Other charges included violations of the Espionage Act, stealing U.S. government property, charges under the Computer Fraud and Abuse Act and charges related to the failure to obey lawful general orders under Article 92 of the Uniform Code of Military Justice. She entered guilty pleas to 10 of 22 specified offenses in February 2013.[5]
The trial began on June 3, 2013.[6] It went to the judge on July 26, 2013, and findings were rendered on July 30.[7][8] Manning was acquitted of the most serious charge, that of aiding the enemy, for giving secrets to WikiLeaks. In addition to five[9][10][11] or six[12][13][14] espionage counts, she was also found guilty of five theft specifications, two computer fraud specifications and multiple military infractions. Manning had previously admitted guilt on some of the specified charges before the trial.[15]
On August 21, 2013, Manning was sentenced to 35 years' imprisonment, reduction in rank from Private First Class to Private, forfeiture of all pay and allowances, and a dishonorable discharge.[16] She may be eligible for parole after serving one third of the sentence, and together with credits for time served and good behavior could be released after eight years.[17][18][19]
The material in question includes 251,287 United States diplomatic cables, over 400,000 classified army reports from the Iraq War (the Iraq War logs), and approximately 90,000 army reports from the war in Afghanistan (the Afghan War logs). WikiLeaks also received two videos. One was of the July 12, 2007 Baghdad airstrike (dubbed the "Collateral Murder" video); the second, which was never published, was of the May 2009 Granai airstrike in Afghanistan.[20]
Manning was charged on July 5, 2010, with violations of Articles 92 and 134 of the Uniform Code of Military Justice, which were alleged to have taken place between November 19, 2009, and May 27, 2010.[21] These were replaced on March 1, 2011, with 22 specifications, including aiding the enemy, wrongfully causing intelligence to be published on the Internet knowing that it was accessible to the enemy, theft of public property or records, and transmitting defense information. Manning was found not guilty for the most serious of the charges, aiding the enemy, for which Manning could have faced life in prison.[22]
A panel of experts ruled in April 2011 that Manning was fit to stand trial.[23] An Article 32 hearing, presided over by Lieutenant Colonel Paul Almanza, was convened on December 16, 2011, at Fort Meade, Maryland, to determine whether to proceed to a court martial. The army was represented by Captains Ashden Fein, Joe Morrow, and Angel Overgaard. Manning was represented by military attorneys Major Matthew Kemkes and Captain Paul Bouchard, and by civilian attorney David Coombs.
The hearing resulted in Almanza recommending that Manning be referred to a general court-martial, and on February 3, 2012, the convening authority, Major General Michael Linnington, commander of the Military District of Washington,[24] ordered Manning to stand trial on all 22 specified charges, including aiding the enemy. Manning was formally charged (arraigned) on February 23, and declined to enter a plea.[25]
Read more here:
United States v. Manning - Wikipedia, the free encyclopedia
Spies must be less secretive if they are to win back public trust, a new report says.
Leaks from US security whistleblowers Edward Snowden and Bradley Manning have led to "adverse commentary" and media attention is "mostly negative", a review commissioned by the State Services Commission says.
Overseas agencies in Australia and Britain are "much more transparent and active in the media".
It recommends the Government Communications Security Bureau and the Security Intelligence Service should talk publicly about threat detection and security risks.
The full report is classified "top secret". But the agencies appear to be heeding advice - a source said they requested that the unclassified summary of the report be released.
"Public knowledge and experience of the security and intelligence sector in New Zealand is very low," the report says. "This is not surprising given the secret nature of the work and the sector's deliberately low profile over many years . . . a much more transparent approach could be possible in other areas . . . greater pro-activity would have potentially high gains."
The performance improvement framework (PIF) review into the Intelligence Community - made up of GCSB, SIS, Intelligence Coordination Group of the Department of Prime Minister and Cabinet, and the National Assessments Bureau - was carried out in late 2013 and published yesterday.
It follows the damning Kitteridge report on the GCSB last year.
The review makes references to funding problems, saying a "high tempo operational focus" leads to employees "pitching in to make the most of scarce resources".
Much of its electronic equipment and hardware has a "short life-cycle". An asset stocktake will get under way this year.
View post:
Report finds spooks too far under the radar
"Surveillance, secrecy, and disclosure: The case of Edward Snowden"
Open Lecture with Aryeh Neier Founder, Human Rights Watch; President Emeritus of the Open Society Foundations; and Visiting Professor, School of Public Polic...
By: esmt berlin
Read more:
"Surveillance, secrecy, and disclosure: The case of Edward Snowden" - Video