After years of tech companies and police fumbling and clashing over end-to-end encryption, Meta this week brandished a new tool in its arsenal that may help the social media giant resist government pressure to change course or weaken its plan to implement end-to-end encryption across its private communication services.

On Monday, Meta published a report about the human rights impacts of end-to-end encryption produced by Business for Social Responsibility, a nonprofit focused on corporate impacts. Meta, which commissioned the independent BSR report, also published its response. In a study that took more than two years to complete, BSR found that end-to-end encryption is overwhelmingly positive and crucial for protecting human rights, but it also delved into the criminal activity and violent extremism that can find safe haven on end-to-end encrypted platforms. Crucially, the report also offers recommendations for how to potentially mitigate these negative impacts.

Since 2019, Meta has said that it will eventually bring end-to-end encryption to all of its messaging platforms. The security measure, designed to box services out of accessing their users' communications, has already long been deployed on the Meta-owned platform WhatsApp, but the initiative would bring the protection to Facebook Messenger and Instagram Direct Messenger as well. Meta has said that its delay in fully deploying end-to-end encryption on these other services largely has to do with technical challenges and interoperability issues, but the company has also faced criticism about the plan from the United States government and other countries around the world over concerns that adding the feature would make it more difficult for the company and law enforcement to counter a range of threats, like child abuse and distribution of child sexual abuse material, coordinated disinformation campaigns, viral hate speech, terrorism, and violent extremism. The US government, and the FBI specifically, has long argued that comprehensive encryption that protects user data equally protects suspects from criminal investigations, thus endangering the public and national security.

I am glad to see BSRs report affirm the crucial role that encryption plays in protecting human rights, says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory who was not involved in the study. While its true that undesirable conduct occurs in encrypted contexts, most people arent criminals, whereas everyone needs privacy and security. Weakening encryption is not the answer.

The question for Meta and privacy advocates around the world has been how to develop mechanisms for stopping digital abuse before it starts, flagging potentially suspicious behavior without gaining access to users' actual communications, and creating mechanisms that allow users to effectively report potentially abusive behavior. Even very recent efforts to strike a balance have been met with intense criticism by privacy and encryption advocates.

For example, Apple announced plans in August to debut a feature that would scan user's data locally on their devices for child sexual abuse material. That way, the reasoning went, Apple wouldn't need to access the data directly or compile it in the cloud to check for abusive material. Researchers raised a host of concerns, though, about the potential for such a mechanism to be manipulated and abused and the risk that it wouldn't even accomplish its goal if the system produced a slew of false positives and false negatives. Within a month, Apple backed down, saying it needed time to reassess the scheme.

Here is the original post:
Meta Tries to Break the End-to-End Encryption Deadlock - WIRED

Source: Harish Jonnalagadda / iMore

WhatsApp is readying an update that will remind people why end-to-end encryption is so important to them, according to a new report. A new screen will show what end-to-end encryption means and what benefits it offers.

The new WhatsApp screen is now being tested in beta form and was first spotted by beta watchers WABetaInfo. The page will appear when people tap another new addition the end-to-end encryption indicators that we reported on recently.

As you can see in this attached screenshot, a new security page shows up that gives some information about end-to-end encryption. The new page informs the user that text and voice messages, audio and video calls (including group calls), media, location sharing, and status updates are secured by end-to-end encryption, so your conversations are always private.

End-to-end encryption ensures that all communications are private, something that is vital to WhatsApp users and one of the reasons it's one of the best iPhone apps for private communications although there are plenty of WhatsApp alternatives available in the App Store.

This latest change is currently available to those on the WhatsApp TestFlight beta although it is surely only a matter of time before it is rolled out to everyone. WhatsApp continues to tweak its app via those beta releases before making the updates available via the App Store for all users. The Meta-owned instant messaging service is also testing a change that will add an ETA to file transfers, too.

Excerpt from:
WhatsApp gets ready to remind everyone why end-to-end encryption matters - iMore

Microsoft has rolled out improved search features to Teams and a new customer "lockbox" that lets users control who has access to content.

The roughly 270 million people who frequently use Teams should notice a difference in the results when they search for things. There should be less clutter, better context in summary results, and more filters to choose from to find files, content and people across Microsoft's services, from OneDrive to Word.

Search isn't what Microsoft's is famous for, but the company has been trying to improve it in Windows 11 as forges the operating system into a more consumer-friendly product. It's also trying to make feature-heavy Teams more palatable for consumers though Windows 11 Teams chat integrations.

This month Microsoft also rolled out a new customer "lockbox" for Teams that lets users control when others can access their content to do things on the platform. Microsoft has has the lockbox concept for Office 365 customers for several years, which helps customers ensure that even Microsoft support engineers can't access the content of customers' communications on Microsoft services.

A Microsoft support page for Customer Lockbox says it supports others' requests to access data a user's in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. The recently updated page suggests Microsoft has implemented end-to-end encryption (E2EE) for these services. Microsoft in December rolled out E2EE for customers on one-to-one Teams calls.

"Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your content," Microsoft states.

The lockbox covers content in email, Sharepoint, Skype for Business, instant messages and voice conversations, all text in Teams including person-to-person chats, group chats, shared channels, private channels, and meeting chats, videos, apps and bot data in Teams chats and channels, Teams activity feeds, SQL container data, and customer generated content.

On the list of Microsoft Teams updates throughout March, Microsoft also highlights that Teams meetings also gained a feature that helps organizers automatically send invites to meetings via calendars, as well as domain customization, and the ability for for users to see scheduled meetings on the Teams iOS and Android app.

iPhone users can now answer incoming meeting nudges or invites when their video is on. It's useful for the healthcare workers who may need to attend a virtual meeting, according to Microsoft.

Live captions are available for Teams users on Azure Virtual Desktop and Windows 365 on virtual desktop infrastructure (VDI) .

Storage pain for admins from Teams meetings is also getting attention thanks to Microsoft's new automatic expiration policy .

Admins can disable auto-expiration but it is on by default. All new recordings automatically expire 60 days after they are recorded if no action is taken, Microsoft previously explained.

Read the original post:
Microsoft Teams gets better search, and an encrypted 'lockbox' to protect your data - ZDNet

Later that day odd things begin to happen. Your phone isn't working exactly as expected and you start receiving a deluge of what appears like harmless spam.

Let me set the scene for you: You're on the go and you need to stop and get a coffee. You enter the coffee shop and the aroma is the first thing to entice you. Next, you see all the lovely people sitting around making deals, writing the great American novel, chatting, and just generally enjoying themselves. You then notice a sign that states, "Free Wi-Fi."

Score!

You pull out your phone, open the network connection app and notice the wireless connection doesn't have a password.

Even better.

You connect to the wireless network and order your quad long shot grande in a venti cup half caff double cupped no sleeve salted caramel mocha latte with 2 pumps of vanilla substitute 2 pumps of white chocolate mocha for mocha and substitute 2 pumps of hazelnut for toffee nut half whole milk and half breve with no whipped cream extra hot extra foam extra caramel drizzle extra salt add a scoop of vanilla bean powder with light ice well stirred.

While the barista brews your ridiculously complicated order, you sit down and start using all that free Wi-Fi. You send email, you communicate to team members on Slack, send SMS messages to friends and family, check-in on Facebook, and tweet the single most profound statement Twitter has ever beheld.

Life is good.

You get your drink and continue on as though nothing can touch you.

Eventually, you leave and think nothing of your experience (other than how delicious the coffee was and how on point your Twitter game is).

Later that day (or maybe the next day) odd things begin to happen. Your phone isn't working exactly as expected and you start receiving a deluge of what appears like harmless spam.

Okay, fineall in a day's existence, right?

But then you get a warning from your bank.

And you start seeing reactions to things you didn't post or send.

You check in on your bank account to find your balance is at zero.

Panic sets in.

What happened? You've always been so careful with your bank account credentials and you never share that kind of information with anyone.

This can't be real, can it?

It can and it most likely all started with you connecting to a simple password-less wireless network.

The truth is, you are not safe. Your information isn't safe, your identity isn't safe, your mobile devices aren't safe. Because of this, you have to take every precaution you can, which means never (ever, ever) connecting to an insecure network.

The simple truth is when you connect to insecure Wi-Fi, you open your device to anyone who is also connected to that same wireless network. But why is that so bad? So what if other people can see my device on the network?

Let me put this in simplest terms.

Not every application you use on your mobile device encrypts your data. That means you could be submitting usernames, passwords, and even text messages in plain text. What does that mean? Simple: When you use an app that works with encryption, any data you send or receive is encrypted in such a way that it's very difficult to read. So instead of sending the plain text "password" (which you should never use), it'll send something like this instead:

That, my friends, is encryption. And unless your applications are all using it, you're sending plain text over a network that anyone can access. Once connected, a bad actor could use a sniffer to intercept your plain-text data packets and read them. And the tools used to capture those packages are readily available to anyone.

You might think this is just a warning that can be ignored at will. To that point, you would be right. This is a warning but it's one you should heed. When you connect to insecure wireless networks, it's only a matter of time before someone intercepts your data and you fall prey to any number of nefarious doings.

The best mobile VPNs

Here's how to find an effective Virtual Private Network service for both iOS-powered iPhones and Android smartphones.

Read More

Here are the reasons why you should never connect to an insecure wireless network:

That's really the only bullet point you need. And although I'd like to sugar-coat this for you, the truth of the matter is the longer you ignore this advice, the more at risk you are.

You might find yourself in a situation where you absolutely must connect to an insecure wireless network (maybe you're out of data and have work to do). When you find yourself in such a situation, consider the possible options:

Let's break the above done. The absolute best path you can take is to invest in an unlimited data plan. Why? With an unlimited plan, you will never have a need to connect to an insecure wireless network (especially given how fast 5G speeds are). If, however, that's not an option, I would highly suggest, at a minimum, you use a VPN every time you connect to an insecure network, work with a more secure browser and enable end-2-end encryption on your SMS apps. As you can see, other than only using your data plan, there's no 1-step solution for this problem. And even when using your carrier data, you could up your security game by following the above advice.

The same thing holds true when using a laptop and is especially true when using a Windows-based laptop. If the location you're working in only offers an insecure network, your best bet is to tether your laptop to your mobile device and use the phone's data plan for connectivity.

I know the inclination is to roll your eyes at such warnings, but this is one you should take seriously. Do not connect to insecure wireless networks. Period. End. Of. Story. If you value your privacy and the security of your data, you will follow this advice to the letter.

Follow this link:
The high price of free Wi-Fi: Here's why you never connect to an insecure network - ZDNet

Image: Cisco Talos

Quantum technology that the worlds superpowers are developing, if successful, will render many current encryption algorithms obsolete overnight. Whoever has access to this technology will be able to read almost any encrypted data or message.

Organizations need to pay attention to this emerging technology and take stock of the encryption algorithms in use, while planning to eventually upgrade these. Quantum computers already exist as proof-of-concept systems. For the moment, none are powerful enough to crack current encryption, but the private and public sectors are investing billions of dollars to create powerful systems that will revolutionize computing.

Nobody knows when a powerful quantum computer will become available, but we can predict the effects on security and prepare defenses.

Classical computers operate using bits of information. These bits exist in one of two states, either 1 or 0. Quantum computers operate in a different, but analogous way, operating with qubits. A qubit exists in a mixed state that is both partly 1 and partly 0 at the same time, only adopting a final state at the point when it is measured. This feature allows quantum computers to perform certain calculations much faster than current computers.

Quantum computers cannot solve problems for which current systems are unable to find solutions. However, some calculations take too long for practical application with current computers. With quantum computings speed, these calculations could become trivial to perform.

One example is finding the prime factors of large numbers. Any number can be expressed as multiples of prime numbers, but finding these prime numbers currently takes an incredibly long time. Public-key encryption algorithms rely on this fact to ensure the security of the data they encrypt.

It is the impractical amount of time involved, not the impossibility of the calculation, which secures public-key encryption. An approach named Shors algorithm can rapidly find such prime factors but can only be executed on a sizable quantum computer.

We know that we can break current public-key encryption by applying Shors algorithm, but we are waiting for a suitably powerful quantum computer to become available to implement this. Once someone develops a suitable quantum computer, the owner could break any system reliant on current public-key encryption.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Creating a working, sizable quantum computer is not a trivial matter.A handful of proof-of-concept quantum computing systems have been developed in the private sector. Although quantum research has been identified as a strategic priority for many countries, the path forward is less clear. Nevertheless, China has made quantum technology part of their current five-year plan and is known to have developed functional quantum systems to detect stealth aircraft and submarines, and have deployed quantum communication with satellites.

We know the difficulties in creating a sizable quantum system. What we dont know is if one of the global superpowers has overcome these and succeeded. We can expect that whoever is first to create such a system will be keen to keep it secret. Nevertheless, we can anticipate clues that will indicate a threat actor has developed a functional system.

Anyone possessing the worlds most powerful decryption computer will find it difficult to resist the temptation to put it to use. We would expect to see a threat actor seeking to collect large quantities of encrypted data in transit and data at rest, possibly by masquerading as criminal attacks.

Currently, experts do not observe the volume of network redirection attacks that would be expected for the large-scale collection of data, nor do we see the large-scale exfiltration of stored encrypted data. This is not to say that such attacks dont happen, but they are less frequent or audacious than might be expected if a state-sponsored threat actor was collecting data at scale.

Nobody knows when current encryption techniques will become obsolete. But we can prepare by upgrading encryption algorithms to those believed to be resistant to quantum attack. NIST is preparing standards for post-quantum encryption. In the meantime, the NSA has produced guidelines that offer guidance before relevant standards are published.

Encrypted, archived data is also at risk. Organizations may wish to consider if old data is still required. Wiping obsolete data may be the best defense against having the data stolen.

Until a sizable quantum computer is built and made available for research, we cannot be certain about the capabilities of such a system. It is possible that physical constraints will mean that such a system is not practical to build. Certainly, programming quantum computers will require new software engineering practices. It is also possible that programming shortcuts will be found that allow the practical breaking of encryption with a smaller quantum computer than currently expected.

Post-quantum standards and advice from governmental entities are welcome to guide organizations in transitioning to a quantum-secure environment. However, such advice may not reflect the state-of-the-art of malicious actors.

SEE: Password breach: Why pop culture and passwords dont mix (free PDF) (TechRepublic)

At some point, many current encryption algorithms will become instantly vulnerable to attack. In anticipation of this moment, organizations should take stock of the encryption algorithms they use and the associated key lengths. Where possible, systems should migrate to use AES-256 encryption, use SHA-384 or SHA-512 for hashing, and extend key lengths beyond 3072 bits as an interim measure.

Anyone implementing encryption software should consider the algorithm life span and provide users with the ability to change encryption strength and algorithm as necessary.

Quantum computing is a major focus of research and investment. Physical constraints mean that current chip architectures are difficult to advance further. Practical quantum computer systems will bring large gains in computing power and allow new computational techniques to be applied to solve problems that are currently impractical to calculate.

One application of a new quantum computer will be breaking encryption. When such a system is developed, its existence is likely to be kept secret. However, there are likely to be indicators in the actions of sophisticated threat actors that will betray the systems operation.

Reviewing and improving encryption implementations well in advance of the deployment of a functional quantum computer is vital to ensure the continued confidentiality of information. Take stock of encryption currently in use and plan how to upgrade this if necessary.

We might not be able to predict when such a system will be deployed against us, but we can prepare in advance our response.

For more information, visit the Cisco Newsrooms Q&A with Martin.

Author Martin Lee is technical lead of security research within Talos, Ciscos threat intelligence and research organization. As a researcher within Talos, he seeks to improve the resilience of the Internet and awareness of current threats through researching system vulnerabilities and changes in the threat landscape. With 19 years of experience within the security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the universities of Bristol, Cambridge, Paris and Oxford.

See original here:
Is 2022 the year encryption is doomed? - TechRepublic

Google announced a major update to Google Meet today that includes a number of long-requested features and plenty that you didnt even know you needed. There is a long list here, but the main additions are likely in-meeting reactions to give immediate updates to the Meet companion mode, emoji-based feedback, the ability to use Meet right inside of Docs, Sheets and Slides, as well as a new picture-in-picture mode so you can more easily ignore a meeting and the ability to stream a meeting to YouTube.

Security is another highlight of todays announcement. Starting in May, Google is rolling out client-side encryption in Meet, which is currently still in beta. With this, users have full control over the encryption keys and the identity provider used to access those keys. Later this year, Google will also introduce option end-to-end encryption for all meetings. Currently, all Meet data is encrypted in transit.

Image Credits: Google

Since 2020, its become increasingly clear that human connection is crucial, said Dave Citron, Googles director of product management for Google Meet and Voice in a press briefing ahead of todays announcement. We know we need solutions that help people build connections that can bridge the gap between physical spaces and the somewhere else.

He noted that a lot of these updates today focus on collaboration equity, that is, the ability to contribute to meetings regardless of location, role, experience level, language and device preference. One example for this is companion mode, which launched earlier this year and allows users to join a video meeting on a second screen. Now, Google is updating this with personal video tiles for every participant in a hybrid meeting, even if they are in a conference room with other participants. This update will work towards making those in physical space have the same experience as those who are working remotely, Citron explained.

Image Credits: Google

Like too many features Google announces these days, these updates will roll out later this year. This also means youll have to wait until next month to regale your co-workers with emojis during a meeting to help teams celebrate wins, offer support and share the love, as a Google spokesperson called it.

Picture-in-picture mode will also roll out next month, while automatic noise cancellation on Google Meet hardware is now rolling out to all users on Meet-enabled Logitech, Acer and Asus hardware.

The ability to stream to YouTube, which most companies will probably use for webinars and similar outward-facing meetings, is coming later this year.

Google also today announced a couple of updates to Spaces, but youre probably using Slack, so you can find more information about those here.

Image Credits: Google

Read the original here:
Google Meet gets in-meeting reactions, PiP, end-to-end encryption and more - TechCrunch

Cyber threats against healthcare organizations have been ramping up in the past few years, with highly publicized ransomware attacks leading to weeks-long network shutdowns at some institutions.

Experts warn that the situation may only worsen as bad actors become more sophisticated and as some get a boost from state-sponsored entities.

Anurag Lal, CEO of NetSfere which provides companies with security and message-delivery capabilities caught up with Healthcare IT News to discuss what he sees as the most pressing cyber threat, how organizations can protect themselves and how his experience as director of the U.S. National Broadband Task Force helped shape his perspective on these issues.

Q. Why are healthcare organizations particularly vulnerable to attacks?

A. Healthcare organizations are more at risk for cyber threats for a number of reasons. One, their systems are typically outdated and slower, and less secure as a result. Additionally, the pandemic accelerated the digitization of the healthcare industry, and an estimated 93% of healthcare organizations experienced some sort of data breach over the past two years.

These rushed transformation processes and outdated systems, combined with less centralized workplaces due to remote and hybrid work, create a large amount of risk for attacks.

Another reason healthcare organizations are more vulnerable is because their data is extremely valuable to hackers. Medical records and billing info create a huge target on the back of healthcare systems. Stolen health records may sell [for] up to 10 times more than credit card information on the dark web.

Q. What steps can organizations take to protect themselves?

A. Communicating efficiently and securely to protect patient and company data should remain a top priority as healthcare organizations become more digital. When deploying new communication channels, both internally between employees and with patients and providers, encryption is key.

Not all encryption is the same, though. End-to-end encryption is the gold standard when it comes to safe communications, verifying that messages are protected through every step of the process.

Its also important to educate employees on the dangers of phishing scams, as the majority of security breaches are a result of human error.

Q. On a related note, how can an organization be cognizant of protecting its communications with providers and patients?

A. Similarly to protecting themselves, healthcare organizations can protect their communications with providers and patients by modernizing communication channels and ensuring compliance. Regulations like the Health Insurance Portability and Accountability Act require healthcare organizations to follow specific (and stringent) standards for Protected Health Information, including sensitive patient information like medical histories and test results.

At the end of the day, the patient and their information are the priority and should be protected as such.

Q. What actions should the federal government be taking to address this threat?

A. The government should proactively implement safeguards to protect U.S. institutions from an inevitable cyberattack attempt.

One example is encouraging organizations to require Zero Trust Security and end-to-end-encryption [E2EE]. The idea behind the Zero Trust Security model is to "never trust, always verify"to protect data and intellectual property most securely. All resources are continuously authenticated, verified and authorized.

As I mentioned earlier, with E2EE, data is encrypted on the sender's system or device, and only the intended recipient is able to decrypt and read the message. Ensuring that business communication is locked down in this way applies zero-trust principles to mobile messaging and collaboration.

Q. You were director of the U.S. National Broadband Task Force under the Obama administration. How did that experience help shape your perspective on these issues?

A. During my time working on the Task Force, I saw in real time the very serious threats that exist and saw how cyberattacks affected other governments. For example, [bad actors linked to the] Russian government hacked the Ukrainian power grid, resulting in nationwide outages. Later, [they] installed malware on Ukraines accounting software, causing billions of dollars in damages.

Q. Do you have any predictions for the next few years in the cybersecurity sector?

A. I predict that cyberattacks will become more technologically advanced, so our ability to protect organizations and governments will need to become more advanced alongside them. This is evidenced by skyrocketing cyberattacks with 1,862publicly reported breachesin the U.S. in 2021, up more than 68% from 2020.

Kat Jercich is senior editor of Healthcare IT News.Twitter: @kjercichEmail: kjercich@himss.orgHealthcare IT News is a HIMSS Media publication.

Read the rest here:
Encryption is key to data protection, but not all strategies look alike - Healthcare IT News

On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company defined as having a market capitalization of more than 75 billion and a user base of more than 45 million people in the EU create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS which security experts worry will undermine hard-won gains in the field of message encryption.

The main focus of the DMA is a class of large tech companies termed gatekeepers, defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to break open some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols.

But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users. Signal is small enough that it wouldnt be affected by the DMA provisions, but WhatsApp which uses the Signal protocol and is owned by Meta certainly would be. The result could be that some, if not all, of WhatsApps end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging.

Given the need for precise implementation of cryptographic standards, experts say that theres no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

Trying to reconcile two different cryptographic architectures simply cant be done; one side or the other will have to make major changes, Bellovin said. A design that works only when both parties are online will look very different than one that works with stored messages .... How do you make those two systems interoperate?

Making different messaging services compatible can lead to a lowest common denominator approach to design, Bellovin says, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. For example, if one app supports encrypted multi-party communication and another does not, maintaining communications between them would usually require that the encryption be dropped.

Alternatively, the DMA suggests another approach equally unsatisfactory to privacy advocates in which messages sent between two platforms with incompatible encryption schemes are decrypted and re-encrypted when passed between them, breaking the chain of end-to-end encryption and creating a point of vulnerability for interception by a bad actor.

Alec Muffett, an internet security expert and former Facebook engineer who recently helped Twitter launch an encrypted Tor service, told The Verge that it would be a mistake to think that Apple, Google, Facebook, and other tech companies were making identical and interchangeable products that could easily be combined.

If you went into a McDonalds and said, In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order, they would rightly just stare at you, Muffett said. What happens when the requested sushi arrives by courier at McDonalds from the ostensibly requested sushi restaurant? Can and should McDonalds serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?

Currently, every messaging service takes responsibility for its own security and Muffett and others have argued that by demanding interoperability, users of one service are exposed to vulnerabilities that may have been introduced by another. In the end, overall security is only as strong as the weakest link.

Another point of concern raised by security experts is the problem of maintaining a coherent namespace, the set of identifiers that are used to designate different devices in any networked system. A basic principle of encryption is that messages are encoded in a way that is unique to a known cryptographic identity, so doing a good job of identity management is fundamental to maintaining security.

How do you tell your phone who you want to talk to, and how does the phone find that person? said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management... If the goal is for all of the messaging systems to treat each others users exactly the same, then this is a privacy and security nightmare.

Not all security experts have responded so negatively to the DMA. Some of the objections shared previously by Muffett and Stamos have been addressed in a blog post from Matrix, a project geared around the development of an open-source, secure communications standard.

The post, written by Matrix co-founder Matthew Hodgson, acknowledges the challenges that come with mandated interoperability but argues that they are outweighed by benefits that will come from challenging the tech giants insistence on closed messaging ecosystems.

In the past, gatekeepers dismissed the effort of [interoperability] as not being worthwhile, Hodgson told The Verge. After all, the default course of action is to build a walled garden, and having built one, the temptation is to try to trap as many users as possible.

But with users generally happy to centralize trust and a social graph in one app, its unclear whether the top-down imposition of cross-platform messaging is mirrored by demand from below.

iMessage already has interop: its called SMS, and users really dislike it, said Alex Stamos. And it has really bad security properties that arent explained by green bubbles.

See the rest here:
Security experts fear the DMA will break WhatsApp encryption - The Verge

Six months after launching its end-to-end encrypted document editor, Skiff has bagged another $10.5 million in fresh funding to build out private and collaborative workspaces for its burgeoning customer base.

We wrote about Skiff last year ahead of its launch: Skiff is a web app that has much of the same document-writing and sharing capabilities as Google Docs but is built on a foundation of end-to-end encryption, so Skiff does not have access to users documents like Google does. The startup already has more than 20,000 people using its platform, leaps ahead of the 8,000 waitlisted users it had when we first spoke to the company last May.

But its the end-to-end encryption platform that Skiff relies on that holds the keys to the companys future. Now with $10.5 million in Series A funding in the bank, Skiffs co-founders Andrew Milich and Jason Ginsberg tell TechCrunch that the company is working toward becoming the application layer for the decentralized web.

A core part of the companys efforts have been on decentralization, a process that allows its users to take ownership of their data. Over the past year Skiff has partnered with Protocol Labs to offer decentralized storage, known as IPFS, or the Interplanetary File System, which allows Skiff to encrypt their documents and scatter them across a network of storage hosts, as well as integrating MetaMask, letting users sign in to Skiff using a portable crypto wallet instead of an email address.

The way we look at it is Web 2.0 is really about moving information around and web3 is about moving value around, said Ginsberg, Skiffs CTO, in a call. Data is the most valuable thing on the internet, and our goal is that you really should own your own data.

Ginsberg said the company is focused on growing its product offering, such as communication, and allowing users to share more kinds of data on its platform.

We see hundreds of millions of people choosing privacy products not really meeting the needs of working together remotely, and so thats really where we see Skiff coming in. Theres tons of different products that we could do along those lines. Were most interested right now in exploring products that not just deal with the document side of things, but also the communication side, said Ginsberg.

Milich, the startups chief executive, said the round led by Sequoia as a returning investor will help the company build out those new products that also rely on end-to-end encryption, like communication. Skiff currently has a team of 15 employees dotted across the globe, Milich said. The Series A brings Skiffs total funding to about $14 million.

Skiff is building an amazing team and visionary products to lead this moment, said Konstantine Buhler, a partner at Sequoia. We couldnt be more excited to double down.

Read more:
Skiff lands $10.5M to build out its end-to-end encrypted workspaces - TechCrunch

IT professionals have spoken out against a government-backed campaign to limit end-to-end encryption, arguing that it will not make the world safer and is likely to cause more harm than good.

In a survey carried out by BCS, The Chartered Institute for IT, 78% of industry professionals said they did not believe restricting the use of end-to-end encryption (E2EE) in messaging would protect users.

The poll of 1,000 IT professionals was launched in response to the UK government-backed No Place to Hide campaign, which warns that further roll-out of end-to-end encryption would make it more difficult to police child sexual abuse.

The Home Office-backed campaign claims that social media sites are willfully blindfolding themselves to child sexual abuse by introducing end-to-end encryption on messaging services.

Meta, the owner of Facebook, has come in for particular criticism over its plans to introduce end-to-end encryption to its Instagram and Facebook messenger services.

End-to-end encryption is already widely available in messaging apps such as Signal, Telegram, Wickr and Metas WhatsApp, which offer varying degrees of security, depending on how they are configured.

A steering group of charities, led by Barnardos, the Lucy Faithful Foundation, the Marie Collins Foundation and SafeToNet, are driving the work. Police forces, including the National Crime Agency (NCA), are also backing the campaign.

Rolling out end-to-end encryption without safety measures in place would be like turning the lights off on the ability to identify child sex abusers online. These plans will mean that social media companies can no longer see the abuse that happens on their platforms, the campaign groups said in January.

BCS director of policy Bill Mitchell said: Whilst we can appreciate the governments aim is to make the internet a safer place, a balance has to be struck when it comes to end-to-end encryption.

Now is not the time to weaken technology that is so fundamentally important to our security. There should be more exploration of the alternatives before we go down the road of rolling back E2EE, especially in this time of war, when secure messaging is a vital tool for truth-telling across the world.

According to the poll, 66% of specialists said restricting end-to-end encryption would have a negative impact on protecting society at large.

Encrypted messaging has since become increasingly important to the people of Ukraine, with a large rise in usage being reported, including by journalists, the BCS said.

Some 70% of IT professionals were not confident it was possible to have both truly secure encryption and the ability to check encrypted messages for criminal material.

Many industry experts said they were worried about the possibility of increased surveillance from governments, police and the technology companies that run the online platforms. Other concerns were around the protection of financial data from hackers if end-to-end encryption was undermined.

There were concerns that wider sharing of secret keys, or centralised management of encryption processes, would significantly increase the risk of compromising the confidentiality they are meant to preserve.

BCSs Mitchell said: Its odd that so much focus has been on a magical backdoor when other investigative tools arent being talked about. Alternatives should be looked at before limiting the basic security that underpins everyones privacy and global free speech.

Government and intelligence officials are advocating, among other ways of monitoring encrypted material, technology known as client-side scanning (CSS) that is capable of analysing text messages on phone handsets and computers before they are sent by the user.

Proposals by Apple to compel iPhone users to accept updates that would automatically and covertly search shared images for possible abuse material and send reports to Apple or law enforcement agencies were condemned by 14 top computer scientists and cryptographers in October last year.

They concluded in a research paper, Bugs in our pockets: The risks of client-side scanning, published by Columbia University, that the plans were unworkable, vulnerable to abuse, and a threat to safety and security, citing more than 15 ways in which states or malicious actors, and even targeted abusers, could turn the technology around to cause harm to others or society.

The No Place to Hide campaign states: We are not opposed to end-to-encryption in principle and fully support the importance of strong user privacy. Instead, our campaign is calling for social media companies to work with us to find a solution that protects privacy, without putting children at even greater risk.

Read the rest here:
IT professionals wary of government campaign to limit end-to-end encryption - ComputerWeekly.com