Rising Use of Encryption Foiled the Cops a Record 9 Times in 2013


The spread of usable encryption tools hasn't exactly made law enforcement wiretaps obsolete. But in a handful of cases over the past year, and more than ever before, it did shut down cops' attempts to eavesdrop on criminal suspects, the latest sign of a slow but steady increase in encryption's adoption by police targets over the last decade.

In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases, and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero.

The cases in which cops encountered encryption at all, it's worth noting, still represent just a tiny fraction of law enforcement's growing overall number of surveillance targets. Feds and state police eavesdropped on U.S. suspects' phone calls, text messages, and other communications at least 3,500 times in 2013, a statistic that will likely be revised upwards over the next year as law enforcement's data becomes more complete. Of those thousands of cases, only 41 involved encryption at all. And in 32 cases cops were able to somehow circumvent or break suspects' privacy protections to eavesdrop on their targets unimpeded. The report doesn't include details of the specific cases.

Those numbers still contradict the warnings from government agencies like the FBI for more than a decade that the free availability of encryption tools will eventually lead to a "going dark" problem, a dystopian future where criminals and terrorists use privacy tools to make their communications invisible to law enforcement. Last year, for instance, the Drug Enforcement Agency leaked an internal report complaining that Apple's iMessage encryption was blocking their investigations of drug dealers. "So the cryptapocalypse they warned us about in the 90s has come to pass," University of Pennsylvania computer science professor Matt Blaze noted drily on Twitter. "Strong crypto used in a whopping 0.25% of wiretaps last year."

Even so, a look back at the last ten years' statistics from police reports shows that encryption use is on the rise, even if the number of cases remains small and most encryption use is still futile. As recently as 2006 and 2007, police reported that they hadn't encountered any uses of encryption at all, and only dealt with one case of a suspect using encryption in 2009, as shown in the chart below. (In Thursday's report, police also counted another 52 cases of encryption use by their targets prior to 2013, but didn't specify in which years those incidents had occurred.)

That steady trickle of encryption tools into the public's hands is a sign that Americans' awareness of surveillance is rising. Edward Snowden's leaks about NSA surveillance began dropping in July of last year, and carried with them a wave of interest in new privacy technologies. "Post-Snowden, both people and companies have become more sophisticated in safeguarding their communications," says Hanni Fakhoury, a surveillance-focused attorney with the Electronic Frontier Foundation. "When you look at this report next year, there will no doubt be even more use of encryption."

Crypto aside, the report noted a significant drop in the cost of cops' surveillance. Police reported an average of $41,119 per case in which they intercepted a suspect's communications in 2013. That's down 18 percent from the year before, and represents the cheapest snooping ever, perhaps thanks to advances in surveillance technology. In 2003, for instance, a wiretap cost an average of $62,164, almost 50 percent more than today.

That steady drop in the price of spying may be one reason why the number of total wiretap cases has steadily grown over the past decade. Although the total wiretap count for 2013 is still incomplete, it added up to 4,927 cases in 2012, more than twice the 2,136 cases in 2003.


The Ultra-Simple App That Lets Anyone Encrypt Anything


Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn't figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video.

Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he'll release a beta version of an all-purpose file encryption program called miniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.

"The tagline is that this is file encryption that does more with less," says Kobeissi, a 23-year old coder, activist and security consultant. "It's super simple, approachable, and it's almost impossible to be confused using it."

A screenshot from an early demo of miniLock.

Kobeissi's creation, which he says is in an experimental phase and shouldn't yet be used for high security files, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin tested by WIRED, we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipient (in theory not even law enforcement or intelligence agencies) could unscramble and read it. MiniLock can be used to encrypt anything from video email attachments to photos stored on a USB drive, or to encrypt files for secure storage on Dropbox or Google Drive.

Like the older PGP, miniLock offers so-called public key encryption. In public key encryption systems, users have two cryptographic keys, a public key and a private one. They share the public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.

Kobeissi's version of public key encryption hides nearly all of that complexity. There's no need to even register or log in: every time miniLock launches, the user enters only a passphrase, though miniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a miniLock ID, and a private key, which the user never sees and is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key.

"No logins, and no private keys to manage. Both are eliminated. That's what's special," says Kobeissi. "Users can have their identity for sending and receiving files on any computer that has miniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP."

In fact, miniLock uses a flavor of encryption that had barely been developed when PGP became popular in the 1990s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that haven't been possible before; PGP's public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible miniLock's feature of deriving the user's keys from his or her passphrase every time it's entered rather than storing them. Kobeissi says he's saving the full technical explanation of miniLock's elliptic curve feats for his HOPE conference talk.


Encryption scuppered US police just nine times in 2013

The spread of usable encryption tools hasn't exactly made law enforcement wiretaps obsolete. But in a handful of cases over the past year in the US -- and more than ever before -- it did shut down cops' attempts to eavesdrop on criminal suspects, the latest sign of a slow but steady increase in encryption's adoption by police targets over the last decade.

In nine cases in 2013, US state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the US court system on Wednesday, 2 July. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases -- and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero.

The cases in which the police encountered encryption at all, it's worth noting, still represent just a tiny fraction of law enforcement's growing overall number of surveillance targets. Feds and state police eavesdropped on US suspects' phone calls, text messages, and other communications at least 3,500 times in 2013, a statistic that will likely be revised upwards over the next year as law enforcement's data becomes more complete. Of those thousands of cases, only 41 involved encryption at all. And in 32 cases cops were able to somehow circumvent or break suspects' privacy protections to eavesdrop on their targets unimpeded. The report doesn't include details of the specific cases.

Those numbers still contradict the warnings from government agencies like the FBI for more than a decade that the free availability of encryption tools will eventually lead to a "going dark" problem, a dystopian future where criminals and terrorists use privacy tools to make their communications invisible to law enforcement. Last year, for instance, the Drug Enforcement Agency leaked an internal report complaining that Apple's iMessage encryption was blocking their investigations of drug dealers. "So the cryptapocalypse they warned us about in the 90s has come to pass," University of Pennsylvania computer science professor Matt Blaze noted drily on Twitter. "Strong crypto used in a whopping 0.25 percent of wiretaps last year."

Even so, a look back at the last ten years' statistics from police reports shows that encryption use is on the rise, even if the number of cases remains small and most encryption use is still futile. As recently as 2006 and 2007, police reported that they hadn't encountered any uses of encryption at all, and only dealt with one case of a suspect using encryption in 2009. (In Thursday's report, police also counted another 52 cases of encryption use by their targets prior to 2013, but didn't specify in which years those incidents had occurred.)

That steady trickle of encryption tools into the public's hands is a sign that Americans' awareness of surveillance is rising. Edward Snowden's leaks about NSA surveillance began dropping in July of last year, and carried with them a wave of interest in new privacy technologies. "Post-Snowden, both people and companies have become more sophisticated in safeguarding their communications," says Hanni Fakhoury, a surveillance-focussed attorney with the Electronic Frontier Foundation. "When you look at this report next year, there will no doubt be even more use of encryption."

Crypto aside, the report noted a significant drop in the cost of police surveillance. Police reported an average of $41,119 (£23,985) per case in which they intercepted a suspect's communications in 2013. That's down 18 percent from the year before, and represents the cheapest snooping ever, perhaps thanks to advances in surveillance technology. In 2003, for instance, a wiretap cost an average of $62,164 (£36,259) -- almost 50 percent more than today.

That steady drop in the price of spying may be one reason why the number of total wiretap cases has steadily grown over the past decade. Although the total wiretap count for 2013 is still incomplete, it added up to 4,927 cases in 2012, more than twice the 2,136 cases in 2003.

In other words, privacy activists have little reason to celebrate, and police complaints about encryption foiling their investigations ring hollow. "You'll see the government prop encryption up as a bogeyman, but this is actually a very small problem for them," he says. "It's stretching it to say, 'in nine cases this was an obstacle so we need to rewrite the criminal code.' That's overkill."

This story originally appeared on Wired.com


Microsoft Reveals Tougher Email Encryption After Google Remarks

July 1, 2014

Peter Suciu for redOrbit.com Your Universe Online

Last month Google Inc. called out rival email providers for not providing enough encryption for their respective users' email accounts. Some of those rivals apparently took notice and quickly addressed the issue. On Tuesday Cnet reported that Microsoft unveiled tougher encryption standards for its web-based email and some cloud services.

Google's latest transparency report suggested that less than 50 percent of emails received by Google users through its Gmail service from Microsoft's Hotmail, Live and MSN were in fact encrypted. Now Microsoft is implementing a series of changes that will provide better protection from potential prying eyes. Microsoft's email services Outlook.com, Hotmail.com, Live.com and MSN.com are now secured via Transport Layer Security (TLS) protections, and this is meant to ensure that communications through these web-based programs are safe and secure.

"We are in the midst of a comprehensive engineering effort to strengthen encryption across our networks and services," Matt Thomlinson, vice president for trustworthy computing security at Microsoft, wrote in a blog post on Tuesday. "Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day. This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data."

Thomlinson noted that the TLS encryption will be provided to both inbound and outbound email; and it will be encrypted and better protected as the email travels between Microsoft and other email providers.

There is a catch, however.

"Of course, this requires their email service provider to also have TLS support," Thomlinson added.

Cnet's Seth Rosenblatt reported that Comcast and Microsoft are already in the process of implementing TLS for their webmail services.

Outlook.com users will further get an extra level of security, as Microsoft announced that it has also enabled Perfect Forward Secrecy (PFS) encryption support for both sending and receiving of email between providers. This also utilizes a different encryption key for every connection, which the software giant claimed would make it more difficult for attackers to decrypt connections.


Microsoft Boosts Outlook.com, OneDrive Encryption

Microsoft has boosted encryption for Outlook.com and OneDrive.

Several months after pledging to beef up encryption across its services, Microsoft today announced some new security protections for Outlook.com and OneDrive.

Redmond has rolled out Transport Layer Security (TLS) on Outlook.com for inbound and outbound email. "This means that when you send an email to someone, your email is encrypted and thus better protected as it travels between Microsoft and other email providers," Microsoft said, provided the recipient's email service also has TLS support.

Microsoft said it coordinated with several international providers - like Deutsche Telekom, Yandex, and Mail.Ru - over the last six months to make sure its solution worked.

The company is also rolling out Perfect Forward Secrecy (PFS) for Outlook.com and OneDrive. "Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections," said Matt Thomlinson, vice president of Trustworthy Computing Security at Microsoft.

PFS, which Twitter rolled out last year, will be on by default for those who access OneDrive via onedrive.live.com, the OneDrive app, and Microsoft's sync clients.

Other security upgrades made over the past few months, meanwhile, include enhanced message encryption in Office 365 and ExpressRoute for Azure, which enables businesses to create private connections between Azure data centers and infrastructure on their premises or in a co-location environment.

Microsoft's push for enhanced security came in the wake of the Edward Snowden leaks, and accusations that the National Security Agency (NSA) was spying on data traveling between the data centers of top companies like Google and Yahoo, which has also rolled out more robust encryption.


TopTenREVIEWS – Encryption Software Review 2014 | Best …

Do you throw your credit card statements in the trash? How about documents that include your phone number, social security number, address, and date of birth? No, you shred the papers first, to make it difficult for others to read.

The same goes for sensitive information stored on a computer. It needs protection. Data encryption means you've essentially shredded it. No one can read it. But luckily with computers, we can unshred our data back to its original state, and then shred it again. We can do this as many times as we like. And unlike paper, your shredded data can't be pieced together, at least not without knowing the proper key or password.

So why does anyone need file encryption software? Information that is private can be embarrassing if released to the public, hence the word private. In addition, losing personal information to the wrong person (stolen laptop) could result in identity theft. Lots of worry, lots of stress, and none of it necessary, should we always choose to protect our sensitive data.

On this site, you'll find articles on encryption software, and comprehensive reviews to help you make an informed decision on which package is right for you. At TopTenREVIEWS We Do the Research So You Don't Have To.

It must be easy to use and provide 100% reliability of data. Below are the criteria TopTenREVIEWS used to evaluate the software:

Ease of Use: It should be easy to install, and easy to use. If it is built correctly, the user will rarely need to consult the help file, or look for support on the company's website. This is a true indication that the application was created with the customer in mind.

Data Security: It should have the following security features at a minimum: A strong encryption algorithm (at least 256 bit AES or equivalent), shredding of original files after encryption, 100% reliability of data after encryption/decryption and a password strength meter to ensure a strong password.

Feature Set: The saying "You get what you pay for" is quite often true. In many cases, however, the average user probably only needs a few features to fulfill his needs. The more bells and whistles means the more you'll pay for that extra unneeded bloat, i.e., do you really need biometric ID verification? At a minimum, when looking for encryption software, the following features should be included: An uncrippled trial version so that you can fully test the program using your configurations, speedy encryption/decryption of files and folders, context menu options - ability to right click on any file folder and encrypt/decrypt and portability - can you encrypt/decrypt your files on the go, without needing the main program?

Help and Documentation: Encrypting your files and folders needn't be difficult. The internals of the software that convert your data to unintelligible 1s and 0s do all the hard work. Other than that, the interface should give you simple choices to make, and be self explanatory. But sometimes we need help. At a minimum, any software package should have these help options: A built in help file with lots of graphics, easy to read instructions, the ability to search and so on; built-in or online tutorials; a knowledge base or a Frequently Asked Questions (FAQ) page and email support.

So let's not delay any further. Your data needs protecting. And what better way than with Folder Lock.


Microsoft boosts anti-snooping protection in Outlook.com, OneDrive

Microsoft has added encryption safeguards to the Outlook.com webmail service and to the OneDrive cloud storage service, in part to better protect these consumer products from government snoops.

"Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day. This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data," Matt Thomlinson, vice president, Trustworthy Computing Security, at Microsoft wrote in a blog post.

The move follows similar ones from other cloud computing providers. For example, Google announced end-to-end encryption for Gmail in April, including protection for email messages while they travel among Google data centers. It recently announced similar encryption for its Google Drive cloud storage service.

It's not clear from Microsoft's announcement whether the encryption protection it announced covers Outlook.com messages and OneDrive files as they travel within Microsoft data centers. It's also not clear what, if any, encryption OneDrive and Outlook.com have had until now. Microsoft didn't immediately respond to a request for comment.

Cloud computing providers like Microsoft, Google, Amazon and many others have been rattled by disclosures from former National Security Agency contractor Edward Snowden regarding government snooping into online communications, due to the effect on their consumer and business customers.

As a result, these companies have been busy boosting encryption on their systems, while also lobbying the U.S. government to stop the stealthy and widespread monitoring of Internet services.

In December, Microsoft announced it would roll out in the coming 12 months sweeping improvements in encryption across its consumer and enterprise cloud services, including Outlook.com, its Azure platform, Office 365 and other products. Tuesday's announcement is part of that ongoing effort.

Brad Smith, Microsoft's general counsel, wrote then that "we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures -- and in our view, legal processes and protections -- in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection -- without search warrants or legal subpoenas -- of customer data as it travels between customers and servers or between company data centers in our industry."

Smith went on to say that, if true, the situation threatens to seriously undermine the security and privacy of online communications, turning government snooping into an advanced persistent threat alongside sophisticated malware and cyber attacks.

The company said Tuesday that inbound and outbound mail from Outlook.com is now protected with Transport Layer Security (TLS) encryption as it travels to and from Microsoft email systems. A caveat is that if there's another email service provider involved in the exchange it must also have implemented TLS on its end. Microsoft has been working with other large, international email service providers on efforts to get TLS more broadly adopted.


Microsoft flips switch on new webmail encryption

Microsoft has pulled back the curtain on its implementation of tougher encryption standards for Web-based email and some cloud services, the company announced Tuesday.

In the works for more than six months, Microsoft has now activated Transport Layer Security encryption (TLS) for its webmail services at Outlook.com, Hotmail.com, Live.com, and MSN.com. This means it will be significantly harder for email originating from and being sent to a Microsoft account to be spied on, as long as the connecting email service also uses TLS.

Matt Thomlinson, vice president of Microsoft's Trustworthy Computing division, said that this work is part of a "comprehensive engineering effort to strengthen encryption."

"This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data," he said.

Although Thomlinson didn't specify the origins of this work, Microsoft's heightened encryption efforts follow an October 2013 report that the NSA had been spying on Internet giants in a program called Muscular. The report was based on documents leaked by one-time National Security Agency contractor Edward Snowden.

Microsoft's move also comes just a few weeks after a well-publicized Google webmail report that painted Redmond in less than flattering colors. Google scored Microsoft, along with Comcast and Apple, as webmail providers with inadequate levels of encryption to protect their users' email.

Comcast and Microsoft representatives told CNET at the time of Google's report that their companies were in the process of implementing TLS for their webmail services. Apple did not return a request for comment.

Microsoft also has activated Perfect Forward Secrecy encryption (PFS) for its cloud storage service OneDrive. The OneDrive website, OneDrive mobile apps, and OneDrive syncing tools will now all use the tougher PFS encryption standard, which protects user confidentiality even when a third party is eavesdropping on the network.

Finally, Microsoft has opened a "transparency center" at its headquarters in Redmond, Wash., where governments can review Microsoft source code for "key products" to confirm that no hidden backdoors have been added to the software. Microsoft has not revealed which of its products will be available for review.


Encryption race continues as Microsoft bulks up protection for email and file storage

Jul. 1, 2014 - 8:09 AM PDT

Microsoft is now encrypting messages flowing between its own Outlook.com mail service and third-party mail providers using Transport Layer Security, and has also enabled Perfect Forward Secrecy in Outlook.com and OneDrive file storage. Perfect Forward Secrecy uses a different encryption key for each connection, according to a Microsoft Technet blog.

TLS support means that mail flowing into and out of Outlook.com accounts is encrypted and thus better protected as it travels between Microsoft and other email providers, as long as those other email vendors also support TLS, wrote Matt Thomlinson, VP of Microsoft's trustworthy computing security group.

Microsoft rival Google last month called for other email providers to make use of Perfect Forward Secrecy technology so that messages are protected from their point of creation to their destination.

Thomlinson also said Microsoft worked with international mail providers including Deutsche Telekom, Yandex and Mail.Ru to test and help ensure that mail stays encrypted in transit to and from each email service.

Ever since Edward Snowden's disclosures about the U.S. National Security Agency snooping on cloud customer data, U.S. cloud providers have been falling all over themselves to prove they are good stewards of customer information.

Microsoft's general counsel Brad Smith, who spoke on the topic at Gigaom's recent Structure Conference, has been in the forefront of that fight.

These companies say unchecked (and secretive) government data gathering is bad for their businesses and argue that it's also bad for the U.S. in general. The NSA disclosures have given non-U.S.-based cloud providers a powerful marketing tool to argue that German citizens (or companies) should stick to German providers for their cloud computing needs; ditto France, and so on.

Now U.S. tech powers like Microsoft, Hewlett-Packard, Google and so on have to show that they are prepared to fight, even fight the U.S. government if need be, to protect customer data.

At Structure, HP EVP Bill Veghte said NSA-gate had hurt cloud adoption in China, which is building infrastructure like gangbusters while U.S. vendors have to deal with spying concerns. "It's just a bummer," he said.


Microsoft Bolsters Encryption For OneDrive And Outlook.com

Microsoft announced this morning that it has bolstered the security of several of its digital products, bringing stronger encryption tools to its OneDrive and Outlook.com services.

In the wake of revelations that the United States government was tapping the core fiber cables of the Internet, snooping on traffic between the data centers of large technology companies, and working to weaken encryption, a loose, industry-wide effort has been undertaken to build digital dikes to keep prying eyes out of customer data.

As we've noted, this is an interesting moment when user well-being and the profit motive of corporations find common cause: Less government, more privacy. (The cause-effect pull here is mildly tautological, but let's move on.)

According to a blog post that it released this morning, Microsoft has added Transport Layer Security encryption to Outlook.com, allowing email sent by users of the service to remain encrypted while in transit. Microsoft cited several email providers, including Yandex and Mail.Ru, as partners in the effort; the receiving email service must support Transport Layer Security encryption or it doesn't work.

Outlook.com, along with OneDrive also now both sport Perfect Forward Secrecy encryption.

Google, Yahoo, and others have also made strides to tighten their security. Yahoo encrypted information moving between its data centers, and promised an encrypted version of its messaging product. Google has made similar efforts.

All quite reasonable, right? Not to some in our government. Congressman Mike Rogers recently had sharp words for technology companies who are in favor of stronger protections against government surveillance:

While I'm on my soapbox, we should be really mad at Google and Facebook and Microsoft, because they're doing a very interesting, and I think, very dangerous thing. They've decided to come out and say we oppose this new FISA bill, because it doesn't go far enough. And when you peel that onion back a bit and say Why are you doing this? This is a good bill, it's safe, it's bi-partisan, it's rational. It meets all the requirements for 4th Amendment protections and privacy protection and allowing the system to work.

And they say, Well, we have to do this because we're trying to make sure we don't lose our European business. I don't know about the rest of you but that offends me from the words European business. Think about what they're doing. They're willing to, in their mind, justify the importance of their next quarter's earnings in Europe versus the national security of the United States. Everybody on those boards should be embarrassed and their CEOs should be embarrassed and their stockholders should be embarrassed. That one quarter cannot be worth the national security of the United States for the next ten generations.

The bill that Rep. Rogers is riffing on attracted ire. Around half of its co-sponsors voted against the law's final form when it was unceremoniously rammed through the lower chamber of Congress after what I've heard was strong lobbying from the Executive Branch.
