"[T]he Committee is concerned that these encrypted and off-the-record communication practices, if true, run afoul of federal record-keeping requirements," Science Chairman Lamar Smith said. | Getty

Republicans in Congress and their conservative allies are demanding details about federal workers' use of encrypted messaging apps, part of a broader counterattack on employees suspected of opposing President Donald Trump's agenda.

Congressional Republicans are also pondering changes to longstanding laws that protect government workers, further stoking fears among some federal employees that the new administration's supporters are out to squash dissent.

Story Continued Below

Republicans on the House Science Committee took up the cause on Tuesday by asking EPA's inspector general to review reports that agency employees are using an app called Signal, which allows people to exchange encrypted text messages and phone calls. POLITICO reported this month that a group of fewer than a dozen EPA employees were using the app to discuss what they would do if Trump's political appointees flout the law or delete valuable scientific data.

The anti-Trump resistance has infuriated Republicans, who fear that dissenters in the government could undercut the president's policy proposals by unleashing even more embarrassing leaks. They also contend that the use of encrypted messaging circumvents federal record-keeping laws an argument Science Chairman Lamar Smith (R-Texas) echoed in Tuesday's letter.

"[T]he Committee is concerned that these encrypted and off-the-record communication practices, if true, run afoul of federal record-keeping requirements, leaving information that could be responsive to future Freedom of Information Act (FOIA) and congressional requests unattainable," wrote Smith, who organized the letter to the IG. The panel has jurisdiction over many cybersecurity issues.

Outside conservative groups have launched similar efforts.

Citing POLITICO's story, the Cause of Action Institute, a right-leaning watchdog group, filed a request under the Freedom of Information Act this month seeking EPA employees' communications using Signal. "The bottom line is: An encrypted app is basically a way to avoid transparency," Institute Assistant Vice President Henry Kerner said in an interview.

It's not just encryption that is raising eyebrows. Republican research firm America Rising filed a FOIA request this month seeking all emails sent by John O'Grady, a top union official at the EPA, that "mentions or refers to President Trump."

The FOIA request came in response to O'Grady's comments to The Washington Post that Trump's decision to firing then-acting Attorney General Sally Yates "sends kind of a chilling effect" through agencies. O'Grady did not respond to a request for comment.

"The public is entitled to know whether career federal government employees are engaged in partisan politics on the taxpayers dime," said Allan Blutstein, vice president of FOIA operations at America Rising.

EPA employees said they are not using Signal for official government business, and they raised concerns that they're being targeted because they are critical of Trump.

"I don't think anybody can dictate which apps we use on our personal time, for personal conversations," one EPA employee told POLITICO.

The debate comes as employees across the government political appointees and career officials alike are increasingly relying on encrypted messaging apps, fearing repercussions if their private conversations are made public.

National security officials have long used encrypted mobile phone software like Signal and WhatsApp to communicate with reporters and other staffers. Signal frequently comes up in articles advising people how they can communicate free of snooping from government officials or hackers, especially following the massive leaks of stolen Democratic Party emails that roiled last year's presidential election.

Trump's appointees have gotten into the act, too: The Washington Post reported this week that administration staff are using an app called Confide, which deletes messages once they are read, because they're afraid of being accused of leaking to the press.

Asked if the House Science Committee will pursue a similar probe of White House staffers use' of encrypted messaging apps, spokeswoman Kristina Baum declined to make any commitments. But she said the panel "intends to continue to monitor" cyber issues.

The growing tension across the government has some career employees worried that Republicans will try to make radical changes to laws protecting federal workers a move that could make people more fearful to speak out against Trump. Trump has already imposed a freeze on most federal hires and has promised to reduce the size of the workforce.

"Frankly, the climate has shifted rather dramatically and weve gone from a chief executive who respects civil servants to a rather bombastic, disdainful chief executive who unfortunately empowers their disparagement," Rep. Gerry Connolly (D-Va.) said in an interview.

Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight Committee, is eyeing a major overhaul of the civil service system. He has discussed phasing out pensions for new government employees, instead relying on a defined-contribution plan like a 401(k), and has advocated making it easier to fire problem workers. Chaffetz reportedly talked about some of these issues during a recent meeting with Trump.

Connolly said he's concerned that the Republican Congress could win enough support to move a bill gutting civil service protections. "It is very alarming and I think frankly very destructive in terms of the fabric of a free government and a free society," he said.

In the Senate, lawmakers are also considering changes to civil service laws, but Sen. James Lankford (R-Okla.) said he is eyeing targeted tweaks that can win bipartisan support, such as efforts to improve the hiring process.

"If we can keep it small and we can keep it targeted, I think we can move it through unanimous consent," said Lankford, who chairs the Homeland Security and Governmental Affairs Committee's panel on regulatory affairs and federal management. "We need to be better at hiring. If were better at hiring we dont have to worry about firing."

Alex Guilln contributed to this story.

Excerpt from:
Conservatives demanding details on federal workers' encryption use - Politico

Slide: 1 / of 2. Caption: Open Whisper Systems

Slide: 2 / of 2. Caption: Open Whisper Systems

Even as the encryption app Signal became the go-to private communications channel for activists, journalists, politicians, and more, its encrypted calling feature remained less than perfect. It lacks video, often drops calls, and doesnt always integrate with your phones existing features. A Signal update gradually rolling out now upgrades the calling features and adds video, toobut might require its most privacy-sensitive users to take an extra step to protect themselves.

On Tuesday, Signals creators at the non-profit Open Whisper Systems announced a beta version of the update that, in addition to video calling, adds the ability to answer calls from a locked screen, and what they promise will be better call quality. For now, anyone who receives the update can choose activate those new features in the advanced menu under Signals settings. We want Signal to be a joy to use, says Moxie Marlinspike, Open Whisper Systems founder. Were constantly focused on continuing to refine it and add features and functionality that we think people will love.

But anyone testing the beta who links their iPhone to iCloud and wants the same level of privacy Signal has always offered should consider an extra step, too: Disabling a setting that uploads a calls metadata to Apple. The beta upgrade to Signal will use CallKit, Apples framework for allowing VoIP calls like Signals, to be integrated more completely into the calling functionality of the phone. But that also means calls will be recorded in the iPhones call log and, for iCloud users, shared with Apples server. iOS treats CallKit calls like any other call, however that also means some information will be synced to iCloud if enabled, Open Whisper Systems warns. This information includes who you called and how long you talked.

For anyone who cringes at the thought of leaking that metadata, however, the new Signal beta will let you turn CallKit integration off on the same Advanced menu in the apps settings. CallKit integration will only be used if its enabled on both ends of the callif you disable it, your metadata wont be leaked by your contacts phone, either. And Open Whisper Systems is still considering whether the version of Signal it pushes out after this beta will integrate CallKit by default, or as an opt-in feature.

How we handle CallKit once this is the default experience isnt entirely resolved, Marlinspike says. He suggests that the app could mere display Signal users in the iPhones call log to protect users identities, or Signal may walk users through its settings when once installed, to help people choose their privacy preferences. There are a bunch of things we can do other than just having it on by default.

Signals popularity grew in part because it has long made certain privacy tradeoffs to make the app more usable. It integrates a phones existing contacts for convenience, for instance, but requires that a number be added to a phones contact list before it can be called. That means if the phone backs its contacts up to the cloud, some sensitive details could be leaked. And Signal has avoided a federation feature that would allow Signal users to set up their own server to communicate over, rather than use Signals more centralized system.

Aside from the CallKit change, Signal has also fully redesigned its VoIP protocol and reworked how it authenticates that bad actors arent surreptitiously impersonating users during calls. In the past, Signal has offered two unique words generated on the callers screens from their encryption keys. The callers each read out a word, and if they match, they can be sure no man-in-the-middle is eavesdropping on their call. In the new version, Signals voice and video calling will drop those word pairs and instead use the same authentication system as its text messaging feature, which depends instead on simply warning users if their contacts encryption key has suspiciously changed.

All of that means Signal is making the process of an encrypted call feel far more like making a normal one. The next time youre foiling the eavesdroppers trying to listen in on your secret conversations, in other words, you may not even notice.

Continue reading here:
The Best Encrypted Chat App Now Does Video Calls Too - WIRED

Security

Common Sense Education has made its encryption-checking tools available as open source so that anybody can check out the security settings of education technology products.

The release of its security scanning scripts follows on a project to check over the encryption practices of technology commonly used within schools. That effort, undertaken in October 2016, found that a "significant number" of companies don't provide even the most basic support for encryption.

Encryption is the process of converting data into a form that's unreadable by anybody but the user who holds the code needed to reverse the encryption. Transport Layer Security (TLS), sometimes referred to as Secure Socket Layer (SSL), is a set of technologies that protect the security and privacy of internet communications; and it uses encryption to prevent information from being read on the network by unauthorized viewers. For example, if a student is working on homework at a WiFi hotspot, anything sent without encryption such as a user name or password could be captured through snooping and freely read by others on the same network.

For the testing process, the non-profit ran automated tests on 1,221 logins used by 1,128 vendors that have products in schools all over the country. The testing excluded sites that don't require a login, that are no longer in business or that for "whatever technical reason" didn't load properly. Slightly more than half of the resulting companies (52 percent) require encryption; 25 percent don't support it at all; and another 20 percent don't require an encrypted connection.

Interestingly, Common Sense Education found that one well known vendor enables encryption in districts in states where laws require "reasonable security" and avoids it in some districts in other states where the laws aren't as rigorous. Another product intended to be used by students of all ages supports encryption in some product offerings and not in others. And "multiple" companies take a request for an encryption connection and redirect it to an unencrypted connection.

Currently, the company hasn't released a list of the vendors tested or their individual results, preferring to keep the findings in aggregate to give companies a chance to improve their encryption practices. However, the organization has stated that it will rerun the survey with the hope of seeing an increased use of encryption.

Even then, though, Common Sense would also like people to be able to run the tests themselves. That's why the testing code has been made available as an open source project. As Bill Fitzgerald, director of its privacy initiatives, wrote in a blog article, "It's not complicated." The GitHub repository where the code is available includes documentation that describes how to check individual URLs and even "batch-process hundreds or thousands of URLs."

As Fitzgerald recommended, "If you're a vendor, we strongly recommend that you use this script to check the login URLs of your products. If you're in a school or district, use this script as part of a quick triage when you're evaluating technology."

About the Author

Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at dian@dischaffhauser.com or on Twitter @schaffhauser.

More here:
Free Tool Lets Schools Test Encryption of Ed Tech Software - T.H.E. Journal

Seagate announced today that its lineup of HDDs and SSDs meant for use in federal agencies would be enhanced with support for Fornetix Key Orchestration services and products.

The products in question are part of Seagates Government Solutions portfolio, which are compliant with the Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2). This is a US government standard for computer security which is in place for the approval of cryptographic modules.

By partnering with Fornetix, Seagate aims to strengthen cybersecurity and simplify management of digital keys that help secure data from HDDs and SSDs.

This move provides yet another layer of security, meeting the strict needs of federal agencies and helping them more efficiently deal with external and internal cybersecurity threats. Beyond that, the partnership will offer an easier way to ensure and manage data encryption.

At the RSA Cybersecurity Conference this week, Jack Wright, chief operating officer and acting chief executive officer of Fornetix LLC stated that:

Our secure key management, coupled with Seagates experience securely managing data from the drive to the systems level, provides users with a set of technology tools that make data encryption more affordable, secure and easier to manage

The products provided by the two companies are part of the Multilevel Security (MLS) Ecosystem, "a joint effort in collaboration with multiple organizations to address data-security requirements for the federal government. "

This system is also meant to accommodate various levels of security clearance from one storage platform.

Source: Seagate

Excerpt from:
Seagate aims to strengthen cybersecurity with new data encryption capabilities - Neowin