Private Internet Access | VPN Encryption


Private Internet Access uses the open source, industry standard OpenVPN to provide you with a secure VPN tunnel. OpenVPN has many options when it comes to encryption. Our users are able to choose what level of encryption they want on their VPN sessions. We try to pick the most reasonable defaults and we recommend most people stick with them. That said, we like to inform our users and give them the freedom to make their own choices.

Data encryption: AES-128

Data authentication: SHA1

Handshake: RSA-2048

Data encryption: None

Data authentication: None

Handshake: ECC-256k1

Data encryption: AES-256

Data authentication: SHA256

Handshake: RSA-4096

Data encryption: AES-128

Data authentication: None

Handshake: RSA-2048

This is the symmetric cipher algorithm with which all of your data is encrypted and decrypted. The symmetric cipher is used with an ephemeral secret key shared between you and the server. This secret key is exchanged with the Handshake Encryption.

Advanced Encryption Standard (256-bit) in CBC mode.

No Encryption. None of your data will be encrypted. Your login details will be encrypted. Your IP will still be hidden. This may be a viable option if you want the best performance possible while only hiding your IP address. This would be similar to a SOCKS proxy but with the benefit of not leaking your username and password.

This is the message authentication algorithm with which all of your data is authenticated. This is only used to protect you from active attacks. If you are not worried about active attackers you can turn off Data Authentication.

HMAC using Secure Hash Algorithm (256-bit).

No Authentication. None of your encrypted data will be authenticated. An active attacker could potentially modify or decrypt your data. This would not give any opportunities to a passive attacker.

This is the encryption used to establish a secure connection and verify you are really talking to a Private Internet Access VPN server and not being tricked into connecting to an attacker's server. We use TLS v1.2 to establish this connection. All our certificates use SHA512 for signing.

2048-bit Ephemeral Diffie-Hellman (DH) key exchange and 2048-bit RSA certificate for verification that the key exchange really happened with a Private Internet Access server.

Like RSA-2048 but 3072-bit for both key exchange and certificate.

Like RSA-2048 but 4096-bit for both key exchange and certificate.

Ephemeral Elliptic Curve DH key exchange and an ECDSA certificate for verification that the key exchange really happened with a Private Internet Access server. Curve secp256k1 (256-bit) is used for both. This is the same curve that Bitcoin uses to sign its transactions.

Like ECC-256k1 but curve prime256v1 (256-bit, also known as secp256r1) is used for both key exchange and certificate.

Like ECC-256k1 but curve secp521r1 (521-bit) is used for both key exchange and certificate.

We display a warning in 3 cases:

The recent NSA revelations have raised concerns that certain or possibly all Elliptic Curves endorsed by US standards bodies may have backdoors allowing the NSA to more easily crack them. There is no proof of this for curves used with signing and key exchange and there are experts who think this to be unlikely. We therefore give users the option but display a warning anytime you select an Elliptic Curve setting. We also included the less standard curve secp256k1, which is what Bitcoin uses, was generated by Certicom (a Canadian company) instead of NIST (as the other curves were), and seems to have fewer places to hide a backdoor. There is strong evidence that a random number generator which uses ECC was backdoored but it was not widely used.

An active attack is one where an attacker gets "between" you and the VPN server, in a position where they can modify or inject data into your VPN session. OpenVPN was designed to be secure against active attackers as long as you are using both data encryption and data authentication.

A passive attack is one where an attacker simply records all data passing over the network but does not modify or inject any new data. An example of a passive attacker is an entity that performs the dragnet capture and storage of all network traffic but does not interfere with or modify it. As long as you are using data encryption your OpenVPN session is secure against passive attackers.
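As an added illustration (not PIA's or OpenVPN's own code), the example below maps the data-encryption and data-authentication choices onto the passive and active attacker definitions above. It assumes the settings appear as the OpenVPN `cipher` and `auth` directives; the sample configs are constructed from the presets listed earlier, and the AEAD cipher case goes beyond what this page covers.

```python
"""Added example: classify OpenVPN data-channel settings by attacker model."""

# Constructed client-config fragments for the four presets listed on the page.
SAMPLE_CONFIGS = {
    "AES-128 / SHA1": "cipher AES-128-CBC\nauth SHA1\n",
    "None / None": "# speed over safety\ncipher none\nauth none\n",
    "AES-256 / SHA256": "cipher AES-256-CBC\nauth SHA256\n",
    "AES-128 / None": "cipher AES-128-CBC\nauth none\n",
}

# AEAD ciphers authenticate every packet themselves (beyond the page's CBC case).
AEAD_SUFFIXES = ("-GCM", "CHACHA20-POLY1305")


def parse_directives(config_text):
    """Return {directive: [args]}; lines starting with '#' or ';' are comments."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        # Assumption: when a directive is repeated, the last occurrence wins.
        directives[name.lower()] = args
    return directives


def assess(config_text):
    """Report which attacker classes the data channel resists, per the page."""
    d = parse_directives(config_text)
    cipher = (d.get("cipher") or ["unspecified"])[0].upper()
    auth = (d.get("auth") or ["unspecified"])[0].upper()

    encrypted = cipher not in ("NONE", "UNSPECIFIED")
    aead = encrypted and cipher.endswith(AEAD_SUFFIXES)
    authenticated = aead or auth not in ("NONE", "UNSPECIFIED")

    findings = []
    if cipher == "UNSPECIFIED" or (auth == "UNSPECIFIED" and not aead):
        findings.append("cipher/auth not pinned in the config: protection not confirmed")
    if cipher == "NONE":
        findings.append("no data encryption: traffic is readable by a passive observer")
    if auth == "NONE" and not aead:
        findings.append("no data authentication: an active attacker can modify traffic")

    return {
        "cipher": cipher,
        "auth": auth,
        # Encryption alone is enough against a passive (record-only) attacker.
        "passive_safe": encrypted,
        # Resisting an active attacker needs encryption and authentication.
        "active_safe": encrypted and authenticated,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        r = assess(text)
        print(f"{name:18} passive_safe={r['passive_safe']!s:5} "
              f"active_safe={r['active_safe']!s:5} {r['findings']}")
```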

Ephemeral keys are encryption keys which are generated randomly and only used for a certain amount of time, after which they are discarded and securely erased. An ephemeral key exchange is the process by which these keys are created and exchanged. Diffie-Hellman is an algorithm used to perform this exchange. The idea behind ephemeral keys is that once you are done using them and they are thrown away, no one will ever be able to decrypt the data which they were used to encrypt, even if they eventually got full access to all the encrypted data and to both the client and the server.


Transparent Data Encryption (TDE) – oracle.com

Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data.

Out of the box, TDE provides industry standard strong encryption for the database, full key lifecycle management, and integrated support for Oracle Database tools and technologies. TDE enables encryption of database columns or entire application tablespaces. Its high-speed cryptographic operations make performance overhead negligible in most applications. The two-tier encryption key architecture provides easy administration of keys, enforces clear separation of keys from encrypted data, and provides assisted key rotation without having to re-encrypt data. The keystore can be managed using a convenient web console in Oracle Enterprise Manager or using a command-line. In addition, TDE integrates directly with frequently used Oracle Database tools and technologies including Oracle Advanced Compression, Automatic Storage Management (ASM), Recovery Manager (RMAN), Data Pump, GoldenGate, and more. In Oracle engineered systems, TDE gets a performance boost from hardware cryptographic acceleration provided by Intel AES-NI and Oracle SPARC T-series processors. TDE further benefits from Exadata Smart Scans, rapidly decrypting data in parallel on multiple storage cells, and from Exadata Hybrid Columnar Compression (EHCC), reducing the total number of encryption and decryption operations performed.

Transparent Data Encryption fully supports Oracle Multitenant. When moving a pluggable database (PDB) that contains encrypted data, the TDE master keys for that PDB are transferred separately from the encrypted data to maintain proper security separation during transit. TDE encryption resumes its normal operation after the PDB has been plugged in and configured.


New Amazon S3 Server Side Encryption for Data at Rest …

by Jeff Barr | on 04 OCT 2011 | in Amazon S3

A lot of technical tasks that seem simple in theory are often very complex to implement. For example, let's say that you want to encrypt all of the data that you store in Amazon S3. You need to choose an encryption algorithm, create and store keys (while keeping the keys themselves safe from prying eyes), and bottleneck your code to ensure that encryption happens as part of every PUT operation and decryption happens as part of every GET operation. You must take care to store the keys in durable fashion, lest you lose them along with access to your encrypted data.

In order to save you from going through all of this trouble (and to let you focus on your next killer app), we have implemented Server Side Encryption (SSE) for Amazon S3 to make it easier for you to store your data in encrypted form. You can now request encrypted storage when you store a new object in Amazon S3 or when you copy an existing object. We believe that this important (and often-requested) new feature will be welcomed by our enterprise customers, perhaps as part of an overall strategy to encrypt sensitive data for regulatory or compliance reasons.

Amazon S3 Server Side Encryption handles all encryption, decryption, and key management in a totally transparent fashion. When you PUT an object and request encryption (in an HTTP header supplied as part of the PUT), we generate a unique key, encrypt your data with the key, and then encrypt the key with a master key. For added protection, keys are stored in hosts that are separate and distinct from those used to store your data. Here's a diagram of the PUT process for a request that specifies SSE:

Decryption of the encrypted data requires no effort on your part. When you GET an encrypted object, we fetch and decrypt the key, and then use it to decrypt your data. We also include an extra header in the response to the GET to let you know that the data was stored in encrypted form in Amazon S3.

We encrypt your data using 256-bit AES encryption, also known as AES-256, one of the strongest block ciphers available. You can apply encryption to data stored using Amazon S3's Standard or Reduced Redundancy Storage options. The entire encryption, key management, and decryption process is inspected and verified internally on a regular basis as part of our existing audit process.

You can use Amazon S3's bucket policies to allow, mandate, or forbid encryption at the bucket or object level. You can use the AWS Management Console to upload and access encrypted objects.
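One way to check that a bucket policy really mandates encryption, as an added example that is not from the original post or from AWS: the code evaluates a constructed policy against constructed PUT requests. The header name `x-amz-server-side-encryption`, its `AES256` value and the matching condition key come from the S3 API rather than from this post; the bucket name is a placeholder, and the evaluation covers only Deny statements and the two condition operators shown.

```python
"""Added example: check that a bucket policy mandates S3 server-side encryption."""
import json

SSE_HEADER = "x-amz-server-side-encryption"      # request header asking for SSE
SSE_KEY = "s3:x-amz-server-side-encryption"      # policy condition key for it

# Constructed policy for a placeholder bucket: deny any upload without SSE.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyWrongSSEValue", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals":
                   {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyMissingSSEHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, headers):
    """Evaluate StringNotEquals / Null on the SSE key for one PUT request."""
    value = {k.lower(): v for k, v in headers.items()}.get(SSE_HEADER)
    for operator, tests in condition.items():
        for key, expected in tests.items():
            if key.lower() != SSE_KEY:
                return False      # other keys are outside this example's scope
            if operator == "StringNotEquals":
                # Negated operators also match when the key is absent.
                ok = value is None or value not in as_list(expected)
            elif operator == "Null":
                ok = (value is None) == (str(expected).lower() == "true")
            else:
                return False      # other operators are outside this example
            if not ok:
                return False
    return True                   # an empty Condition matches every request


def put_denied(policy, headers):
    """True if a Deny statement covering s3:PutObject matches the request.

    Principal, Resource and Allow statements are ignored (simplification).
    """
    for statement in as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Deny":
            continue
        actions = [a.lower() for a in as_list(statement.get("Action", []))]
        if not any(a in ("s3:putobject", "s3:*", "*") for a in actions):
            continue
        if condition_matches(statement.get("Condition", {}), headers):
            return True
    return False


def mandates_sse(policy):
    """Header-less and wrong-valued PUTs are denied, AES256 PUTs are not."""
    return (put_denied(policy, {})
            and put_denied(policy, {SSE_HEADER: "constructed-bad-value"})
            and not put_denied(policy, {SSE_HEADER: "AES256"}))


if __name__ == "__main__":
    print("policy mandates SSE:", mandates_sse(POLICY))
```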

To learn more, check out the Using Encryption section of the Amazon S3 Developer Guide.

Jeff;

PS There's no additional charge for SSE.


Apps, Encryption Help Make Once-Private Documents Public – Government Technology

(TNS) -- Social media, encryption technology and mobile apps have set the stage for the nation's first unfiltered presidency with more day-to-day details flowing from the White House than ever before.

Whether it's disgruntled bureaucrats tipping off the media through secure email channels or encryption apps, or the Twitter musings of the president himself, citizens now have a front-row seat to the good, the bad and a whole lot of ugly.

The ceaseless flow of information isn't just the result of a pernicious political landscape, but also a simple function of technology: There are now more tools than ever to help guarantee anonymity for sources. Although no method is 100 percent secure (a good rule of thumb is that if it hasn't been hacked yet, it will), many media organizations now provide links to encryption messaging apps and secure email on their websites in order to encourage leakers to come forward. Whether it's a detailed transcript of a foreign call with the president or a draft executive order that hasn't become official yet, it's clear that government employees are taking the media up on its offer.

Gone are the days of having to meet sources in the darkest corner of a parking garage. Now you can just download a free app from the Apple App Store or Google Play, such as Signal, an encrypted messaging mobile app that is free. Signal can delete messages automatically at prescribed intervals, and while it claims not to retain any identifying information, a lot of these methods have not faced much technological scrutiny yet. I'm sure that's about to change.

Then there are apps that were probably never designed for anonymous government leaks but are being employed for that nonetheless. Pidgin is a desktop-based instant messenger plug-in that The Washington Post lists on its website as a suggested method for communicating tips.

The Post as well as the U.K.'s Guardian are encouraging sources to use the dark web browser Tor, which lets users surf the web anonymously. Once seen as little more than a haven for drug dealing and other unsavory activities, the Tor browser is more broadly used than ever. It is likely the browser of choice for the information vigilantes at WikiLeaks.

As for transmitting documents on Tor, the open-source software platform known as SecureDrop is commonly used by newspapers and activists. The service is as simple as downloading a file, a task that any moderately computer-literate bureaucrat could easily accomplish.

Secure email is another method, but it's not for those who need to remain fully anonymous. One of the most popular secure email methods is PGP encryption, an acronym which stands for Pretty Good Privacy. While PGP will obscure the content of your email, it won't protect the name of the sender or the subject line. Newspapers, including this one, employ PGP encryption.

If you need to transmit information and you're afraid of potential hackers stealing your scoop, PGP is the way to go.

Although the media had to back off the story that the Trump administration was sharply curtailing the release of information (high-level approval for press releases, it turns out, is normal during transitions), there have been rumblings of dissent in the EPA and NASA.

In addition to a myriad of document leaks, rogue Twitter accounts appear to be sprouting like weeds. Though there's no way to know whether they are legitimate, Twitter accounts claiming to be handled by disaffected NASA scientists, a group of White House staffers and the National Parks Service have popped up in recent weeks.

© 2017 the Boston Herald. Distributed by Tribune Content Agency, LLC.


What is encryption? WIRED explains how apps keep our private data safe – Wired.co.uk

With an escalation in hackings over the past decade, breaches in our private data are ubiquitous, meaning that now, more than ever, encryption is key.

Encryption prevents unauthorised access to your data, from emails to WhatsApp messages and bank details, by keeping communication secure between the parties involved.

This is done by 'scrambling' the information sent from one person to another into a lengthy code making it unreadable for anybody else attempting to access it.

When the data is encrypted, the sender and the receiver are the only people that can decrypt the scrambled info back to a readable condition. This is achieved via keys, which grant only the users involved access to modify the data to make it unreadable and then readable again.

On messaging app WhatsApp, for example, every message sent has its own unique lock and key and only the sender and receiver have access to these keys. This prevents prying eyes from seeing the information in messages. For the rest of the world, and even WhatsApp itself, the relayed information is unintelligible gibberish because no-one else has the key to decrypt the content. This is referred to as end-to-end encryption.

Put more simply, imagine encryption to be like translating your information into a language only you and your recipient know, and more importantly which a cybercriminal can't translate.

Most popular apps make use of encryption to retain user safety, whether that's for storing data, or for data in transit.

Tony Anscombe, senior security evangelist from Avast, told WIRED that encryption in apps is imperative as it makes using them safer, but at the same time, those that don't practise common sense can still fall victim to hacking.

"Many apps offer encryption of data, however if a user doesn't lock the app with a password or PIN, then anyone who gets hold of the device has access to your apps and will be able to see the unencrypted data," Anscombe explained. That said, many operating systems offer encryption of everything stored on the device. This helps combat theft of the device to access the data.

When implemented properly, encrypted data could take a hacker billions of years to crack based on sheer brute force attacks. This is because encryption codes use complex mathematical algorithms and long numerical sequences that are difficult to decrypt.

A brute force attack is a method used by a hacker to try as many combinations of passwords or encryption keys until the correct one is found. It is usually carried out using software to scan through the combinations.

However, there are different types of encryption, each with varying levels of effectiveness. This is measured in bits. The higher the number of bits in an encryption key, the harder it is - in theory - for a hacker to crack it.

A low-bit key is one with fewer combinations, so would be fairly easy to crack for a hacker with dedicated computer resources. The larger the key, the harder this becomes, exponentially. For example, a 5-bit key has 32 possible combinations, a 6-bit key has 64 combinations, a 7-bit key has 128 combinations, and so forth. A 10-bit key has a thousand combinations, a 20-bit key has a million combinations, a 30-bit key has a billion combinations.

The more complex the encryption, the more difficult it becomes for a cybercriminal to reverse engineer the encryption key and access the data. This doesn't mean the codes are uncrackable, but that the time taken to find the right combination would be far too long to ever be feasible in one lifetime, even with the help of powerful supercomputers.

Let's say a hacker has a computer that can test a billion keys per second, trying to brute force all combinations. That means they can break a 30-bit key in just one second. At that speed, though, it will take you a billion seconds (or 34 years) to break a 60-bit key because every 30 bits added makes it a billion times more difficult. A spy agency like the NSA can crack 60-bit keys using supercomputers, but a 90-bit key is a billion times more difficult to crack, and a 120-bit key would be a further billion times more difficult to crack than that.

Considering most Android, Apple and Windows apps have at least 128-bit Advanced Encryption Standard (AES) - the standard US Government encryption algorithm for data encryption - you can imagine that a 128-bit key, which has more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations, is exceptionally safe. Same goes for 192 or 256-bit AES encryption keys that the US Government requires for highly sensitive data.

Bharat Mistry, cybersecurity consultant at Trend Micro, puts this into perspective. "It would take fifty supercomputers an estimated 3.4 x 1,038 years to break the commonly used 256-bit encryption key," he told WIRED. As you can imagine, most hackers will be hard pressed to find time for that.

That doesn't mean all encryption is of the highest standard as it is still prone to human error. Poorly developed encryption is not hackerproof; if it is hard and complex to develop, mistakes in the coding can easily lead to users believing they are secure when they're not. For example, homegrown encryption methods have rarely been vetted to the extent supported standards have.

"If a hacker has the right level of time and resources, it's difficult to say that any encryption is completely immune," Mistry explained.


The challenge in keeping encryption as tight as possible is therefore checking it is properly implemented and kept secure over time.

Human error, insider attacks and poor implementations are the challenges that IT teams have to face in developing increasingly sophisticated encryption technology.

"The biggest problem with encryption is that the key itself needs to be shared between the sender and the recipients," added Mistry. Although this is hard to locate within the information, it could still pose a potential problem.

Security research is currently focused on techniques that do not require the key to be shipped or sent to all parties, otherwise known as zero knowledge proof protocol. It isn't widely used now, but we expect it to grow. For the more distant future, some researchers are even looking at ways to hide data within DNA.


How WhatsApp is fighting spam after its encryption rollout … – TechCrunch

WhatsApp proved itself to be the most YOLO-crypto company of 2016 when it turned on end-to-end encryption by default last April for its more than 1 billion users. (Facebook, WhatsApp's parent company, took a more cautious approach when it added opt-in encryption to Messenger.) But WhatsApp's all-in approach has come at a cost: the company's executives were arrested and its service was temporarily shut down in Brazil when local courts demanded that WhatsApp turn over the contents of encrypted messages.

Rolling out end-to-end encryption raised not just political concerns, but practical ones. If WhatsApp couldn't read the contents of its users' messages anymore, how would it detect and fight spam on the platform? WhatsApp could have become a haven for scammers pushing pills and get-rich-quick schemes, which would have driven users off the platform and harmed its business even more than short-term court-ordered shutdowns.

Instead, WhatsApp developed approaches to detecting spam that don't rely on content at all, says WhatsApp engineer Matt Jones. Instead of looking at message content, WhatsApp analyzes behavior for indications that a user might be spamming. The approach is working surprisingly well. Jones says that WhatsApp slashed spam by 75 percent after launching end-to-end encryption.

"If you have well-instrumented behavioral features, it's totally possible to detect spam without any access to message content in an end-to-end encrypted world," Jones said at the USENIX Enigma security conference yesterday.

Some of WhatsApp's behavioral detection systems will sound familiar to anti-spam experts. For instance, WhatsApp looks at how many messages a user is sending and will flag as spam if the user is sending an unusually high number of messages per minute, a common anti-spam strategy. But WhatsApp also uses a number of other signals to determine the probability that a message contains spam.

"The simplest approach is to look at the reputation of the things an actor is using," Jones explained. WhatsApp examines data related to the internet service provider (ISP), the phone number, and the phone network being used, and compares that to previous spam reports. If the ISP data or the phone prefix (the first several digits of a phone number) have been previously associated with spammers, it's likely that messages associated with that data are still spam. WhatsApp will also take notice if, for example, a phone with a Canadian country code connects via a cell network in Thailand and assess the probability that the user is a spammer or a traveller on vacation.

Once a spammer is reported, WhatsApp will also go back and look at the spammer's actions on the platform for clues about why he wasn't caught, then feed that information into its model. "Every message they sent before was an opportunity to prevent spam that we failed to take," Jones said.

WhatsApp bans users based on these probabilistic models, and if the company makes a mistake, users can appeal the ban. Jones said that WhatsApp has also cut back on mistaken bans through its enhanced spam detection. "We cut spam by three quarters and the number of incorrect bans by half," he said.

"The goal is to drive up the cost for attackers," Jones added. "Eventually we're going to catch all spammers. If you send spam, you're going to be reported and if you're reported, you're going to be banned."

However, this approach relies heavily on the analysis of metadata (the non-content information associated with transmitting a message), and WhatsApp has been criticized for hanging on to users' metadata and sharing it with Facebook. End-to-end encryption only guarantees the privacy of message content, not metadata, but many non-technical users might not understand the difference and may be surprised to learn how WhatsApp collects and analyzes their information.

Open Whisper Systems, the maker of the encrypted chat app Signal and the Signal Protocol (on which WhatsApp's encryption is based), recently released its first subpoena and its response. The documents showed that OWS doesn't keep metadata on its users; all that the company could hand over was the account creation date and the last log-in time.

Harvesting metadata is a trade-off. As OWS grows, it may find itself struggling with a spam problem. And WhatsApp will have to balance users' expectations of privacy with their demand for a spam-free experience. Jones told TechCrunch that it's a balance he thinks about often. He said the company has chosen to dump certain categories of metadata that proved unhelpful for spam prevention so as not to unnecessarily retain user info.

Some firms are hesitant to implement end-to-end encryption because they worry it will prevent them from fighting spam or rolling out new features, but the spam-prevention success that Jones described might encourage other communications companies to take the encryption plunge.


WhatsApp Spam Detection Works Even After Encryption – Tech News Inc

WhatsApp has been fighting spam on its own for years. Even after its end-to-end encryption update, WhatsApp is giving a tough fight to spam. Now, this feature ensures that no one except the recipient, not even WhatsApp, can read the recipient's messages. If so, then how do they plan on spam detection? Apparently, they have the answer, and WhatsApp has been doing this for the longest time.

Suppose someone is sending you a forwarded message about a cheap weight loss promotion and they do so by spamming you endlessly. Then there is a friend of yours who keeps sending you good morning texts. Without reading the two messages how will WhatsApp figure out which one is spam and which one is not?

Furthermore, how will it stop the spam messages without reading them in the first place? "In reality, we actually haven't seen this as a big problem," says WhatsApp software engineer Matt Jones. "We actually reduced spam by about 75 percent from around the time that we launched end-to-end encryption."

He explained that spam detection is done by noticing suspicious behavior users indulge in. For example, it will see how long ago the user registered on the app. It will also see how many messages the user has sent out in the last 30 seconds. So it can quickly identify if a person was sending out floods of messages to others. These are telltale signs of spam and it's a smart move to determine potential threats.


After so many spam detections and blockages, WhatsApp is trying to identify a pattern. Is there a particular mobile provider or data provider whose services are used? It will examine the network and check out if it has routinely blocked out numbers from a particular target or not.

WhatsApp has a key advantage over other providers in fighting spam. It registers the mobile number, and therefore it has access to the network provider's details as well.

"If we make things expensive for [the spammers], their business model won't work," Jones said.

During spam detection, regular users can also be targeted, because WhatsApp will detect unusual behavior such as a US number suddenly connecting to an Indian network. This will set off alarms, and if WhatsApp suspects you are the spammer, it will immediately block you instead of deleting your spam messages.

So a lot of innocent users could come under the radar and face extreme measures. However, the legitimate users can file an appeal immediately. Meanwhile, WhatsApp is working on making spam detection more error-free.
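The behavioural signals described in the two WhatsApp articles above (send rate over the last 30 seconds, account age, ISP and phone-prefix reputation, and a mismatch between the number's country code and the network in use) can be combined into one probability without reading any message content. The following is an added example, not WhatsApp's code: the weights, threshold, phone numbers, ISP names and report counts are all constructed.

```python
"""Added example: score senders for spam from metadata only (no content)."""
import math
from collections import namedtuple

WINDOW_S = 30  # count messages sent in the last 30 seconds
# Constructed weights for a logistic model; a production system would fit them.
BIAS, W_RATE, W_NEW, W_REP, W_ROAM = -4.0, 1.2, 1.0, 3.0, 1.0
BAN_THRESHOLD = 0.9  # constructed cut-off for acting on a score

# Constructed table: calling code -> countries where that code is at home.
HOME_COUNTRIES = {"+1": {"US", "CA"}, "+66": {"TH"}, "+91": {"IN"}}

Account = namedtuple("Account", "number registered_at isp network_country")


def reputation_keys(acct):
    """Reputation is tracked per phone prefix and per ISP."""
    return ["prefix:" + acct.number[:5], "isp:" + acct.isp]


def report_rate(history, key):
    """Smoothed share of accounts under `key` that were reported as spam."""
    reported, seen = history.get(key, (0, 0))
    return (reported + 1) / (seen + 20)


def record_report(history, acct):
    """Feed a confirmed spam report back into the reputation history."""
    for key in reputation_keys(acct):
        reported, seen = history.get(key, (0, 0))
        history[key] = (reported + 1, seen + 1)


def features(acct, send_times, now, history):
    recent = sum(1 for t in send_times if 0 <= now - t <= WINDOW_S)
    new_account = (now - acct.registered_at) < 86400  # registered < 1 day ago
    rep = max(report_rate(history, k) for k in reputation_keys(acct))
    codes = [c for c in HOME_COUNTRIES if acct.number.startswith(c)]
    code = max(codes, key=len) if codes else None
    # A number far from home may be a spammer or a traveller, so this is
    # one weighted signal among several, never a verdict on its own.
    roaming = code is not None and acct.network_country not in HOME_COUNTRIES[code]
    return recent, new_account, rep, roaming


def spam_probability(acct, send_times, now, history):
    recent, new_account, rep, roaming = features(acct, send_times, now, history)
    z = (BIAS + W_RATE * math.log1p(recent) + W_NEW * new_account
         + W_REP * rep + W_ROAM * roaming)
    return 1.0 / (1.0 + math.exp(-z))


# --- Constructed sample data (numbers, ISPs and counts are made up) ---
NOW = 1_486_400_000.0
DAY = 86400
HISTORY = {  # key -> (accounts reported as spam, accounts seen)
    "prefix:+1604": (5, 1000), "isp:ExampleNet": (10, 1000),
    "isp:ExampleThaiCell": (8, 1000),
    "prefix:+9100": (600, 1000), "isp:ExampleBulkHost": (450, 1000),
}
FRIEND = Account("+16045550101", NOW - 400 * DAY, "ExampleNet", "CA")
TRAVELLER = Account("+16045550102", NOW - 900 * DAY, "ExampleThaiCell", "TH")
FLOODER = Account("+910000000001", NOW - 3600, "ExampleBulkHost", "IN")
SENDS = {
    FRIEND: [NOW - 5],                             # one good-morning text
    TRAVELLER: [NOW - 20, NOW - 3],                # two messages while abroad
    FLOODER: [NOW - 0.5 * i for i in range(40)],   # 40 messages in 20 seconds
}


def score_all(history=HISTORY, now=NOW):
    """Return {number: probability} for every sample account."""
    return {a.number: spam_probability(a, times, now, history)
            for a, times in SENDS.items()}


def flagged(scores):
    return sorted(n for n, p in scores.items() if p >= BAN_THRESHOLD)


if __name__ == "__main__":
    for number, p in score_all().items():
        print(f"{number}  p(spam)={p:.3f}")
    print("flagged:", flagged(score_all()))
```

Calling `record_report` after a confirmed report raises the reputation term for every other account on the same prefix or ISP, which is the feedback loop the first article describes.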


Federal workers turn to encryption to thwart Trump – Politico

Federal employees worried that President Donald Trump will gut their agencies are creating new email addresses, signing up for encrypted messaging apps and looking for other, protected ways to push back against the new administration's agenda.

Whether inside the Environmental Protection Agency, within the Foreign Service, on the edges of the Labor Department or beyond, employees are using new technology, as well as more old-fashioned approaches such as private face-to-face meetings, to organize letters, talk strategy, or contact media outlets and other groups to express their dissent.


The goal is to get their message across while not violating any rules covering workplace communications, which can be monitored by the government and could potentially get them fired.

At the EPA, a small group of career employees, numbering less than a dozen so far, are using an encrypted messaging app to discuss what to do if Trump's political appointees undermine their agency's mission to protect public health and the environment, flout the law, or delete valuable scientific data that the agency has been collecting for years, sources told POLITICO.

Fearing for their jobs, the employees began communicating incognito using the app Signal shortly after Trump's inauguration. Signal, like WhatsApp and other mobile phone software, encrypts all communications, making it more difficult for hackers to gain access to them.

One EPA employee even got a new, more secure cellphone, and another joked about getting a burner phone.

"I have no idea where this is going to go. I think we're all just taking it one day at a time and respond in a way that seems appropriate and right," said one of the EPA employees involved in the clandestine effort, who, like others quoted in this story, was granted anonymity to talk about the sensitive discussions.

The employee added that the goal is to create a network across the agency of people who will raise red flags if Trump's appointees do anything unlawful.

The White House did not immediately respond to a request for comment.

While many workers across the federal government are still in wait-and-see mode, the first two weeks of the Trump administration, with its flurry of executive orders that have in some cases upended lives, have sent a sobering message to others who believe they must act now.

In recent days, career employees at the State Department gathered nearly 1,000 signatures for what's known as a Dissent Channel memo, in which they express their anger over a Trump executive order that bars immigrants from seven Muslim-majority countries and halts refugee admissions to the country. The number of signatures was extraordinarily high, even though the letter was submitted after White House spokesman Sean Spicer essentially warned the dissenting diplomats they were risking their jobs.

The executive order on immigration and refugees caused widespread panic at airports, spurring protests and outrage around the world.

It also led to what has been the most high-profile act of defiance yet from a Trump administration official: Acting Attorney General Sally Yates on Monday ordered the Department of Justice's lawyers not to defend the order in court. Yates was fired that same night.

Current and former employees of the Labor Department, meanwhile, are using their private email accounts to send around a link to a letter asking senators to oppose the nomination of Andrew Puzder for secretary of their agency. The employees may sign on to the letter using Google Docs. The letter will not be submitted to the Senate HELP Committee, and the signatures will not be made public, unless 200 current employees sign on.

A federal worker familiar with the letter's circulation said that it's being signed by hundreds of current and former DOL employees.

According to a draft of the letter obtained by POLITICO, the employees write that they have "serious concerns" about the fast-food magnate's willingness to protect the rights of workers given some of his past comments and actions.

The draft of the letter criticizes Puzder's comments about women, and cites his restaurants' advertisements, some of which feature women in bikinis eating burgers. Puzder has defended the ads.

"One of us once heard a colleague ask, quite seriously, whether it would violate workplace rules of civility and prohibitions against sexual harassment to view Mr. Puzder's ads on a government computer," the letter says. "We think the question is a good one."

The federal employees interviewed for this story stressed that they see themselves as nonpartisan stewards of the government. But several also said they believe they have a duty to speak out if they feel a policy is undermining their mission.

Drafts of the Dissent Channel memo signed by the State Department employees insist, for instance, that instead of protecting U.S. national security through his new executive order on refugees and immigrants, Trump is endangering the United States by bolstering the terrorists' narrative that the West hates Muslims.

"I think we all have to look within ourselves and say 'Where is that line that I will not cross?'" one Foreign Service officer said.

Since Trump was elected in November, many State Department employees have also met quietly for other reasons. Groups of Muslims who work at Foggy Bottom, for instance, have held meetings to discuss fears that they could be subject to witch hunts and see their careers stall under the new administration. A few of Trump's top aides have spoken out against radical Islamism in such harsh terms that some Muslims believe the aides are opposed to the religion of Islam as a whole.

Steven Aftergood, who directs the Project on Government Secrecy at the Federation of American Scientists, indicated that it's too soon to say whether there's a broad trend of bureaucratic resistance to Trump taking hold.

"Quite a few federal employees seem to be looking for constructive ways to express discontent," he said. "Meanwhile, tension is still growing, not subsiding."

EPA employees are uniquely concerned about their future, having faced barbs from Trump advisers who have toyed with cutting the agency's staff by two-thirds and from other Republicans who want to eliminate the agency altogether. So career staffers are discussing the best way to alert the public to what's happening behind the scenes.

"I'm suddenly spending my days comparing the importance of the oath I took when I started my career service and the code that I have as an American," an EPA employee said.

EPA employees have started reaching out to former Obama administration political appointees, who they hope will help them spread the word about any possible improper conduct at the agency.

"It's probably much safer to have those folks act as the conduit and to act as the gathering point rather than somebody in the agency," the employee said. "You're putting your career and your livelihood and your paycheck at risk every time you talk to somebody."

Organizations such as the Government Accountability Project, which advocates for whistleblowers, have been busy as federal employees fret about what their new bosses may ask them to do.

"We've had a significant number of federal employees who have contacted us in recent weeks," said Louis Clark, the nonprofit's CEO. "It has to be the largest influx of people trying to reach us that we've seen."

The largest group of callers? "The people who want to know what to do if they're asked to violate the law," Clark said.

Jeff Ruch, executive director of Public Employees for Environmental Responsibility, said EPA employees are in perhaps the deepest pit of despair among his group's membership.

He said his group has been fielding calls on everything from what triggers a reduction in the federal workforce to how long they can carry health insurance benefits if they are pushed out.

Asked how EPA employees are feeling, Ruch said, "In the broadest sense, scared and depressed."

Rachael Bade contributed to this report.

See the original post:
Federal workers turn to encryption to thwart Trump - Politico

Try Raspberry Pi’s PIXEL OS on your PC – Opensource.com

Over the last four years, the Raspberry Pi Foundation has put a great deal of effort into optimizing Raspbian, its port of Debian, for Pi hardware, including creating new educational software, programming tools, and a nicer looking desktop.

In September, we released an update that introduced PIXEL (Pi Improved Xwindows Environment, Lightweight), the Pi's new desktop environment. Just before Christmas, we released a version of the OS that runs on x86 PCs, so now you can install it on your PC, Mac, or laptop.

Of course, like many well-supported Linux distros, the OS runs really well on old hardware. Raspbian is a great way to breathe new life into that old Windows machine that you gave up on years ago.

The PIXEL ISO is available for download from the Raspberry Pi website, and a bootable live DVD was given away on the front of "The MagPi" magazine.

We released Raspberry Pi's OS for PCs to remove the barrier to entry for people looking to learn computing. This release is even cheaper than buying a Raspberry Pi because it is free and you can use it on your existing computer. PIXEL is the Linux desktop we've always wanted, and we want it to be available to everyone.

Raspbian, or the x86 PIXEL distro, wouldn't be possible without its construction on top of Debian. Debian has a huge bank of amazing free and open source software, programs, games, and other tools from an apt repository. On the Raspberry Pi, you're limited to packages that are compiled to run on ARM chips. However, on the PC image, you have a much wider scope for which packages will run on your machine, because Intel chips found in PCs have much greater support.

Both Raspbian with PIXEL and Debian with PIXEL come bundled with a whole host of software. Raspbian comes with:

*The only programs from this list not included in the x86 version are Mathematica and Minecraft, due to licensing limitations.

You can download the PIXEL ISO and write it to a blank DVD or a USB stick. Then you can boot your PC from the disk, and you'll see the PIXEL desktop in no time. You can browse the web, open a programming environment, or use the office suite, all without installing anything on your computer. When you're done, just take out the DVD or USB drive, shut down your computer, and when you power up your computer again, it'll boot back up into your usual OS as before.

One way of trying out PIXEL is to install it in a virtual machine using a tool like VirtualBox.

This allows you to try out the image without installing it, or you can just run it in a window alongside your main OS, and get access to the software and tools in PIXEL. It also means your session will persist, rather than starting from scratch every time you reboot, as you would with a live disk.

If you're really ready to commit, you can wipe your old operating system and install PIXEL on your hard drive. This might be a good idea if you're wanting to make use of an old unused laptop.

Many schools use Windows on all their PCs, and have strict controls over what software can be installed on them. This makes it difficult for teachers to use the software tools and IDE (integrated development environment) necessary to teach programming skills. Even online-based programming initiatives like Scratch 2 can be blocked by overcautious network filters. In some cases, installing something like Python is simply not possible. The Raspberry Pi hardware addresses this by providing a small, cheap computer that boots from an SD card packed with educational software, which students can connect up to the monitor, mouse, and keyboard of an existing PC.

However, a PIXEL live disc allows teachers to boot into a system loaded with ready-to-use programming languages and tools, all of which do not require installation permissions. At the end of the lesson, they can shut down safely, bringing the computers back to their original state. This is also a handy solution for Code Clubs, CoderDojos, youth clubs, Raspberry Jams, and more.

One of the features that sets the Raspberry Pi apart from traditional desktop PCs is the presence of GPIO (General Purpose Input/Output) pins, which allow you to connect electronic components and add-on boards to devices in the real world, opening up new worlds, such as hobby projects, home automation, connected devices, and the Internet of Things.

One wonderful feature of the GPIO Zero Python library is the ability to control the GPIO pins of a Raspberry Pi over the network with some simple code written on your PC.

Remote GPIO is possible from one Raspberry Pi to another or from any PC running any OS, but, of course, with PIXEL x86 you have everything you need pre-installed and it works out of the box. See Josh's blog post and refer to my gist for more information.

Issue #53 of The MagPi features some great guides for trying out and installing PIXEL, including using the live disc with a persistence drive to maintain your files and applications. You can buy a copy, or download the PDF for free. Check it out to read more.

Read the rest here:
Try Raspberry Pi's PIXEL OS on your PC - Opensource.com

From Food to Sofas: How Open Source is Changing the World Beyond Software – Linux.com (blog)

The term open source software has existed since 1998. Before that, the only people who spoke about open source were in the intelligence community, where open source was a specialist term that referred to publicly available intelligence information.

Read more:
From Food to Sofas: How Open Source is Changing the World Beyond Software - Linux.com (blog)