WebProNews

Tag: Encryption

  • Dropbox Acquiring Boxcryptor Assets to Enable End-to-End Encryption

    Dropbox has announced a deal to acquire assets from Boxcryptor in an effort to bring end-to-end encryption to its service.

    Dropbox is one of the most popular cloud storage services, but it doesn’t have end-to-end encryption like Tresorit and other more security-conscious services. Dropbox is looking to change that by acquiring assets from Boxcryptor. Boxcryptor is an independent service that helps users encrypt their files across a range of cloud services, adding an extra layer of security.

    Dropbox announced the deal in a blog post:

    Today, we’re excited to share that we’ve signed an agreement to acquire several key assets from Boxcryptor, a provider of end-to-end “zero-knowledge” encryption for cloud storage services. The combination of Boxcryptor’s leading encryption capabilities and Dropbox’s easy-to-use product, with our already robust security features, will help us better meet our customers’ evolving needs.

    The only downside to Dropbox’s plans is that it seems Boxcryptor’s features will only be available to business users:

    We plan to embed Boxcryptor’s capabilities natively within Dropbox for our business users on our paid plans, adding an additional layer of security by encrypting files locally on their devices prior to syncing their content to Dropbox.

    Despite the limitation, Dropbox’s announcement is good news for security-minded customers.

  • Windows Bug Could Result In Data Loss on Newer PCs

    Microsoft is warning that a bug in the latest versions of Windows could result in data loss when combined with some newer PCs.

    Microsoft has issued a knowledge base article detailing possible data loss issues as a result of the latest Vector Advanced Encryption Standard (VAES) instructions. The impacted hardware will have either AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS) or AES with Galois/Counter Mode (GCM) (AES-GCM).

    The company says a recent change in Windows caused the issue.

    We added new code paths to the Windows 11 (original release) and Windows Server 2022 versions of SymCrypt to take advantage of VAES (vectorized AES) instructions. SymCrypt is the core cryptographic library in Windows. These instructions act on Advanced Vector Extensions (AVX) registers for hardware with the newest supported processors.

    Microsoft recommends customers upgrade to the latest preview releases.

    To prevent further data damage, we addressed this issue in the May 24, 2022 preview release and the June 14, 2022 security release. After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release).

    More information can be found here.

  • Experts Warn the EU’s DMA Will Break Encryption

    Another day, another attack on encryption, with security experts warning the EU’s DMA legislation will likely break, or severely weaken, encryption.

    The EU unveiled the Digital Markets Act (DMA) as its latest effort to crack down on Big Tech. In addition to severe fines, and even possible breakups, of companies that fail to abide by the legislation, the DMA calls for “gatekeeper companies” to make their services interoperable with smaller rivals.

    Messaging, in particular, is one of the most obvious areas impacted by this clause, with services like WhatsApp, Facebook Messenger, and Apple’s iMessage likely forced to open up and work with competitors. Unfortunately, since all of these services provide end-to-end encryption (E2EE), experts warn there is no easy way for the services to work with each other and still maintain the level of security and privacy they currently offer.

    In speaking with The Verge, one expert used a very low-tech example to illustrate the issues, especially with compatibility and accountability between various services.

    “If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Alec Muffett, former Facebook engineer and internet security expert, said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

    Similar questions plague potential implementation of the DMA. How will messages be securely sent across various platforms? If two different services use two different types of encryption, which company will modify its service to be compatible with the other? Will services opt to simply drop encryption when sending messages across services? Or will companies adopt some method of decrypting and re-encrypting as the message is passed from one service to another, making the communication vulnerable to interception, and thereby compromising privacy and security?

    Unfortunately, as has been stated time and time again, the encryption protocols people, companies, and governments rely on for privacy and security are not created, managed, or dictated by policies. They are, instead, bound and constrained by basic mathematics.

    Unfortunately for privacy and security, the mathematics of the DMA don’t quite add up.

  • Like a Bad Penny the EARN IT Act Is Back

    In the latest attack on privacy and encryption, lawmakers have re-introduced the EARN IT Act, described as “one of the worst pieces of Internet legislation.”

    The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act is a piece of wildly unpopular legislation that was originally introduced in 2020. The goal of the legislation was to protect children and help eliminate online sexual abuse, obviously admirable goals that any decent human being supports.

    Unfortunately, when it was first introduced, the bill essentially sounded a death knell on encryption, which is the very basis of online privacy and security, and treated every online citizen as a suspect. The bill would have required companies to follow mandatory “best practices,” practices that would have forced companies to weaken encryption in order to comply.

    In its original incarnation, the bill was eventually amended to exclude encryption from the list of things that could increase corporate liability, and the “best practices” were changed to recommendations instead of requirements. Nonetheless, the bill remained unpopular enough to eventually be dropped.

    Mass Surveillance Is Once Again on the Table

    Despite its unpopularity, Senators Richard Blumenthal and Lindsey Graham have once again reintroduced it. The Electronic Frontier Foundation (EFF) describes the sweeping impact the bill would have.

    Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online—backups, websites, cloud photos, and more—is scanned.

    The bill’s goal is multi-pronged:

    • First and foremost, it attacks end-to-end encryption, encouraging “states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services.”
    • The bill encourages the use of government-approved software that will be used to scan everything sent online.
    • The bill paves the way for the establishment of a 19-person commission, made up largely of law enforcement personnel, that will establish voluntary “best practices” for companies to follow.

    As the EFF points out, despite provisions being added to protect encryption, the provisions fall far short of actually doing so. The door is still left wide open for companies to be held liable for what users of their platforms do, with a platform’s use of encryption being held up as “evidence” of its culpability.

    Further, the bill essentially deputizes tech companies in an effort to do an end-run around the legal and constitutional issues of having a government-run surveillance state.

    The EARN IT Act doesn’t target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies—from the largest ones to the very smallest ones—as its tools.

    In view of the enormity of problems the EARN IT Act causes, Evan Greer, Director of digital human rights group Fight for the Future, said:

    The EARN IT Act is truly one of the worst pieces of Internet legislation I have seen in my entire career, and … that’s saying a lot. Please, we need REAL solutions to the harms of Big Tech, not poorly written laws that will get people killed and do more harm than good /endrant

    — Evan Greer (@evan_greer), January 31, 2022

  • Apple Will Check Photo Uploads for Child Sex Abuse Images

    Apple will begin checking photos being uploaded to its iCloud service against a database of Child Sexual Abuse Material (CSAM), in an effort to protect children.

    In the battle over encryption — known as the Crypto Wars — governments have often used protecting children as justification for promoting backdoors in encryption and security. Unfortunately, no matter how well-intentioned, as we have highlighted before, there is no way to securely create a backdoor in encryption that will be safe from exploitation by others.

    Apple appears to be trying to offer a compromise solution, one that would preserve privacy, while still protecting children.

    Apple outlined how its CSAM system will work:

    Apple’s method of detecting known CSAM is designed with user privacy in mind. Instead of scanning images in the cloud, the system performs on-device matching using a database of known CSAM image hashes provided by NCMEC and other child safety organizations. Apple further transforms this database into an unreadable set of hashes that is securely stored on users’ devices.

    Before an image is stored in iCloud Photos, an on-device matching process is performed for that image against the known CSAM hashes. This matching process is powered by a cryptographic technology called private set intersection, which determines if there is a match without revealing the result. The device creates a cryptographic safety voucher that encodes the match result along with additional encrypted data about the image. This voucher is uploaded to iCloud Photos along with the image.

    Using another technology called threshold secret sharing, the system ensures the contents of the safety vouchers cannot be interpreted by Apple unless the iCloud Photos account crosses a threshold of known CSAM content. The threshold is set to provide an extremely high level of accuracy and ensures less than a one in one trillion chance per year of incorrectly flagging a given account.

    Needless to say, Apple’s announcement has been met with a variety of responses. The Electronic Frontier Foundation (EFF), in particular, has been highly critical of Apple’s decision, even accusing the company of going back on its former privacy stance and embracing backdoors.

    The EFF is particularly concerned Apple’s new system could be broadened to include speech, or virtually anything, governments may not approve of. While there is certainly a concern the system could be abused that way, it’s also a far cry from using an on-device method for screening something as vile as CSAM vs using it to monitor speech.

    In many ways, Apple’s new approach to combatting CSAM is somewhat similar to its approach to combatting malware. There have been times in the past when Apple took the liberty of proactively removing particularly dangerous malware from devices. Critics could argue that Apple could extend that, at the behest of governments, to removing any programs deemed offensive. But that hasn’t happened. Why? Because there’s a big difference between removing malware and censoring applications.

    The National Center for Missing & Exploited Children, admittedly a critic of end-to-end encryption, praised Apple’s decision.

    “With so many people using Apple products, these new safety measures have lifesaving potential for children who are being enticed online and whose horrific images are being circulated in child sexual abuse material,” John Clark, chief executive of the NCMEC, said in a statement, via Reuters. “The reality is that privacy and child protection can co-exist.”

    Ultimately, only time will tell if Apple has struck the right balance between privacy and child protection. It’s worth noting Microsoft, Google and Facebook already have similar systems in place, but Apple believes its system offers significant benefits in the realm of privacy.

    In addition to going a long way toward protecting children, it’s also possible Apple’s willingness to make this concession will disarm one of the biggest arguments against end-to-end encryption, preserving the technology against legislative action.

  • IBM Brings Its Quantum System One to Germany

    IBM has unveiled its first quantum computer outside the US, bringing the Quantum System One to Germany.

    Quantum computing is considered the next big evolution of computing, capable of achieving things modern computers can’t. Everything from artificial intelligence to financial markets to encryption algorithms will be impacted by quantum computing. As a result, countries around the world are racing to advance the technology.

    IBM unveiled the new computer in partnership with Fraunhofer-Gesellschaft, Europe’s largest application-oriented research organization.

    “Quantum computing opens up new possibilities for industry and society,” says Hannah Venzl, the coordinator of Fraunhofer Competence Network Quantum Computing. “Drugs and vaccines could be developed more quickly, climate models improved, logistics and transport systems optimized, or new materials better simulated. To make it all happen, to actively shape the rapid development in quantum computing, we need to build up expertise in Europe.”

    The new computer is already hard at work, testing simulations for new materials for energy storage systems, analyzing energy supply infrastructures, financial asset portfolios and improved deep learning for machine learning applications.

    “I am very pleased about the launch of the IBM Quantum System One in Germany, the most powerful quantum computer in Europe,” said Arvind Krishna, IBM CEO (translated from German). “This is a turning point from which the German economy, industry and society will benefit greatly. Quantum computers promise to solve completely new categories of problems that are unattainable even for today’s most powerful conventional computers.”

  • Dropbox Passwords Going Free As LastPass Cripples Free Version

    Dropbox has announced it is making Dropbox Passwords free to all users, providing a valuable password management option when it’s needed most.

    Dropbox first introduced Dropbox Passwords last year to paid users. The company is now making it available to all users, including those with a free storage plan. The service uses zero-knowledge encryption, meaning that Dropbox cannot see or decipher the stored passwords.

    Most significantly, Dropbox’s service works across all compatible devices, filling an important need in the market. LastPass is a popular password manager, allowing users to sync their passwords across devices. Last month, however, the company announced it was restricting its free tier on a platform basis. Users can choose to use it on their computers or their mobile devices, but not both without upgrading to a paid plan.

    Dropbox’s service does have a couple of restrictions to the free tier. The free plan can only be used to store 50 passwords, and will only sync across three devices. Nonetheless, those restrictions are far better than the ones LastPass imposes.

  • Intel and Microsoft Working For DARPA On Usable Homomorphic Encryption

    Intel and Microsoft are working with the Defense Advanced Research Projects Agency (DARPA) to develop a usable form of homomorphic encryption.

    Homomorphic encryption is considered the holy grail of encryption. With standard options, data is encrypted when stored and in transit, but it must be decrypted to manipulate.

    In contrast, homomorphic encryption keeps all values encrypted, even when in use. For example, two numerical values encrypted with homomorphic encryption could be given to a third party, added together and returned. All values, including the calculated sum, would remain encrypted the entire time, with only the originator able to decrypt them. Homomorphic encryption would be a significant upgrade over current methods.

    Fully homomorphic encryption remains the holy grail in the quest to keep data secure while in use. Despite strong advances in trusted execution environments and other confidential computing technologies to protect data while at rest and in transit, data is unencrypted during computation, opening the possibility of potential attacks at this stage. This frequently inhibits our ability to fully share and extract the maximum value out of data. We are pleased to be chosen as a technology partner by DARPA and look forward to working with them as well as Microsoft to advance this next chapter in confidential computing and unlock the promise of fully homomorphic encryption for all. – Rosario Cammarota, principal engineer, Intel Labs, and principal investigator, DARPA DPRIVE program

    With ongoing cybersecurity threats, and an increased reliance on the cloud, homomorphic encryption could be a valuable tool in the fight to keep data secure.

    We are pleased to bring our expertise in cloud computing and homomorphic encryption to the DARPA DPRIVE program, collaborating with Intel to advance this transformative technology when ready into commercial usages that will help our customers close the last-mile gap in data confidentiality — keeping data fully secure and private, whether in storage, transit or use. – Dr. William Chappell, chief technology officer, Azure Global, and vice president, Mission Systems, Microsoft.

  • WhatsApp Delays Privacy Changes Amid Backlash

    Facebook’s WhatsApp has announced it will delay its privacy policy changes, amid one of the biggest waves of backlash the company has faced.

    WhatsApp started pushing a notification last week, informing users of changes to its privacy policy. Among the changes was data-sharing between WhatsApp and other Facebook-owned companies. Users were not given the option to opt out, being given until February 8 to either accept the new terms or stop using the app.

    The reaction was swift and severe. People began closing their WhatsApp accounts and moving to competitors, especially Signal and Telegram. Soon after, Telegram announced it passed 500 million users, while Signal saw a 62-fold increase in downloads over the last week. Meanwhile, WhatsApp downloads experienced a 17% decline during the same period, according to U.S. News & World Report.

    The backlash appears to have gotten WhatsApp’s attention, even if it’s not fundamentally changing the company’s plans. In a blog post entitled “Giving More Time For Our Recent Update,” the company says this:

    We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8. We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15.

    In other words, WhatsApp is essentially saying: ‘We’ve heard you. Trust us, it’s not what you think, and we’re going to give you more time to get accustomed to us doing what we’re going to do regardless of whether you like it or not.’

    The problem with that approach? Trusting what Facebook says about privacy is like trusting the fox to guard the henhouse. The company has used up most people’s trust and goodwill after repeated and blatant privacy violations.

  • Signal Growing So Fast It Experienced Technical Issues

    Signal has been adding so many new users that it experienced technical issues today.

    Signal is a messaging app that is widely considered one of the most secure communication platforms in existence. While the app has been popular among privacy-conscious users for some time, it has received a major boost since WhatsApp announced it would start sharing user data with other Facebook-owned companies.

    In fact, according to U.S. News & World Report, “Signal was downloaded by 17.8 million users over the past seven days, a 62-fold rise from the prior week, according to data from Sensor Tower. WhatsApp was downloaded by 10.6 million users during the same period, a 17% decline.”

    That growth hasn’t come without issues, however. For much of the day today, Signal has been experiencing technical difficulties, which the company has said is a reflection of its growth.

    The company later tweeted that it is making progress toward a resolution.

    Signal’s growth is good news for privacy advocates, and signals (pun intended) a bright future for the messaging app.

  • Signal Adds Encrypted Group Calls

    Signal has added a major new feature, giving users the ability to engage in encrypted group calls.

    Signal is the most secure messaging app on the planet, offering end-to-end encryption and a level of security other platforms can’t match. As a result, Signal is the communication platform of choice for the EU Commission, the US Senate and some military units.

    In spite of its security features, Signal has lagged behind competitors in convenience options and raw features, something the company has been working to rapidly address.

    The latest feature is a big step in that direction, adding group calling abilities. While the feature is currently limited to 5 participants, once a group call is started, members of the group can come and go at will.

    “Now when you open a group chat in Signal, you’ll see a video call button at the top. When you start a call, the group will receive a notification letting them know a call has started,” the company wrote in a blog post.

    “When you start or join a group call, Signal will display the participants in a grid view. You can also swipe up to switch to a view that automatically focuses the screen on who is speaking, and it will update in real time as the active speaker changes.”

    The company emphasizes that “group calls are free, private, and end-to-end encrypted.”

    Group calls are an important feature that helps put Signal on par with competing products, like Apple iMessage and WhatsApp. The fact that Signal has added this feature while providing the same high degree of security is a big win for consumers.

  • FTC Holds Zoom Accountable For Misleading Security Claims

    Zoom has agreed to a settlement with the Federal Trade Commission (FTC) over misleading security claims.

    Zoom quickly established itself at the outset of the pandemic as one of the main methods of communication and remote work. Unfortunately for the company, it also faced a number of missteps in regard to security.

    In particular, the FTC took Zoom to task for claiming it offered end-to-end encryption from at least 2016, when it offered a much weaker type of security. End-to-end encryption ensures that only the sender and recipient can access the encrypted content. While Zoom claimed to offer this level of encryption, in reality, it held the keys that could allow it to decrypt meetings at will.

    In addition, customers who opted to save recordings of their meetings using Zoom’s cloud storage were misled about the level of encryption Zoom provided. The company claimed the recordings were encrypted immediately. Instead, the FTC found that some recordings were left as long as 60 days without being encrypted.

    “During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

    As part of the settlement, Zoom is prohibited from making false and misleading statements, and must submit to third-party assessments, make sure updates do not interfere with third-party security features, and implement additional safeguards.

  • Zoom End-to-End Encryption Rolling Out Next Week

    Zoom has announced it will be rolling out end-to-end encryption (E2EE) beginning next week.

    Zoom quickly became the de facto standard for remote work and distance learning during the coronavirus pandemic. Unfortunately, the company made a number of security missteps early on, leading to a 90-day moratorium on new features as the company focused on security.

    One of those issues revolved around E2EE. The company’s early marketing made it appear as if it offered E2EE when, in fact, it did not. The company later announced definitive plans to implement E2EE, although only for paid accounts. After feedback and criticism, the company reversed course, announcing its intention to bring E2EE to all users.

    Those plans are coming to fruition, with the company implementing the first phase of its E2EE plans next week:

    We’re excited to announce that starting next week, Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days. Zoom users – free and paid – around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.

    CEO Eric S. Yuan highlighted the benefits of E2EE, both to customers and the Zoom platform:

    End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world. This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises.

    Once enabled, users will know their meetings are encrypted with E2EE by looking at the green shield icon in the upper left corner. The normal checkmark, indicating GCM encryption, will be replaced by a padlock.

  • US Joins International Call For Encryption Backdoors

    Once again, the US is calling for weakened encryption, along with the Five Eyes, Japan and India.

    The Five Eyes is a group of nations that cooperate on intelligence, comprised of the US, UK, Australia, New Zealand and Canada. The extent of the Five Eyes’ spying was brought to the public’s attention as a result of Edward Snowden’s leaks.

    In an international statement, the Five Eyes, along with Japan and India, have once again called on companies to achieve the impossible.

    The statement begins with the following statement supporting strong encryption:

    We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security. It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council. Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.

    The next part of the statement, however, directly contradicts the opening remark:

    Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content. We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:

    • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
    • Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
    • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

    As has been pointed out repeatedly at WPN, what the international statement calls for is not theoretically, practically or scientifically possible. Encryption is based on mathematics. For encryption to be “strong,” it must be based on a sound mathematical implementation.

    The minute a backdoor is created, that strength vanishes. There is simply no way to simultaneously have strong encryption combined with a method to defeat that encryption. No matter how well intentioned such a backdoor may be, any such method would ultimately weaken encryption for everyone—including those, as the statement highlights, whose very lives depend on secure, encrypted communication.

    This is one of the reasons that, as previously reported, secure messaging app Signal has already said it would not be able to continue operating in the US should legislation be passed enforcing encryption backdoors. For perspective, Signal is used by congressional staff and the military, specifically because it is so secure.

    What is not clear is whether the officials calling for encryption backdoors understand the underlying principle and are disingenuously claiming otherwise, or whether they truly do not understand how encryption works.

  • Verizon Future-Proofs Network With Quantum Key Distribution

    Verizon has become the first wireless carrier to pilot the use of quantum key distribution (QKD) to help secure its network.

    Quantum key distribution is a type of cryptography that relies on the principles involved in quantum mechanics, and specifically quantum entanglement. As a result, because information is transmitted in a quantum state, it’s impossible for a third party to snoop on the transmission without being detected. This makes QKD one of the only types of encryption that is future-proofed in a world where quantum computing will render other forms of encryption obsolete.

    Verizon has now demonstrated how QKD can be used to protect its network. Quantum keys were created and exchanged over a QKD network and used to encrypt video streams. The recipient was able to watch the videos in real-time, while any hackers would be instantly detected.

    “We continue to innovate and discover new ways to ensure safe networks and communications down the road for both consumers and enterprises,” said Nicki Palmer, chief product development officer at Verizon. “In testing advanced security technologies, our QKD trial demonstrates how quantum-based technology can strengthen data security today and in the future.”

    “The use of quantum mechanics is a great step forward in data security,” said Christina Richmond, analyst at IDC. “Verizon’s own tests, as well as other industry testing, have shown that deriving ‘secret keys’ between two entities via light photons effectively blocks perfect cloning by an eavesdropper if a key intercept is attempted. Current technological breakthroughs have proven that both the quantum channel and encrypted data channel can be sent over a single optical fiber. Verizon has demonstrated this streamlined approach brings greater efficiency for practical large-scale implementation allowing keys to be securely shared over wide-ranging networks.”

  • Google Introduces Confidential Computing, a New Way of Encrypting Cloud Data

    Google Cloud has introduced Confidential Computing in a bid to help secure data in the cloud.

    Google and Microsoft are both founding members of the Confidential Computing industry group. The goal of Confidential Computing is to encrypt and secure data while it is being used and processed. This is far different than current encryption methods, wherein data must be decrypted in order to access it. In its current incarnation, Google Cloud encrypts data in transit and at rest, but the data must be decrypted to work with.

    Confidential Computing is a game-changer since it keeps data encrypted at every step of the process, including when the data is being accessed.

    “Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing,” write Nelly Porter, Senior Product Manager; Gilad Golan, Engineering Director, Confidential Computing; and Sam Lugani, Lead Security PMM, G Suite & GCP platform. “Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

    “Confidential VMs, now in beta, is the first product in Google Cloud’s Confidential Computing portfolio. We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure. Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”

    This is an exciting development in the realm of cloud security, and specifically for Google Cloud. As the first major cloud provider to offer Confidential Computing, this is a big win for Google as it battles its larger rivals in the cloud space.

  • EARN IT Act Moves Forward After Addressing Encryption Concerns

    The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act of 2019 (EARN IT Act) has passed the Senate Judiciary Committee after addressing concerns about weakening encryption.

    The EARN IT Act is aimed at protecting children and eliminating online sexual abuse. Many critics, however, were afraid the bill went too far in weakening encryption that law-abiding users rely on.

    The bill addresses the Section 230 protections that limit the liability companies incur from the actions of users on their platforms. In order to maintain their protections, the original bill called for companies to follow mandatory “best practices” outlined by a commission of experts. Many companies and critics warned that these “best practices” could require companies to weaken industry-standard encryption, leaving them little recourse.

    Senator Graham filed an amendment that waters down that provision of the bill, specifically changing the “best practices” to recommendations rather than requirements. In addition, according to The Verge, Senator Patrick Leahy filed an amendment—that was approved—that would “exclude encryption” as a factor that would increase a company’s liability.

    The bill will now move to the Senate floor for a vote by the entire body.

  • Senators Introduce Legislation Attacking Encryption

    Another day, another attack on the encryption standards that protect every single person using the internet and computing devices.

    Senators Lindsey Graham, Tom Cotton and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act in a bid “to bolster national security interests and better protect communities.”

    It’s hard to tell whether the authors are trying to attack encryption, or if they simply don’t understand how it works…or both. Either way, the result is the same: This legislation will gut the end-to-end encryption (E2EE) billions of people rely on.

    Case in point:

    “After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans,” says Graham.

    Similarly:

    “This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton.

    The announcement specifically states:

    “Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of ‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.”

    These statements ignore some of the basic facts involved in the encryption debate. Let’s break this down.

    1. All of the above statements place a great deal of emphasis on a warrant. The encryption debate has never been about tech companies’ willingness or unwillingness to abide by a warrant. The issue, plain and simple, is that you cannot have strong encryption that has backdoors. Experts have been warning about the dangers of weakening encryption for years, in countless places too numerous to list.

      Ultimately, this is not a case where these senators can ‘have their cake and eat it too.’ Either everyone has strong encryption that protects them, or no one does. Even these senators rely on encryption to conduct their business. Signal is widely considered to be the most secure messaging app on the planet, in large part because of the type of encryption this legislation targets. It is so secure that the Senate specifically encourages Senate staff to use Signal.

      Yet this legislation is so dangerous to the very type of encryption that Signal relies on that the company has already warned that, if it passes, Signal will likely stop being available in the US altogether.

      Again, either everyone has strong encryption or no one does…including the senators targeting encryption.

    2. The legislation wrongly asserts that companies fail to cooperate with law enforcement, “even when criminal activity is clearly taking place.” Again, this is not a matter of intentionally failing to cooperate; it is a technical impossibility.

      Companies simply cannot create strong encryption that can simultaneously be accessed at will, either by the company, law enforcement or anyone else. In many cases, such as Apple, companies cooperate as much as they possibly can, but they cannot change the laws of physics.

    3. The assertion that “‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user” ignores how the technology is frequently used by the “ordinary user.” The fact is, E2EE protects private communication, securing text messages, video chats, emails and voice calls, ensuring people can communicate without fear.

      Businesses rely on E2EE on a daily basis to ensure they can freely discuss internal matters without fear of corporate eavesdropping and espionage. Victims of abuse often rely on these services to communicate with loved ones without their abuser being able to find them. Journalists and activists in areas ruled by oppressive regimes rely on E2EE for their very lives.

    The announcement cites several examples where E2EE thwarted attempts by law enforcement. While true, the question remains: How is that different from any other technology?

    One example encryption proponents cite is shredder manufacturers. Do these companies have to create shredders that reconstitute a document just because some bad actors use paper shredders to cover their tracks? Of course not. While some do use shredders to cover illegal activity, the vast majority of individuals use them for perfectly legal reasons.

    The same is true of E2EE. There will always be those who use any technology for illegal, immoral and unethical reasons. The vast majority, however, will use it as it was intended, for perfectly legal activity.

    If passed, however, this new legislation will punish the whole on behalf of the few.

  • Signal Now Allows Chat History Transfer on iOS

    Secure messaging app Signal has added the ability to transfer one’s chat history on iOS devices.

    Signal is a popular messaging app that is widely considered to be the most secure messaging platform available. It is used by Edward Snowden, and even Senate staff are encouraged to use it.

    One glaring issue on iOS has been the inability to transfer your chat history to a new device. Instead, moving to a new device meant leaving behind all your Signal threads (this writer can personally attest to how frustrating it was). Now, however, it seems Signal has finally brought this feature to iOS.

    “Signal iOS now includes a new feature that makes it possible to switch to a brand-new iPhone or iPad while securely transferring Signal information from your existing iOS device,” writes Nora Trapp on Signal’s blog. “As with every new Signal feature, the process is end-to-end encrypted and designed to protect your privacy. Transfers also occur over a local connection (similar to AirDrop), so even large migrations can be completed quickly.”

    The only caveat is the transfer process requires access to the old phone, so it won’t work if it has been sold, lost or stolen. As long as you still have the old phone, however, simply install Signal on the new phone and go through the registration process. After entering your number, the app will ask if you want to transfer your messages from your old device. If you opt to migrate, your old phone will provide a migration prompt, while the new phone will generate a QR code. Scan the QR code on the new phone with the old one and the transfer will begin.

    This is excellent news for Signal fans and eliminates one of the few pain points associated with having the most secure communication possible.

  • IBM Unveils Homomorphic Encryption Toolkit for macOS and iOS

    IBM has unveiled a toolkit for developers to start implementing homomorphic encryption on macOS and iOS.

    Homomorphic encryption is an exciting evolution of encryption technology that allows authorized individuals to manipulate encrypted data without decrypting it. Any computations performed on the data will provide the same results as if they had been performed on an unencrypted copy.

    This has tremendous benefits to data security, as the decryption step is a weak point in the process. Once data is decrypted in traditional encryption methods, anything can happen to it. Homomorphic encryption, however, ensures it remains protected, while still being able to be used.

    “FHE is particularly suited to industries which are regulated and make use of private, confidential and ‘crown jewel’ data, such as finance and healthcare, since the technology can make it possible to share financial information or patient health records broadly while restricting access to all but the necessary data,” writes IBM’s Flavio Bergamaschi.

    While adopting homomorphic encryption will require rethinking the entire security process, its advantages would seem to be well worth it.

  • Messaging App Signal Adds Blur Tool

    Popular messaging app Signal has added blur tools to help protect the identities and privacy of people in photos.

    Signal is widely considered to be the most secure messaging platform on the planet. It uses end-to-end encryption and is open-source software. It is so secure that Edward Snowden uses it and the US Senate has urged senators and their aides to use it.

    Now the company is taking the next step, adding blur tools to help protect the identity of people in photos.

    “The latest version of Signal for Android and iOS introduces a new blur feature in the image editor that can help protect the privacy of the people in the photos you share,” writes Moxie Marlinspike, Signal’s creator and CEO. “Now it’s easy to give every face a hiding place, or draw a fuzzy trace over something you want to erase. Simply tap on the new blur tool icon to get started.”

    The new feature relies on the underlying libraries in iOS and Android. As a result, all of the processing is done on-device, ensuring absolute privacy. In the event the underlying libraries don’t detect a face and blur it automatically, the new tool can also be used to manually blur an area with the blur brush.

    This is an excellent upgrade to an already stellar application, and will surely see widespread use.