EARN IT Act threatens end-to-end encryption
While we're all distracted by stockpiling latex gloves and toilet paper, there's a bill tiptoeing through the US Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years.
FBI Director Chris Wray Pitches Weakened Encryption At A Cyber Security Conference
On May 29, 2018, the FBI promised to deliver an updated count of encrypted devices in its possession. As James Comey and his replacement, Chris Wray, continued to advocate for weakened encryption, the number of phones the FBI couldn't get into swelled from 880 in 2016 to over 7,800 by the time the FBI realized its phone-counting method was broken.
The EARN IT Act Is a Sneak Attack on Encryption
A bipartisan pair of US senators today introduced long-rumored legislation known as the EARN IT Act. Meant to combat child sexual exploitation online, the bill threatens to erode established protections against holding tech companies responsible for what people do and say on their platforms.
The Graham-Blumenthal Bill: A New Path for DOJ to Finally Break Encryption
Members of Congress are about to introduce a bill that will undermine the law that undergirds free speech on the Internet. If passed, the bill, known as the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, will fulfill a long-standing dream of U.S. law enforcement.
Let's Encrypt Vulnerability
In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code. Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates."
FCC Proposes to Fine Wireless Carriers $200M for Selling Customer Location Data
The U.S. Federal Communications Commission (FCC) today proposed fines of more than $200 million against the nation's four largest wireless carriers for selling access to their customers' location information without taking adequate precautions to prevent unauthorized access to that data.
Let's Encrypt hits 1 billion certificates issued
We issued our billionth certificate on February 27, 2020. We're going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event. In particular, we want to talk about what has happened since the last time we talked about a big round number of certificates - one hundred million.
Firefox turns encrypted DNS on by default to thwart snooping ISPs
Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.
Australian political parties hacked
Morrison said that the Australian government had made moves to "ensure the integrity of our electoral system," including instructing the Australian Cyber Security Centre "to be ready to provide any political party or electoral body in Australia with immediate support, including making their technical experts available."
If they can't maintain security before forcefully introducing weaknesses I can't imagine what things will look like after.
Russia tries to force social media giants to relocate servers to Russia
The Russian government agency responsible for censorship on the Internet has accused Facebook and Twitter of failing to comply with a law requiring all servers that store personal data to be located in Russia.
Time to exit the market.
Blocking spam calls from similar numbers on iOS
I've been seeing more incoming spam calls from numbers similar to mine recently. They're annoying in large part because traditional iOS call blockers like Hiya, Nomorobo and so forth don't screen them out (these apps apparently do this to err on the side of caution and avoid blocking what they see as legitimate local calls).
Avoiding phishing
Someone just tried to phish me, and it made me want to put together a little guide to help you catch this stuff before it ruins your day.
An excellent refresher on what to look out for to avoid phishing. Be careful out there.
Responsible encryption
The Department of Justice has said that they want to have an “adult conversation” about encryption. This is not it. The DOJ needs to understand that secure end-to-end encryption is a responsible security measure that helps protect people.
The Equifax breach is a disaster
At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.
Data is a toxic asset
We can be smarter than this. We need to regulate what corporations can do with our data at every stage: collection, storage, use, resale and disposal. We can make corporate executives personally liable, so they know there's a downside to taking chances. We can make the business models that involve massively surveilling people the less compelling ones, simply by making certain business practices illegal.
EFF argues border agents need warrants to search digital devices
"Our cell phones and laptops provide access to an unprecedented amount of detailed, private information, often going back many months or years, from emails to our coworkers to photos of our loved ones and lists of our closest contacts. This is light years beyond the minimal information generally contained in other kinds of personal items we might carry in our suitcases. It's time for courts and the government to acknowledge that examining the contents of a digital device is highly intrusive, and Fourth Amendment protections should be strong, even at the border," said EFF Staff Attorney Sophia Cope.
We Should All Care About Encryption
If we squander privacy by allowing back doors or building illicit vulnerabilities into encryption tools, there is nothing to protect us from prying corporations, spying governments or even criminals bent on abusing our data. Unfortunately, there is no such thing as a back door that only lets the good guys in.
Data must always be encrypted, end-to-end, period — before it leaves your computer. Privacy is a fundamental right. Let's not squander it in the name of security.
DHS Boss Calls For More Fear, Less Encryption
This is wonderful stuff if you're a fan of authoritarianism. Shut up and show your support. It's a message that's been sent several times by the new president. Now, it's being echoed by his top officials.
Yet another ill-considered power grab in the name of safety.
Securing your personal devices and accounts
Jonathan Zdziarski has a detailed write-up on personal, technical security that you should read and consider implementing (particularly given recent events).
The year encryption won
It's not a firm guarantee, and who knows what a Trump administration will bring. For now, though, it's enough to appreciate the gains encryption made in 2016, and be hopeful that 2017 will only build on them.
Senate push for encryption legislation falters
Draft legislation that Senators Richard Burr and Dianne Feinstein, the Republican and Democratic leaders of the Intelligence Committee, had circulated weeks ago likely will not be introduced this year and, even if it were, would stand no chance of advancing, the sources said.
Fantastic news. This bill (and the push behind it) was ill-conceived at best and would have caused untold damage were it to pass.
DOJ takes war on encryption to WhatsApp
The government's theory, that the All Writs Act gives it the power to compel American companies to write code and design products to ensure law enforcement access to encrypted content, is virtually without limits. No devices, and indeed no encrypted messaging services, would be safe from such backdoor orders. If the government wins in San Bernardino, it could even force companies to give it access to software update systems, and send their users government surveillance software disguised as security patches.
Dutch government on encryption
...forcing companies to add backdoors to their products and services would have "undesirable consequences for the security of communicated and stored information," since "digital systems can become vulnerable to criminals, terrorists and foreign intelligence services."
Exactly.
Backdoor password in Juniper's firewall code
On December 17, Juniper Networks issued an urgent security advisory about "unauthorized code" found within the operating system used by some of the company's NetScreen firewalls and Secure Service Gateway (SSG) appliances. The vulnerability, which may have been in place in some firewalls as far back as 2012 and which shipped with systems to customers until late 2013, allows an attacker to gain remote administrative access to systems with telnet or ssh access enabled.