Follow me @glynmoody on Twitter or identi.ca, and on Google+

Last August, when someone posted a question about CipherCloud’s service to StackExchange, a popular question and answer site for software developers. “How is CipherCloud doing homomorphic encryption?” the question read.

That’s a geeky question, but an honest one. CipherCloud’s service is designed to encrypt data stored in exiting online applications without hampering the way these applications operate, and that’s not an easy thing to do. If you encrypt a collection of data, for instance, you may have trouble searching that data. One solution is a technique called “homomorphic encryption,” which would let users manipulate encrypted data as if it wasn’t encrypted — and that’s what the question was getting at.

On Saturday, the company sent a DMCA takedown notice and defamation complaint to StackExchange. With its letter, CipherCloud complained that StackExchange users violated its intellectual property in posting its marketing materials to the site and that defamed its operation in misrepresenting the way its technology works. The users guessed that CipherCloud used something called deterministic encryption, a relatively weak form of security. The company said this is not the case, pointing out that one of the posters, Sid Shetye, is the CEO of CipherDb, a company that competes with CipherCloud in some ways.

“I don’t think there’s a court in the country that would hold [the posters] liable for defamation,” [Corynne McSherry of the EFF] says. And if CipherCloud did try to bring defamation charges against the users, she says, the company could be exposed to a potential counter suit under SLAPP laws, which are designed to prevent individuals or companies from using bogus lawsuits to silence critics.

Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals.

An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, "it is impossible to intercept iMessages between two Apple devices" even with a court order approved by a federal judge.

Which brings us to the question of why, exactly, this sensitive law enforcement document leaked to a news outlet in the first place. It would be very strange, after all, for a cop to deliberately pass along information that could help drug dealers shield their communications from police. One reason might be to create support for the Justice Department’s longstanding campaign for legislation to require Internet providers to create backdoors ensuring police can read encrypted communications—even though in this case, the backdoor would appear to already exist.

The CNET article itself discusses this so-called “Going Dark” initiative. But another possible motive is to spread the very false impression that the article creates: That iMessages are somehow more difficult, if not impossible, for law enforcement to intercept. Criminals might then switch to using the iMessage service, which is no more immune to interception in reality, and actually provides police with far more useful data than traditional text messages can. If that’s what happened here, you have to admire the leaker’s ingenuity—but I’m inclined to think people are entitled to accurate information about the real level of security their communication enjoy.

The solution to public surveillance problems should not involve discouraging people from providing public resources like open wireless, since this cuts against the general interest and takes away a common good. As we've explained elsewhere, wireless encryption provides few benefits compared to the much stronger end-to-end encryption, a technology that can thrive alongside environments with open wireless access. The settlement could have gone so much farther by educating people how to run open wireless networks safely and securely—for example, through open guest networks.

It is apparent that too little thought and analysis went into this settlement document, and, as a result, the requirements do the public a huge disservice by hurting the Open Wireless Movement.

Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.

Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is a good news and a bad news. The good news is with this browser, they are no more doing Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over HTTP connection to their server

Google is in an ideal position to overcome these difficulties, and finally make strong e-mail encryption a mass phenomenon. Their Gmail service—the one David Petraeus was using to exchange steamy messages with his biographer and lover, Paula Broadwell—has some 425 million active users by last count. Many of those users access the service through a Web interface, which Google can change and update for all users simultaneously. That means we could all wake up tomorrow to find a handy new “Encrypt Message” button included in the familiar Gmail interface we're already using. Meanwhile, Google (along with Facebook) has rapidly become a kind of universal Internet identity provider, with the Google Account used as a key not only to access Google’s own myriad offerings, but many other independent online services as well.

Because truly strong encryption is “end to end”—meaning the end-users generate, store, and have sole access to their own private encryption keys—a robust content encryption system may require users to have appropriate client software installed on their own machines. Here, too, Google is well positioned to provide a solution: They already make a widely-used browser, Chrome, and a popular operating system for mobile devices, Android, which could be updated with the necessary functionality built-in, eliminating the need for a separate browser plug-in.

Meanwhile, Google would garner enormous goodwill from privacy advocates, reams of free press coverage, and an attractive new selling point, not only for Gmail but for Chrome and Android as well. Encryption would likely be a particularly appealing feature for Google's paying enterprise customers, whose messages may contain information that is not only private but highly valuable. At the very least, it's worth running the numbers again to see whether offering strong encryption might now be a net boon to the company's bottom line.

Because people are loss-averse, taking away something people already have and value can be all but impossible—while preventing them from getting it in the first place is far easier. By rolling out e-mail encryption now, Google can ensure that ordinary users see myopic efforts to regulate secure communications infrastructure as something that affects all of our privacy and security—not just that of faceless crooks or terrorists.

...lots of cloud services that offer encryption let the user choose whether or not to let the provider keep a backup copy of the user's keys. The more paranoid could sacrifice some mobility and convenience—and risk losing access to some of their messages if their local copies of the key are destroyed—by opting not to let Google keep even an encrypted copy of their key. Or, as a middle ground, a user could always store an encrypted backup copy of her key with a different cloud provider, like Dropbox, which need not even be known to Google. That provides all of the advantages of storing the key with Google at a relatively minor cost in added hassle, but substantially raises costs for any attacker, who now must not only crack the passphrase protecting the key, but figure out where in the cloud that key is located. Assuming it's accessed relatively infrequently (most of us read our e-mail on the same handful of devices most of the time) even a governmental attacker with subpoena power and access to IP logs is likely to be stymied, especially if the user is also employing traffic-masking tools like Tor

A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems.

China Unicom, one of the biggest telecoms providers in the country, is now killing connections where a VPN is detected, according to one company with a number of users in China.

The case involves RetroShare, which describes itself thus:

RetroShare is a Open Source cross-platform, Friend-2-Friend and secure decentralised communication platform.

It lets you to securely chat and share files with your friends and family, using a web-of-trust to authenticate peers and OpenSSL to encrypt all communication. RetroShare provides filesharing, chat, messages, forums and channels

Follow me @glynmoody on Twitter or identi.ca, and on Google+

1. A method for transmitting data comprising a sequence of blocks in encrypted form over a communication link from a transmitter to a receiver comprising, in combination, the steps of:

providing a seed value to both said transmitter and receiver,

generating a first sequence of pseudo-random key values based on said seed value at said transmitter, each new key value in said sequence being produced at a time dependent upon a predetermined characteristic of the data being transmitted over said link,

encrypting the data sent over said link at said transmitter in accordance with said first sequence,

generating a second sequence of pseudo-random key values based on said seed value at said receiver, each new key value in said sequence being produced at a time dependent upon said predetermined characteristic of said data transmitted over said link such that said first and second sequences are identical to one another a new one of said key values in said first and said second sequences being produced each time a predetermined number of said blocks are transmitted over said link, and

decrypting the data sent over said link at said receiver in accordance with said second sequence.

2. The method as set forth in claim 1 further including the step of altering said predetermined number of blocks each time said new key value in said first and said second sequences is produced.

“When the government grants you the right to a patent, they grant you the right to exclude others from using it,” Spangenberg says simply when I reach by phone him in his Dallas office. He makes no apology for the fact that TQP doesn’t use the encryption patent itself, or even have a website. “If you buy a hundred-foot lot in the middle of Manhattan, you’re not required to develop it…Companies have the right to protect their IP dollars.”

But when I point out to Spangenberg that RC4 was invented by MIT cryptographer Ron Rivest in 1987, two years before the filing date of TQP’s patent, he counters that defendants’ infringement actually has nothing to do with RC4. Instead he claims the infringement lies solely in the use of the SSL or TLS “handshake” that establishes a secure connection between a web browser and a web server, a technology invented in 1994 and used by virtually every secure web page.

Schneier says he worked with Michael Jones on a technology related to secure payment systems in the 1990s. But since Jones’ work was acquired by TQP and used for lawsuits, he’s actually consulted to a half-dozen defendants in Spangenberg’s cases, many of whom settled for undisclosed sums rather than risk an expensive trial.

Schneier describes TQP as a “really bad patent troll” and the intellectual property it’s using to cudgel defendants as a “crappy patent” that ought to be invalidated by prior art–evidence of previous invention of the same technology.

You can call me Slate. All you need to know is that I am well trained and can perform what you need done. I do not need to know your situation with the hit and prefer not to. I’m hired when you want to make sure that the hit doesn’t get traced back to you.

• Minimum age for hit is 18.
• I do not care of the gender of the hit.
• I do not kill pregnant women.
• I do not torture the target.
• If hit is a political figure, or is in law enforcement (judges, policemen) there will be an additional fee.
• For an additional fee, I can set it up as a “suicide” or an “accident”
• Hit will take place within 4 weeks.
• Hits outside of the continental US will require an additional 2 weeks of logistics and $5000 in travel fees.
• Once the hit has been made I will message you with a picture or a video and the remaining balance must be paid in full.

I remember reading [Sinn Féin' leader] Gerry Adams's autobiography at a time when most people considered him a terrorist. I can remember that if he was interviewed on TV they had to use an actor to do a voiceover, because it was illegal to broadcast his actual voice. It wasn't that I agreed with Gerry Adams' beliefs or actions, but I did feel that it was far more productive to understand where people are coming from, to try to step into their shoes, rather than simply demonizing them, which was official government policy at that time. It left me with a strong sense of the futility of censorship, and the value of free communication.

All emails, telephone calls and other communications with the rest of the world will begin to be monitored within 90 days at a cost of million of dollars, according to a deadline given by the government to operators including PTCL.

The government has assigned PTCL and other operators to install monitoring equipment by the end of this year for checking voice and email communications from abroad and the services of the country’s spy agency will be used basically to check and curb blasphemous and obscene websites on the Internet.

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable."

Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications—text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.

The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user—a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.

The very features that make Silent Circle so valuable from a civil liberties and privacy standpoint make law enforcement nervous. Telecom firms in the United States, for instance, have been handing over huge troves of data to authorities under a blanket of secrecy and with very little oversight. Silent Circle is attempting to counter this culture by limiting the data it retains in the first place. It will store only the email address, 10-digit Silent Circle phone number, username, and password of each customer. It won’t retain metadata (such as times and dates calls are made using Silent Circle). Its IP server logs showing who is visiting the Silent Circle website are currently held for seven days, which Janke says the company plans to reduce to just 24 hours once the system is running smoothly.

Nadim Kobeissi, a Montreal-based security researcher and developer, took to his blog last week to pre-emptively accuse the company of “damaging the state of the cryptography community.” Kobeissi’s criticism was rooted in an assumption that Silent Circle would not be open source, a cornerstone of encrypted communication tools because it allows people to independently audit coding and make their own assessments of its safety (and to check for secret government backdoors). Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.

But what if, one day down the line, things change and Canada or another country where Silent Circle has servers tries to force them to build in a secret backdoor for spying? Janke has already thought about that—and his answer sums up the maverick ethos of his company.

“We won’t be held hostage,” he says, without a quiver of hesitation. “All of us would rather shut Silent Circle down than ever allow a backdoor or be bullied into an ‘or else’ position.”

The CryptoParty movement hopes to do something about that by inviting people to come along to informal meetings to learn about crypto, how to install it and how to use it in everyday computing in order to strengthen their privacy and protect themselves from surveillance. The driving force behind the idea is the Australian digital rights activist Asher Wolf, well known on Twitter. The specific impetus came from approval of the Cybercrime Legislation Amendment Bill 2011 by the Australian Senate. Here's what it will do, as explained on the academic blog The Conversation:

The bill effects changes in the Telecommunications Act 1997 and Telecommunications (Interception and Access) Act 1979 and will force carriers and internet service providers (ISPs) to preserve stored communications, when requested by certain domestic authorities (such as the Australian Federal Police), or when requested by those authorities acting on behalf of nominated foreign countries.

This means a warrant will be needed before the police or security agencies can force carriers or ISPs to monitor, capture and store website use, data transmissions, voice and multimedia calls, and all other forms of communication over the digital network.

Of course, there's still the question of whether this project will have any major impact on the use of crypto by general users. After all, it's not as if people haven't been recommending the thoroughgoing application of encryption for everyday tasks before. As the by-now venerable Cypherpunk's Manifesto put it:

We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Here's a great example spotted by the annalist blog, which reports on a parliamentary enquiry about expenditures by the German Federal Ministry of the Interior, responsible for internal security. What was probably thought to be no more than a few dozen pages of boring and thus safe figures turned out to reveal something quite shocking:

The German ministry for home affairs and thus the German police clearly state that they are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary. Money is spent on trojan viruses and we can be quite certain which company produces the IMSI catchers [used for "man-in-the-middle" attacks on mobile phones] used by German police.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

[District spokesman Pascual Gonzalez] said the chips, which are not encrypted and chronicle students only by a serial number, also assist school officials to pinpoint where kids are at any given time, which he says is good for safety reasons. “With this RFID, we know exactly where the kid is within the school,” he said noting students are required to wear the ID on a lanyard at all times on campus.

The lack of encryption makes it not technically difficult to clone a card to impersonate a fellow student or to create a substitute card to play hooky, and makes the cards readable by anyone who wanted to install their own RFID reader, though all they would get is a serial number that’s correlated with the student’s ID number in a school database.

Like most state-financed schools, their budgets are tied to average daily attendance. If a student is not in his seat during morning roll call, the district doesn’t receive daily funding for that pupil, because the school has no way of knowing for sure if the student is there. But with the RFID tracking, students not at their desk but tracked on campus are counted as being in school that day, and the district receives its daily allotment for that student.

A tip for school districts: if you're going to use RFID chips as a way to get more federal funding while pretending it's about student safety, pretend harder.

As the list of questions on the Joint Committee's Web page makes clear, it seems to be doing a thorough job, exploring every aspect of the proposed legislation. As well as a public consultation (now closed), it is also taking oral evidence from a wide range of interested parties, both for and against the plans. Yesterday, one of the people who spoke before the Committee was Jimmy Wales, who did not mince his words:

Jimmy Wales, the founder of Wikipedia, has sharply criticised the government's "snooper's charter", designed to track internet, text and email use of all British citizens, as "technologically incompetent".

He said Wikipedia would move to encrypt all its connections with Britain if UK internet companies, such as Vodafone and Virgin Media, were mandated by the government to keep track of every single page accessed by UK citizens.

To a certain extent, this is just bluster: Wales has no formal power to instruct Wikipedia to encrypt its connections, and even assuming that happened, it's not certain that companies like Google and Facebook would risk fines or imprisonment for their staff by refusing to hand over encryption keys. But Wales' intervention had a big symbolic importance: he's not only the co-founder of Wikipedia -- which even politicians have heard of and probably use -- he's also one of the UK government's own special tech advisers, appointed back in March.

His comments are, therefore, a real slap in the face, and a useful reminder that by pushing for this kind of total surveillance the UK government is not only making itself look oppressive, but stupid too.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies, according to an exchange of communications between the Canadian company and the Indian government.

"No problem until today trying to watch HBO," a standard definition TV owner with an HR 20 DVR noted on Saturday. "Get message that the program is content protected. I can view every other channel except HBO. This wasn't the case last week. Something new?"

Ditto declared another poster a few hours later: "Noticed something strange this week also regarding HBO. Although my Sony is connected via HDMI I get the message that my 'set is not compatible with..... ' displayed too briefly to read in its entirety. It is displayed when changing between HBO channels. Same TV, same HR20 for nearly six years, never a problem prior to this."

...

"As of today, I can no longer watch HBO over HDMI to my television," another consumer disclosed. "I get an error message that says 'HDMI connection not permitted. Press SELECT for more information.' (And pressing Select does nothing.)."

Turns out the problem is HDCP encryption, a newer part of the HDMI standard that premium channels are requiring pay TV operators to implement. Ostensibly this is to stop people from obtaining high-definition copies of movies and TV shows—but of course, HDCP was cracked a while ago and this will do little or nothing to stop the dedicated (and highly organized) groups that make such copies available. Meanwhile, it forces a bunch of paying customers who were happily and habitually enjoying the content to suddenly go out and get expensive new equipment (or, quite reasonably, turn to piracy to replace what was taken from them even though they still pay for it). DirecTV suggests a workaround—switching to component video instead of HDMI—but as Ars points out, this is a pretty weak response: component video is much lower quality, and some content still won't work, because first-run movies employ selectable output control (another silly DRM restriction) to prevent analog output.

It's truly amazing that companies like HBO still pursue such strategies. There is not, and never has been, a form of DRM that effectively prevents piracy—but every single form of DRM reduces the value of the product to legitimate subscribers. It's pretty bizarre to continually punish the only people who aren't engaged in the behavior you want to stamp out.

A short time later, [NSA deputy director Chris] Inglis arrived in Bluffdale at the site of the future data center, a flat, unpaved runway on a little-used part of Camp Williams, a National Guard training site. There, in a white tent set up for the occasion, Inglis joined Harvey Davis, the agency’s associate director for installations and logistics, and Utah senator Orrin Hatch, along with a few generals and politicians in a surreal ceremony. Standing in an odd wooden sandbox and holding gold-painted shovels, they made awkward jabs at the sand and thus officially broke ground on what the local media had simply dubbed “the spy center.” Hoping for some details on what was about to be built, reporters turned to one of the invited guests, Lane Beattie of the Salt Lake Chamber of Commerce. Did he have any idea of the purpose behind the new facility in his backyard? “Absolutely not,” he said with a self-conscious half laugh. “Nor do I want them spying on me.”

For his part, Inglis simply engaged in a bit of double-talk, emphasizing the least threatening aspect of the center: “It’s a state-of-the-art facility designed to support the intelligence community in its mission to, in turn, enable and protect the nation’s cybersecurity.” While cybersecurity will certainly be among the areas focused on in Bluffdale, what is collected, how it’s collected, and what is done with the material are far more important issues. Battling hackers makes for a nice cover—it’s easy to explain, and who could be against it? Then the reporters turned to Hatch, who proudly described the center as “a great tribute to Utah,” then added, “I can’t tell you a lot about what they’re going to be doing, because it’s highly classified.”

And then there was this anomaly: Although this was supposedly the official ground-breaking for the nation’s largest and most expensive cybersecurity project, no one from the Department of Homeland Security, the agency responsible for protecting civilian networks from cyberattack, spoke from the lectern. In fact, the official who’d originally introduced the data center, at a press conference in Salt Lake City in October 2009, had nothing to do with cybersecurity. It was Glenn A. Gaffney, deputy director of national intelligence for collection, a man who had spent almost his entire career at the CIA. As head of collection for the intelligence community, he managed the country’s human and electronic spies.

But there is, of course, reason for anyone to be distressed about the practice. Once the door is open for the government to spy on US citizens, there are often great temptations to abuse that power for political purposes, as when Richard Nixon eavesdropped on his political enemies during Watergate and ordered the NSA to spy on antiwar protesters. Those and other abuses prompted Congress to enact prohibitions in the mid-1970s against domestic spying.