Here's one view, from Germany. Politicians from the Die Linke party posed a number of questions to their government on the subject of the latter's use of surveillance techniques (original PDF in German). Most of the answers were the kind of thing you might expect -- "we can't possibly go into details" etc. etc. -- but one was surprising. To the question:

Is the technology used also capable of decrypting at least partially, or evaluating, encrypted communications (eg via SSH or PGP)?

Yes, the technology used is generally able to do that, depending on the type and quality of the encryption.

Is encrypting my email any good at defeating the NSA survelielance? Id my data protected by standard encryption?

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc (VZ)., Sprint Nextel Corp. (S), Level 3 Communications Inc (LVLT). and CenturyLink Inc (CTL). -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

According to this article in Crikey, the secret services in Australia have apparently woken up to this fact; but rather than convince their government that data retention is therefore an expensive and intrusive waste of time, they have decided to take the damage to the next level:

In a major admission, the Attorney-General's Department has revealed Australia's intelligence and law enforcement agencies are seeking the legal power to break into internet routing encryption services such as Tor, after admitting the centerpiece of its proposed national security reforms, data retention, will be "trivially easy" to defeat.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.

Californians have learned to ignore Proposition 65 labels because they are white noise: they don't communicate anything about degrees of danger or probabilities.

When I went through the San Jose airport Saturday morning in a long line at TSA, we passengers were subjected to John Pistole's warning, on an infinite loop, of the dangers of terrorism. We've all seen enough to know that it's not that dangerous. So we tend to ignore government warnings.

So when there really is a high-probability threat and the government warns us, we tend to dismiss that too. Government cries wolf way too often.

We were worried about the part of the DMCA called 17 U.S.C. § 1201(a)(1), which says that “No person shall circumvent a technological measure that effectively controls access to a work protected under [copyright law].” We had to disable the rootkit to detect what it was hiding, and we had to partially disable the software to figure out what it was doing. An angry record company might call either of those steps an act of circumvention, landing us in court. Instead of talking to the public, we talked to our lawyer.

The research community saw this problem coming and repeatedly asked Congress to amend the bill that would become the DMCA, to create an effective safe harbor for research. There was a letter to Congress from 50 security researchers (including me), another from the heads of major scientific societies, and a third from the leading professional society for computer scientists. But with so much at stake in the act for so many major interests, our voice wasn’t heard. As they say in Washington, we didn’t have a seat at the table.

Congress did give us a research exemption, but it was so narrowly defined as to be all but useless. (So perhaps we did have a seat—at the kids’ table.) I’ll spare you the details, but basically, there is a 116-word section of the Act titled “Permissible Acts of Encryption Research,” and it appears to have been written without consulting any researchers. There may be someone, somewhere, who has benefited from this exemption, but it fails to protect almost all of the relevant research. It didn’t protect Alex and me, because we were investigating spyware that didn’t rely on the mathematical operations involved in encryption.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.

[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

During the proceedings, Walker's attorneys objected to the presence of media in the courtroom and then the discussion evolved to the illicit microphones that were placed on the judge's bench and behind books on both sides of counsel table. According to the complaint, which asks for a permanent injunction, "It was then learned that these privileged communications were instantaneously transferred to the headquarters of TMZ Enterprises."

Walker says that as a result of TMZ's conduct, he has experienced "tremendous fear and distrust of the judicial system" and is suing for wiretapping, invasion of privacy, intentional infliction of emotional distress and eavesdropping on confidential communication. He's seeking $100,000 in actual damages and more in punitive damages.

The complaint also asserts that TMZ's "conduct is ongoing" and violates attorney-client privilege. Asking for a permanent injunction over TMZ's alleged conduct, the plaintiff says "its threat to the public interest is tremendous. No matter who the alleged victim in a case is, there can be no lawful justification."

• Eviscerating existing privacy laws by giving overly broad legal immunity to companies who share users' private information, including the content of communications, with the government.
• Authorizing companies to disclose users' data directly to the NSA, a military agency that operates secretly and without public accountability.
• Broad definitions that allow users' sensitive personal information to be used for a range of purposes, including for "national security," not just computer and network security.

"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs, who is a long-time friend and colleague, told me. "The first thing I said was: 'You've got to be kidding me.'"

In all, there were at least a dozen officers with pistols, shotguns, and assault rifles pointed at him. They had police dogs circling his house and cruisers had sealed off a nearby street. Krebs, who was dressed in just gym shorts and a T-shirt, complied. Wisely.

"Two different guys were barking orders at me," he continued. "I finally said: 'Which way should I go?'" One officer told Krebs to lie on the ground, but before he could comply the other cop ordered Krebs to walk backwards. Eventually, "they put the cuffs on me and took me up the street. I was freezing the whole time."

After about five minutes in custody, Krebs explained that he was the victim of a monstrous crime known as swatting. One of the officers asked if Krebs was the person who had filed a report a few months earlier. When Krebs replied yes, the officers did a quick search of his home. With preparations for a dinner party clearly on display, it quickly became apparent that Krebs' home was not a crime scene and that the call was part of a fiendish plot. An officer told him later that they had tried calling him before he opened his front door but no one had answered the phone.

Often local police are left to investigate, even when the perpetrators may be half a world away. He wants that to change. "Your local police department, the ones that are responding to these distress calls, they don't have the bandwidth," he said. "This is an area where federal law enforcement needs to be coordinating investigations. I'd like to see some sort of recognition or statement from federal law enforcement that this is something they're actively investigating."

Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is a good news and a bad news. The good news is with this browser, they are no more doing Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over HTTP connection to their server

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Compare the dangers of air travel to those of driving. To make flying as dangerous as using a car, a four-plane disaster on the scale of 9/11 would have to occur every month, according to analysis published in the American Scientist. Researchers at Cornell University suggest that people switching from air to road transportation in the aftermath of the 9/11 attacks led to an increase of 242 driving fatalities per month—which means that a lot more people died on the roads as an indirect result of 9/11 than died from being on the planes that terrible day. They also suggest that enhanced domestic baggage screening alone reduced passenger volume by about 5 percent in the five years after 9/11, and the substitution of driving for flying by those seeking to avoid security hassles over that period resulted in more than 100 road fatalities.

According to one estimate of direct and indirect costs borne by the U.S. as a result of 9/11, the New York Times suggested the attacks themselves caused $55 billion in "toll and physical damage," while the economic impact was $123 billion. But costs related to increased homeland security and counterterrorism spending, as well as the wars in Iraq and Afghanistan, totaled $3,105 billion. Mueller and Stewart estimate that government spending on homeland security over the 2002-11 period accounted for around $580 billion of that total.

If you had asked us two years or two months or two days ago if we thought that there would be a time in the near future when Securities and Exchange employees would not be regularly reprimanded for watching porn on their work-issued computers for 98 percent of the workday, we would have said absolutely not. No judgment, but in our professional opinion, people do not go from, among other things:

* Receiving “over 16,000 access denials for Internet websites classified by the Commission’s Internet filter as either “Sex” or “Pornography” in a one-month period”

* Accessing “Internet pornography and downloading pornographic images to his SEC computer during work hours so frequently that, on some days, he spent eight hours accessing Internet pornography…downloading so much pornography to his government computer that he exhausted the available space on the computer hard drive and downloaded pornography to CDs or DVDs that he accumulated in boxes in his office.”

…to living a porn-free existence at l’office.

Several Securities and Exchange Commission staffers responsible for monitoring the markets and exchanges broadly misused computer equipment to download music and failed to properly safeguard sensitive information, a report has found.

The report also found that the staffers failed to protect their computers and devices from hackers, even as they were urging exchanges and clearing agencies to do just that.

Although no breaches occurred, the staffers left sensitive stock exchange data exposed to potential cyber attacks because they failed to encrypt the devices or even install basic virus protection programs.

The report says the staff may have brought the unprotected laptops to a Black Hat convention where hacking experts discuss the latest trends. They also used them to tap into public wireless networks and brought the devices along with them during exchange inspections.

[T]he full report... details an even broader array of problems, from misleading the SEC about the office's need to buy Apple Inc products, to cases in which staffers took iPads and laptops home and used them primarily for pursuits such as personal banking, surfing the Web and downloading music and movies.

Rymer found that the office did not have any planning or oversight into its purchases of computer equipment. From 2006 through 2010, the office got permission to spend $1.8 million on technology devices.

Defendants' acts have not only harmed Plaintiffs and Class members by subjecting their Private Information to hackers, they have harmed Plaintiffs and Class members by devaluing their video games -- purchased from Defendants under certain assurances of security -- by adding elements of risk to each and every act of playing said games.

Moreover, rather than shouldering the burden of adopting sufficient security measures to prevent these repeated hacks and to protect the Private Information of their customers, Defendants instead have informed their customers, after the point of sale, that they must purchase additional security products in order to ensure the sanctity of their Private Information. These additional, post-purchase costs for security products -- which Defendants assert are the only measures that may be taken to ensure something even approximating account security when playing their video games -- were not disclosed to Plaintiffs and Class members prior to the purchase of Defendants' products.

The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. You can read our letter to players and a comprehensive FAQ related to the situation on our website.

The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.

When a player attaches an Authenticator to his or her account, it means that logging in to Battle.net will require the use of a random code generated by the Authenticator in addition to the player’s login credentials. This helps our systems identify when it’s actually the player who is logging in and not someone who might have stolen the player’s credentials by means of one of the external theft measures mentioned above, or as a result of the player using the same account name and password on another website or service that was compromised. Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.

Many players have voiced strong approval for our security-related efforts. Blizzard deeply appreciates the outpouring of support it has received from its players related to the frivolous claims in this particular suit."

Aware of the problems with the official e-mail system, Essex County Clerk Christopher Durkin suggested an alternative option: "Displaced voters can email a request for a ballot at cj_durkin@hotmail.com," according to a post on the Facebook page of the town of West Orange, NJ. Interestingly, security researcher Ashkan Soltani notes that Durkin's Hotmail address has his mother's maiden name as a "password recovery" question. This means that anyone who can figure out Durkin's mother's maiden name could seize control of his Hotmail account and intercept voters' official ballot requests.

The Open Wireless Movement envisions a world where people readily have access to open wireless Internet connections—a world where sharing one's network in a way that ensures security yet preserves quality is the norm. Much of this vision is attainable now. In fact, many people have routers that already feature "guest networking" capabilities. To make this even easier, we are working with a coalition of volunteer engineers to build technologies that would make it simple for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access. And we're working with advocates to help change the way people and businesses think about Internet service.

We're also teaching the world about the many benefits of open wireless in order to help society move away from closed networks and to a world in which open access is the default. We are working to debunk myths (and confront truths) about open wireless while creating technologies and legal precedent to ensure it is safe, private, and legal to open your network.

Discomfort with the government’s capacity, technical or legal, to collect and retain massive amounts of personal information is understandable. But the 2008 FISA amendments sought a compromise between two essential goals: preserving American liberty and robustly defending Americans’ lives and property. We favored the law and believe that it should be extended.

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable."

All-in-all, the Dutch proposal has to be one of the most foolish ever presented by a government in this area, and shows the folly of trying to come up with quick fixes for the currently-fashionable issue of "cybercrime", instead of really thinking through the consequences. Let's hope calmer heads prevail, and the proposal is withdrawn.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Matonis reviews the limited US case law here, and concludes:

To say the cryptocurrency bitcoin is disruptive would be an understatement. Bitcoin not only disrupts payments and monetary sovereignty, it also disrupts the legal enforcement of anti-money laundering laws, asset seizure, and capital controls. It is very likely that a key disclosure case will make it to the U.S. Supreme Court where it is far from certain that the Fifth Amendment privilege, as it relates to a refusal to decrypt bitcoin assets, will be universally upheld.

Follow me @glynmoody on Twitter or identi.ca, and on Google+