Runefox writes "Cerulean Studios, the company behind the long-lived Trillian instant messaging client, has released preliminary specifications to their proprietary "Astra" protocol, now named IMPP (Instant Messaging and Presence Protocol), which provides continuous client functionality as well as mandatory TLS encryption for clients. According to their blog, Cerulean Studios' motivation for the release is to promote interoperability among the throngs of IM services and clients available by allowing others to also use the protocol. Future concepts include federation with XMPP. While the documentation is in an early state and the protocol is claimed to still be in development, it is hoped that it will help decentralize the very heavily fragmented messaging ecosystem. It's implied that, in turn, greater options for privacy may become available in the wake of the PRISM scandal via privately-run federated servers, unaffiliated with major networks, yet still able to communicate with them."
Want business-intelligence news delivered to your inbox? Signup for SlashBI Update now.
Writing "Wow, this is going to really set the cat amongst the pigeons once this gets around," an anonymous reader links to a story at The Guardian about some good old fashioned friendly interception, and the slide-show version of what went on at recent G20 summits in London: "Foreign politicians' calls and emails intercepted by UK intelligence; Delegates tricked into using fake internet cafes; GCHQ analysts sent logs of phone calls round the clock; Documents are latest revelations from whistleblower Edward Snowden."
c0lo writes "Kim Dotcom alleges, in an 20 min interview with the Australian public television, that Megaupload was offered up by the New Zealand's PM 'on a silver platter' as part of negotiations with Warner Brothers executives for shooting The Hobbit in New Zealand. He promises that he'll substantiate the claims in court. He also says that the extradition case the U.S. government is weak and the reason behind the latest delay in extradition hearing (postponed from August this year to March next year) is an attempt to bleed Dotcom dry of his money. Also interesting, Dotcom says that the latest debacle of the massive scale online online surveillance by U.S. spy agencies has triggered an 'explosion' of interest in mega.co.nz, the 'cloud storage' site with user generated encryption."
First time accepted submitter jarle.aase writes "It's doable today to use a mix of virtual machines, VPN, TOR, encryption (and staying away from certain places; like Google Plus, Facebook, and friends), in order to retain a reasonable degree of privacy. In recent days, even major mainstream on-line magazines have published such information. (Aftenposten, one of the largest newspapers in Norway, had an article yesterday about VPN, Tor and Freenet!) But what about the cell-phone? Technically it's not hard to design a phone that can switch off the GSM transmitter, and use VoIP for calls. VoIP could then go from the device through Wi-Fi and VPN. Some calls may be routed trough PSTN gateways — allowing the agencies to track the other party. But they will not track your location. And they will not track pure, encrypted VoIP calls that traverse trough VPN and use anonymous SIP or XMPP accounts. Android may not be the best software for such a device, as it very eagerly phones home. The same is true for iOS and Windows 8. Actually, I would prefer a non cloud-based mobile OS from a vendor that is not in the PRISM gallery. Does such a device exist yet? Something that runs a relatively safe OS, where GSM can be switched totally off? Something that will only make an outgoing network connection when I ask it to do so?" And in the absence of a perfect solution, what do you do instead? (It's still Android and using the cell network, but Red Phone — open sourced last year — seems like a good start.)
Nerval's Lobster writes "If those newspaper reports are accurate, the NSA's surveillance programs are enormous and sophisticated, and rely on the latest in analytics software. In the face of that, is there any way to keep your communications truly private? Or should you resign yourself to saying or typing, 'Hi, NSA!' every time you make a phone call or send an email? Fortunately there are ways to gain a measure of security: HTTPS, Tor, SCP, SFTP, and the vendors who build software on top of those protocols. But those host-proof solutions offer security in exchange for some measure of inconvenience. If you lose your access credentials, you're likely toast: few highly secure services include a 'Forgot Your Password?' link, which can be easily engineered to reset a password and username without the account owner's knowledge. And while 'big' providers like Google provide some degree of encryption, they may give up user data in response to a court order. Also, all the privacy software in the world also can't prevent the NSA (or other entities) from capturing metadata and other information. What do you think is the best way to keep your data locked down? Or do you think it's all a lost cause?"
Lauren Weinstein writes "Now, what's really going on with PRISM? The government admits that the program exists, but says it is being 'mischaracterized' in significant ways (always a risk with secret projects sucking up information about your citizens' personal lives). The Internet firms named in the leaked documents are denying that they have provided 'back doors' to the government for data access. Who is telling the truth? Likely both. Based on previous information and the new leaks, we can make some pretty logical guesses about the actual shape of all this. Here's my take."
Bennett Haselton writes with his take on a case going back and forth in U.S. courts right now about whether a defendant can be ordered to decrypt his own hard drives when they may incriminate him. "A Wisconsin defendant in a criminal child-pornography case recently invoked his Fifth Amendment right to avoid giving the FBI the password to decrypt his hard drive. At the risk of alienating fellow civil-libertarians, I admit I've never seen the particular value of the Fifth Amendment right against self-incrimination. So I pose this logical puzzle: come up with a specific, precisely defined scenario, where the Fifth Amendment makes a positive difference." Read on for the rest of Bennett's thoughts.
hansamurai writes with an update to a story we've been following for a while. Jeffrey Feldman is at the center of an ongoing case about whether or not crime suspects can be forced to decrypt their own hard drives. (Feldman is accused of having child pornography on his hard drives.) After initially having a federal judge say Feldman was protected by the Fifth Amendment, law enforcement officials were able to break the encyption on one of his many seized storage devices. The decrypted contents contained child pornography, so a different judge said the direct evidence of criminal activity meant Feldman was not protected anymore by the Fifth Amendment. Now, a third judge has granted the defense attorney's emergency motion to rescind that decision, saying Feldman is once again (still?) protected by the Fifth Amendment. Feldman's lawyer said, "I will move heaven and earth to make sure that the war on the infinitesimal amount of child pornography that recirculates on the Internet does not eradicate the Fifth Amendment the way the war on drugs has eviscerated the Fourth Amendment. This case is going to go many rounds. Regardless of who wins the next round, the other side will appeal, invariably landing in the lap of the Seventh Circuit Court of Appeals and quite possibly the U.S. Supreme Court. The grim reality facing our country today is one where we currently have a percentage of our population behind bars that surpasses even the heights of the gulags in Stalinist Russia. On too many days criminal lawyers lose all rounds. But for today: The Shellow Group: 1, Government: 0."
An anonymous reader writes "After having first decided against forcing a suspect to decrypt a number of hard drives that were believed to be his and to contain child pornography, a U.S. judge has changed his mind and has now ordered the suspect to provide law enforcement agents heading the investigation with a decrypted version of the contents of his encrypted data storage system, or the passwords needed to decrypt forensic copies of those storage devices. Jeffrey Feldman, a software developer at Rockwell Automation, has still not been charged with any crime, and the prosecution initially couldn't prove conclusively that the encrypted hard drives contained child pornography or were actually Feldman's, which led U.S. Magistrate Judge William Callahan to decide that forcing him to decrypt them would violate his Fifth Amendment right against self-incrimination. But new evidence has made the judge reverse his first decision (PDF): the FBI has continued to try to crack the encryption on the discs, and has recently managed to decrypt and access one of the suspect's hard drives... The storage device was found to contain 'an intricate electronic folder structure comprised of approximately 6,712 folders and subfolders,' approximately 707,307 files (among them numerous files which constitute child pornography), detailed personal financial records and documents belonging to the suspect, as well as dozens of his personal photographs."
zrbyte writes "One-time pads are the holy grail of cryptography — they are impossible to crack, even in principle. However, the ability to copy electronic code makes one-time pads vulnerable to hackers. Now engineers at the California Institute of Technology in Pasadena, have found a way around this to create a system of cryptography that is invulnerable to electronic attack. Their solution is based on a special kind of one-time pad that generates a random key through the complexity of its physical structure, namely shining a light through a diffusive glass plate."
benrothke writes "Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA) and 2 of its 3 authors not been attorneys; one would have thought the book is a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security. With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers." Read below for the rest of Ben's review.
New submitter ukemike points out an article at CNET reporting on a how there's a "waiting list" for Apple to decypt iPhones seized by various law enforcement agencies. This suggests two important issues: first, that Apple is apparently both capable of and willing to help with these requests, and second, that there are too many of them for the company to process as they come in. From the article: "Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year. An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, 'contacted Apple to obtain assistance in unlocking the device,' U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was 'placed on a waiting list by the company.' A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he "attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock' an iPhone 4S. But after each police agency responded by saying they 'did not have the forensic capability,' Maynard resorted to asking Cupertino. Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."
Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"
First time accepted submitter ememisya writes "Ever thought it might be a good idea to store encrypted data in a QRCode video? Using this technique one could easily store 10GB of data to be available anywhere in the world, and completely free."
mikejuk writes with news of an advancement for homomorphic encryption and open source: "To be fully homomorphic the code has to be such that a third party can add and multiply numbers that it contains without needing to decrypt it. In other words they can change the data by working with just the encrypted version. This may sound like magic but a fully homomorphic scheme was invented in 2009 by Craig Gentry. This was a step in the right direction but the problem was that it is very inefficient and computationally intensive. Since then there have been a number of improvements that make the scheme practical in the right situations Now Victor Shoup and Shai Halevi of the IBM T J Watson Research Center have released an open source (GPL) C++ library, HElib, as a Github project. The code is said to incorporate many optimizations to make the encryption run faster. Homomorphic encryption has the potential to revolutionize security by allowing operations on data without the need to decrypt it."
Jeremiah Cornelius writes with what looks to be part of CISPA III: Children of CISPA. From the article: "A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur. ... 'The importance to us is pretty clear,' says Andrew Weissmann, the FBI's general counsel. 'We don't have the ability to go to court and say, "We need a court order to effectuate the intercept." Other countries have that.' Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. 'This proposal is a non-starter that would drive innovators overseas and cost American jobs,' said Greg Nojeim, a senior counsel at the Center for Democracy and Technology. 'They might as well call it the Cyber Insecurity and Anti-Employment Act.'"
Virtucon writes "U.S. Magistrate William Callahan Jr. of Wisconsin has ruled in favor of the accused in that he should not have to decrypt his storage device. The U.S. Government had sought to compel Feldman to provide his password to obtain access to the data. Presumably the FBI has had no success in getting the data and had sought to have the judge compel Feldman to provide the decrypted contents of what they had seized. The Judge ruled (PDF): 'This is a close call, but I conclude that Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with "reasonably particularity" — namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.'" If the government has reasonable suspicion that you have illicit data, they can still compel you to decrypt it.
hypnosec writes "Authorities in Japan are presumably worried about their inability to tackle cybercrime and, in a bid to stem one of the sources of anonymous traffic, the National Police Agency (NPA) is asking ISPs to block Tor. The recommendation comes from the special panel formed by the NPA after a hacker going by the name Demon Killer was found to regularly use Tor to anonymize his online activities, like posting of death threats on public message boards."
Sparrowvsrevolution writes "Bitcoin's recent spike and then collapse in value has convinced many that it's too unstable to use as a practical currency. But not the founder of Silk Road, the black market drug site that exclusively accepts Bitcoin in exchange for heroin, cocaine and practically every other drug imaginable. Silk Road's creator, who calls himself the Dread Pirate Roberts, broke his usual media silence to issue a short statement that Silk Road will survive Bitcoin's bubble and bust. The market's prices are generally pegged to the dollar, with prices in Bitcoin fluctuating to account for movements in the exchange rate. And Roberts explained that vendors on the site have the option to also hedge the Bitcoins that buyers place in escrow for their products, so that they can't lose money due to Bitcoin's volatility while the drugs are in the mail. As a result, only about 1,000 of the site's more than 11,000 product listings were taken down during the recent crash."