The Courts

Newegg Beats Patent Troll Over SSL and RC4 Encryption 90 90

New submitter codguy writes to note that a few days ago, and after a previous failed attempt to fight patent troll TQP Development in late 2013, Newegg has now beaten this troll in a rematch. From the linked post: "Newegg went against a company that claimed its patent covered SSL and RC4 encryption, a common encryption system used by many retailers and websites. This particular patent troll has gone against over 100 other companies, and brought in $45 million in settlements before going after Newegg." This follows on Intuit's recent success in defending itself against this claim.
ch

Swiss Researchers Describe a Faster, More Secure Tor 59 59

An anonymous reader writes: Researchers from the Swiss Federal Institute of Technology and University College London published a paper this week describing a faster and more secure version of Tor called HORNET. On one hand, the new onion routing network can purportedly achieve speeds of up to 93 gigabits per second and "be scaled to support large numbers of users with minimal overhead". On the other hand, researchers cannot claim to be immune to "confirmation attacks" known to be implemented on Tor, but they point out that, given how HORNET works, perpetrators of such attacks would have to control significantly more ISPs across multiple geopolitical boundaries and probably sacrifice the secrecy of their operations in order to successfully deploy such attacks on HORNET.
Bug

The OpenSSH Bug That Wasn't 55 55

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.
Encryption

Tomb, a Successor To TrueCrypt For Linux Geeks 114 114

jaromil writes: Last day we released Tomb version 2.1 with improvements to stability, documentation and translations. Tomb is just a ZSh script wrapping around cryptsetup, gpg and other tools to facilitate the creation and management of LUKS encrypted volumes with features like key separation, steganography, off-line search, QRcode paper backups etc. In designing Tomb we struggle for minimalism and readability, convinced that the increasing complexity of personal technology is the root of many vulnerabilities the world is witnessing today — and this approach turns out to be very successful, judging from the wide adoption, appreciation and contributions our project has received especially after the demise of TrueCrypt.

As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and more in general about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such a software, considering the human-interface side of things is an easy to reach surface of attack, I can certainly use some advice and criticism.
Security

How Developers Can Rebuild Trust On the Internet 65 65

snydeq writes: Public keys, trusted hardware, block chains — InfoWorld's Peter Wayner discusses tech tools developers should be investigating to help secure the Internet for all. 'The Internet is a pit of epistemological chaos. As Peter Steiner posited — and millions of chuckles peer-reviewed — in his famous New Yorker cartoon, there's no way to know if you're swapping packets with a dog or the bank that claims to safeguard your money,' Wayner writes. 'We may not be able to wave a wand and make the Internet perfect, but we can certainly add features to improve trust on the Internet. To that end, we offer the following nine ideas for bolstering a stronger sense of assurance that our data, privacy, and communications are secure.'
Security

New RC4 Encryption Attacks Reduces Plaintext Recovery Time 44 44

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim's cookie and decrypt it in a much shorter amount of time than was previously possible. The paper "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as the WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.
Privacy

Anonymizing Wi-Fi Device Project Unexpectedly Halted 138 138

An anonymous reader notes that a project to develop an anonymizing Wi-Fi device has been canceled under mysterious circumstances. The device, called Proxyham, was unveiled a couple weeks ago by Rhino Security Labs. They said it would use low-frequency radio channels to connect a computer to public Wi-Fi hotspots up to 2.5 miles away, thus obscuring a user's actual location. But a few days ago the company announced it would be halting development and canceling a talk about it at Def Con, which would have been followed with a release of schematics and source code. They apologized, but appear to be unable to say anything further.

"In fact, all [the speaker] can say is that the talk is canceled, the ProxyHam source code and documentation will never be made public, and the ProxyHam units developed for Las Vegas have been destroyed. The banner at the top of the Rhino Security website promoting ProxyHam has gone away too. It's almost as if someone were trying to pretend the tool never existed." The CSO article speculates that a government agency killed the project and issued a gag order about it. A post at Hackaday calls this idea absurd and discusses the hardware needed to build a Proxyham. They say using it would be "a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges — but so will blowing up a mailbox with some firecrackers." They add, "What you’re seeing is just the annual network security circus and it’s nothing but a show."
Google

Encryption Rights Community: Protecting Our Rights To Strongly Encrypt 140 140

Lauren Weinstein writes: Around the world, dictatorships and democracies alike are attempting to restrict access to strong encryption that governments cannot decrypt or bypass on demand. Firms providing strong encryption to protect their users — such as Google and Apple — are now being accused by government spokesmen of "aiding" terrorism by not making their users' communications available to law enforcement on demand. Increasingly, governments that have proven incapable of protecting their own systems from data thefts are calling for easily abused, technologically impractical government "backdoors" in commercial encryption that would put all private communications at extreme risk of attacks. This new G+ community will discuss means and methods to protect our rights related to encrypted communications, unfettered by government efforts to undermine our privacy in this context.
Communications

For £70,000, You Might Be Able to Own an Enigma 65 65

In 2007, we mentioned the eBay sale of an Enigma machine; now, The Guardian reports that another one is to be auctioned off next week, with an expected selling price of about £70,000 (at this writing, that's about $108,000). According to the article, "The machine being offered for sale, which dates from 1943 and currently belongs to a European museum, will go under the hammer at Sotheby's in London on Tuesday." The new owner may have need of a restoration manual and some reproduction batteries.
Privacy

Snoopers' Charter Could Mean Trouble For UK Users of Encryption-Capable Apps 174 174

An anonymous reader writes with a story at IB Times that speculates instant messaging apps which enable encrypted communications (including Snapchat, Facebook Messenger and iMessage) could be banned in the UK under the so-called Snooper's Charter now under consideration. The extent of the powers that the government would claim under the legislation is not yet clear, but as the linked article says, it "would allow security services like the Government Communications Headquarters, or GCHQ, and MI5, or Military Intelligence Section 5, to access instant messages sent between people to and from the country," and evidently "would give the government right to ban instant messaging apps that use end-to-end encryption." That might sound outlandish, but reflects a popular and politically safe sentiment: "'In our country, do we want to allow a means of communication between people which we cannot read? My answer to that question is: "No, we must not,"' [Prime Minister] Cameron said earlier this year following the Charlie Hebdo shooting in Paris."
Encryption

The Rise of the New Crypto War 91 91

blottsie writes: For more than 20 years, the U.S. government has been waging a war on encryption, with the security and privacy of all Americans at stake. Despite repeated warnings from security experts, the FBI and other agencies continue to push tech companies to add "backdoors" to their encryption. The government's efforts, which have angered tech companies and researchers, are part of a long-running campaign to pry into every secure system—no matter what the consequences. This article takes readers from the first Crypto War of the early 1990s to the present-day political battle to keep everyone who uses the Internet safe.
United Kingdom

UK Privacy Advocate Caspar Bowden Dies 16 16

wendyg writes: Many outlets are reporting that UK privacy advocate Caspar Bowden has died. For ten years or so, Caspar was one of Microsoft's leading privacy officers, but he is most significantly known as a tireless campaigner against back-doored encryption and key escrow. As a founder of the Foundation for Information Policy Research, he spent countless hours studying the legislation that became the Regulation of Investigatory Powers Act and was instrumental in keeping some of the worst proposals out of the eventual law. Campaigners from Privacy International, Big Brother Watch, Open Rights Group, and No2ID all speak of how important his advice and insight were in their work.
Encryption

OpenSSL Patches Critical Certificate Forgery Bug 45 45

msm1267 writes: The mystery OpenSSL patch released today addresses a critical certificate validation issue where anyone with an untrusted TLS certificate can become a Certificate Authority. While serious, the good news according to the OpenSSL Project is that few downstream organizations have deployed the June update where the bug was introduced. From the linked piece: The vulnerability allows an attacker with an untrusted TLS certificate to be treated as a certificate authority and spoof another website. Attackers can use this scenario to redirect traffic, set up man-in-the-middle attacks, phishing schemes and anything else that compromises supposedly encrypted traffic. [Rich Salz, one of the developers] said there are no reports of public exploits.
Programming

WebAssembly and the Future of JavaScript 175 175

Nerval's Lobster writes: WebAssembly is the next stage in the evolution of client-side scripting. In theory, it will improve on JavaScript's speed. That's not to say that JavaScript is a slowpoke: Incremental speed improvements have included the rollout of asm.js (an optimized subset) in 2013. But WebAssembly—while not a replacement for JavaScript—is intended as a "cure" for a variety of issues where JavaScript isn't always a perfect fit, including video editing, encryption, peer-to-peer, and more. (Here's a full list of the Web applications that WebAssembly could maybe improve.) If WebAssembly is not there to replace JavaScript but to complement it, the key to the integration rests with the DOM and Garbage Collected Objects such as JavaScript strings, functions (as callable closures), Typed Arrays and Typed objects. The bigger question is, will WebAssembly actually become something big, or is it ultimately doomed to suffer the fate of other hyped JavaScript-related platforms such as Dart (a Google-only venture), which attracted buzz ahead of a Minimum Viable Product release, only to quickly fade away afterward?
The Media

Ask Slashdot: Which Expert Bloggers Do You Read? 203 203

An anonymous reader writes: The crush of news sites today is almost overwhelming. For true bits of news — bare facts and alerts that something has happened — it doesn't really matter which site you read it on. Some tiny, no-name website can tell me $company1 bought $company2 just as well as Reuters, CNN, or the NY Times. When it comes to opinion pieces and analysis, though, it's a different story. One of the generalist tech bloggers at the NY Times probably isn't going to have many worthwhile posts comparing database sorting algorithms or explaining the Cassini spacecraft's orbital path or providing soldering techniques for fixing a busted monitor. An example most of us are familiar with: Bruce Schneier generally provides good advice on security and encryption. So: what expert bloggers do you keep tabs on? I'm not looking for any particular posting frequency. This type of person I'm thinking of is probably not a journalist, and may not post very often at all — posting frequency matters far less than the signal-to-noise ratio. My goal is to build a big list of smart people who write interesting things — mainly for topics you'd expect to see on Slashdot, but I'm open to other subjects, as well.
Security

Crypto Experts Blast Gov't Backdoors For Encryption 102 102

loid_void writes with a link to a New York Times report about some of the world's best-known cryptography experts, who have prepared a report which concludes that there is no viable technical solution which "would allow the American and British governments to gain "exceptional access" to encrypted communications without putting the world's most confidential data and critical infrastructure in danger." From the article: [T]he government’s plans could affect the technology used to lock financial institutions and medical data, and poke a hole in mobile devices and the countless other critical systems — including pipelines, nuclear facilities, the power grid — that are moving online rapidly. ... “The problems now are much worse than they were in 1997,” said Peter G. Neumann, a co-author of both the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon Valley research laboratory. “There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything down further.” The authors include Neumann, Harold Abelson, Susan Landau, and Bruce Schneier.
Programming

Linux 4.2-rc1 Is One of the Largest Kernel Releases of Recent Times 110 110

An anonymous reader writes: Linus Torvalds ended the Linux 4.2 kernel merge window today by releasing Linux 4.2-rc1. He quickly wrote, "I thought this release would be one of the biggest ones ever, but it turns out that it will depend on how you count." By most metrics, Linux 4.2 is shaping up to be a very large release. Linux 4.2 is bringing plenty of new features including the new 'AMDGPU' kernel graphics driver, Intel Broxton support, NCQ TRIM improvements, F2FS file-system encryption, new ARM CPU/board support, Renesas R8/300 arch support, and many other additions.
DRM

Microsoft Edge, HTML5, and DRM 140 140

An anonymous reader writes: Microsoft is building its new browser, Edge, with the intention of avoiding many of the flaws that plagued Internet Explorer over its long and tumultuous life. Part of this involves moving away from plug-ins, and Edge will not support ActiveX. Instead, they're focusing on interoperable media, and that means non-plug-in video players that meet HTML5 specs. Of course, not all video players want to disseminate their content for free, which means: DRM. Microsoft's Edge team has published a new post explaining how they'll be handling support for DRM and "premium media" in the new browser.

They say, "Windows 10 and Microsoft Edge support DASH, MSE, EME and CENC natively, and other major browsers ship implementations of MSE and CENC compliant EME. This support allows developers to build plug-in free web video apps that runs across a huge range of platforms and devices, with each MSE/EME implementation built on top of a different media pipeline and DRM provider. In the days when DRM systems used proprietary file formats and encryption methods, this variation in DRM providers by browser would have presented a significant issue. With the development and use of Common Encryption (CENC), the problem is substantially reduced because the files are compressed in standard formats and encrypted using global industry standards. The service provider issues the keys and licenses necessary to consume the content in a given browser, but the website code, content and encryption keys are common across all of them, regardless of which DRM is in use."
Firefox

Firefox 39 Released, Bringing Security Improvements and Social Sharing 172 172

An anonymous reader writes: Today Mozilla announced the release of Firefox 39.0, which brings an number of minor improvements to the open source browser. (Full release notes.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 and disabled use of RC4 except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes.) The Mac OS X version of Firefox is now running Project Silk, which makes animations and scrolling noticeably smoother. Developers now have access to the powerful Fetch API, which should provide a better interface for grabbing things over a network.
Encryption

Cameron Asserts UK Gov't Will Leave No "Safe Space" For Private Communications 260 260

An anonymous reader writes with the story from Ars Technica that UK prime minister David Cameron "has re-iterated that the UK government does not intend to 'leave a safe space — a new means of communication — for terrorists to communicate with each other.'" That statement came Monday, as a response to Conservative MP David Bellingham, "who asked [Cameron, on the floor of the House of Commons] whether he agreed that the 'time has come for companies such as Google, Facebook and Twitter to accept and understand that their current privacy policies are completely unsustainable?' To which Cameron replied: 'we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on.'" This sounds like the UK government is declaring a blustery war on encryption, and it might not need too much war: some companies can be persuaded (or would be eager) to cooperate with the government in handing over all kinds of information. However, the bluster part may leave even the fiercest surveillance mostly show: as Ars writer Glyn Moody asks, what about circumstances "where companies can't hand over keys, or where there is no company involved, as with GnuPG, the open source implementation of the OpenPGP encryption system?" Or Tor?