Tag Archives: Google

MacBookAir-USB-c

Shhh… The USB-C Makes those new MacBooks More Vulnerable

You may want to think twice about the new MacBook.

Apple may have ideas about its newly introduced USB-C but widely reported vulnerabilities of USB devices amplify big troubles ahead, as the following article explains.

MacBookAir-USB-c2

The NSA Is Going to Love These USB-C Charging Cables

Mario Aguilar
3/17/15 12:35pm

Thanks to Apple’s new MacBook and Google’s new Chromebook Pixel, USB-C has arrived. A single flavor of cable for all your charging and connectivity needs? Hell yes. But that convenience doesn’t come without a cost; our computers will be more vulnerable than ever to malware attacks, from hackers and surveillance agencies alike.

The trouble with USB-C stems from the fact that the USB standard isn’t very secure. Last year, researchers wrote a piece of malware called BadUSB which attaches to your computer using USB devices like phone chargers or thumb drives. Once connected, the malware basically takes over a computer imperceptibly. The scariest part is that the malware is written directly to the USB controller chip’s firmware, which means that it’s virtually undetectable and so far, unfixable.

Before USB-C, there was a way to keep yourself somewhat safe. As long as you kept tabs on your cables, and never stuck random USB sticks into your computer, you could theoretically keep it clean. But as The Verge points out, the BadUSB vulnerability still hasn’t been fixed in USB-C, and now the insecure port is the slot where you connect your power supply. Heck, it’s shaping up to be the slot where you connect everything. You have no choice but to use it every day. Think about how often you’ve borrowed a stranger’s power cable to get charged up. Asking for a charge from a stranger is like having unprotected sex with someone you picked up at the club.

What the Verge fails to mention however, is that it’s potentially much worse than that. If everyone is using the same power charger, it’s not just renegade hackers posing as creative professionals in coffee shops that you need to worry about. With USB-C, the surveillance establishment suddenly has a huge incentive to figure out how to sneak a compromised cable into your power hole.

It might seem alarmist and paranoid to suggest that the NSA would try to sneak a backdoor into charging cables through manufacturers, except that the agency has been busted trying exactly this kind of scheme. Last year, it was revealed that the NSA paid security firm RSA $10 million to leave a backdoor in their encryption unpatched. There’s no telling if or when or how the NSA might try to accomplish something similar with USB-C cables, but it stands to reason they would try.

We live in a world where we plug in with abandon, and USB-C’s flexibility is designed to make plugging in easier than ever. Imagine never needing to guess whether or not your aunt’s house will have a charger for your phone. USB-C could become so common that this isn’t even a question. Of course she has one! With that ubiquity and convenience comes a risk that the tech could become exploited—not just by criminals, but also by the government’s data siphoning machine.

Hacked

Shhh… Anatomy of a Hack – What Should You Do After You’re Hacked?

Ever wonder what happens when one’s hacked?

Here’s an insightful chilling account of how one victim attempted to trace the hacker who invaded into his onlife life and Bitcoin wallet.

Hacked-AnatomyOfAHack

Anatomy of a Hack

In the early morning hours of October 21st, 2014, Partap Davis lost $3,000. He had gone to sleep just after 2AM in his Albuquerque, New Mexico, home after a late night playing World of Tanks. While he slept, an attacker undid every online security protection he set up. By the time he woke up, most of his online life had been compromised: two email accounts, his phone, his Twitter, his two-factor authenticator, and most importantly, his bitcoin wallets.

Davis was careful when it came to digital security. He chose strong passwords and didn’t click on bogus links. He used two-factor authentication with Gmail, so when he logged in from a new computer, he had to type in six digits that were texted to his phone, just to make sure it was him. He had made some money with the rise of bitcoin and held onto the bitcoin in three protected wallets, managed by Coinbase, Bitstamp, and BTC-E. He also used two-factor with the Coinbase and BTC-E accounts. Any time he wanted to access them, he had to verify the login with Authy, a two-factor authenticator app on his phone.

Other than the bitcoin, Davis wasn’t that different from the average web user. He makes his living coding, splitting time between building video education software and a patchwork of other jobs. On the weekends, he snowboards, exploring the slopes around Los Alamos. This is his 10th year in Albuquerque; last year, he turned 40.

After the hack, Davis spent weeks tracking down exactly how it had happened, piecing together a picture from access logs and reluctant customer service reps. Along the way, he reached out to The Verge, and we added a few more pieces to the puzzle. We still don’t know everything — in particular, we don’t know who did it — but we know enough to say how they did it, and the points of failure sketch out a map of the most glaring vulnerabilities of our digital lives.

Mail.com

It started with Davis’ email. When he was first setting up an email account, Davis found that Partap@gmail.com was taken, so he chose a Mail.com address instead, setting up Partap@mail.com to forward to a less memorably named Gmail address.

Some time after 2AM on October 21st, that link was broken. Someone broke into Davis’ mail.com account and stopped the forwarding. Suddenly there was a new phone number attached to the account — a burner Android device registered in Florida. There was a new backup email too, swagger@mailinator.com, which is still the closest thing we have to the attacker’s name.

For simplicity’s sake, we’ll call her Eve.

How did Eve get in? We can’t say for sure, but it’s likely that she used a script to target a weakness in Mail.com’s password reset page. We know such a script existed. For months, users on the site Hackforum had been selling access to a script that reset specific account passwords on Mail.com. It was an old exploit by the time Davis was targeted, and the going rate was $5 per account. It’s unclear how the exploit worked and whether it has been closed in the months since, but it did exactly what Eve needed. Without any authentication, she was able to reset Davis’ password to a string of characters that only she knew.

AT&T

Eve’s next step was to take over Partap’s phone number. She didn’t have his AT&T password, but she just pretended to have forgotten it, and ATT.com sent along a secure link to partap@mail.com to reset it. Once inside the account, she talked a customer service rep into forwarding his calls to her Long Beach number. Strictly speaking, there are supposed to be more safeguards required to set up call forwarding, and it’s supposed to take more than a working email address to push it through. But faced with an angry client, customer service reps will often give way, putting user satisfaction over the colder virtues of security.

Once forwarding was set up, all of Davis’ voice calls belonged to Eve. Davis still got texts and emails, but every call was routed straight to the attacker. Davis didn’t realize what had happened until two days later, when his boss complained that Davis wasn’t picking up the phone.


Google and Authy

Next, Eve set her sights on Davis’ Google account. Experts will tell you that two-factor authentication is the best protection against attacks. A hacker might get your password or a mugger might steal your phone, but it’s hard to manage both at once. As long as the phone is a physical object, that system works. But people replace their phones all the time, and they expect to be able to replace the services, too. Accounts have to be reset 24 hours a day, and two-factor services end up looking like just one more account to crack.

Davis hadn’t set up Google’s Authenticator app, the more secure option, but he had two-factor authentication enabled — Google texted him a confirmation code every time he logged in from a new computer. Call forwarding didn’t pass along Davis’ texts, but Eve had a back door: thanks to Google’s accessibility functions, she could ask for the confirmation code to be read out loud over the phone.

Authy should have been harder to break. It’s an app, like Authenticator, and it never left Davis’ phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve’s control.

It was the same trick that had fooled Google: as long as she had Davis’ email and phone, two-factor couldn’t tell the difference between them. At this point, Eve had more control over Davis’s online life than he did. Aside from texting, all digital roads now led to Eve.

Coinbase

At 3:19AM, Eve reset Davis’s Coinbase account, using Authy and his Mail.com address. At 3:55AM, she transferred the full balance (worth roughly $3,600 at the time) to a burner account she controlled. From there, she made three withdrawals — one 30 minutes after the account was opened, then another 20 minutes later, and another five minutes after that. After that, the money disappeared into a nest of dummy accounts, designed to cover her tracks. Less than 90 minutes after his Mail.com account was first compromised, Davis’ money was gone for good.

Authy might have known something was up. The service keeps an eye out for fishy behavior, and while they’re cagey about what they monitor, it seems likely that an account reset to an out-of-state number in the middle of the night would have raised at least a few red flags. But the number wasn’t from a known fraud center like Russia or Ukraine, even if Eve might have been. It would have seemed even more suspicious when Eve logged into Coinbase from the Canadian IP. Could they have stopped her then? Modern security systems like Google’s ReCAPTCHA often work this way, adding together small indicators until there’s enough evidence to freeze an account — but Coinbase and Authy each only saw half the picture, and neither had enough to justify freezing Partap’s account.


BTC-E and Bitstamp

When Davis woke up, the first thing he noticed was that his Gmail had mysteriously logged out. The password had changed, and he couldn’t log back in. Once he was back in the account, he saw how deep the damage went. There were reset emails from each account, sketching out a map of the damage. When he finally got into his Coinbase account, he found it empty. Eve had made off with 10 bitcoin, worth more than $3,000 at the time. It took hours on the phone with customer service reps and a faxed copy of his driver’s license before he could convince them he was the real Partap Davis.

What about the two other wallets? There was $2,500 worth of bitcoin in them, with no advertised protections that the Coinbase wallet didn’t have. But when Davis checked, both accounts were still intact. BTC-e had put a 48-hour hold on the account after a password change, giving him time to prove his identity and recover the account. Bitstamp had an even simpler protection: when Eve emailed to reset Davis’s authentication token, they had asked for an image of his driver’s license. Despite all Eve’s access, it was one thing she didn’t have. Davis’ last $2,500 worth of bitcoin was safe.


Twitter

It’s been two months now since the attack, and Davis has settled back into his life. The last trace of the intrusion is Davis’ Twitter account, which stayed hacked for weeks after the other accounts. @Partap is a short handle, which makes it valuable, so Eve held onto it, putting in a new picture and erasing any trace of Davis. A few days after the attack, she posted a screenshot of a hacked Xfinity account, tagging another handle. The account didn’t belong to Davis, but it belonged to someone. She had moved onto the next target, and was using @partap as a disposable accessory to her next theft, like a stolen getaway car.

Who was behind the attack? Davis has spent weeks looking for her now — whole afternoons wasted on the phone with customer service reps — but he hasn’t gotten any closer. According to account login records, Eve’s computer was piping in from a block of IP addresses in Canada, but she may have used Tor or a VPN service to cover her tracks. Her phone number belonged to an Android device in Long Beach, California, but that phone was most likely a burner. There are only a few tracks to follow, and each one peters out fast. Wherever she is, Eve got away with it.

Why did she choose Partap Davis? She knew about the wallets upfront, we can assume. Why else would she have spent so much time digging through the accounts? She started at the mail.com account too, so we can guess that somehow, Eve came across a list of bitcoin users with Davis’ email address on it. A number of leaked Coinbase customer lists are floating around the internet, although I couldn’t find Davis’ name on any of them. Or maybe his identity came from an equipment manufacturer or a bitcoin retailer. Leaks are commonplace these days, and most go unreported.

Davis is more careful with bitcoin these days, and he’s given up on the mail.com address — but otherwise, not much about his life has changed. Coinbase has given refunds before, but this time they declined, saying the company’s security wasn’t at fault. He filed a report with the FBI, but the bureau doesn’t seem interested in a single bitcoin theft. What else is there to do? He can’t stop using a phone or give up the power to reset an account. There were just so many accounts, so many ways to get in. In the security world, they call this the attack surface. The bigger the surface, the harder it is to defend.

Most importantly, resetting a password is still easy, as Eve discovered over and over again. When a service finally stopped her, it wasn’t an elaborate algorithm or a fancy biometric. Instead, one service was willing to make customers wait 48 hours before authorizing a new password. On a technical level, it’s a simple fix, but a costly one. Companies are continuously balancing the small risk of compromise against the broad benefits of convenience. A few people may lose control of their account, but millions of others are able to keep using the service without a hitch. In the fight between security and convenience, security is simply outgunned.

3/5 11:10am ET: Updated to clarify Bitstamp security protocols.

DeptOftheInternet

Shhh… Department of the Internet: How the Government Has Taken Over Our Lives

It’s mid-week… thought I should share something light for a change: an alternative comic look into privacy and the government takeover of the internet in our daily lives.

ProtonMail

Shhh… ProtonMail: Email Privacy and Encryption

Sending an email message is like sending a postcard. That’s the message Hillary Clinton probably now wish she heard earlier.

Andy Yen, a scientist at CERN – the European Organization for Nuclear Research – co-founded ProtonMail, an encrypted email startup based in Geneva, Switzerland. As he explained in this TEDTalk, it is easy to make encryption easy for all to use and keep all email private.

But curiously, it seems so much like PGP.

Obama-China

Shhh… How Come Obama Suddenly Understood & Explained to China Why Backdoors into Encryption is Really Bad?

“Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

That’s a quote from Obama reported in The Guardian (see article below).

Oh great, so Obama actually understood the consequences of government gaining backdoors into encryption? He should give the same advice to his NSA director Mike Rogers who somehow struggled when asked about the issue recently.

Building backdoors into encryption isn’t only bad for China, Mr President

Trevor Timm
@trevortimm
Wednesday 4 March 2015 16.15 GMT

Want to know why forcing tech companies to build backdoors into encryption is a terrible idea? Look no further than President Obama’s stark criticism of China’s plan to do exactly that on Tuesday. If only he would tell the FBI and NSA the same thing.

In a stunningly short-sighted move, the FBI – and more recently the NSA – have been pushing for a new US law that would force tech companies like Apple and Google to hand over the encryption keys or build backdoors into their products and tools so the government would always have access to our communications. It was only a matter of time before other governments jumped on the bandwagon, and China wasted no time in demanding the same from tech companies a few weeks ago.

As President Obama himself described to Reuters, China has proposed an expansive new “anti-terrorism” bill that “would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services.”

Obama continued: “Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

Bravo! Of course these are the exact arguments for why it would be a disaster for US government to force tech companies to do the same. (Somehow Obama left that part out.)

As Yahoo’s top security executive Alex Stamos told NSA director Mike Rogers in a public confrontation last week, building backdoors into encryption is like “drilling a hole into a windshield.” Even if it’s technically possible to produce the flaw – and we, for some reason, trust the US government never to abuse it – other countries will inevitably demand access for themselves. Companies will no longer be in a position to say no, and even if they did, intelligence services would find the backdoor unilaterally – or just steal the keys outright.

For an example on how this works, look no further than last week’s Snowden revelation that the UK’s intelligence service and the NSA stole the encryption keys for millions of Sim cards used by many of the world’s most popular cell phone providers. It’s happened many times before too. Ss security expert Bruce Schneier has documented with numerous examples, “Back-door access built for the good guys is routinely used by the bad guys.”

Stamos repeatedly (and commendably) pushed the NSA director for an answer on what happens when China or Russia also demand backdoors from tech companies, but Rogers didn’t have an answer prepared at all. He just kept repeating “I think we can work through this”. As Stamos insinuated, maybe Rogers should ask his own staff why we actually can’t work through this, because virtually every technologist agrees backdoors just cannot be secure in practice.

(If you want to further understand the details behind the encryption vs. backdoor debate and how what the NSA director is asking for is quite literally impossible, read this excellent piece by surveillance expert Julian Sanchez.)

It’s downright bizarre that the US government has been warning of the grave cybersecurity risks the country faces while, at the very same time, arguing that we should pass a law that would weaken cybersecurity and put every single citizen at more risk of having their private information stolen by criminals, foreign governments, and our own.

Forcing backdoors will also be disastrous for the US economy as it would be for China’s. US tech companies – which already have suffered billions of dollars of losses overseas because of consumer distrust over their relationships with the NSA – would lose all credibility with users around the world if the FBI and NSA succeed with their plan.

The White House is supposedly coming out with an official policy on encryption sometime this month, according to the New York Times – but the President can save himself a lot of time and just apply his comments about China to the US government. If he knows backdoors in encryption are bad for cybersecurity, privacy, and the economy, why is there even a debate?

Mega-cloud

Shhh… US Pressures Forced PayPal to Punish Mega (& MegaChat) for Encrypted Communications & Keeping Our Privacy

This is bizarre (see article below) but a good sign that what Mega offers in encrypted communications is the real deal and the authorities are certainly not impressed, thus the pressures on credit card companies to force Paypal to block out Mega, as they did previously with WikiLeaks.

BUT don’t forget Kim Dotcom’s newly launched end-to-end encrypted voice calling service “MegaChat” comes in both free and paid versions – see my earlier piece on how to register for MegaChat.

Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files

By Andy
on February 27, 2015

After coming under intense pressure PayPal has closed the account of cloud-storage service Mega. According to the company, SOPA proponent Senator Patrick Leahy personally pressured Visa and Mastercard who in turn called on PayPal to terminate the account. Bizarrely, Mega’s encryption is being cited as a key problem.

During September 2014, the Digital Citizens Alliance and Netnames teamed up to publish a brand new report. Titled ‘Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,’ it offered insight into the finances of some of the world’s most popular cyberlocker sites.

The report had its issues, however. While many of the sites covered might at best be considered dubious, the inclusion of Mega.co.nz – the most scrutinized file-hosting startup in history – was a real head scratcher. Mega conforms with all relevant laws and responds quickly whenever content owners need something removed. By any standard the company lives up to the requirements of the DMCA.

“We consider the report grossly untrue and highly defamatory of Mega,” Mega CEO Graham Gaylard told TF at the time. But now, just five months on, Mega’s inclusion in the report has come back to bite the company in a big way.

Speaking via email with TorrentFreak this morning, Gaylard highlighted the company’s latest battle, one which has seen the company become unable to process payments from customers. It’s all connected with the NetNames report and has even seen the direct involvement of a U.S. politician.

According to Mega, following the publication of the report last September, SOPA and PIPA proponent Senator Patrick Leahy (Vermont, Chair Senate Judiciary Committee) put Visa and MasterCard under pressure to stop providing payment services to the ‘rogue’ companies listed in the NetNames report.

Following Leahy’s intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to MEGA. As a result, Mega is no longer able to process payments.

“It is very disappointing to say the least. PayPal has been under huge pressure,” Gaylard told TF.

The company did not go without a fight, however.

“MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA,” the company explains.

paypalWhat makes the situation more unusual is that PayPal reportedly apologized to Mega for its withdrawal while acknowledging that company’s business is indeed legitimate.

However, PayPal also advised that Mega’s unique selling point – it’s end-to-end-encryption – was a key concern for the processor.

“MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA’s ‘unique encryption model’ presents an insurmountable difficulty,” Mega explains.

As of now, Mega is unable to process payments but is working on finding a replacement. In the meantime the company is waiving all storage limits and will not suspend any accounts for non-payment. All accounts have had their subscriptions extended by two months, free of charge.

Mega indicates that it will ride out the storm and will not bow to pressure nor compromise the privacy of its users.

“MEGA supplies cloud storage services to more than 15 million registered customers in more than 200 countries. MEGA will not compromise its end-to-end user controlled encryption model and is proud to not be part of the USA business network that discriminates against legitimate international businesses,” the company concludes.

US-China

Shhh… NSA Demands on Crypto Backdoors Led to US-China Spat on Backdoors & Encryption

Photo (above) credit: US-China Perception Monitor.

GlennGreenward-Tweets

The tweet from Glenn Greenwald above sums up the prevailing stance between the US and China (see video clip below) on backdoors and encryption matters – please see also article below.

It’s not like the NSA has not been warned and China may just be the first of many to come.

The United States Is Angry That China Wants Crypto Backdoors, Too

Written by
Lorenzo Franceschi-Bicchierai
February 27, 2015 // 03:44 PM EST

When the US demands technology companies install backdoors for law enforcement, it’s okay. But when China demands the same, it’s a whole different story.

The Chinese government is about to pass a new counter terrorism law that would require tech companies operating in the country to turn over encryption keys and include specially crafted code in their software and hardware so that chinese authorities can defeat security measures at will.

Technologists and cryptographers have long warned that you can’t design a secure system that will enable law enforcement—and only law enforcement—to bypass the encryption. The nature of a backdoor door is that it is also a vulnerability, and if discovered, hackers or foreign governments might be able to exploit it, too.

Yet, over the past few months, several US government officials, including the FBI director James Comey, outgoing US Attorney General Eric Holder, and NSA Director Mike Rogers, have all suggested that companies such as Apple and Google should give law enforcement agencies special access to their users’ encrypted data—while somehow offering strong encryption for their users at the same time.


“If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”

Their fear is that cops and feds will “go dark,” an FBI term for a potential scenario where encryption makes it impossible to intercept criminals’ communications.

But in light of China’s new proposals, some think the US’ own position is a little ironic.

“You can’t have it both ways,” Trevor Timm, the co-founder and the executive director of the Freedom of the Press Foundation, told Motherboard. “If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”

He’s not the only one to think the US government might end up regretting its stance.


Someday US officials will look back and realize how much global damage they’ve enabled with their silly requests for key escrow.

— Matthew Green (@matthew_d_green) February 27, 2015

Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.

Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.

Ironically, the US government sent a letter to China expressing concern about its new law. “The Administration is aggressively working to have China walk back from these troubling regulations,” US Trade Representative Michael Froman said in a statement.

A White House spokesperson did not respond to a request for comment from Motherboard.

“It’s stunningly shortsighted for the FBI and NSA not to realize this,” Timm added. “By demanding backdoors, these US government agencies are putting everyone’s cybersecurity at risk.”

In an oft-cited examples of “if you build it, they will come,” hackers exploited a system designed to let police tap phones to spy on more than a hundred Greek cellphones, including that of the prime minister.

At the time, Steven Bellovin, a computer science professor at Columbia University, wrote that this incident shows how “built-in wiretap facilities and the like are really dangerous, and are easily abused.”

That hasn’t stopped other from asking though. Several countries, including India, Kuwait and UAE, requested BlackBerry to include a backdoor in its devices so that authorities could access encrypted communications. And a leaked document in 2013 revealed that BlackBerry’s lawful interception system in India was “ready for use.”

NSA-Rogers

Shhh… NSA Want Framework to Access Encrypted Communications

NSA Director Admiral Michael Rogers said at a cyber security conference in Washington DC Monday this week that the government needs to develop a “framework” so that the NSA and law enforcement agencies could read encrypted data when they need and he was immediately challenged by top security experts from the tech industry, most notably Yahoo’s chief information security officer Alex Stamos (see transcript).

LenovoThinkPad2

Shhh… Pre-installed Superfish Malware Leaves Lenovo Computers Vulnerable to Man-in-the-Middle Attacks

I’m a self-confessed hardcore fan of the good old IBM Thinkpad laptops but I’ve shied away from the black box ever since the Lenovo acquisition in 2005. And this (see video clips below) is one of those reasons. My tilt these days is towards those laptops with no parts made in China

TimCook-Obama-CybersecuritySummit

Obama’s Still On the Wrong Frequency On Cybersecurity Issues

This is probably the most telling moment of how US President Barack Obama is still on the wrong frequency on cyber matters…

Obama blamed the “impact on their [the tech companies] bottom lines” for the mistrust between the government and Silicon Valley in the aftermath of the Snowden revelations. These were his words, straight from the POTUSA mouth rather than reading from the scripts, in an exclusive interview with Re/code’s Kara Swisher (see video below) following the well publicized cybersecurity summit at Stanford University last Friday, when he signed an executive order to encourage the private sector to share cybersecurity threat information with other companies and the US government.

Contrast that with the high-profile speech by Apple CEO Tim Cook (see video below), who warned about “life and death” and “dire consequences” in sacrificing the right to privacy as technology companies had a duty to protect their customers.

His speech was delivered before Obama’s address to the summit – which the White House organized to foster better cooperation and the sharing of private information with Silicon Valley – best remembered for the absence of leaders from tech giants like Google, Yahoo and Facebook who gave Obama the snub amid growing tensions between Silicon Valley and the Obama administration. Heavyweights whom Obama counted as “my friends” in the Re/code interview (watch closely his expression at the 39th second of the clip above).

Memex

Shhh… New Search Engine Memex to Reach the Other 95% of the Web (And Dark Web) that Google Missed

Popular search engines like Google, Yahoo and Bing can only access 5 percent of all the contents in the internet space. So that’s one good reason to be excited about the new breed search engine Memex, now at beta stage, developed by the US military’s Defense Advanced Research Projects Agency (DARPA) which is capable of ploughing through the entire web space including the Dark Web, that part (much of the other 95 percent) of the cyber ecosystem where criminals operate in the shadows to buy, sell and advertise their illegal trades such as weapons and sex trafficking.

Find out more about MEMEX from this exclusive 60 Minutes clip:

And more about the Dark Web:

SamsungSmartTV

Shhh… Spy Alert: Your Smart TV Watches You – Just Like Your Computer

This is really nothing new but I’m posting it because similar “news” resurfaced again the past week.

Let’s not forget smart TV are essentially becoming more like computers. And yes, they can watch you and your loved ones discreetly without your knowledge.

If you’ve already bought one, the easy solution is to cover the webcam with a duct tape unless you need to use it.

SourceCode3

Shhh… US in Long Battle As China Request Source Code From Western Technology Companies

This spat on intrusive rules is going to be a huge long battle.

The US is voicing opposition to Chinese rules that foreign vendors hand over the source code if they were to supply computer equipments to Chinese banks – which could expand to other sectors as the matter is “part of a wider review”.

Other measures to comply with include the setting up of research and development centers in China and building “ports” for Chinese officials to manage and monitor the data processed by their hardware.

Submitting to these “intrusive rules” for a slice of the huge Chinese markets also means alienating the rest of the world – as complying with these rules means creating backdoors, adopting Chinese encryption algorithms and disclosing sensitive intellectual property.

Find out more from this video:

Obama-XiJinping4

US-China Spat on Intrusive Rules – And Actual Intrusions

Speaking of “intrusive rules” (see BBC report far below) and “actual intrusions” in China, the latter I have expanded recently in two articles – one on Apple yesterday and the other on VPN blocks last week – and merged in this new column I’m also pasting right below.

The long and short of it, it’s espionage made easy. Period.


Apple Lets Down Its Asia Users

Written by Vanson Soo
MON,02 FEBRUARY 2015

Knuckling under to China on security inspections

If you are a die-hard fan of Apple products and if you, your company or business have anything to do with mainland China, recent developments involving the US tech giant can be construed as bad news, with deeper implications than what was generally thought and reported.

First, about Apple.

I have always liked the beauty and elegance of Apple products. I have owned two Mac laptops and an iPhone but I have shunned them as anyone deeply conscious and concerned about privacy and security should do. Edward Snowden, for example, who laid bare extensive snooping by the US National Security Agency, recently said he had never used the iPhone given the existence of secret surveillance spyware hidden in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices including iPhones, iPads and Mac computers. The move understandably makes business sense to Apple [and its shareholders] as China is just too huge a market to ignore – so the Cupertino-based company [whose market capitalization hit US$683 billion last week, more than double Microsoft’s US$338 billion] realized it simply couldn’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

What Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well documented that Apple users were [and probably still are] known for their cult-like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers.

The company has also denied working with any government agencies to create back doors into its products or servers… So surrendering to security audits wouldn’t?

If only Apple users managed to chuck away their cult mentality and come to their senses about their privacy and security risks, the firm would realize the Google approach, though still not perfect, is a better way of cultivating brand loyalty.

And in case you’re wondering, I use Linux most of the time – and shun the most popular Linux distributions to be on the safe side.a

Now next. And this is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News surfaced in late January that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

The real impact is not merely on domestic residents who were cut off from YouTube, BBC/CNN news and other information sources but resident expatriates, multinationals, foreign embassies and those traveling to China, especially businessmen and executives. Think: Chinese espionage now made easy!

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through it, which effectively shields internet traffic from government filters that have set criteria on what sites can be accessed.

And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

Obama-XiJinping5

29 January 2015 Last updated at 14:35

US tech firms ask China to postpone ‘intrusive’ rules

By Kevin Rawlinson BBC News

US business groups are seeking “urgent discussions” over new Chinese rules requiring foreign firms to hand over source code and other measures.

The groups wrote to senior government officials after the introduction of the cybersecurity regulations at the end of last year.

The US Chamber of Commerce and other groups called the rules “intrusive”.

The regulations initially apply to firms selling products to Chinese banks but are part of a wider review.

“An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice,” the letter read.

The groups said that the rules would force technology sellers to create backdoors for the Chinese government, adopt Chinese encryption algorithms and disclose sensitive intellectual property.

Firms planning to sell computer equipment to Chinese banks would also have to set up research and development centres in the country, get permits for workers servicing technology equipment and build “ports” which enable Chinese officials to manage and monitor data processed by their hardware, Reuters reported.

Source code is the usually tightly guarded series of commands that create programs. For most computing and networking equipment, it would have to be turned over to officials, according to the new regulations.

Tension

In the letter, a copy of which has been seen by the BBC, the groups have asked the Chinese government to delay implementation of the regulations and “grant an opportunity for discussion and dialogue for interested stakeholders with agencies responsible for the initiatives”.

They added: “The domestic purchasing and related requirements proposed recently for China’s banking sector… would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” the letter, which was dated 28 January, read.

The letter from the American groups, including the US Chamber of Commerce, AmCham China and 16 others, was addressed to the Central Leading Small Group for Cyberspace Affairs, which is led personally by Chinese President Xi Jinping.

It comes at a time of heightened tension between the USA and China over cybersecurity. In May last year, Beijing denounced US charges against Chinese army officers accused of economic cyber-espionage.

Pressure

It was also alleged that the US National Security Agency spied on Chinese firm Huawei, while the US Senate claimed that the Chinese government broke into the computers of airlines and military contractors.

American tech firms, such as Cisco and Microsoft, are facing increased pressure from Chinese authorities to accept rigorous security checks before their products can be purchased by China’s sprawling, state-run financial institutions.

Beijing has considered its reliance on foreign technology a national security weakness, particularly following former National Security Agency contractor Edward Snowden’s revelations that US spy agencies planted code in American-made software to snoop on overseas targets.

The cyber-space policy group approved a 22-page document in late 2014 that contained the heightened procurement rules for tech vendors, the New York Times reported on Thursday.

Apple-Shanghai3

From Apple With Love – Granting Chinese Security Audits Leaves More Deep & Profound Implications Than Betrayal of Apple Die-Hards

I always like the beauty and elegance of Apple products (I had 2 Mac laptops and 1 iPhone) but I have to admit I have already shunned them as anyone deeply conscious and concerned about privacy and security should do – Snowden, for example, recently said he never used the iPhone given the existence of secret surveillance spyware in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices like the iPhones, iPads and Mac computers. The move understandably makes business sense to Apple (and its shareholders) as China is just too huge a market to ignore – so the Cupertino-based company (whose market capitalization hit $683 billion last week, more than double Microsoft’s $338 billion) realized it simply can’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

And what Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well-documented Apple users were (and probably still are) well known for their “cult” like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers. The company has also denied working with any government agencies to create back doors into its products or servers… (So surrendering to security audits wouldn’t?)

If only Apple users somewhat managed to chuck away their cult mentality and come to their senses (about their privacy and security risks), the US tech giant would realize the Google approach (though still not the perfect example) is a better way to cultivating brand loyalty (see article below).

And in case you’re wondering, I use laptops with no parts made in China along with Linux most of the time – and shun the most popular Linux distributions to be on the safe side.


Apple’s New Security Concessions to Beijing

By Doug Young | January 27, 2015, 10:13 AM

Apple is deepening its uneasy embrace of Beijing security officials, with word that it has agreed to allow security audits for products that it sells in China. This latest development comes less than a year after Apple took the unusual step of moving some of the user information it collects to China-based servers, which was also aimed at placating security-conscious regulators in Beijing.

Apple’s increasingly close cooperation with Beijing contrasts sharply with Google, whose popular Internet products and services are increasingly being locked out of China as it refuses to play by Beijing’s rules. Other global tech giants are also having to deal with the delicate situation, each taking a slightly different approach to try to protect user privacy while complying with Beijing’s insistence that they make their information available to security-conscious government regulators.

As a relatively neutral observer, I can sympathize with both the Apples and Googles of the world. Companies like Apple have decided that China is simply too large for them to ignore, and thus are taking steps to address Beijing’s security concerns as a condition for access to the huge market. Microsoft has also taken a similar tack, and Facebook is showing it will also be willing to play by such rules with its recent repeated lobbying for a chance to set up a China-based service.

Google has taken a more defiant stance by refusing to compromise user privacy and free speech, with the result that a growing number of its products and services are now blocked in China. The company shuttered its China-based search website in 2010 over a dispute with Beijing on self censorship. Last year many of its global sites and even its Gmail email service also became increasingly difficult to access for users in China.

Apple isn’t being nearly so defiant, and the latest headlines say it has agreed to the audits of its products by the State Internet Information Office. The reports say Apple agreed to the audits when CEO Tim Cook met with State Internet Information Office official Lu Wei during a December trip to the U.S. I previously wrote about Lu’s trip after photos appeared on an official Chinese government website showing him visiting the offices of Facebook, Apple, and also Amazon.

Lu reportedly told Cook that China needs to be sure that Apple’s popular iPhones, iPads, and other products protect user privacy and also don’t compromise national security. Unlike other PC and cellphone makers that simply sell their devices to consumers, Apple actively keeps records of its product users and some of their usage habits and other related information on remote computers.

This latest move looks like an extension of another one last summer, which saw Apple agree to host some of the data from its China-based users on servers based inside the country. That move also looked aimed at calming national security worries from Beijing, since storing such information on China-based computers would make it more accessible to investigators conducting security-related probes.

In an interesting twist to the story, this latest report comes from a state-owned newspaper in Beijing, making it a sort of semi-official disclosure of China’s approach to the matter. That would follow the government’s own announcement of Lu Wei’s December trip, and perhaps shows that Beijing wants to be more open about steps it’s taking to address national security threats like terrorism. That kind of more open attitude could help both domestic and foreign companies to better navigate China’s tricky cyber realm, though it won’t be of much help to defiant companies like Google that are more intent on protecting free speech and user privacy.

Cryptoquip

Shhh… Why (Obama & Cameron) the NSA is Breaking Our Encryption and Why We Should Care

Here’s one nice TEDTalk on why encryption is important for everyone and why breaking or weakening it – British Prime Minister David Cameron and US President Barack Obama are now pushing for a ban on encryption – is not a good idea. To put it bluntly and briefly, it is shooting our own foot.

VPN-China0

Shhh… China’s Block to VPN Services Has Global Impacts

This is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News has surfaced over the weekend that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through the designated pipe, which effectively shield internet traffic from government filters that have set criteria on what sites can be accessed.

Find out more about this news below – And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

VPN-China
VPN-China2
VPN-China3
VPN-China4

FacialRecog-FBI2

Shhh… Facial Recognition & Risks: FBI to Photograph All Americans

FacialRecog-FBI3

Following up on an earlier post on the same topic:

iCloud

Shhh… Facial Recognition & Risks: Encoding Your Photos with Photoscrambler

Continuing on my blog post yesterday – shouldn’t one feel guilty about posting photos of their loved ones online without knowing or truly understanding the underlying risks?

Well instead of covering the face(s), how about encoding your photos with personal secret code so that only you and those selected parties can see them? That’s what this software PhotoScrambler is about.

FacialRecogn

Shhh… Facial Recognition & Risks: How Much Is Your Face Worth?

If you’re still coining your new year resolutions… how about never to post (and tag) any photos of yourself and loved ones online?

Yes, it’s a social norm these days – just look at the Facebook sphere – but I can’t explain the risks better than this excellent presentation (below) from the Make Use Of blog about facial recognition technology and the risks of posting our photos online.

Food for thoughts?

FacialRecog-1
FacialRecog-2
FacialRecog-3
FacialRecog-4
FacialRecog-5
FacialRecog-6
FacialRecog-7
FacialRecog-8

iPhone-Encryption

Shhh… DOJ Uses 18th Century Law to Make Apple Unlock Encrypted iPhones

It’s time to raise the antenna again on smartphone encryption matters.

Law enforcement agencies, particularly the FBI, have been desperately pressurizing the Congress to force Apple and Google to do away with their new default smartphone encryption. And authorities are apparently giving in.

According to an exclusive report by Ars Technica (below) earlier this week, court documents from 2 federal criminal cases in New York and California show the US Department of Justice on October 31 this year went as far as exercising a 18th century law – the All Writs Act – to compel Apple and at least one other company to cooperate with law enforcement officials in investigations dealing with locked and encrypted smartphones.

The 225-year-old law gives the courts the right to issue whatever writs or orders in order to compel someone to do something.

To the extent that Apple has recently beefed up encryption in its latest iOS 8, the fact that the DOJ would go to such absurd lengths might set worrying precedence – recall a recent ludicrous DOJ assertion that the new encryption standards would kill a child.

A more disturbing question: What would you do if you were FBI director James Comey making his rounds to denounce smartphone encryption?

Make the DOJ use the All Writs Act to force manufacturers to install convenient backdoors. Why not?

—————————————-

Feds want Apple’s help to defeat encrypted phones, new legal case shows

Prosecutors invoke 18th-century All Writs Act to get around thorny problem.
by Cyrus Farivar – Dec 1 2014, 10:00pm CST

OAKLAND, CA—Newly discovered court documents from two federal criminal cases in New York and California that remain otherwise sealed suggest that the Department of Justice (DOJ) is pursuing an unusual legal strategy to compel cellphone makers to assist investigations.

In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.

Some legal experts are concerned that these rarely made public examples of the lengths the government is willing to go in defeating encrypted phones raise new questions as to how far the government can compel a private company to aid a criminal investigation.

Two federal judges agree that the phone manufacturer in each case—one of which remains sealed, one of which is definitively Apple—should provide aid to the government.

Ars is publishing the documents in the California case for the first time in which a federal judge in Oakland specifically notes that “Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.”

The two orders were both handed down on October 31, 2014, about six weeks after Apple announced that it would be expanding encryption under iOS 8, which aims to render such a data handover to law enforcement useless. Last month, The Wall Street Journal reported that DOJ officials told Apple that it was “marketing to criminals” and that “a child will die” because of Apple’s security design choices.

Apple did not immediately respond to Ars’ request for comment.

Meet the “All Writs Act”

Alex Abdo, an attorney with the American Civil Liberties Union, wondered if the government could invoke the All Writs Act to “compel Master Lock to come to your house and break [a physical lock] open.”

“That’s kind of like the question of could the government compel your laptop maker to unlock your disk encryption?” he said. “And I think those are very complicated questions, and if so, then that’s complicated constitutional questions whether the government can conscript them to be their agents. Then there’s one further question: can the government use the All Writs Act to compel the installation of backdoors?”

But, if Apple really can’t decrypt the phone as it claims, the point is moot.

“Then that’s pretty much the end of it,” Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, told Ars. “The writ doesn’t require Apple to do something that is impossible for it to do.”

Andrew Crocker, a legal fellow also at the Electronic Frontier Foundation, pointed out on Twitter on Tuesday that back in 2005, a different New York magistrate refused to accept the government’s invocation of the All Writs Act to obtain real-time cell site data.

As Magistrate Judge James Orenstein wrote at the time:

Thus, as far as I can tell, the government proposes that I use the All Writs Act in an entirely unprecedented way. To appreciate just how unprecedented the argument is, it is necessary to recognize that the government need only run this Hail Mary play if its arguments under the electronic surveillance and disclosure statutes fail.

The government thus asks me to read into the All Writs Act an empowerment of the judiciary to grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature’s intensive and repeated consideration. Such a broad reading of the statute invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority.

“Any capabilities [Apple] may have to unlock the iPhone”

One of the new phone search cases was filed in federal court in Oakland, just across the bay from San Francisco, while another was filed in federal court in Manhattan.

In the Oakland case, prosecutors asked a federal judge in to “assist in the execution of a federal search warrant by facilitating the un-locking of an iPhone.”

Ars went in person to the Oakland courthouse on Wednesday to obtain the documents and is publishing both the government’s application and the judge’s order for the first time here. The All Writs Act application and order are not available via PACER, the online database for federal court records.

“This Court has the authority to order Apple, Inc., to use any capabilities it may have to unlock the iPhone,” Garth Hire, an assistant US attorney, wrote to the court and cited the All Writs Act.

“The government is aware, and can represent, that in other cases, courts have ordered the unlocking of an iPhone under this authority,” he wrote. “Additionally, Apple has routinely complied with such orders.”

“This court should issue the order because doing so would enable agents to comply with this Court’s warrant commanding that the iPhone be examined for evidence identified by the warrant,” he continued. “Examination of the iPhone without Apple’s assistance, if it is possible at all, would require significant resources and may harm the iPhone. Moreover, the order is not likely to place any unreasonable burden on Apple.”

In response, Magistrate Judge Kandis Westmore ordered that Apple “provide reasonable technical assistance to enable law enforcement agents to obtain access to unencrypted data.” She did not specifically mention the All Writs Act.

But she added:


It is further ordered that, to the extent that data on the iOS device is encrypted, Apple may provide a copy of the encrypted data to law enforcement but Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.

Westmore’s language is a near-duplicate of a June 6, 2014 order issued by a different judge from the Northern California district, San Jose division, which is about 40 miles south of Oakland. There, Magistrate Judge Howard Lloyd ordered Apple to assist in the search of an iPad Mini, months before the release of iOS 8.

New spying tools afoot

On Tuesday, The Wall Street Journal reported on an order issued by a federal magistrate in New York in a case involving alleged credit card fraud.

In that Manhattan case, Magistrate Judge Gabriel Gorenstein granted the government’s proposed order on the same day as Westmore (October 31, 2014), also citing the All Writs Act, which compels the unnamed phone manufacturer to provide “reasonable technical assistance” in unlocking the device.

The mystery company could challenge the judge’s order, according to Brian Owsley, a former federal magistrate judge who now is a law professor at Indiana Tech.

“Unfortunately, we will probably not know because the issue will likely be sealed even though there should be more transparency in these issues,” he told Ars by e-mail, noting that during his tenure on the bench he could not remember a time when the government invoked the All Writs Act.

“It is only through greater transparency will we start to get the answers. If the provider simply complies we will know nothing. Here, Judge Gorenstein’s approach strikes me as very even-handed, but the inherent problem is that those who are concerned about privacy issues in general simply have to hope that the provider will speak up for us.”

But Orin Kerr, a law professor at George Washington University and a former federal prosecutor, does not believe that the seized phone in the New York case was an iOS 8 device.

“The government obtained a warrant on October 10 for a phone already in its possession,” he told Ars by e-mail. “Apple’s announcement was something like September 18. If it was an iPhone, it was probably an iPhone running [on] an earlier operating system.”

Still, Alex Abdo, the ACLU attorney, after reading a copy of the Oakland documents, concluded that the “government’s application raises troubling questions about the extent to which it can force companies to break the products they sell.”

“We are heartened, however, that the court recognized that possibility and stopped short of ordering Apple to come up with a way to decrypt its customers’ data,” he added.

“More broadly, it is disconcerting that the government is relying on a catch-all law to seek surveillance powers that it should be seeking from Congress and the public,” said Abdo. “If the government wants new spying tools, it should allow our democratic process to debate them openly first.”

UPDATE 1:50pm CT: Jonathan Mayer, a lecturer at Stanford Law, said that use of the All Writs Act is not as novel as it may seem. (He recommended his recent lecture on the subject!)

“The TL;DR is that there is nothing new about using the All Writs Act to compel assistance,” Mayer told Ars by e-mail. “And there is also nothing new about using it to compel assistance with unlocking a phone. That repeated language you saw? It’s provided by Apple itself!”

“As for the opinion discounting the All Writs Act, that had to do with surveillance under the Electronic Communications Privacy Act. Where ECPA applies, the All Writs Act doesn’t. (It’s just a default, as the court rightly noted.) Phone unlocking isn’t covered by ECPA, so the All Writs Act remains in play.”

Blackberry-Encryption

Shhh… Former NSA Attorney: Encryption Behind Blackberry’s Demise & Warning to Apple and Google

The authorities hate smartphone encryption and it shows. And they’re in concerted efforts to wage a war against it.

In echoing the recent messages from FBI director James Comey and GCHQ chief Robert Hannigan, former NSA general counsel Stewart Baker told the Web Summit audience in Dublin earlier this week that the moves by Google and Apple and others to encrypt user data was more hostile to western intelligence gathering than to surveillance by China or Russia.

In a conversation with Guardian special projects editor James Ball, Baker used Blackberry as an example:

Encrypting user data had been a bad business model for Blackberry, which has had to dramatically downsize its business and refocus on business customers. “Blackberry pioneered the same business model that Google and Apple are doing now – that has not ended well for Blackberry,” said Baker.

He claimed that by encrypting user data Blackberry had limited its business in countries that demand oversight of communication data, such as India and the UAE and got a bad reception in China and Russia. “They restricted their own ability to sell. We have a tendency to think that once the cyberwar is won in the US that that is the end of it – but that is the easiest war to swim.”

Baker said the market for absolute encryption was very small, and that few companies wanted all their employees’ data to be completely protected. “There’s a very comfortable techno-libertarian culture where you think you’re doing the right thing,” said Baker.

“But I’ve worked with these companies and as soon as they get a law enforcement request no matter how liberal or enlightened they think they are, sooner to later they find some crime that is so loathsome they will do anything to find that person and identify them so they can be punished.

This latest anti-encryption blabbing drew quick defense from Blackberry COO Marty Beard, who found Baker’s remarks “don’t make any sense”.

“Security is a topic that’s increasing in importance,” Beard told the audience at FedScoop’s FedTalks event Thursday. “It’s the reason that all G7 countries and the G20 work with BlackBerry.

“We just see it growing in importance. The increasing cybersecurity threats are exploding, security across all [technology] layers is critical.”

Right2Bforgotten

Shhh… The BBC “Forgotten” List (& Forgotten Company Directors?)

The BBC plans to publish a regularly updated list of articles removed from the search engine Google following the controversial “right to be forgotten rule”.

Google has so far received some 153,000 requests which have involved about half a million different link and 40 percent of these links have been removed. However, according to associate professor David Glance, director of the Center for Software Practice at the University of Western Australia:

… there is a great deal of concern about the sorts of things that are being removed. So, for example, information about former company directors have been removed. So various people are now asking for that type of information to be restored because it’s part of the public record and important information when you are considering the effectiveness or the background of a company or the directors.”