This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

E-mail encryption
Washington Post
Quote:As encryption spreads, U.S. grapples with clash between privacy, security
By Ellen Nakashima and Barton Gellman April 10

For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?

Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?

“I donâ€t want a back door,” Rogers, the director of the nationâ€s top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. “I want a front door. And I want the front door to have multiple locks. Big locks.”

Law enforcement and intelligence officials have been warning that the growing use of encryption could seriously hinder criminal and national security investigations. But the White House, which is preparing a report for President Obama on the issue, is still weighing a range of options, including whether authorities have other ways to get the data they need rather than compelling companies through regulatory or legislative action.

The task is not easy. Those taking part in the debate have polarized views, with advocates of default commercial encryption finding little common ground with government officials who see increasing peril as the technology becomes widespread on mobile phones and on text messaging apps.

[Image: 1665]

Apple catalyzed the public debate in September when it announced that one of the worldâ€s most popular smartphones would come equipped with a unique digital key that can be used only by its owner. Even if presented with a warrant, Apple could no longer unlock an iPhone that runs its latest operating system.

Hailed as a victory for consumer privacy and security, the development dismayed law enforcement officials, who said it threatens what they describe as a ­centuries-old social compact in which the government, with a warrant based on probable cause, may seize evidence relevant to criminal investigations.

“What weâ€re concerned about is the technology risks” bringing the country to a point where the smartphone owner alone, who may be a criminal or terrorist, has control of the data, Deputy Assistant Attorney General David Bitkower said at a recent panel on encryption hosted by the nonprofit Congressional Internet Caucus Advisory Committee. That, he said, has not been the “standard American principle for the last couple of hundred years.”

Tech industry officials and privacy advocates take a different view. “I donâ€t believe that law enforcement has an absolute right to gain access to every way in which two people may choose to communicate,” said Marc Zwillinger, an attorney working for tech companies on encryption-related matters and a former Justice Department official. “And I donâ€t think our Founding Fathers would think so, either. The fact that the Constitution offers a process for obtaining a search warrant where there is probable cause is not support for the notion that it should be illegal to make an unbreakable lock. These are two distinct concepts.”

The increasing use of encrypted storage extends well beyond the iPhone or the similar option that Google offers — though not by default — on new versions of its Android operating system. Windows and Apple offer simple settings to encrypt the contents of personal computers, and several cloud storage companies encrypt the data they host with keys known only to their customers.

The Obama administration says it is not seeking to weaken the security tools themselves. “Thereâ€s no scenario in which we donâ€t want really strong encryption,” President Obama said in an interview with the online tech news outlet Re/Code in February. “I lean probably further in the direction of strong encryption than some do inside of law enforcement. But I am sympathetic to law enforcement, because I know the kind of pressure theyâ€re under to keep us safe. And itâ€s not as black and white as itâ€s sometimes portrayed.”

Until Rogersâ€s remarks, U.S. officials had declined to say how they believed they could guarantee government access to a locked device without introducing security flaws that others could also find.

Academic and industry experts, including Yahooâ€s chief of information security, Alex Stamos, say law enforcement is asking for the impossible. Any means of bypassing encryption, they say, is by definition a weakness that hackers and foreign spy agencies may exploit.

The split-key approach is just one of the options being studied by the White House as senior policy officials weigh the needs of companies and consumers as well as law enforcement — and try to determine how imminent the latterâ€s problem is. With input from the FBI, intelligence community and the departments of Justice, State, Commerce and Homeland Security, they are assessing regulatory and legislative approaches, among others.

The White House is also considering options that avoid having the company or a third party hold a key. One possibility, for example, might have a judge direct a company to set up a mirror account so that law enforcement conducting a criminal investigation is able to read text messages shortly after they have been sent. For encrypted photos, the judge might order the company to back up the suspectâ€s data to a company server when the phone is on and the data is unencrypted. Technologists say there are still issues with these approaches, and companies probably would resist them.

White House aides aim to report to Obama this month, though the date could slip. “We want to give the president a sense of what the art of the possible is,” said a senior administration official who requested anonymity because he was not authorized to speak on the record. “We want to enable him to make some decisions and strategic choices about this very critical issue that has so many strategic implications, not just for our cybersecurity but for law enforcement and national security, economic competitiveness overseas, foreign relations, privacy and consumer security.”

A central issue in the policy debate is trust, said Lance J. Hoffmann, founder of George Washington Universityâ€s Cyberspace Security Policy and Research Institute. “Itâ€s who do you trust with your data? Do you want to default to the government? To the company? Or to the individual? If you make a hybrid, how do you make the trade-off?”

The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready.

“There is zero chance of any domestic restrictions on encryption absent a catastrophic event which clearly could have been stopped if the government had been able to break some encryption,” said Michael Vatis, a senior Justice Department cyber-official in the Clinton administration and a partner at Steptoe and Johnson. “That is the only way I could even imagine any restriction on encryption being passed by Congress.”

Even if Congress passed such a law, it could not bind device-makers and software engineers overseas. Privacy advocates said strong encryption technology is now sufficiently widespread that it is effectively beyond the reach of government control.

That is what Britain is discovering: It has a law that would require any telecom company to give the government access to data, but the law cannot be used to compel foreign firms that lack encryption keys to create them, legal experts said.

The debate in some ways harks back to the “cryptowars” of the 1990s, when the Clinton administration proposed having the government hold a decryption key “in escrow” for law enforcement seeking to wiretap encrypted voice calls. The proposal had its origins in the nuclear bunker where, to avoid the risk of a rogue actor launching a nuclear weapon, the government required two people, each holding part of a key, to put their parts together to unlock the weapon.

The government lost, primarily on policy grounds. “Fundamentally, what bothered me, and I think many people, is the notion that you donâ€t have a right to try to protect your communications but are forced to trust a third party over which you have no control,” said Whitfield Diffie, a pioneer of public-key cryptography who was part of the opposition that killed the proposal.

The debate now differs in at least one key respect: its global reach. Today, demand for data security transcends borders, as does law enforcementâ€s desire to obtain the data. Countries including the United Kingdom, Australia and China have passed or are contemplating laws seeking government access to communications similar to that sought by U.S. authorities.

The split-key approach floated by Rogers is a variant on that old approach and is intended to resolve some of the policy objections. Storing a master key in pieces would reduce the risk from hackers. A court could oversee the access.

But some technologists still see difficulties. The technique requires a complex set of separate boxes or systems to carry the keys, recombine them and destroy the new key once it has been used. “Get any part of that wrong,” said Johns Hopkins University cryptologist Matthew Green, “and all your guarantees go out the window.”

Officials say that if default encryption of e-mails, photos and text messages becomes the norm without the company holding a key, it could, as Bitkower said, render a warrant “no better than a piece of paper.”

Neither Bitkower nor FBI Director James B. Comey, who also has been vocal about the problem, has been able to cite a case in which locked data thwarted a prosecution. But they have offered examples of how the data are crucial to convicting a person.

Bitkower cited a case in Miami in December in which a long-haul trucker kidnapped his girlfriend, held her in his truck, drove her from state to state and repeatedly sexually assaulted her. She eventually escaped and pressed charges for sexual assault and kidnapping. His defense, Bitkower said, was that she engaged in consensual sex. As it turned out, the trucker had video-recorded his assault, and the phone did not have device encryption enabled. Law enforcement agents were able to get a warrant and retrieve the video. It “revealed in quite disturbing fashion that this was not consensual,” Bitkower said. The jury convicted the trucker.

Officials and former agents say there will be cases in which crimes will go unsolved because the data was unattainable because only the phone owner held the key. “I just look at the number of cases I had where, if the bad guy was using one of these [locked] devices, we never would have caught him,” said Timothy P. Ryan, a former FBI supervisory special agent who now leads Kroll Associates†cyber-investigations practice.

But, he said, “I think the genieâ€s out of the bottle on this one.”

Some experts say the challenge of device encryption may be diminished if law enforcement can compel a suspect to unlock his phone. But, they add, doing so may raise Fifth Amendment issues of self-incrimination in some cases.

Encryption of phone calls is the harder challenge and the one that agencies such as the NSA, which needs to hear what targets are saying rather than gather evidence for a prosecution, are more concerned about. Brute-force decryption is difficult and time-consuming, and getting ­covert access through manufacturers requires a level of specificity and access that is not often available, intelligence officials say.

“The basic question is, is it possible to design a completely secure system” to hold a master key available to the U.S. government but not adversaries, said Donna Dodson, chief cyber­security adviser at the Commerce Departmentâ€s National Institute of Standards and Technologies. “Thereâ€s no way to do this where you donâ€t have unintentional vulnerabilities.”

Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.
Barton Gellman writes for the national staff. He has contributed to three Pulitzer Prizes for The Washington Post, most recently the 2014 Pulitzer Prize for Public Service.
Email:            PGP key: AF7C8C3B
The capabilities of the NSA are huge, both their surveillance and actual legal standing. For example to be legally allowed compromise a service via a Subpeona and the service provider not being allowed to even tell anyone is insane, the idea of Warrant Canaries came via this. 

Perfect example in an encryption software called TrueCrypt - went down last year, by far the most accepted reasoning is NSA intervention. 

As a general rule the NSA can intercept and read any of your communications, personally if they're interested in alot my shite off they go, the hassle to try avoid them doing it outweighs the effort involved for me at least. From an Irish perspective, I'd be more worried about GCHQ, the UK version, less sophisticated than the NSA but certainly still have large capabilities.
Ah, TrueCrypt.  The big conspiracy theory.

Version 7.1a had been out for years.  Then all of a sudden 7.2 came out and some people may have updated to it automatically.  There was also this notice on their website.  All of a sudden users who "upgraded" could only decrypt their data and could no longer create new encrypted folders.  The authors of TrueCrypt were anonymous and there was some speculation that they may have been US government employees.

The advice from the TrueCrypt authors was that people should change over to M$ BitLocker, which many people thought was rediculous.  This also made people think that the rest of the information on their notice wasn't telling the truth either.  There is a discussion here of some of the theories behind TrueCrypt.

Personally, I'm still using TrueCrypt 7.1a.  It is the only solution that actually works for my particular set-up.
Email:            PGP key: AF7C8C3B
(12-04-2015, 02:56 PM)echo59 Wrote: Ah, TrueCrypt.  The big conspiracy theory.

Version 7.1a had been out for years.  Then all of a sudden 7.2 came out and some people may have updated to it automatically.  There was also this notice on their website.  All of a sudden users who "upgraded" could only decrypt their data and could no longer create new encrypted folders.  The authors of TrueCrypt were anonymous and there was some speculation that they may have been US government employees.

The advice from the TrueCrypt authors was that people should change over to M$ BitLocker, which many people thought was rediculous.  This also made people think that the rest of the information on their notice wasn't telling the truth either.  There is a discussion here of some of the theories behind TrueCrypt.

Personally, I'm still using TrueCrypt 7.1a.  It is the only solution that actually works for my particular set-up.

There was a public code audit of it done aswell, released in the last week or so which showed it was a good implementation,with only a few quite minor bugs. Hopefully one of the forks of it will take off proper now so development can continue, even if license restricted anon authors can't do much! I'm still using it aswell, few similar open source tools (which we've been required to migrate to in work) which are no where near as good functionality wise.
Here's quite a good website that talks you through OpenPGP encryption for whatever operating system (Windows, Mac, Linux) that you use.  Might be helpful for someone who is interested in dabbling.  If it doesn't go by default, just select your operating system in the menu at the top.

They also have quite a good infographic:
[Image: full-infographic.png]
Email:            PGP key: AF7C8C3B
It turns out that Facebook now supports OpenPGP.

Click here to read all about it.  You can upload your own public key.  This means that people who search for you on Facebook can see that you have a public key and can send you encrypted e-mails, if they're into that sort of thing themselves.

Also, if you check the "Use this public to encrypt notification e-mails from Facebook" option then e-mails from Facebook, such as password reset requests, will be encrypted and digitally signed by Facebook.  Another layer of security and a protection against spam.

Click here to upload your own OpenPGP details to your account.  Don't forget to add the Facebook public key to your keyring so that you can decrypt their e-mails.
Email:            PGP key: AF7C8C3B
---- Original Message ----
Subject: Safer Internet Day 2016
Sent: 8 Feb 2016 7:36 a.m.

Tomorrow, 2016-02-09 is this year's Safer Internet Day[1] themed "Play
your part for a better internet!".

The Safer Internet Day was first celebrated in 1999 to strengthen the
awareness for security within and on the internet.

To provide everybody with the means to protect their communication and
privacy CAcert's share has long been to offer free email and client
certificates, enabling everyone to authenticate their peers and exchange
encrypted emails with them.

So take a moment to think about take part in this event to promote email
encryption with CAcert S/MIME certificates.

Want to join in? But lack a friend to send encrypted mails to? Why not
demonstrate them how easy it is to setup and protect your emails? Or how
convenient password-less logins can be?

Show and tell how easy it is to identify the sender of a digitally
signed email and explain the risks you avoid by doing so.

Even if you or your friends got nothing to hide: Why not use encryption
out of habit anyway; just in case the need arose? Training yourself now
to protect yourself will make you feel safe when you might depend on it

We live in a world where encryption is more and more becoming
ubiquitous. Encryption is not about hiding, but about protecting what's
precious. So spread the word on how your friends can too stay safe when
communicating online or when in need of protecting what is dear to them.

Explaining how encryption works, what it can and cannot do, and
guarantees you get from using it are important to stay safe. The
involved math isn't even scary or required to be understood: it's just
not what you have to deal with every day. Understanding the basic
concepts and helping others understand how they play together is the
foundation for building your personal stronghold in the digital age.

Use this opportunity to experiment! The tools are there and the
community is here to help you with your questions.

Please let us know how you participated.

And stay safe on the internet!


Best regards

Marcus Mängel
Public Relation Officer CAcert Inc.
Email:            PGP key: AF7C8C3B
RTE News - First public report of an e-mail company deliberately scanning incoming e-mails for security services.

Quote:Yahoo 'secretly searched' emails for US intelligence
Updated / Oct. 4, 2016 21:29

Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by US intelligence officials, according to people familiar with the matter.

The company complied with a classified US government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a US internet company agreeing to a spy agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters.

That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

"Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand.

Yahoo declined any further comment.

Through a Facebook spokesman, Mr Stamos declined a request for an interview.

The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company's legal team, according to the three people familiar with the matter.

US phone and internet companies are known to have handed over bulk customer data to intelligence agencies.

But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time web collection or one that required the creation of a new computer program.
Email:            PGP key: AF7C8C3B
I'm OK with that too be honest

Sent from my X5pro using Tapatalk
Often the sheep do not like the sheepdog,  until the wolf comes.  Then the sheep try to hide behind the sheepdog, begging for his protection.
At least Yahoo finally managed to get search working :-)

To be fair Yahoo are saying they don't, and that they only do the minimum as required by national security letters. I would take a very good guess that gmail, microsoft etc all do the exact same as Yahoo. The article alleging the searching was pretty vague and a bit wishy washy technically aswell. Basically anything you send over the internet unencrypted will be read by NSA/GCHQ, even some encrypted stuff...
Who cares really? It's not like they are interested in the shit that I send. If it leads to info on an potential attack then it's done it's job. People need to remember the type of person that the security services are up against. - Home of the real emergency service personnel.
Pretty traumatic seeing m4j's emails and searches

Sent from my X5pro using Tapatalk
Often the sheep do not like the sheepdog,  until the wolf comes.  Then the sheep try to hide behind the sheepdog, begging for his protection.
(05-10-2016, 07:10 PM)foreign Wrote: Who cares really? It's not like they are interested in the shit that I send. If it leads to info on an potential attack then it's done it's job. People need to remember the type of person that the security services are up against.

Anybody actually communicating as part of a terror threat is going to use encrypted e-mail or some other service.  But it is also important that people realise that everything they send by e-mail is in clear view and can be intercepted by anybody unless it is encrypted.  How many times have you sent personal stuff between work and home e-mail addresses?  For example, sending a credit card statement to yourself so that you can put in an expenses claim?  Anybody could potentially gain access to that email with your credit card details, not just security services.

It came out today that the Yahoo / NSA app had a vulnerability that meant that it could also be hacked by external sources.

Also, supposedly their Chief Information Security Officer resigned when he discovered that Yahoo had developed this function.
Email:            PGP key: AF7C8C3B