“But the ISPs aren’t just using pro-competitive rhetoric to argue about ’concentration in #DNS.' They’re also claiming that DNS-over-HTTPS [#DoH] will put them at a competitive disadvantage in the market of spying on America and selling its secrets to all comers, a market that should not exist and that your ISP should not be in the business of.”
Switching from #bcrypt to SHA2 may save your CPU…and your sanity!
Here’s the reality, billions of credentials have been leaked or stolen and are now easily downloaded online by anyone. Many of these databases of identities include passwords in plain text, while others are one-way hashed. One-way hashing is better (we’ll get to why in a second), but it is only as secure as is mathematically feasible. Let’s take a look at one-way hashing algorithms and how computers handle them.
Hashing
A hash by definition is a function that can map data of an arbitrary size to data of a fixed size. SHA2 is a hashing algorithm that uses various bit-wise operations on any number of bytes to produce a fixed sized hash. For example, the #sha-256 algorithm produces a 256 bit result. The algorithm was designed specifically so that going from a hash back to the original bytes is (...)
Why are we (still) sending so much web traffic unencrypted over the Internet?
Image credit: Bernard Hermant from Unsplash
It’s 2019 and, still, around 25% of websites on the Internet are visited without #encryption. Let’s look at why.
This is Part 2 of a three-part series on public Wi-Fi insecurity. In Part 1, I showed how easily, even today, a hacker could victimize users of public Wi-Fi networks. I created a tool to catch a glimpse of how prevalent potentially-insecure activities occur on public Wi-Fi, and compared results to a similar report from Google.
The results were consistently bleak: about a quarter of all website visits occur without the use of HTTPS.
I was curious why there would be so much traffic over ol’ unencrypted HTTP, but that required actually inspecting packets at a deeper level. I decided jail didn’t sound like fun; so, back at home, I set up a little (...)
Can We End Data Exploitation in #google and #facebook?
One Company Believes They Can
In the age of WhatsApp, Signal, and other messaging apps, questions over data security or sharing have arisen. True, apps like WhatsApp and Signal boast end to end #encryption, chances are your data is being used in a variety of ways.
One indication that WhatsApp (owned by the now bad boy of user data - Facebook) utilizes its users’ data is that it has rolled out an ads platform. If data was not being culled from messages to enhance targeting I think I and many others would be shocked.
But It’s Encrypted — So Why Are You Worrying?
WhatsApp and Signal and Google may be encrypted between sender and receiver, but the data is actually stored on the phone and this data is not encrypted, which leaves a back door to either the app itself using the data to sell to others or (...)
What’s Shor’s Algorithm? (Quantum Computing Weekly News for Dec 11 2018)
This is a syndicated version of my weekly e-mail round-up of news about Quantum Computing. Visit the homepage to subscribe to updates and check out previous issues.
Hi there, and thank you for taking a look at lucky issue #7!
Last week we had a great profile on Anastasia Marchenkova, and I highly recommend checking it out if you missed it, and I’m excited to say that we already have a new guest lined up for January!
Looking for a particular area of quantum computing you’d like to see covered in the next issue? Ping me and let me know!
Tiny Fact of the week
What’s this Shor’s algorithm thing I keep on hearing about? In short, it’s a quantum algorithm which is able to answer a very computationally difficult question relatively (...)
Source: Progress Software.
Does paying a ransom sound like something from out of a movie? People may tend to associate ransoms with people being kidnapped. However, the threat of ransom malware, or ransomware, is a real one ravaging the web today.
Ransomware is any dangerous virus which can attack and encrypt the files on a PC or within an entire network, transcoding the files so that they become inaccessible to the creators. At this point in the process, the victim knows something has happened, and the cybercriminal demands a ransom for allowing the victim access to his lost files which are being held hostage by the user of the malware.
Once hacked, the odds for the victim reobtaining control of his files and/or device without paying the cybercrook are not too good. The dilemma is overly (...)
The default #OpenSSH #key #encryption is worse than plaintext
That’s a fair argument to say that standard password-encrypted keys are about as good as plaintext: the encryption is ineffective. But I made a stronger statement: it’s worse.
How do you fix this? OpenSSH has a new key format that you should use. “New” means 2013. This format uses bcrypt_pbkdf, which is essentially bcrypt with fixed difficulty, operated in a PBKDF2 construction. Conveniently, you always get the new format when generating Ed25519 keys, because the old SSH key format doesn’t support newer key types. That’s a weird argument: you don’t really need your key format to define how Ed25519 serialization works since Ed25519 itself already defines how serialization works. But if that’s how we get good KDFs, that’s not the pedantic hill I want to die on. Hence, one answer is ssh-keygen -t ed25519. If, for compatibility reasons, you need to stick to RSA, you can use ssh-keygen -o. That will produce the new format, even for old key types. You can upgrade existing keys with ssh-keygen -p -o -f PRIVATEKEY. If your keys live on a Yubikey or a smart card, you don’t have this problem either.
Note: gnome-keyring (versions below 3.28) does not handle this type of key, see:
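To find which existing private keys still sit in the old container, the sketch below reads a key file's text and reports its format, cipher and KDF; it is an added example, not code from the quoted article or from OpenSSH. The header layout follows OpenSSH's PROTOCOL.key document, and the function names and both sample inputs are constructed for illustration (header-only, no real key material).

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"   # start of every new-format private key blob
LEGACY_TYPES = ("RSA", "DSA", "EC")   # key types the old PEM format can hold

def _ssh_string(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def classify(text):
    """Return container format, cipher, KDF and rounds for a private key file."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    head = lines[0] if lines else ""
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(MAGIC))
        kdf, off = _ssh_string(blob, off)
        opts, off = _ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":   # kdfoptions = string salt, uint32 rounds
            _salt, pos = _ssh_string(opts, 0)
            (rounds,) = struct.unpack_from(">I", opts, pos)
        return {"format": "new", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "upgrade": False}
    if head in {f"-----BEGIN {t} PRIVATE KEY-----" for t in LEGACY_TYPES}:
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        dek = next((l.split(":", 1)[1].split(",")[0].strip()
                    for l in lines if l.startswith("DEK-Info:")), "none")
        # Old PEM container: re-wrap with `ssh-keygen -p -o -f FILE`.
        return {"format": "legacy-pem", "cipher": dek if encrypted else "none",
                "kdf": None, "rounds": None, "upgrade": True}
    return {"format": "unknown", "cipher": None, "kdf": None,
            "rounds": None, "upgrade": False}

def _pack(b):
    return struct.pack(">I", len(b)) + b

def sample_new(kdf=b"bcrypt", rounds=16):
    """Constructed header-only blob (no key material) in the new format."""
    opts = _pack(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    cipher = b"aes256-ctr" if kdf == b"bcrypt" else b"none"
    blob = MAGIC + _pack(cipher) + _pack(kdf) + _pack(opts)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy sample: headers only, the body is not a real key.
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 "AAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("new+bcrypt", sample_new()),
                       ("new, no passphrase", sample_new(b"none")),
                       ("legacy", SAMPLE_LEGACY)]:
        print(name, classify(text))
```

Only the first text lines and the unencrypted header fields are read, so the check needs no passphrase and never touches the private key itself.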
Exploring Decentralization With Homomorphic #encryption
We live in a world where data is the new oil, distributed systems and heterogeneous networking are becoming the norm of modern software industry. It is estimated that on average we generate around 2.5 quintillion bytes of data per day. A report by Cisco predicts the following:
● By 2020, the gigabyte (GB) equivalent of all movies ever made will cross the global Internet every 2 minutes.
● Globally, IP traffic will reach 511 terabits per second (Tbps) in 2020, the equivalent of 142 million people streaming Internet high-definition (HD) video simultaneously, all day, every day.
● Global IP traffic by 2020 will be equivalent to 504 billion DVDs per year, 42 billion DVDs per month, or 58 million DVDs per hour.
Cisco also updated their Global consumer web, email, data traffic prediction for (...)
French government will use Matrix Riot to replace Whatsapp
According to a recent report, the French government is currently developing an end-to-end encrypted alternative to WhatsApp and Telegram that its officials could use without worrying about foreign spying. Although the French government’s spokesperson said that the government’s app will be ...
Managing #encryption Keys With #aws KMS In Node.js
itsgoingdown.org
Security is very important when developing applications. How do you encrypt data and manage encryption keys in your application? Successful key management is critical to the #security of a cryptosystem. This is where KMS’s come into play. Let’s first see what a KMS really is.
Key Management System (KMS)
According to Wikipedia,
A key management system (KMS), also known as a cryptographic key management system (CKMS), is an integrated approach for generating, distributing and managing cryptographic keys for devices and applications. Compared to the term key management, a KMS is tailored to specific use-cases such as secure software update or machine-to-machine communication. In an holistic approach, it covers all aspects of security — from the secure generation of keys over the (...)
What does #privacy mean on a public blockchain?
Strict new laws have come into effect for organisations dealing with personal data. What does that mean for businesses that store information on transparent, open and permanent ledgers?
News of Cambridge Analytica’s misappropriation of data from some 87 million Facebook users has brought the issue of data protection squarely back into the spotlight. For years, consumers have effectively traded personal data for online services: data is considered the ‘oil’ of the internet, and the users of social networks, e-commerce platforms and almost every other free service have upheld this tacit bargain.
In the last few weeks, we have seen where this leads — where, in fact, it was always and inevitably going to lead. It has become abundantly clear what the price of our personal data might be: freedom and (...)
I am creating a social network to replace #facebook
No, really. I’m serious.
When I tell my friends and family that I am working on a social network to replace Facebook, the most common response I get is: “Oh, well, that’s modest!” It’s definitely not a modest goal, but I believe this is what is needed in the world today. And it’s one thing I actually know how to do, which I believe will help make the world better. How can I not try?
Note written to myself on the bulletin board by my desk. (CC BY-SA Robert Guinness)
Let me give you a bit of background. I became a Facebook user sometime in the spring of 2004 when it was still in its early days. At the time, I was Facebook’s biggest fan. Well, one of its biggest fans, at least. Actually, before I could even join, I emailed Zuckerberg and asked him what I could do to help bring a Facebook site to (...)
Any trust we ever had in the network is gone - pervasive #encryption is now the norm. The network is deprived of user data but users are still beholden to third parties: in practice they now trust the endpoints, who are subject to the same temptations that the network once was.
IBM want to encrypt everything
Data breaches and exposures all invite the same lament: if only the compromised data had been encrypted. Bad guys can only do so much with exfiltrated data, after all, if they can’t read any of it. Now, IBM says it has a way to encrypt every level of a network, from applications to local databases and cloud services, thanks to a new mainframe that can power 12 billion encrypted transactions per day.
The IBM Z mainframe locks data down with public 256-bit AES encryption—the same robust protocol used in the ubiquitous SSL and TLS web encryption standards, and trusted by the US government for protecting classified data. But the company’s breakthrough lies less in quality than it does quantity. Thanks to some proprietary on-chip processing hardware, IBM Z can encrypt up to 13 gigabytes of data per second per chip, with roughly 24 chips per mainframe, depending on the configuration.
You and your contacts keep complete control of your data, but you needn’t set up your own computer server in order to do so. Plus, you can send messages without even connecting to the internet. Using Briar, you can send messages over Bluetooth, a shared WiFi connection, or even a shared USB stick. That could be a big advantage for people in places where internet connections are unreliable, censored, or non-existent.
Briar is the work of computer scientist Michael Rogers, security expert Eleanor Saitta, interaction designer Bernard Tyers, software engineer Ximin Luo, and a few other volunteers.
Five Eyes nations stare menacingly at tech biz and its encryption • The Register
Officials from the United States, the United Kingdom, Canada, Australia and New Zealand will discuss next month plans to force tech companies to break #encryption on their products.
Will there be people at #Fosdem 2017 this weekend?
#Bruxelles #Brussels #logiciel #libre #Architectures #Building #Cloud #Documentation #Security #Encryption #Kubernetes #Lua #Ruby #Python #Qt #Go #Valgrind #Perl #Linux #BSD #Java #MySQL #Mozilla #GNU
Over 150 filmmakers and photojournalists call on major camera manufacturers to build encryption into their cameras
Including Laura Poitras, Alex Gibney and Joshua Oppenheimer.
We, the undersigned documentary filmmakers and photojournalists, are writing to urge your company to build encryption features into your still photo and video camera products. These features, which are currently missing from all commercial cameras on the market, are needed to protect our safety and security, as well as that of our sources and subjects worldwide.
Without encryption capabilities, photographs and footage that we take can be examined and searched by the police, military, and border agents in countries where we operate and travel, and the consequences can be dire.
Poitras, who is on the board of directors for the FPF, somewhat famously had to destroy some of the SD cards she used when filming Edward Snowden for her Citizenfour documentary. While there are encrypted hard drives and even USB sticks, cameras (and the memory cards they use) don’t have built-in file protection. That means a journalist or filmmaker’s work is in jeopardy if those things get confiscated at any point in the time between shooting and storing those files.
A coalition of photographers calls for encryption on cameras
Researchers from Google develop AI that designs its own form of encryption
Researchers from the deep learning project Google Brain are working on artificial intelligence that is capable of creating its own form of AI-generated and human-independent encryption. The neural networks can autonomously encrypt and decrypt information.
According to a research paper, Martín Abadi and David G. Andersen from Google have designed three neural networks named Alice, Bob and Eve. The researchers assigned each AI a different task. Alice had to send an encrypted message to Bob that only Bob could read. Meanwhile Eve had to figure out how to intercept and decode this message.
The experiment started with a plain-text message that Alice encrypted. Over the course of 15,000 attempts the neural network was able to design its own encryption strategy. Bob simultaneously figured out how to decrypt this same message. The message could not be deciphered by Eve.
Learning to Protect Communications with Adversarial Neural Cryptography
(Martín Abadi, David G. Andersen (Google Brain))
France wants to launch an international initiative against encryption
In the name of the fight against terrorism, Interior Minister Bernard Cazeneuve announced yesterday that France wished to launch a European initiative against the encryption of communications. The government hopes its proposals will resonate worldwide. For that, it is counting on Germany's support.
it's party time...
Limiting encryption - Yes, and so what?
I don't feel like elaborating, you probably already know all this:
encryption is necessary to have even a tiny bit of privacy; it is a pillar of Western democracies, and denying people the right to private correspondence is a hallmark of totalitarian regimes;
encryption that is not end-to-end is useless, except as a bit of decoration (the spying happens on the servers; if it is not encrypted end to end, then it is in the clear on the servers);
banning encryption will not hinder terrorists who want to use it (their crime is terrorism; the fine for using a banned application, they couldn't care less about);
it will give anyone who knows how to install an end-to-end encryption application a very high level of social recognition in circles that reject today's society, a bit like a first stint in prison is valued among delinquents, in spirit;
the supposed ban will therefore simply be an agreement with the companies that develop the best-known applications so that those applications store copies accessible to the police; as a result, all the world's spies will be able to quietly carry out economic espionage.
Any analysis that relies on the idea that our ministers are idiots is invalid. Any analysis that relies on their being incompetent, or poorly informed, is trying to find them an excuse that is not the right one.
If the French government does now want backdoors added, it will be against the advice of its own National Agency for Information System Security. In a letter published by French newspaper Libération, the agency’s director general Guillaume Poupard warned the government against demanding crypto backdoors. As Next Inpact reported, he said this would have a “disastrous effect” on computer security.
Which shows the inability and lack of understanding of encryption: wanting to store and decrypt information that would be encoded when there is not the slightest policy for French sites that use Facebook, Google and the like without ever understanding the consequences, handing the NSA and the American economy a continuous stream of information about their users. Encryption is also an economic necessity, but these idiots have not understood that yet. It reminds me of when the Americans had a contract to manage the EEC's computers, what a joke.
Encryption under fire in Europe as France and Germany call for decrypt law
While referencing the importance of encryption for lawful activity such as protecting financial transactions, Cazeneuve singled out certain comms apps that make use of end-to-end encryption as problematic for security services — name-checking the Telegram app specifically. (Although it’s worth noting that Telegram only uses e2e encryption for a ‘secret chats’ feature; other messaging apps, such as WhatsApp, have rolled out e2e encryption as the default for all comms.)
“What we are saying, however, is that exchanges more systematic operated via some applications, such as Telegram, must be able, as part of court proceedings — and I stress this — to be identified and used as evidence by the investigation and magistrates services,” said Cazeneuve.
He noted that some Internet companies are co-operating with European security services that request access to their user data but flagged Telegram as a company where state security agencies have “no contact”.
Telcos are lobbying for the law to be expanded to encompass Internet companies. Even as security agencies are pushing for backdoors into encryption. Leaving data protection advocates to point out the folly of risking the security of all users…
Google tests Chrome (Canary) TLS connections with post-quantum cryptography
Today we’re announcing an experiment in Chrome where a small fraction of connections between desktop Chrome and Google’s servers will use a post-quantum key-exchange algorithm in addition to the elliptic-curve key-exchange algorithm that would typically be used.
Google Chrome Adds Anti-Tampering System to Fend Off Quantum Computing Attacks
Bruce Schneier comment
Consider this an opportunity to advance our cryptographic knowledge, not an offer of a more-secure encryption option.