technology:encryption

  • Why You Should Never Save #passwords on #chrome or Firefox
    https://hackernoon.com/why-you-should-never-save-passwords-on-chrome-or-firefox-96b770cfd0d0?so

    Extracting Your Passwords in Cleartext with 12 Lines of CodeIn this article I will demonstrate how easy it is for hackers to extract every username and password saved on your Chrome profile. One would think that Chrome would have safety measures to encrypt your password, but apparently that is not the case — sorta. My Chrome profile, like many others, is set up so that there is another encryption password that I have to enter in order to sync all my passwords, bookmarks, settings, browser history, and etc. so it was pretty shocking to me how easy it was for me to extract and decrypt my passwords. Twelve lines of code easy.Demonstration and Proof of ConceptBefore we get started, I should mention that I have not tested this on macOS or any Linux distributions. To replicate this demonstration, (...)

    #identity-theft #security #cybersecurity


  • Facebook stored hundreds of millions of passwords unprotected
    https://www.theguardian.com/technology/2019/mar/21/facebook-admits-passwords-unprotected

    Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted. The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile (...)

    #Facebook #données


  • Switching from #bcrypt to SHA2 may save your CPU…and your sanity!
    https://hackernoon.com/switching-from-bcrypt-to-sha2-may-save-your-cpu-and-your-sanity-80673376

    Here’s the reality, billions of credentials have been leaked or stolen and are now easily downloaded online by anyone. Many of these databases of identities include passwords in plain text, while others are one-way hashed. One-way hashing is better (we’ll get to why in a second), but it is only as secure as is mathematically feasible. Let’s take a look at one-way hashing algorithms and how computers handle them.HashingA hash by definition is a function that can map data of an arbitrary size to data of a fixed size. SHA2 is a hashing algorithm that uses various bit-wise operations on any number of bytes to produce a fixed sized hash. For example, the #sha-256 algorithm produces a 256 bit result. The algorithm was designed specifically so that going from a hash back to the original bytes is (...)

    #password-hashing #encryption #security


  • How #whatsapp’s #security Mechanism Stands Out From Other Encryptions
    https://hackernoon.com/how-whatsapps-security-mechanism-stands-out-from-other-encryptions-6dd4b

    “It is found that WhatsApp security is the highest-notch of encryption that doesn’t allow hackers to glide into individual and group chats”The world’s largest messaging app in terms of the user base has updated its security feature “End-to-End Encryption” for its 1 billion users worldwide. WhatsApp encompasses tricky elements of security ranges where the encryption for group chatting and individual is quite hard and trickiest encryption.When WhatsApp added the highest degree of security, it raised to encounter the privacy of digital communication worldwide.The History of Encryption at a GlanceWhatsApp rolled out the information that it has joined “Facebook” in the year 2014 which turned to be one of the most historic changes that a social application experienced.Later, in the year 2016, (...)

    #end-to-end-encryption #whatsapp-security #chat-security


  • A Privacy-Focused Vision for Social Networking | Mark Zuckerberg, Facebook, 6 mars 2019
    https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634

    Over the last 15 years, Facebook and Instagram have helped people connect with friends, communities, and interests in the digital equivalent of a town square. But people increasingly also want to connect privately in the digital equivalent of the living room. As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today’s open platforms. Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks.

    Today we already see that private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication. There are a number of reasons for this. Many people prefer the intimacy of communicating one-on-one or with just a few friends. People are more cautious of having a permanent record of what they’ve shared. And we all expect to be able to do things like payments privately and securely.

    Public social networks will continue to be very important in people’s lives — for connecting with everyone you know, discovering new people, ideas and content, and giving people a voice more broadly. People find these valuable every day, and there are still a lot of useful services to build on top of them. But now, with all the ways people also want to interact privately, there’s also an opportunity to build a simpler platform that’s focused on privacy first.

    I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services, and we’ve historically focused on tools for more open sharing. But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.

    I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever. This is the future I hope we will help bring about.
    We plan to build this the way we’ve developed WhatsApp: focus on the most fundamental and private use case — messaging — make it as secure as possible, and then build more ways for people to interact on top of that, including calls, video chats, groups, stories, businesses, payments, commerce, and ultimately a platform for many other kinds of private services.

    This privacy-focused platform will be built around several principles:
    Private interactions. People should have simple, intimate places where they have clear control over who can communicate with them and confidence that no one else can access what they share.
    Encryption. People’s private communications should be secure. End-to-end encryption prevents anyone — including us — from seeing what people share on our services.

    Reducing Permanence. People should be comfortable being themselves, and should not have to worry about what they share coming back to hurt them later. So we won’t keep messages or stories around for longer than necessary to deliver the service or longer than people want them.

    Safety. People should expect that we will do everything we can to keep them safe on our services within the limits of what’s possible in an encrypted service.

    Interoperability. People should be able to use any of our apps to reach their friends, and they should be able to communicate across networks easily and securely.

    Secure data storage. People should expect that we won’t store sensitive data in countries with weak records on human rights like privacy and freedom of expression in order to protect data from being improperly accessed.

    Over the next few years, we plan to rebuild more of our services around these ideas. The decisions we’ll face along the way will mean taking positions on important issues concerning the future of the internet. We understand there are a lot of tradeoffs to get right, and we’re committed to consulting with experts and discussing the best way forward. This will take some time, but we’re not going to develop this major change in our direction behind closed doors. We’re going to do this as openly and collaboratively as we can because many of these issues affect different parts of society.

    Résumé en français : « Mark Zuckerberg veut recentrer Facebook sur les échanges privés » https://www.lesechos.fr/tech-medias/hightech/0600849596938-mark-zuckerberg-veut-recentrer-facebook-sur-les-echanges-priv

    • « Welcome to Mark Zuckerberg’s information ghetto », lis-je dans la « Fake Newsletter » de Buzzfeed :

      (…) More than anything, though, I think it’s a response to the central problem that has plagued Facebook for years: Its scale. More than two billion people log into it every month, all around the world. They upload and interact with more content than humanity ever conceived of creating.

      Zuckerberg and his leadership team may have come to the realization that they achieved a truly unmanageable scale.

      They need to find ways to offer people value (and keep them on them platform) while reducing the overall amount of what I’ll call Addressable Content. This is content that’s publicly accessible on Facebook and could require review by a content moderator, or be the subject of takedown requests from governments or other entities.

      Addressable Content costs Facebook money and can result in regulation, harm to moderators, public outcry, and lawsuits.

      Zuckerberg’s new focus will reduce the total amount of Addressable Content by enabling content that disappears, that is encrypted end to end, and that only reaches a small group of people.

      Facebook will still have huge amounts of public content, and it will always need moderators. But by shifting content production and interaction out of more public spaces on the platform, the company can get its costs and controversies under control. It can manage its scale, while still collecting a motherlode of data on its users and serving them ads.

      Zuck’s plan could be a great business solution, unlocking more growth for Facebook at a time when one can reasonably wonder how, without access to China, it can continue to grow.

      But it’s also a solution that will push all that false, conspiratorial, violent, harmful, and hateful content off into information ghettos where journalists, researchers, and watchdogs will have a much more difficult time finding it and calling it out. — Craig

      Encore des articles sur la #modération (une partie du #CM)

      The secret lives of Facebook moderators in America
      https://www.theverge.com/2019/2/25/18229714/cognizant-facebook-content-moderator-interviews-trauma-working-conditions-

    • Facebook’s pivot to privacy is missing something crucial https://www.wired.com/story/facebook-zuckerberg-privacy-pivot

      Zuckerberg listed six privacy principles, but there was one glaring omission: He said nothing about how Facebook plans to approach data sharing and ad targeting in this privacy-focused future. The free flow of data between Facebook and third-party developers is, after all, the issue that caused the jaws of the national media to snap onto the company’s leg. One year ago this month, news broke that a man named Aleksandr Kogan had misappropriated the data of tens of millions of users and sent it to a shady political consulting firm called Cambridge Analytica. It soon became clear that Cambridge Analytica was not alone and that Facebook had allowed thousands of developers to collect data for years.

      The company’s loose policies on data collection over the years are also what allowed it to build one of the most successful advertising businesses in history. All the data the company collects helps advertisers segment and target people. And it’s the relentless pursuit of that data that has led to Facebook being accused of making inappropriate deals for data with device manufacturers and software partners. This is a history that Zuckerberg knows well, and one that he acknowledged in his post. “I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform—because frankly we don’t currently have a strong reputation for building privacy protective services,” he wrote.


  • Mark Zuckerberg’s Plans to Capitalize on Facebook’s Failures | The New Yorker
    https://www.newyorker.com/tech/annals-of-technology/mark-zuckerbergs-plans-to-capitalize-on-facebooks-failures

    On Wednesday, a few hours before the C.E.O. of Facebook, Mark Zuckerberg, published a thirty-two-hundred-word post on his site titled “A privacy-focused vision for social networking,” a new study from the market research firm Edison Research revealed that Facebook had lost fifteen million users in the United States since 2017. “Fifteen million is a lot of people, no matter which way you cut it,” Larry Rosin, the president of Edison Research, said on American Public Media’s “Marketplace.” “This is the second straight year we’ve seen this number go down.” The trend is likely related to the public’s dawning recognition that Facebook has become both an unbridled surveillance tool and a platform for propaganda and misinformation. According to a recent Harris/Axios survey of the hundred most visible companies in the U.S., Facebook’s reputation has taken a precipitous dive in the last five years, with its most acute plunge in the past year, and it scores particularly low in the categories of citizenship, ethics, and trust.

    While Zuckerberg’s blog post can be read as a response to this loss of faith, it is also a strategic move to capitalize on the social-media platform’s failures. To be clear, what Zuckerberg calls “town square” Facebook, where people post updates about new jobs, and share prom pictures and erroneous information about vaccines, will continue to exist. (On Thursday, Facebook announced that it would ban anti-vaccine advertisements on the site.) His new vision is to create a separate product that merges Facebook Messenger, WhatsApp, and Instagram into an encrypted and interoperable communications platform that will be more like a “living room.” According to Zuckerberg, “We’ve worked hard to build privacy into all our products, including those for public sharing. But one great property of messaging services is that, even as your contacts list grows, your individual threads and groups remain private. As your friends evolve over time, messaging services evolve gracefully and remain intimate.”

    This new Facebook promises to store data securely in the cloud, and delete messages after a set amount of time to reduce “the risk of your messages resurfacing and embarrassing you later.” (Apparently, Zuckerberg already uses this feature, as Tech Crunch reported, in April, 2018.) Its interoperability means, for example, that users will be able to buy something from Facebook Marketplace and communicate with the seller via WhatsApp; Zuckerberg says this will enable the buyer to avoid sharing a phone number with a stranger. Just last week, however, a user discovered that phone numbers provided for two-factor authentication on Facebook can be used to track people across the Facebook universe. Zuckerberg does not address how the new product will handle this feature, since “town square” Facebook will continue to exist.

    Once Facebook has merged all of its products, the company plans to build other products on top of it, including payment portals, banking services, and, not surprisingly, advertising. In an interview with Wired’s editor-in-chief, Nicholas Thompson, Zuckerberg explained that “What I’m trying to lay out is a privacy-focused vision for this kind of platform that starts with messaging and making that as secure as possible with end-to-end encryption, and then building all of the other kinds of private and intimate ways that you would want to interact—from calling, to groups, to stories, to payments, to different forms of commerce, to sharing location, to eventually having a more open-ended system to plug in different kinds of tools for providing the interaction with people in all the ways that you would want.”

    L’innovation vient maintenant de Chine, en voici une nouvelle mention

    If this sounds familiar, it is. Zuckerberg’s concept borrows liberally from WeChat, the multiverse Chinese social-networking platform, popularly known as China’s “app for everything.” WeChat’s billion monthly active users employ the app for texting, video conferencing, broadcasting, money transfers, paying fines, and making medical appointments. Privacy, however, is not one of its attributes. According to a 2015 article in Quartz, WeChat’s “heat map” feature alerts Chinese authorities to unusual crowds of people, which the government can then surveil.

    “I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever,” Zuckerberg tells us. “This is the future I hope we will help bring about.” By announcing it now, and framing it in terms of privacy, he appears to be addressing the concerns of both users and regulators, while failing to acknowledge that a consolidated Facebook will provide advertisers with an even richer and more easily accessed database of users than the site currently offers. As Wired reported in January, when the merger of Facebook’s apps was floated in the press, “the move will unlock huge quantities of user information that was previously locked away in silos.”

    Le chiffrage des messages est loin d’être une panacée pour la vie privée, ni pour la responsabilité sociale des individus.

    Zuckerberg also acknowledged that an encrypted Facebook may pose problems for law enforcement and intelligence services, but promised that the company would work with authorities to root out bad guys who “misuse it for truly terrible things like child exploitation, terrorism, and extortion.” It’s unclear how, with end-to-end encryption, it will be able to do this. Facebook’s private groups have already been used to incite genocide and other acts of violence, suppress voter turnout, and disseminate misinformation. Its pivot to privacy will not only give such activities more space to operate behind the relative shelter of a digital wall but will also relieve Facebook from the responsibility of policing them. Instead of more—and more exacting—content moderation, there will be less. Instead of removing bad actors from the service, the pivot to privacy will give them a safe harbor.

    #facebook #Cryptographie #Vie_privée #Médias_sociaux #Mark_Zuckerberg


  • CounterMail - protecting your privacy - encrypted pgp email webmail
    https://countermail.com

    CounterMail is a secure and easy to use online email service, designed to provide maximum security and privacy without any unnecessary complexity.

    You can access your email account at any time, from anywhere in the world. Your account will always be encrypted and anonymous.

    An Interview with Simon Persson - Founder of Secure Email Provider CounterMail - Unfinished ManUnfinished Man
    https://www.unfinishedman.com/interview-simon-persson-founder-countermail-secure-email-provider

    We are under Swedish jurisdiction and swedish laws, Sweden still have better privacy laws than many other countries
    We don’t log IP-addresses
    You can pay anonymously if you follow our instructions, or simply just use Bitcoin
    Incoming email will be encrypted to your public key, which means no emails will be stored as plaintext on our server, only in encrypted format
    Web based OpenPGP encryption with no possibility to disable the end-to-end encryption, passwords and decrypted texts is never sent to our server
    We have an USB-key option, which gives you two factor authentication, and increased protection
    Our webmail server do not have any hard drives, only CD-ROM, which means no “leakage” to any hard drive is possible
    Our customers never have any direct connection to our mailserver, regardless how they connect to their account, IMAP/SMTP/webmail always connects to a diskless server (tunnel)
    You can delete the private key from our server (but we recommend this only for advanced users, your private key is always encrypted on our server anyway)
    We have an additional encryption layer to protect against man-in-the-middle attacks

    If anyone can find any other established provider that have all our privacy and security features, we will give that person $10k as a reward!

    #sécurité #vie_privée #email


  • Quantum Computing — Can Blockchain be Hacked?
    https://hackernoon.com/quantum-computing-can-blockchain-be-hacked-19c2ec7bac85?source=rss----3a

    Quantum Computing — Can Blockchain be Hacked?“Cryptography is the field concerned with linguistic and mathematical techniques for securing information, particularly in communications” and the security characteristic of Distributed Ledger Technology. Quantum computers have long been dubbed as the Achilles’ heel of Bitcoin and the whole cryptocurrency industry. Due to their overwhelming advantage in computing speed, quantum computers could theoretically be used to disrupt the activity not only of a decentralized system or a blockchain but of any software using any kind of encryption.In Germany, you probably call that ‘Bauernfänger’ (since in Germany we have a single word for almost everything), in English perhaps ‘hornswoggle people’s attention by plotting an attention-grabbing headline’ or (...)

    #distributed-ledgers #legacy-systems #quantum-computing #quantum-computer #quantum-computing-hacks


  • KDE is adding Matrix to its IM framework | KDE.news
    https://dot.kde.org/2019/02/20/kde-adding-matrix-its-im-framework

    However, our search for a better solution has finally come to an end: as of today we are officially using Matrix for collaboration within KDE! Matrix is an open protocol and network for decentralized communication, backed by an open standard and open source reference implementations for servers, clients, client SDKs, bridges, bots and more. It provides all the features you’d expect from a modern chat system: infinite scrollback, file transfer, typing notifications, read receipts, presence, search, push notifications, stickers, VoIP calling and conferencing, etc. It even provides end-to-end encryption (based on Signal’s double ratchet algorithm) for when you want some privacy.


  • JSON Web Tokens (JWT) Demystified
    https://hackernoon.com/json-web-tokens-jwt-demystified-f7e202249640?source=rss----3a8144eabfe3-

    JSON Web Token (JWT, often pronounced “jot”) is a powerful tool for confidently transmitting data between two parties through tokens. These parties can consist of users, servers, or any other combination of services. Based on an open standard (RFC-7519), JWTs are digitally signed with an encryption algorithm, so the receiving party can trust the information contained within. In computer #security this concept is known as Data Integrity.One main benefit of using a #jwt is that it’s very compact (assuming the issuer uses JWS Compact Serialization, which is recommended). They are generally small enough to be sent through a POST request, in an HTTP Header, or even as a query string within a URL. However, the more claims you add to a JWT, the more bloated it becomes. You could theoretically (...)

    #coding #json-web-token #nodejs


  • Asymmetric #cryptography In Blockchains
    https://hackernoon.com/asymmetric-cryptography-in-blockchains-d1a4c1654a71?source=rss----3a8144

    Asymmetric cryptography, also known as public-key cryptography, is one of the key components of #blockchain technology. This form of cryptography allows everyone to verify the integrity of transactions, protect funds from hackers and much more. But how does it work?What is asymmetric cryptography?To understand asymmetric cryptography it is important to first understand the meaning of cryptography.Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. Encryption is a key concept in cryptography — It is a process whereby a message is encoded in a format that cannot be read or understood by an eavesdropper. The technique is old and was first used by Caesar to (...)

    #crypto #cryptocurrency #security


  • Can We End Data Exploitation in #google and #facebook?
    https://hackernoon.com/can-we-end-data-exploitation-in-google-and-facebook-7ee3ba888ea9?source=

    One Company Believes They CanIn the age of WhatsApp, Signal, and other messaging apps, questions over data security or sharing have arisen. True, apps like WhatApp and Signal boast end to end #encryption, chances are your data is being used in a variety of ways.One indication that WhatsApp (owned by the now bad boy of user data -Facebook) utilizes its users’ data is that it has rolled out an ads platform. If data was not being culled from messages to enhance targeting I think I and many others would be shocked.But It’s Encrypted — So Why Are You Worrying?WhatsApp and Signal and Google may be encrypted between sender and receiver, but the data is actually stored on the phone and this data is not encrypted, which leaves a back door to either the app itself using the data to sell to others or (...)

    #end-data-exploitation #privacy


  • Why Signal and not Threema ? : signal
    https://www.reddit.com/r/signal/comments/852qor/why_signal_and_not_threema

    Signal is open source, Threema is not, so that disqualifies Threema as a secure app in my opinion. You could as well continue using WhatsApp since it’s also end to end encrypted but closed source. Wire is another great alternative, and it’s German.

    Hacker erklären, welche Messenger-App am sichersten ist - Motherboard
    https://motherboard.vice.com/de/article/7xea4z/hacker-erklaren-welche-messenger-app-am-sichersten-ist


    C’est en allemand, mais c’est valable sans égard de la langue que vous utilisez pour votre communication.
    – La communication sécurisée en ligne doit obligatoirement passer par une app et un prootocole open source.
    – Il vous faut un système qui exclue ou rend très difficile la collection de métatdonnées par des tiers.
    – Votre système de communication « voice » et « chat » doit fonctionner avec des clients smartphome et desktop si vous voulez entretenir un fil de commmunication indépendamment du type d’appareil à votre disposition.

    Passons sur les exigences plus poussées, je ne vois que Signal qui satisfait tous ces besoins. Après on peut toujours utiliser plusieurs « messenger apps » afin de rester au courant des « updates » de tout le monde - à l’exception des apps de Facebook (Whatsapp), Wechat et Google parce que leur utilistion constitue une menace de votre vie privée simplement par l’installation sur votre portable.

    Roland Schilling (33) und Frieder Steinmetz (28) haben vor sechs Jahren begonnen, an der TU Hamburg unter anderem zu dieser Frage zu forschen. In einer Zeit, als noch niemand den Namen Edward Snowden auch nur gehört hatte, brüteten Schilling und Steinmetz bereits über die Vor- und Nachteile verschiedener Verschlüsselungsprotokolle und Messenger-Apps. So haben sie beispielsweise im vergangenen Jahr geschafft, die Verschlüsselung von Threema per Reverse Engineering nachzuvollziehen.

    Ihre Forschung ist mittlerweile zu einer Art Aktivismus und Hobby geworden, sagen die beiden: Sie wollen Menschen außerhalb von Fachkreisen vermitteln, wie elementar die Privatsphäre in einer Demokratie ist. Im Interview erklären sie, auf was man bei der Wahl des Messengers achten soll, welche App in punkto Sicherheit nicht unbedingt hält, was sie verspricht und warum Kreditinstitute sich über datenhungrige Messenger freuen.
    ...
    Roland Schilling: Bei mir ist es anders. Ich bringe die Leute einfach dazu, die Apps zu benutzen, die ich auch nutze. Das sind ausschließlich Threema, Signal und Wire. Wenn Leute mit mir reden wollen, dann klappt das eigentlich immer auf einer von den Dreien.
    ...
    Frieder: ... Signal und WhatsApp etwa setzen auf die gleiche technische Grundlage, das Signal-Protokoll, unterscheiden sich aber in Nuancen. Threema hat ein eigenes, nicht ganz schlechtes Protokoll, das aber beispielsweise keine ‘Perfect Forward Secrecy’ garantiert. Die Technik verhindert, dass jemand mir in der Zukunft meinen geheimen Schlüssel vom Handy klaut und damit meine gesamte verschlüsselte Kommunikation entschlüsseln kann, die ich über das Handy geführt habe. Signal und WhatsApp haben das.
    ...
    Roland: Ein gutes Messenger-Protokoll ist Open Source und ermöglicht damit Forschern und der Öffentlichkeit, eventuell bestehende Schwachstellen zu entdecken und das Protokoll zu verbessern. Leider gibt es auf dem Messenger-Markt auch viele Angebote, die ihre vorgebliche „Verschlüsselung“ diesem Prozess entziehen und geheim halten, oder das Protokoll zwar veröffentlichen, aber auf Kritik nicht eingehen.

    Secure WhatsApp Alternatives – Messenger Comparison
    https://www.boxcryptor.com/en/blog/post/encryption-comparison-secure-messaging-apps

    Threema and Telegram under Control of Russia’s Government ?
    https://medium.com/@vadiman/threema-and-telegram-under-control-of-russias-government-f81f8e28714b

    WhatsApp Exploited by NSA and US Secret Services?
    Go to the profile of Vadim An
    Vadim An
    Mar 7, 2018
    This is the end of era centralized communication!

    The 2017/2018 years are hot and saturated with cybersecurity challenges. Almost every week, a major media source reported hacking incidents or backdoor exploits in popular communication and messaging services. Some of which granted government agents unauthorized access to private and confidential information from within the communications industry.

    According to mass-media reports, one of the most popular Swiss secure messaging apps Threema moved under the control of the Russian government and has been listed in the official registry with a view to controlling user communications.

    This can be seen on regulatory public website https://97-fz.rkn.gov.ru/organizer-dissemination/viewregistry/#searchform

    This knockout news was commented by Crypviser — innovative German developer of the most secure instant communication platform based on Blockchain technologies, of the point of view, what does it mean for millions of Threema users?

    To answer this question, let’s understand the requirements for getting listed in this registry as an “information-dissemination organizers” according to a new Russian federal law, beginning from 01 June 2018.

    The law requires that all companies listed in internet regulator’s registry must store all users’ metadata (“information about the arrival, transmission, delivery, and processing of voice data, written text, images, sounds, or other kinds of action”), along with content of correspondence, voice call records and make it accessible to the Russian authorities. Websites can avoid the hassle of setting aside this information by granting Russian officials unfettered, constant access to their entire data stream.

    This is very bad news for Threema users. Threema officials have reported that they are not aware of any requirements to store, collect, or provide information. Maybe not yet though since there is still some time until 01 June 2018 when the new law kicks in and Threema will be obligated to provide direct access to sensitive user’s data.

    It’s possible that Threema is fully aware of this despite claiming otherwise. They may realize that the most popular messenger in Russia, Telegram, has been under pressure since refusing to officially cooperate with Russian secret services. If Russia takes steps to block Telegram as a result, then Threema would become the next best alternative service. That is assuming they’re willing to violating the security and privacy rights of its users by giving in to the new law’s requirements.

    Based on the reports of Financial Time magazine, the Telegram founder agreed to register their app with Russian censors by the end of June 2017. This, however; is not a big loss for Telegram community because of the lack of security in Telegram to date. During the last 2 years, its security protocol has been criticized many times and many security issues were found by researchers. Although there is no direct evidence showing that Telegram has already cooperated with the Russian government or other governments, these exploitable bugs and poor security models make Telegram users vulnerable victims to hackers and secret services of different countries.

    The same security benchmark issues have been explored in the biggest communication app WhatsApp. The security model of WhatsApp has been recognized as vulnerable by the most reputed cryptographic experts and researchers worldwide. According to the Guardian, a serious “backdoor” was found in encryption. More specifically, the key exchange algorithm.

    A common security practice in encrypted messaging services involves the generation and store of a private encryption key offline on the user’s device. And only the public key gets broadcasted to other users through the company’s server. In the case of WhatsApp, we have to trust the company that it will not alter public key exchange mechanism between the sender and receiver to perform man-in-the-middle attack for snooping of users encrypted private communication.

    Tobias Boelter, security researcher from the University of California, has reported that WhatsApp’s end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats, by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background.

    The Guardian reports, “WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption.”

    But on the other hand, the developer of Signal messaging app Open Whisper Systems says, ”There is no WhatsApp backdoor”, “it is how cryptography works,” and the MITM attack “is endemic to public key cryptography, not just WhatsApp.”

    It’s worth noting that none of the security experts or the company itself have denied the fact that, if required by the government, WhatsApp can intercept your chats. They do say; however, WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. With this statement, agrees on a cybersecurity expert and CTO of Crypviser, Vadim Andryan.

    “The Man-in-the-Middle attack threat is the biggest and historical challenge of asymmetric cryptography, which is the base of end-to-end encryption model. It’s hard to say, is this “backdoor” admitted intentionally or its became on front due lack of reliable public — key authentication model. But it definitely one of the huge disadvantages of current cryptographic models used for secure instant communication networks, and one of the main advantage of Crypviser platform.”

    Crypviser has introduced a new era of cryptography based on Blockchain technologies. It utilizes Blockchain to eliminate all threats of Man-in-the-Middle attack and solves the historical public key encryption issue by using decentralized encryption keys, exchanges, and authorization algorithms. The authentication model of Crypviser provides public key distribution and authorization in peer-to-peer or automated mode through Blockchain.

    After commercial launch of Crypviser unified app, ”messenger” for secure social communication will be available on the market in free and premium plans. The free plan in peer-to-peer authentication mode requires user interaction to check security codes for every new chat and call. The full-featured premium plan offers Blockchain based automated encryption model and powerful professional security features on all levels.

    You can see the comperisation table of Crypviser with centralized alternatives in the below table

    #internet #communication #sécurité #vie_privée


  • Design sprint federated chat ecosystem
    http://constantvzw.org/site/Design-sprint-federated-chat-ecosystem.html

    XMPP is a long standing protocol for libre federated chat which in recent years brought the federated chat ecosystem to modern mobile clients, cross device chat and end-to-end encryption based on Signal. Running up to FOSDEM, the XMPP community (with support of OSP) is hosting a design sprint for federated chat ecosystem. More info + how to join: https://discourse.opensourcedesign.net/t/design-sprint-for-federated-chat-ecosystem-xmpp-30-1-and-01-2-bruxelles/830

    And more...

    #And_more...


  • The Crypto Anarchist Manifesto
    https://www.activism.net/cypherpunk/crypto-anarchy.html
    Précurseur de la très romatique Declaration of the Independence of Cyberspace et du Manifeste du web indépendant plus raisonnable et pragmatique le manifeste des anars cryptograhiques sera encore d’actualité en 2019.

    From: tcmay@netcom.com (Timothy C. May)
    Subject: The Crypto Anarchist Manifesto
    Date: Sun, 22 Nov 92 12:11:24 PST

    Cypherpunks of the World,

    Several of you at the “physical Cypherpunks” gathering yesterday in Silicon Valley requested that more of the material passed out in meetings be available electronically to the entire readership of the Cypherpunks list, spooks, eavesdroppers, and all. <Gulp>

    Here’s the “Crypto Anarchist Manifesto” I read at the September 1992 founding meeting. It dates back to mid-1988 and was distributed to some like-minded techno-anarchists at the “Crypto ’88” conference and then again at the “Hackers Conference” that year. I later gave talks at Hackers on this in 1989 and 1990.

    There are a few things I’d change, but for historical reasons I’ll just leave it as is. Some of the terms may be unfamiliar to you...I hope the Crypto Glossary I just distributed will help.

    (This should explain all those cryptic terms in my .signature!)

    –-Tim May

    ...................................................

    The Crypto Anarchist Manifesto
    Timothy C. May <tcmay@netcom.com>

    A specter is haunting the modern world, the specter of crypto anarchy.

    Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re- routing of encrypted packets and tamper-proof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation.

    The technology for this revolution—and it surely will be both a social and economic revolution—has existed in theory for the past decade. The methods are based upon public-key encryption, zero-knowledge interactive proof systems, and various software protocols for interaction, authentication, and verification. The focus has until now been on academic conferences in Europe and the U.S., conferences monitored closely by the National Security Agency. But only recently have computer networks and personal computers attained sufficient speed to make the ideas practically realizable. And the next ten years will bring enough additional speed to make the ideas economically feasible and essentially unstoppable. High-speed networks, ISDN, tamper-proof boxes, smart cards, satellites, Ku-band transmitters, multi-MIPS personal computers, and encryption chips now under development will be some of the enabling technologies.

    The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be trade freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy.

    Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure, so too will cryptologic methods fundamentally alter the nature of corporations and of government interference in economic transactions. Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures. And just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property.

    Arise, you have nothing to lose but your barbed wire fences!

    –-
    ..........................................................................
    Timothy C. May | Crypto Anarchy: encryption, digital money,
    tcmay@netcom.com | anonymous networks, digital pseudonyms, zero
    408-688-5409 | knowledge, reputations, information markets,
    W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
    Higher Power: 2^756839 | PGP Public Key: by arrangement.

    https://www.eff.org/cyberspace-independence

    #internet #cryptographie


  • https://www.hrw.org/everyday-encryption

    EVERYDAY ENCRYPTION
    This game is about the everyday choices you make about your security, and the role encryption plays in those choices. Digital security is always about making compromises and tradeoffs—what do you want to protect, and from whom? You can never be 100 percent secure, but encryption can help reduce your digital security risks.

    #informatique #didactique #jeu #surveillance #chiffrement #autodéfense #numérique


  • What’s Shor’s Algorithm? (Quantum Computing Weekly News for Dec 11 2018)
    https://hackernoon.com/whats-shor-s-algorithm-quantum-computing-weekly-news-for-dec-11-2018-721

    What’s Shor’s Algorithm? | Quantum Computing Weekly Roundup Dec 11 2018This is a syndicated version of my weekly e-mail round-up of news about Quantum Computing. Visit the homepage to subscribe to updates and check out previous issues.👋 Hi there, and thank you for taking a look at lucky issue #7!Last week we had a great profile on Anastasia Marchenkova, and I highly recommend checking it out if you missed it, and I’m excited to say that we already have a new guest lined up for January! 🎉Looking for a particular area of quantum computing you’d like to see covered in the next issue? Ping me and let me know!Tiny Fact of the weekWhat’s this Shor’s algorithm thing I keep on hearing about? In short, it’s a quantum algorithm which is able to answer a very computationally difficult question relatively (...)

    #encryption #cryptography #quantum-computer #quantum-computing


  • Australia’s war on encryption : the sweeping new powers rushed into law
    https://www.theguardian.com/technology/2018/dec/08/australias-war-on-encryption-the-sweeping-new-powers-rushed-into-law

    Australia has made itself a global guinea pig in testing a regime to crack encrypted communication Telecommunications providers have argued that compromising a messaging system, website or cloud storage system to get at a targeted user may put others at risk. Photograph : Alamy Stock Photo In the hit US TV series The Wire police are initially baffled when the criminal suspects they are investigating begin to communicate through photographic messages of clock faces. After several seasons (...)

    #cryptage #surveillance


  • The unbelievable tale of a fake hitman, a kill list, a darknet vigilante... and a murder | WIRED UK
    https://www.wired.co.uk/article/kill-list-dark-web-hitmen


    Si vous avez jamais réfléchi ce que vous pourriez faire contre les abus de hackers black hat , contre les criminels qui font leur commerce avec votre carte de crédit ou contre les spammeurs qui vous bouffent des minutes chaque matin, voici une histoire à ne pas rater. C’est risqué de s’engager pour la bonne cause.

    There are no hitmen in this story. There are no sharply dressed assassins screwing silencers on to their Glocks, no operatives assigned, nor capos directing them.

    There is a website, though – a succession of websites, to be precise – where all those things are made out to be true. Some people fall for it. Looking for a hitman, they download Tor, a browser that uses encryption and a complex relaying system to ensure anonymity, and allows them to access the dark web, where the website exists. Under false names, the website’s users complete a form to request a murder. They throw hundreds of bitcoins into the website’s digital purse.

    The website’s admin is scamming them: no assassination is ever executed. The admin would dole out a hail of lies for why hits had been delayed, and keep the bitcoins.

    But, elsewhere, someone called Chris Monteiro has been disrupting the website’s operations for years, triggering its admin’s wrath.

    Au fond l’histoire suit la partition écrite pour les musiciens des orchestres rouges et noires. Il ne faut faire confiance à personne. Il ne faut pas commetre d’erreur car chaque erreur se paie. Au mieux on arrive à changer de trottoir quand un espion croise ton chemin sans égard du côté pour lequel il prétend se battre.

    #dark_web #crime #phishing #répression #police #internet


  • Deepin 15.8 Promo Video Proves Distro Deserves ‘Blingiest Desktop’ Crown
    https://www.omgubuntu.co.uk/2018/11/deepin-15-8-promo-video

    The recent Deepin 15.8 release impressed many on its arrival — now a new promo video published by the team behind demonstrates precisely why. The five-minute clip, which we’ve embedded above, showcases the distro’s recent crop of UI changes and UX tweaks, including a new boot menu, disk encryption feature, and optional ‘dark mode’. And call me sucker […] This post, Deepin 15.8 Promo Video Proves Distro Deserves ‘Blingiest Desktop’ Crown, was written by Joey Sneddon and first appeared on OMG! Ubuntu!.


  • 15 Most Popular Payment Gateway Solutions
    https://hackernoon.com/15-most-popular-payment-gateway-solutions-ad49342298b9?source=rss----3a8

    A payment gateway is an application that authorizes payment for e-businesses, online retails, brick and mortar businesses and more. It is virtual equivalent to the physical point of sale established in many retail outlets.It encrypts confidential information, such as credit & debit card numbers to make you sure that the data which is passed between the customer and merchant is confidential and secure.How does a payment gateway work?A customer places an order on website or mobile by just pressing submit button or equivalent button to reach payment gateway and enters card details in the specified spaces.The customer’s web browser encrypts the detail which is to be sent between the browser and the web server. This is to be done via SSL(Secure Socket Layer) encryption technique. The (...)

    #mobile-app-development #ecommerce #payments #magento #paypal


  • #ransomware Is a Dangerous Reality
    https://hackernoon.com/ransomware-is-a-dangerous-reality-edb9a597a42d?source=rss----3a8144eabfe

    Source: Progress Software.Does paying a ransom sound like something from out of a movie? People may tend to associate ransoms with people being kidnapped. However, the threat of ransom malware, or ransomware, is a real one ravaging the web today.Ransomware is any dangerous virus which can attack and encrypt the files on a PC or within an entire network, transcoding the files so that they become inaccessible to the creators. At this point in the process, the victim knows something has happened, and the cybercriminal demands a ransom for allowing the victim access to his lost files which are being held hostage by the user of the malware.Once hacked, the odds for the victim reobtaining control of his files and/or device without paying the cybercrook are not too good. The dilemma is overly (...)

    #ransomware-danger #security #hacking #encryption


  • Coders of the world, unite: can Silicon Valley workers curb the power of Big Tech?
    https://www.theguardian.com/news/2017/oct/31/coders-of-the-world-unite-can-silicon-valley-workers-curb-the-power-of-

    neveragain.tech
    http://neveragain.tech

    Write a list of things you would never do. Because it is possible that in the next year, you will do them. —Sarah Kendzior [1]

    Our pledge

    We, the undersigned, are employees of tech organizations and companies based in the United States. We are engineers, designers, business executives, and others whose jobs include managing or processing data about people. We are choosing to stand in solidarity with Muslim Americans, immigrants, and all people whose lives and livelihoods are threatened by the incoming administration’s proposed data collection policies. We refuse to build a database of people based on their Constitutionally-protected religious beliefs. We refuse to facilitate mass deportations of people the government believes to be undesirable.

    We have educated ourselves on the history of threats like these, and on the roles that technology and technologists played in carrying them out. We see how IBM collaborated to digitize and streamline the Holocaust, contributing to the deaths of six million Jews and millions of others. We recall the internment of Japanese Americans during the Second World War. We recognize that mass deportations precipitated the very atrocity the word genocide was created to describe: the murder of 1.5 million Armenians in Turkey. We acknowledge that genocides are not merely a relic of the distant past—among others, Tutsi Rwandans and Bosnian Muslims have been victims in our lifetimes.

    Today we stand together to say: not on our watch, and never again.

    We commit to the following actions:

    We refuse to participate in the creation of databases of identifying information for the United States government to target individuals based on race, religion, or national origin.
    We will advocate within our organizations:
    to minimize the collection and retention of data that would facilitate ethnic or religious targeting.
    to scale back existing datasets with unnecessary racial, ethnic, and national origin data.
    to responsibly destroy high-risk datasets and backups.
    to implement security and privacy best practices, in particular, for end-to-end encryption to be the default wherever possible.
    to demand appropriate legal process should the government request that we turn over user data collected by our organization, even in small amounts.
    If we discover misuse of data that we consider illegal or unethical in our organizations:
    We will work with our colleagues and leaders to correct it.
    If we cannot stop these practices, we will exercise our rights and responsibilities to speak out publicly and engage in responsible whistleblowing without endangering users.
    If we have the authority to do so, we will use all available legal defenses to stop these practices.
    If we do not have such authority, and our organizations force us to engage in such misuse, we will resign from our positions rather than comply.
    We will raise awareness and ask critical questions about the responsible and fair use of data and algorithms beyond our organization and our industry.


  • Don’t Panic, You Can Boot Linux on Apple’s New Devices
    https://www.omgubuntu.co.uk/2018/11/apple-t2-chip-cant-boot-linux

    Does Apple stop Linux from booting on its newly refreshed Mac Mini PC or MacBookAir laptops?  That’s the claim currently circling the web’s collective drain, with posts stating that the new T2 ‘secure enclave’ chip Apple has baked in to its new models (to help to beef up device security, encryption, manage touch ID, and ensure the microphone […] This post, Don’t Panic, You Can Boot Linux on Apple’s New Devices, was written by Joey Sneddon and first appeared on OMG! Ubuntu!.


  • The default #OpenSSH #key #encryption is worse than plaintext
    https://latacora.micro.blog/2018/08/03/the-default-openssh.html

    That’s a fair argument to say that standard password-encrypted keys are about as good as plaintext: the encryption is ineffective. But I made a stronger statement: it’s worse.

    How do you fix this? OpenSSH has a new key format that you should use. “New” means 2013. This format uses bcrypt_pbkdf, which is essentially bcrypt with fixed difficulty, operated in a PBKDF2 construction. Conveniently, you always get the new format when generating Ed25519 keys, because the old SSH key format doesn’t support newer key types. That’s a weird argument: you don’t really need your key format to define how Ed25519 serialization works since Ed25519 itself already defines how serialization works. But if that’s how we get good KDFs, that’s not the pedantic hill I want to die on. Hence, one answer is ssh-keygen -t ed25519. If, for compatibility reasons, you need to stick to RSA, you can use ssh-keygen -o. That will produce the new format, even for old key types. You can upgrade existing keys with ssh-keygen -p -o -f PRIVATEKEY . If your keys live on a Yubikey or a smart card, you don’t have this problem either.