Category: encryption

  • Hong Kong Police Can Force You to Reveal Your Encryption Keys

    According to a new law, the Hong Kong police can demand that you reveal the encryption keys protecting your computer, phone, hard drives, etc.—even if you are just transiting the airport. In a security alert dated March 26, the U.S. Consulate General said that,…

  • New Mexico’s Meta Ruling and Encryption

    Mike Masnick points out that the recent New Mexico court ruling against Meta has some bad implications for end-to-end encryption, and security in general: If the “design choices create liability” framework seems worrying in the abstract, the New Mexico case provides a concrete example of where it leads in…

  • They seized $4.8m in crypto… then gave the master key to the internet

    South Korea’s National Tax Service (NTS) has found itself in the middle of a deeply embarrassing – and costly – blunder after accidentally handing thieves the master key to a seized cryptocurrency wallet. Read more in my article on the Hot for…

  • Microsoft Is Finally Killing RC4

    After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows. One of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued…

  • Substitution Cipher Based on The Voynich Manuscript

    Here’s a fun paper: “The Naibbe cipher: a substitution cipher that encrypts Latin and Italian as Voynich Manuscript-like ciphertext”: Abstract: In this article, I investigate the hypothesis that the Voynich Manuscript (MS 408, Yale University Beinecke Library) is compatible with being a ciphertext by attempting to develop a…

  • New Anonymous Phone Service

    A new anonymous phone service allows you to sign up with just a zip code. Bruce Schneier

  • State-backed spyware attacks are targeting Signal and WhatsApp users, CISA warns

    CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups are using spyware to compromise smartphones belonging to users of popular encrypted messaging apps such as Signal, WhatsApp, and Telegram. Read more in my article…

  • IACR Nullifies Election Because of Lost Decryption Key

    The International Association of Cryptologic Research—the academic cryptography association that’s been putting on conferences like Crypto (back when “crypto” meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online election when trustee Moti Yung lost his decryption key. For this election and in accordance with the bylaws…

  • Book Review: The Business of Secrets

    The Business of Secrets: Adventures in Selling Encryption Around the World by Fred Kinch (May 24, 2004) From the vantage point of today, it’s surreal reading about the commercial cryptography business in the 1970s. Nobody knew anything. The manufacturers didn’t know whether the cryptography they sold was any good.…

  • Signal’s Post-Quantum Cryptographic Implementation

    Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details: Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it had been. Then they…

  • A Surprising Amount of Satellite Traffic Is Unencrypted

    Here’s the summary: We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’…

  • Your favourite phone apps might be leaking your company’s secrets

    Most of the apps on your phone are talking to a server somewhere – sending and receiving data through messages sent through APIs, the underlying infrastructure that allows apps to communicate. And here’s the problem – hackers have determined that the APIs of mobile apps,…

  • Digital Threat Modeling Under Authoritarianism

    Today’s world requires us to make complex and nuanced decisions about our digital security. Evaluating when to use a secure messaging app like Signal or WhatsApp, which passwords to store on your smartphone, or what to share on social media requires us to assess risks and make judgments accordingly. Arriving…

  • Smashing Security podcast #432: Oops! I auto-filled my password into a cookie banner

    We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault. Then we time-hop to the post-quantum scramble:…

  • Encryption Backdoor in Military/Police Radios

    I wrote about this in 2023. Here’s the story: Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but…

  • Jim Sanborn Is Auctioning Off the Solution to Part Four of the Kryptos Sculpture

    Well, this is interesting: The auction, which will include other items related to cryptology, will be held Nov. 20. RR Auction, the company arranging the sale, estimates a winning bid between $300,000 and $500,000. Along with the original handwritten plain text…

  • Free decryptor for victims of Phobos ransomware released

    There is good news for any organisation which has been hit by the Phobos ransomware. Japanese police have released a free decryptor capable of recovering files encrypted by both the notorious Phobos ransomware, and its offshoot 8Base. Read more in my article on the Fortra blog. Graham…

  • “Encryption Backdoors and the Fourth Amendment”

    Law journal article that looks at the Dual_EC_PRNG backdoor from a US constitutional perspective: Abstract: The National Security Agency (NSA) reportedly paid and pressured technology companies to trick their customers into using vulnerable encryption products. This Article examines whether any of three theories removed the Fourth Amendment’s requirement that…

  • Using Signal Groups for Activism

    Good tutorial by Micah Lee. It includes some nonobvious use cases. Bruce Schneier

  • Florida Backdoor Bill Fails

    A Florida bill requiring encryption backdoors failed to pass. Bruce Schneier

  • Smashing Security podcast #412: Signalgate sucks, and the quandary of quishing

    QR codes are being weaponised by scammers — so maybe think twice before scanning that parking meter. And in a blunder so dumb it makes autocorrect look smart, the White House explains how it leaked war plans on Signal because an iPhone mistook a…

  • More Countries are Demanding Backdoors to Encrypted Apps

    Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—a terrible idea. Also: “A Feminist Argument…

  • An iCloud Backdoor Would Make Our Phones Less Safe

    Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access…

  • Trusted Encryption Environments

    Really good—and detailed—survey of Trusted Encryption Environments (TEEs). Bruce Schneier

  • UK Is Ordering Apple to Break Its Own Encryption

    The Washington Post is reporting that the UK government has served Apple with a “technical capability notice” as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This is a big…

  • Short-Lived Certificates Coming to Let’s Encrypt

    Starting next year: Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before—short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS…