Fine, OK, no backdoors, says Deputy AG. Just keep PLAINTEXT copies of everyone's messages

Sure, that won’t go wrong at all


The US Deputy Attorney General has told business leaders that Uncle Sam won't demand mandatory backdoors in encryption – so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle.

Speaking at the 2017 North American International Cyber Summit in Detroit on Monday, Deputy Attorney General Rod Rosenstein appeared to shift tack on his earlier position that end-to-end encryption systems, such as instant messengers and video call apps, should grant special access exclusively to crime investigators on demand.

Tech giants are resisting weakening their strong end-to-end and filesystem crypto just to help cops and Feds arbitrarily decipher suspects' messages and files on devices. So, Rosenstein has another approach: let people send stuff encrypted as normal, but a plaintext copy of everything – from communications to files on devices – must be retained in an unencrypted form for investigators to delve into as needed.

"Encryption serves a valuable purpose. It is a foundational element of data security and essential to safeguarding data against cyber-attacks. It is critical to the growth and flourishing of the digital economy, and we support it. I support strong and responsible encryption," he said.

"I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so."

Not only would doing this be a massive money and time suck in terms of storage capacity and processing, it would also rather defeat the point of using encrypted conversations for privacy. It would also mean that any hacker who broke into these archives would have access to the crown jewels of personal and corporate secrets.

Mind you, that would surely never happen. We never come across stories about servers getting hacked, and certainly the government is immune from such incidents, especially where they involve staffers' fingerprints and security clearances.

Rosenstein prefaced his suggestions with dire warnings about the effects of online crime. Since January 1 last year, there has been an average of 4,000 ransomware "attacks" a day, up 300 per cent on the previous year, he claimed, adding that the FBI had warned him ransomware infects more than 100,000 computers a day around the world.

In other scary news, Rosenstein warned that botnets – commandeered internet-of-things devices – could end up crashing large chunks of the internet. Speaking of crashing, he also warned that hackers could launch devastating attacks against autonomous cars that could leave passengers injured or killed.

He said that some CEOs had told him that they were reluctant to report hacking attacks to the authorities. Rosenstein said he understood those concerns but that it was vital for businesses to get in touch so that the perpetrators could be stopped from using the same attacks against others.

"Many cyberattacks are directed by foreign governments. When you are up against the military or intelligence services of a foreign nation-state, you should have our federal government in your corner," he said.

"By alerting law enforcement about a cyber incident, your organization performs a public service; it helps strengthen the cyber defenses of others. When law enforcement understands the details of an attack, we can promptly work on trying to apprehend the perpetrator, potentially before the next attack." ®

If you're the 1% and have 10 mins to spare this July, bid for a place on first Blue Origin space tourism launch

For everyone else, get back to work and ordering those Amazon Prime deals

Blue Origin is planning to launch its first crew into space on July 20 – and a seat on this inaugural spaceflight is up for auction.

There will be three stages to this process. Anyone can enter a sealed bid from May 5: all you have to do is fill out a form containing personal and contact information, and say how much you’re willing to pay to go to space.

On May 19, Blue Origin will unseal the bids, and anyone who wants to stay in the running must then match or beat the highest bid. Finally, on June 12, the richest person, er, highest bidder, and thus the winning space tourist, will be determined at an auction held live online.

‘Unauthorized API’ in VMware cost management tool can be exploited to hijack appliances

Remote code execution possible on vRealize Business for Cloud – which knows a lot about your private and public platforms

VMware has admitted its vRealize Business for Cloud product includes an “unauthorised VAMI API” that can be exploited to achieve remote code execution on the virtual appliance. The security flaw is rated critical, scoring 9.8 on the ten-point Common Vulnerability Scoring System.

VAMI is the vCenter Server Appliance Management Interface, the tool administrators use to drive its flagship vCenter Server Appliance and manage fleets of virtual machines. For VAMI to have an "unauthorised" API that can be abused by miscreants to gain unauthorized control of systems over the network or internet is very scary indeed.

VMware’s advisory does not explain how an unauthorised API made its way into such a sensitive product.

Robo-taxis hit the streets of Beijing – albeit a small fleet in a geo-fenced suburb

Code for the Baidu Apollo brains of the service is yours for the taking on GitHub, too

Chinese web giant Baidu has commenced operations of actual autonomous taxis on the streets of Beijing.

The Apollo robo-taxi service only operates in Shougang Park, an area of the capital city that will host some events in the 2022 Winter Olympics. Just ten self-driving cars are rolling in this first commercial test of the tech.

The cars are summoned with an Uber-like app and offer level-four autonomy – meaning they can independently drive in predefined geo-fenced areas, and allow humans to take the wheel if they feel it necessary.

Can your AI code be fooled by vandalized images or clever wording? Microsoft open sources a tool to test for that

Counterfit automatically creates adversarial inputs to find weaknesses

Microsoft this week released a Python tool that probes AI models to see if they can be hoodwinked by malicious input data.

And by that, we mean investigating whether, say, an airport's object-recognition system can be fooled into thinking a gun is a hairbrush, or a bank's machine-learning-based anti-fraud code can be made to approve dodgy transactions, or a web forum moderation bot can be tricked into allowing through banned hate speech.

The Windows giant's tool, dubbed Counterfit, is available on GitHub under the MIT license, and is command-line controlled. Essentially, the script can be instructed to delve into a sizable toolbox of programs that automatically generate thousands of adversarial inputs for a given AI model under test. If the output from the model differs from what was expected from the input, then this is recorded as a successful attack.

Signal banned for booking obviously targeted ads? That story's too good to be true, Facebook claims

Antisocial giant dismisses chat app rival's 'stunt' in escalating war of words

Encrypted messaging service Signal on Tuesday made a show of trolling Instagram and its parent company Facebook by creating ads that incorporated audience targeting categories into its ad copy.

The ads address viewers by identifying targeting criteria like lifestyle categories, occupation, geographic location, and personal interests presumably gleaned through online data collection.

Apart from the marketing value of tweaking a dominant messaging rival, Signal did so, it claims, to expose the inner workings of ad tech data collection.

Basecamp CEO issues apology after 'no political discussions at work' edict blows up in his face

30% of employees reportedly walked out following sudden rule change

Jason Fried, CEO of project management tool Basecamp, has issued a public apology following a major bust-up over new policies that discouraged employees from discussing "societal politics" at work.

Writing on the company's blog, Fried said: "Last week was terrible. We started with policy changes that felt simple, reasonable, and principled, and it blew things up culturally in ways we never anticipated. David [Heinemeier Hansson, CTO] and I completely own the consequences, and we're sorry. We have a lot to learn and reflect on, and we will."

The furore began on 26 April, when Fried published a list of changes to working conditions at Basecamp.

AWS to cut Python 2.7 off at the knees in July with 'minor version update' for Chalice

Seriously, it's time to move on

Amazon is the latest to drive a knife into the twitching corpse of Python 2 with an announcement that AWS Chalice will follow Lambda in nudging customers to later versions.

15 July is the cut-off date, which is generous considering the Python Software Foundation pulled the plug on fixes and support for Python 2 on 1 January 2020. AWS Lambda was supposed to follow suit on 1 June 2020 but, well, stuff happened in 2020 (in October support was stretched a little further until "at least 1 June 2021"). It took until 24 March 2021 for Amazon to settle on a death date for the tech.

Chalice is a framework for Lambda, and so will follow suit with what the cloud behemoth described as a "minor version update" that will require Python 3.6 or above (the Lambda crew recommends 3.8).

Aerospike adds set indexing and SQL expressions to make the distributed NoSQL database more ML-friendly

New Spark 3.0 connector will appeal to users too, analyst says

Distributed NoSQL database Aerospike is introducing set indexes and SQL operations within expressions in the pursuit of greater machine learning efficiency via its Apache Spark 3.0 connector.

Speaking to The Register, chief product officer Srini Srinivasan claimed the combined tweaks could help reduce the feedback cycle to improve ML models from days to hours.

A key-value and multi-modal database, Aerospike can run on the edge to support so-called real-time decisions based on pre-existing ML models in applications such as fraud detection. It is also used to feed data back into the ML model management commonly used by data pipeline platform Apache Spark to ensure models reflect changes to data patterns in the real world.

21 nails in Exim mail server: Vulnerabilities enable 'full remote unauthenticated code execution', millions of boxes at risk

Nearly 4 million to be exact, say researchers

Researchers at security biz Qualys discovered 21 vulnerabilities in Exim, a popular mail server, which can be chained to obtain "a full remote unauthenticated code execution and gain root privileges on the Exim Server."

Exim is a mail transfer agent (MTA), responsible for receiving and forwarding email messages. It runs primarily on Unix or Linux and is the default MTA on Debian, though Ubuntu and Red Hat Enterprise Linux use Postfix by default.

Some hosting companies use Exim to provide email services to their customers, and it was also popular in universities and other educational institutions (it was initially developed at the University of Cambridge in 1995), though many of these have transitioned to Office 365 or Google email, not least Cambridge itself.

Microsoft's Edge browser for Linux hits the Beta Channel... if you're into that kind of thing

Add yet another Chromium browser to your collection

Microsoft's Edge browser has taken another step to stability on Linux with the addition of the operating system to its Beta Channel.

Quite why anyone would actually want Microsoft's latest attempt at a browser on Linux is open to question. From the perspective of the Windows giant, getting developers to test their code on the platform is the name of the game and the move from the Dev Channel to Beta signifies a stable edition is on the way.

The first preview builds of Edge for Linux turned up in 2020. Penguinistas have not been treated to the daily updates of the Canary Channel – only Windows, HoloLens 2, and MacOS users get those – but they have been receiving regular drops on the Dev Channel. In March, for example, lucky Linux fans were able to synchronise their settings using their Microsoft account.

Facebook Oversight Board upholds decision to ban Trump, asks FB to look at own 'potential contribution' to 'narrative of electoral fraud'

Looks like you can safely ignore that friend request... forever

The Facebook Oversight Board has upheld former President Donald Trump’s ban from Facebook and Instagram – but not before advising the platform to look at its own role in the Capitol-storming mess.

The social media giant was the first major platform to ban Trump following the January 6 insurrection, when hundreds of his supporters stormed the US Capitol with the aim of disrupting the certification of the 2020 election results.

In its ruling, the Oversight Board, which has been described as “the Supreme Court for Facebook,” affirmed the decision to ban Trump, although it criticised the social platform for failing to adhere to its existing content moderation policies.
