Skip to main content

Encryption

See All Stories

Google’s Hiroshi Lockheimer vaguely sides with Apple in FBI encryption battle

Site default logo image

Screen Shot 2016-02-18 at 10.19.16 PM

Following Google CEO Sundar Pichai’s vague series of tweets yesterday, Hiroshi Lockheimer, senior vice president of Android, Chrome OS and Chromecast, has come out and offered his own opinion on Apple’s battle with the government on national security versus user privacy. Earlier this week, a U.S. judge ruled that Apple must help the FBI obtain data from a passcode-locked iPhone 5c used by one of the gunmen in the fatal San Bernardino shooting. Apple CEO Tim Cook then responded by posting an open letter on Apple’s homepage saying that Apple would not comply with the court’s request.

Although Lockheimer’s responses are just as vague as Pichai’s, he does seem to agree with Cook and Apple…


Expand
Expanding
Close

Google CEO Pichai appears to side with Apple in series of vague tweets on FBI encryption battle

Site default logo image

heres-what-our-googr-pichais-sudden-rise1

It has been a wild 24 hours when it comes to smartphone encryption and user privacy versus national security. Last night, a U.S. judge ruled that Apple must help the FBI obtain data from a passcode-locked iPhone 5c used by one of the gunmen in the fatal San Bernardino shooting. Just hours later, Apple CEO Tim Cook responded by posting an open letter on Apple’s homepage saying that Apple would not comply with the court’s request. Now, Google CEO Sundar Pichai has chimed in on the matter, saying that he agrees with Cook.


Expand
Expanding
Close

Gmail will warn users before sending & receiving emails from insecure addresses

Inbox by Gmail

Google and the rest of the tech industry take security very seriously. As part of this year’s Safer Internet Day, Google is offering users 2GB of Drive storage if they perform a security check on their account. In another security minded update, Gmail will now flag emails sent to and received from non-encrypted sources.


Expand
Expanding
Close

CyanogenMod officially ends WhisperPush support, recommends downloading Signal app instead

cyanogenmod-lead

The CyanogenMod team has announced via an official blog post that it is ending support for WhisperPush, and that its services will be officially end of life from February 1st. WhisperPush, for those unaware, is an encryption service which keeps messages secure and private.

We’ve ultimately made the decision that we will no longer be supporting WhisperPush functionality directly within CyanogenMod. Further, WhisperPush services will be end-of-lifed beginning Feb 1st 2016. As this is a server side implementation, all branches of CM from CM10.2 and forward will be affected.

There are seemingly several reasons for CyanogenMod’s decision to end integrated WhisperPush support. The team says it saw many ‘hiccups’, and had a number of longstanding registration problems as well as issues in various countries with WhisperPush. Also, with the arrival of Snowden-endorsed Signal — an app which offers practically the same services — the necessity to continue the difficult development and upkeep of WhisperPush was significantly reduced.

We transitioned the work to CM13, instead opting to implement directly within our Messaging application. However, with the rapid adoption of the official Signal application, our implementation into Messaging would have been a seemingly unnecessary fork. Analyzing the costs of SMS verification (many thanks to Twilio for their support on this), usage traffic, server costs and registration numbers, forking would serve no larger long-term user benefit.

If you have a number registered with WhisperPush you should unregister  by heading to Settings>Privacy>WhisperPush on your device running any version of CyanogenMod from CM10.2 to CM12.1. Once February 1st rolls around, all numbers will be unregistered by CyanogenMod.

Those who have used, or use the service regularly are urged by the CM team to download the aforementioned Signal app. It comes from Open Whisper Systems (who helped create WhisperPush) and offers encrypted text messages and voice calls. What’s more, it’s cross platform and there’s a desktop beta version.

PSA: Beware 1Password web features can leak your browsing history, may show up in Google search

1password

AgileBits has promised to beef up the security of 1Password after a Microsoft software engineer discovered that details of which websites you visit are unencrypted and indexed by Google if you use the 1PasswordAnywhere feature. Dale Myers said that he discovered this by chance after a sync problem led him to investigate the files used to store the metadata.

It turns out that your metadata isn’t encrypted [allowing someone to] go through and find out exactly what shady sites I have accounts on, what software I have licences for, the bank card and accounts I hold, the titles of any secure notes I have, any anything else I’ve decided to store in there.

While passwords remain secure, privacy is placed at risk and the data obtained could, says Myers, be used in a phishing attempt.

Thanks to people having links for easy access to their keychain on their websites, Google has indexed some of these. A simple search brings up results. By looking at one of these it was a simple matter to identify the owner of the keychain and where he lived. I know what his job is. I even know the names of his wife and children. If I was malicious, it would be easy to convince someone that I had compromised their account and had access to all of their credentials.

AgileBits said that the decision not to encrypt metadata was taken back in 2008, when decryption on mobile devices involved significant performance and battery-drain issues, and that it introduced a secure file format in 2012, but that it didn’t want to break compatibility with older versions by making that format the default.

The company said that work on making the secure file format the default was already in hand.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users.

For those who don’t want to wait, the company has posted instructions for manually migrating to the new format.

The 1Password Android app was updated in August with a freemium pricing model and the ability to create vaults on mobile. If you’re not yet using a password manager, check out our how-to guide over on 9to5Mac.

Via Engadget

Want your Gmail messages to self-destruct? There’s a Chrome extension for that…

Screen Shot 2015-07-24 at 09.45.24

Dmail is a Chrome extension which allows you to un-send, or revoke any emails you send through your Gmail account. The service was launched by the same brainiacs that brought us the Delicious social bookmarking tool.

Self-destructing email isn’t exactly a new thing. Google itself rolled out a feature that lets you un-send a message once you’ve sent it. The only issue with Google’s built-in service however, is that you only have 30 seconds to change your mind about sending an email to someone. Dmail lets you revoke emails whenever you like. I took it for a quick spin to see what it’s like, and I have to say, it’s an incredibly convenient way to make all your outgoing communication more secure. It also happens to be ridiculously easy to use.


Expand
Expanding
Close

Site default logo image

Project Vault is a super secure, isolated computing environment from Google

0529_vault2

One major barrier to adoption of new hardware and software solutions in the workplace is a top-down requirement that all communications are encrypted, secured from the prying eyes of today’s brazen hackers. It’s the reason why there are still thousands of businesses out there shockingly still issuing Blackberry phones. With more and more consumers and companies alike clamoring for a bring-your-own-device future, how can employees ensure their devices are as secure as chief information officer’s would like? Google has an idea.

Project Vault, shown off today at Google’s I/O conference, is a microSD card with full operating system, ARM-based processor, NFC chip, and antenna packed inside of it. Oh, and 4GB of storage. While that’s pretty incredible in and of itself, what really makes this microSD card special is that the OS it runs is known as a Real Time Operating System (RTOS), and is packed with a suite of cryptographic solutions for keeping data secure and messaging with others using Project Vault microSD cards encrypted. An RTOS is different from the operating systems most of us are used to (i.e. Unix) that can’t run every process we throw at them simultaneously but switch between tasks rapidly, ensuring at the very least that the computer is still responsive to its user (i.e. doesn’t freeze). Real-time operating systems have stricter deadlines to complete the tasks that are thrown at them.

The main function of Project Vault will be super-secure messaging so hackers, or the NSA, cannot snoop (which also explains why Vault uses an RTOS – all resources are dedicated to encrypting and sending/receiving messages quickly). The encryption only works when both the sender and the receiver are using Project Vault SD cards, however, but it’ll work on any device with a microSD slot – so laptops, smartphones, tablets, etc. are supported. Google says the microSD card can also be used to encrypt video and as an alternative to passwords (where the card could generate cryptographic key pairs and store them securely). The company has an SDK up on Github for it that developers can use to build applications for the new project. Maybe the next Snowden will send confidential documents to journalists using his smartphone?

Site default logo image

Google among those asking Obama to reject calls for government access to encrypted data

obama-apple-google

Google and Apple have co-signed a letter calling on President Obama to reject any government proposal to allow the government backdoor access to encrypted data on smartphones and other devices. The Washington Post says the letter, due to be delivered today, is signed by more than 140 tech companies, prominent technologists and civil society groups.

The signatories urge Obama to follow the group’s unanimous recommendation that the government should “fully support and not undermine efforts to create encryption standards” and not “in any way subvert, undermine, weaken or make vulnerable” commercial software.

The FBI has been pushing increasingly hard to require tech companies to build in backdoor access to their encryption systems to allow access by law enforcement, even going so far as to say that Apple could be responsible for the death of a child. a NY District Attorney has also cited public safety as justification for demanding access to encrypted data.

The letter calling on Obama to reject this argument is also signed by five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden.

Many in the tech industry have pointed out that, aside from the obvious concerns over government intrusion into the private lives of its citizens, any backdoor used by the government could potentially be discovered and exploited by hackers and foreign governments.

Google admits Hangouts doesn’t use end-to-end encryption, conversations can be wiretapped

Site default logo image

hangouts

Following a Reddit AMA on government surveillance, Google has admitted that while it does encrypt Hangouts conversations, it does not use end-to-end encryption, meaning the company itself can tap into those sessions when it receives a government court order requiring it to do so. This contrasts with the end-to-end encryption used by some services, like Apple’s FaceTime, which cannot be tapped even by the company offering the service.

Motherboard noted that Google has always been vague about the level of encryption offered for Google Hangouts, and that when pressed by principal technologist at the American Civil Liberties Union Christopher Soghoian, the company would say only that messages were encrypted “in transit” … 
Expand
Expanding
Close

Google reverses course on Lollipop’s requirement that devices be encrypted by default

Site default logo image

lollipop-screen-nexus-6

Back when Android 5.0 was announced, Google revealed that it would require all devices running the upgraded OS to use full-disk encryption by default to protect users. However, it seems that Google has now reversed course on that decision and allowed several Lollipop devices to ignore this requirement.

As noted by Ars Technica, several Android devices—both new and old—that run the Lollipop software have decided to forgo encryption for some reason. This includes previously released devices that were upgraded to the new software such as the Moto G, and new devices that ship with Lollipop, like the more recent Moto E.


Expand
Expanding
Close

British prime minister says he’ll ban encrypted chat apps if he can’t see your messages

Site default logo image

hangouts

For several months we’ve followed the U.S. government’s attempts to work around encryption in chat apps, even taking the hyperbole to an illogical extreme at one point, but we haven’t yet seen similar threats from other nations… or at least, we hadn’t until today.

British prime minister David Cameron said today that unless the government is given backdoor access to encrypted messaging services, he’s just going to outlaw them:


Expand
Expanding
Close

NY district attorney says Google’s encryption policy “an issue of public safety” for law enforcement

Site default logo image

NYPD-iPhone-01

Bloomberg reports that a Manhattan District Attorney is challenging recent moves by Apple, Google and other tech companies by suggesting government pass laws that prevent mobile devices from being “sealed off from law enforcement.” In an interview this week, the government official called it “an issue of public safety.”


Expand
Expanding
Close

WhatsApp updated with end-to-end encryption between Android devices

WhatsApp

The Wall Street Journal reports that WhatsApp has been updated with end-to-end encryption for messages sent and received between Android smartphones and tablets. The cross-platform messaging service claims it will be unable to help decrypt messages for law enforcement, a noteworthy move given increasing concerns about government surveillance and tracking over the past few years.
Expand
Expanding
Close

Android ‘L’ to include data encryption by default, preventing police from accessing files

Site default logo image

tune-in-live-to-google_s-io-press-event-live-stream-starting-at-9-am-pt12-pm-et-9to5google-2014-06-25-12-26-17-2014-06-25-12-26-19

Google said today that the upcoming Android L release would enable data encryption by default when users set up a new device. Previous versions of Android included the security measure as an option, but many users did not choose to activate it. Now the feature will automatically be turned on, meaning no data on the phone will be accessible without the owner’s password.

Essentially this will prevent anyone—including police—from reading stored text messages, viewing photos from the phone’s library, or checking the call history (among other things) even if allowed to do so by a court order. Apple rolled out a similar feature to its iPhone users with an update yesterday.

As reported by the Washington Post:

Expand
Expanding
Close

You’ll soon be able to install paid apps on Android Wear as Google offers ‘workaround’

Site default logo image

apps

If you’ve been frustrated by the fact that you can’t install paid apps on your Android Wear devices, your frustration should soon be at an end. Google has just notified developers of a workaround to the problem, which was caused by a bug in the anti-piracy measures employed with paid apps … 
Expand
Expanding
Close

Google breaks down how much email is encrypted during transit, launches End-to-End encryption tool

Site default logo image

Google wants you to know exactly how much email you send and receive is encrypted during transit, so today it launched a new section in its Transparency Report that does exactly that:

When you mail a letter to your friend, you hope she’ll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That’s why we send important messages in sealed envelopes, rather than on postcards… Email works in a similar way. Emails that are encrypted as they’re routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards.

Google notes that Gmail has always used encryption in transit using Transport Layer Security (TLS), but that doesn’t do much if the email client on the other end isn’t doing the same.  Around 40 to 50 percent of emails between Gmail and others aren’t encrypted, according to Google, and it provided the following chart of what services are using encryption:
Expand
Expanding
Close

Google discusses new techniques that improve Chrome’s security and performance

Site default logo image

ssl-speed

Google’s recent partnership to make the internet a safer place to play hasn’t stopped the company from working on its own products. The software giant recently opened up about a set of security enhancements to Chrome that make its famed browser safer and faster. Google anti-abuse research lead, Elie Bursztein published a post on the company’s blog detailing the measures taken to improve Chrome for desktop and Android.


Expand
Expanding
Close

Google is reportedly working on end-to-end encryption for Gmail

Site default logo image

Gmail_Icon

Google is currently developing a process that will make it easier for Gmail users to encrypt their emails, according to Venture Beat’s unnamed sources. For over 20 years, Pretty Good Privacy (PGP) has been an encryption standard, but the platform hasn’t always been the most user-friendly. This, along with growing concerns over unwanted internet surveillance has prompted Google to task its engineers with making PGP easier to use.


Expand
Expanding
Close

Google reportedly considering boosting search rankings of websites with encryption

Site default logo image

google headquarters

Google is considering giving higher search rankings to websites that use security encryption, according to The Wall Street Journal. If true, this could force more websites to adopt a secure setup, possibly making it harder for cyber criminals to spy on web users. This new idea was recently mentioned at a conference by Matt Cutts, the head of Google’s Webspam team. Still under consideration, if Google decides to move forward with this process, a change reportedly won’t happen for quite a while. 


Expand
Expanding
Close

Boeing enters smartphone race with the secure, tamper-proof Android ‘Boeing Black’

Site default logo image

Following reports last night when the device was spotted going through the FCC, Reuters reports Boeing today officially announced a new Android smartphone with a number of innovative security features. Dubbed “Boeing Black,” the device will be marketed towards government officials and other organizations that highly value keeping their data secure. The tamper-proof device builds in a number of security features for encrypting calls and more and is designed to wipe itself clean of any data if someone attempts to open the physical casing of the phone. Here’s a bit more from Boeing’s website:
Expand
Expanding
Close