Lavaboom Offers To Encrypt
A new webmail service named Lavaboom promises to provide easy-to-use email encryption without ever learning its users’ private encryption keys or message contents.
Lavaboom, based in Germany and founded by Felix MA1/4ller-Irion, is named after Lavabit, the now defunct encrypted email provider believed to have been used by former NSA contractor Edward Snowden. Lavabit decided to shut down its operations in August in response to a U.S. government request for its SSL private key that would have allowed the government to decrypt all user emails.
Lavaboom designed its system for end-to-end encryption, meaning that only users will be in possession of the secret keys needed to decrypt the messages they receive from others. The service will only act as a carrier for already encrypted emails.
Lavaboom calls this feature “zero-knowledge privacy” and implemented it in a way that allows emails to be encrypted and decrypted locally using JavaScript code inside users’ browsers instead of its own servers.
The goal of this implementation is to protect against upstream interception of email traffic as it travels over the Internet and to prevent Lavaboom to produce plain text emails or encryption keys if the government requests them. While this would protect against some passive data collection efforts by intelligence agencies like the NSA, it probably won’t protect against other attack techniques and exploits that such agencies have at their disposal to obtain data from computers and browsers after it was decrypted.
Security researchers have yet to weigh in on the strength of Lavaboom’s implementation. The service said on its website that it considers making parts of the code open source and that it has a small budget for security audits if any researchers are interested.
Those interested in trying out the service can request to be included in its beta testing period, scheduled to start in about two weeks.
Free Lavaboom accounts will come with 250MB of storage space and will use two-way authentication based on the public-private keypair and a password. A premium subscription will cost a!8 (around US$11) per month and will provide users with 1GB of storage space and a three-factor authentication option.
Microsoft Issues New Policies
Microsoft Corp, under fire for accessing an employee’s private Hotmail account to prove he was illegally passing computer code to a blogger, has said it will now refer all suspicious activity on its email services to law enforcement.
The decision, announced by head lawyer Brad Smith on Friday, reverses Microsoft’s initial reaction to complaints last week, when it laid out a plan to refer such cases to an unidentified former federal judge, and proceed to open a suspect email account only if that person saw evidence to justify it.
“Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves,” said Smith, in a blog post on the software company’s website. “Instead, we will refer the matter to law enforcement if further action is required.”
Microsoft – which has recently cast itself as a defender of customer privacy – was harshly criticized last week by civil liberties groups after court documents made public in the prosecution of Alex Kibkalo in Seattle federal court for leaking trade secrets showed that Microsoft had accessed the defendant’s email account before taking the matter to legal authorities.
The company said last week its actions were within its legal rights under the terms of use of its email services, but has now acknowledged that its actions raised concerns about customer privacy.
The issue is poignant for Microsoft, which routinely criticizes Google Inc for serving up ads based on the content of users’ Gmail correspondence.
It has also been campaigning for more transparency in the legal process through which U.S. intelligence agencies can get access to email accounts following the revelations of former National Security Agency contractor Edward Snowden.
“While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us,” said Smith in his blog. “Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.”
Virtru Goes Office 365
April 8, 2014 by admin
Filed under Around The Net
Comments Off on Virtru Goes Office 365
Virtru has added Microsoft’s Office 365 and Outlook Desktop services to its growing list of compatible email platforms available on its encryption product.
The company, headquartered in Washington, D.C. and launched in January, is targeting people using major email providers who want stronger privacy controls for more secure communication.
The service is designed to be easy to use for end users who may not have the technical gumption to set up PGP (Pretty Good Privacy), a standard for signing and encrypting content.
Virtru is compatible with most major webmail providers, including Google’s Gmail, Yahoo’s Mail and Microsoft’s Outlook webmail, which replaced Hotmail.
Emails sent using Virtru through those services would look like gibberish, providing a greater degree of privacy. Law enforcement or other entities would not be able to read the content unless they could obtain the key.
Virtru uses a browser extension to encrypt email on a person’s computer or mobile device. The content is decrypted after recipients receive a key, which is distributed by Virtru’s centralized key management server.
Although Virtru handles key management, the company is working on a product that would allow that task to be managed on-site for users, as some administrators would be uncomfortable with another entity managing their keys.
Virtru has said it put aside funds to contest government orders such as a National Security Letter or law enforcement request that are not based on a standard of probable cause.
NSA Spies With Tracking Cookies
December 23, 2013 by admin
Filed under Around The Net
Comments Off on NSA Spies With Tracking Cookies
The browser cookies that online businesses use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.
The agency’s use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, theWashington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.
Google’s PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.
PREF cookies don’t store any user identifying information such as user name or email address. But they contain information on a user’s general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual’s browser.
The Google cookie, and those used by other online companies, can be used by the NSA to track a target user’s browsing habits and to enable remote exploitation of their computers, the Post said.
Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target’s computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.
It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).
Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.
However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed “Happyfoot,” allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.
An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.
An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency’s commitment to fulfill its mission of protecting the country against those seeking to do it harm.
“As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies,” the spokeswoman said.
The Post’s latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.
Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.
Will Skype 3RD Party API’s End?
Angry Developers, a breed not unlike Angry Birds but without the desire to fling themselves at naughty pigs, have started a petition asking Microsoft to withdraw its plan to switch off the desktop API for Skype.
The news follows Microsoft’s announcement that support for third party applications will end in December. The change.org petition explains, “The decision to discontinue Skype’s Desktop API impacts our ability to use Skype within my normal Skype calling activities.” It goes on to request that, “Skype/Microsoft provide continued support for third party Skype utilities that have become mission critical to Skype’s users.”
The API runs a range of services, including call recording clients, and in some cases third party hardware including certain headsets. Its discontinuation will most likely see problems for third party instant messaging (IM) services that rely on the API to aggregate IM services, as Skype does not use the Jabber protocol.
Microsoft’s explanation of this was fairly straightforward. It said, “The Desktop API was created in 2004 and it doesn’t support mobile application development. We have, therefore, decided to retire the Desktop API in December 2013.”
However, many developers who receive income from their products using the Skype API are unsatisfied with this.
Although Skype has had a mobile client dating back as far as Windows Mobile 5, it has never had parity with the desktop version and there remains some bewilderment as to why Microsoft has made this decision.
At the time of writing shortly after launch on Friday, the petition had 540 signatures and rising, showing that there is a groundswell of support for the initiative.
HTC Cutting US Jobs
September 25, 2013 by admin
Filed under Around The Net
Comments Off on HTC Cutting US Jobs
In another sign of trouble at HTC, the Taiwan-based mobile device maker began downsizing its U.S. operations on Friday, eliminating an undisclosed number of staff.
The move is meant to “streamline and optimize” the company’s U.S. organization “after several years of aggressive growth,” HTC said in a Monday email. A company spokeswoman declined to specify how many employees would be affected.
“However, to achieve our long-term goals as a business and return maximum value to our shareholders, this is a necessary step to drive ongoing innovation,” the company said.
HTC has been facing a difficult year on weak earnings that have sent its stock price tumbling. In the second quarter, its net profit plummeted 83 percent year-over-year, despite strong reviews for its flagship smartphone, the HTC One.
The weak financials are major change from only a couple years ago when HTC was riding high selling Android smartphones in the U.S. But starting in late 2011, the company’s net profit has sagged on increased competition from Samsung and Apple.
To recover, HTC has focused on building up its “One” smartphone brand. In addition, the company has expanded its China presence, and in August launched a new marketing campaign that’s enlisted Hollywood actor Robert Downey Jr.
While the company has largely focused selling high-end handsets, in July HTC said it was planning on selling more mid-tier and entry level phones to regain market share. The new phones will launch at end of the third quarter or early fourth quarter.
But the company’s troubles go beyond issues with smartphone sales and marketing. In September, Taiwanese authorities arrested three HTC employees for allegedly stealing company secrets. One of the employees arrested was Thomas Chien, HTC’s vice president of product design.
HTC has declined to offer further details on the case.
Google Snubs Privacy
August 29, 2013 by admin
Filed under Around The Net
Comments Off on Google Snubs Privacy
Search giant Google has told the British government it is immune to prosecution on privacy issues and it can do what it like. The US Company is accused of illegally snooping on its British customers by bypassing privacy settings on Apple devices, such as iPads, to track their browsing history.
A group of British people took Google to court but the search engine is trying to get the case thrown out. Its argument is that it is not subject to British privacy law because it is based in California. This is the second time that Google has tried to avoid British law by pretending to operate in another country. It has come under fire for failing to pay tax in the UK
Nick Pickles, director of Big Brother Watch, said: ‘It is deeply worrying for a company with millions of British users to be brazenly saying they do not regard themselves bound by UK law. Solicitor Dan Tench, of law firm Olswang, said this was another instance of Google being here when it suits them and not being here when it doesn’t. Ironically when the US ordered Google to stop what it was doing, it forced the search engine to pay a $22.5million to regulators.
There are some indications that Google may not get its way. In July the Information Commissioner’s Office told Google its privacy rules breached UK law so it will be very hard for it to stand up in court and say it didn’t.
Google Encrypts Data
August 27, 2013 by admin
Filed under Around The Net
Comments Off on Google Encrypts Data
Google officially announced it will by default encrypt data warehoused in its Cloud Storage service.
The server-side encryption is now active for all new data written to Cloud Storage, and older data will be encrypted in the coming months, wrote Dave Barth, a Google product manager, in a blog post.
“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys,” Barth wrote. “We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”
The data and metadata around an object stored in Cloud Storage is encrypted with a unique key using 128-bit Advanced Encryption Standard algorithm, and the “per-object key itself is encrypted with a unique key associated with the object owner,” Barth wrote.
“These keys are additionally encrypted by one of a regularly rotated set of master keys,” he wrote. “Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”
Data collection programs revealed by former U.S. National Security Agency contractor Edward Snowden have raised questions about U.S. government data requests made to Internet companies such as Google for national security investigations.
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.
“Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process,” she wrote. “When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.”
DDoS Attacks Rising
One in five UK businesses experienced a DDoS attack last year according to a new survey.
Analytics firm Neustar said that while the percentage is significantly lower than that experienced by their US equivalents it is still fairly high. More than 22 percent of the 381 organisations participating in the annual trends study reported DDoS attacks, compared to 35 percent experiencing the same in a separate study carried out among US firms in 2012.
Neustar set out to measure revenue ‘risk per hour’ which is a measure of what it might cost a business in a particular sector to experience DdoS downtime. They found that the majority of organisations reckoned this at less than $1,500 per hour.
Most of the rest put it somewhere between $1,500 and $15,000 although one in four financial services firms put the number at $250,000 per hour. This cost included brand damage and unexpected customer service calls.
Yahoo Still Playing Pac-Man
July 16, 2013 by admin
Filed under Around The Net
Comments Off on Yahoo Still Playing Pac-Man
Yahoo announced on Wednesday that it bought Qwiki for an undisclosed sum, as the firm’s spending spree continues.
Qwiki started out as a video focused search engine in 2011, before making its way into the iTunes Store as an app that turns images and videos into digital story boards.
Yahoo announced its acquisition of Qwiki on Wednesday, although it kept quiet about what it plans to do with the company and how much it spent. However, according to Allthingsd, Yahoo spent approximately $50m to further expand its digital offerings.
What’s more, while it’s unclear what Yahoo’s plans are at present, it’s likely that the firm is looking to challenge Vine and Instagram in the social video market.
Yahoo announced the news, naturally, on Tumblr. It said, “We’re excited to announce that Yahoo acquired Qwiki – a company that uses awesome technology to bring together pictures, music and video to capture the art of storytelling.
“We will continue to support the Qwiki app, and the team will join Yahoo in our New York city office to reimagine Yahoo’s storytelling experience. Stay tuned … there’s much more to come!”
Qwiki also had something to say, posting on its website, “Thank you for being a part of our story – one which is far from over. The Qwiki app will live on as a standalone entity inside Yahoo, where we will grow our thriving community and where our team will continue to work to help you share life’s best experiences.
“We are proud of the work we’ve done, and humbled by unwavering support from the NY tech community. New York is such a big part of who we are, and what we will become.”
Yahoo’s buyout of Qwiki is the latest in a series of acquisitions by the firm. Recently the firm announced that it bought Tumblr for a cool $1.1bn, with Yahoo CEO Marissa Mayer promising “not to screw it up”.