WhatsApp Would Not Remove End-To-End Encryption For UK Law, Says Chief

By: BeauHD
An anonymous reader quotes a report from The Guardian: WhatsApp would refuse to comply with requirements in the online safety bill that attempted to outlaw end-to-end encryption, the chat app's boss has said, casting the future of the service in the UK in doubt. Speaking during a UK visit in which he will meet legislators to discuss the government's flagship internet regulation, Will Cathcart, Meta's head of WhatsApp, described the bill as the most concerning piece of legislation currently being discussed in the western world. He said: "It's a remarkable thing to think about. There isn't a way to change it in just one part of the world. Some countries have chosen to block it: that's the reality of shipping a secure product. We've recently been blocked in Iran, for example. But we've never seen a liberal democracy do that. "The reality is, our users all around the world want security," said Cathcart. "Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users." The UK government already has the power to demand the removal of encryption thanks to the 2016 investigatory powers act, but WhatsApp has never received a legal demand to do so, Cathcart said. The online safety bill is a concerning expansion of that power, because of the "grey area" in the legislation. Under the bill, the government or Ofcom could require WhatsApp to apply content moderation policies that would be impossible to comply with without removing end-to-end encryption. If the company refused to do so, it could face fines of up to 4% of its parent company Meta's annual turnover -- unless it pulled out of the UK market entirely.

Read more of this story at Slashdot.

WhatsApp Says It Would Leave UK If Government Tried to Weaken Encryption

WhatsApp would exit the U.K. market rather than be in thrall to the government's proposed Online Safety Bill if it undermined the app's end-to-end encryption, the platform's chief has said (via BBC News).


End-to-end encryption ensures that only the user and the person they are communicating with can read or listen to what is sent, and nobody in between, not even Meta/Facebook, can gain access to this content. However, the government, and some child-protection charities, argue that such encryption hinders efforts to combat the growing problem of online child abuse.

Under the bill, the government could force WhatsApp to apply content moderation policies that are impossible to implement without removing end-to-end encryption. If WhatsApp refused to do so, it could face fines of up to 4 percent of its parent company Meta's annual turnover.

But speaking during a U.K. visit in which he will meet legislators to discuss the government's internet regulation, Meta's head of WhatsApp, Will Cathcart, said it would refuse to comply if asked to weaken its encryption, since it would do so for all users.

"Our users all around the world want security - 98% of our users are outside the U.K., they do not want us to lower the security of the product," he said, adding that the app would rather accept being blocked in the U.K. "We've recently been blocked in Iran, for example. We've never seen a liberal democracy do that."

Encrypted messaging app Signal's president Meredith Whittaker also recently said it "would absolutely, 100% walk" and halt its service in the U.K. if the bill required it to scan messages.

Asked if he would go as far as Signal, Cathcart told the BBC: "We won't lower the security of WhatsApp. We have never done that - and we have accepted being blocked in other parts of the world."

"When a liberal democracy says, 'Is it OK to scan everyone's private communication for illegal content?' that emboldens countries around the world that have very different definitions of illegal content to propose the same thing," Cathcart said.

WhatsApp is the most popular messaging platform in the U.K., used by more than seven in 10 adults who are online, according to communication regulator Ofcom.

The U.K. government's Online Safety Bill is expected to return to parliament this summer.

This article, "WhatsApp Says It Would Leave UK If Government Tried to Weaken Encryption" first appeared on MacRumors.com


SeaMonkey as an I2P Suite

I2P is one of the many darknets floating around (running over?) the internet and I've been playing around with it since, like, high school. It's peer-to-peer, censorship resistant, and overall just super cool. And by peer-to-peer I mean that you can share files over the network (using torrents) while both remaining anonymous and not being a nuisance to other users (unlike Tor).

Also unlike Tor it doesn't have its own “browser bundle”.

I mean, it did at one point. But then it got discontinued.

Before the browser bundle I had to rely on a manually configured secondary browser, which I am now back to doing. It's not a majorly inconvenient process, but wow was that browser bundle very convenient.


I've been a die-hard user of Firefox (and browsers based on/related to Firefox, like Camino or pre-Chromium Flock) since the early/mid 2000s and I have no plans to ever switch over to Chrome or its ilk. Even though the browser wars are over, I will forever continue the struggle as part of the dissident Firefox-users campaign. Sure, I have to rely on Google for plenty of other things (like my phone, calendar, contacts, cloud storage, captcha protection for this site, and so on), but they'll never get my browser! Or email! Or web searches (mostly)!

You can have my Gecko layout engine when you uninstall it from my cold, bricked, SSD.

So obviously, I'd use something Firefox-ish for my manually configured secondary browser. And the Firefox-ish browser I'm using here is SeaMonkey; the direct descendant of the original Mozilla Application Suite, which Firefox, as well as Thunderbird (which I still use as a desktop mail/RSS client), were spun off from.

In addition to a browser, SeaMonkey includes an email (and newsgroup) client, an IRC client, an HTML editor, and an email address book.

So, why SeaMonkey? And not, like… a separate Firefox profile or container tab or something.

Well, for all their similarities (both being darknet-proxy-software things and all), I2P and Tor are different. They fill different niches, I guess. While they both have hidden services and out-proxies to the clearweb, Tor's focus is definitely on the latter, while I2P seems to focus more on the former. And I2P's hidden services aren't all websites (I'm not saying all of Tor's are though); I2P also has email, and IRC, and torrents too!

And also I'm already comfortable doing things this way. Leave me alone.


Installing I2P and SeaMonkey

The first thing I did here was actually getting the software. I did a manual download/installation rather than relying on my machine's package manager, because I didn't want to have to build possibly outdated versions from the AUR that may overwrite whatever changes I made after an update. Links to download both SeaMonkey and I2P are below.

Download SeaMonkey → https://www.seamonkey-project.org/releases/

Download I2P → https://geti2p.net/en/download

Configuring the browser

Like I said before, I2P hidden services aren't all websites, but that is a large part of them, so configuring SeaMonkey's browser was going to be necessary.

Configuring the browser is pretty straightforward. The process for SeaMonkey is more or less the same as for Firefox; the only difference is where the settings live. In SeaMonkey, Preferences are in the Edit menu, and the proxy settings are under Proxies in the Advanced section.

And once that's configured (and once I2P is running) the router homepage can be found here: http://127.0.0.1:7657

I will admit that it has been a bit painful when I have to run updates for SeaMonkey, as I've had to temporarily disable the proxy. Updates to I2P, however, are done entirely within I2P! Via torrents!
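
A check for exactly that caveat, added here as an example and not part of the post: after a browser update it is easy to forget to switch the proxy back on, and a SeaMonkey started that way talks to the open internet directly. The script reads the proxy prefs from a profile's prefs.js (the standard Gecko pref names network.proxy.type, network.proxy.http and network.proxy.http_port; type 1 means "manual proxy") and only calls the profile proxied when all three point at the I2P HTTP proxy. Port 4444 is I2P's default HTTP proxy port and is an assumption, as is the profile location; the two prefs files the demo runs on are constructed samples, not real profiles.

```shell
#!/bin/bash
# Added example (not the post's own script): verify that a SeaMonkey profile's
# prefs.js still routes HTTP through the I2P proxy before browsing eepsites.
# Pref names are the standard Gecko ones; host/port are assumptions
# (127.0.0.1:4444 is I2P's default HTTP proxy) and can be overridden via env.
PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-4444}"

# pref_value FILE NAME: print the value of the last `user_pref("NAME", VALUE);`
# line in FILE with surrounding double quotes stripped; prints nothing if absent.
pref_value() {
    grep "^user_pref(\"$2\", " "$1" | tail -n 1 |
        sed -e 's/^user_pref("[^"]*", *//' -e 's/);[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# proxy_configured FILE: succeed only if FILE selects a manual proxy (type 1)
# pointing at PROXY_HOST:PROXY_PORT. A missing pref counts as "not proxied",
# which is what a setting reverted to its default during an update looks like.
proxy_configured() {
    [ "$(pref_value "$1" network.proxy.type)" = "1" ] &&
    [ "$(pref_value "$1" network.proxy.http)" = "$PROXY_HOST" ] &&
    [ "$(pref_value "$1" network.proxy.http_port)" = "$PROXY_PORT" ]
}

# Constructed sample prefs.js contents (not taken from a real profile).
# Proxied as described in the post; 127.0.0.1 stays in the no-proxy list so the
# router console at http://127.0.0.1:7657 is still reachable directly.
sample_prefs_proxied() {
    cat <<'EOF'
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 4444);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
EOF
}
# Proxy switched off for a browser update and never switched back on.
sample_prefs_unproxied() {
    cat <<'EOF'
user_pref("network.proxy.type", 0);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 4444);
EOF
}

# report FILE: one-line verdict; exit status mirrors proxy_configured.
report() {
    if proxy_configured "$1"; then
        echo "$1: proxied via $PROXY_HOST:$PROXY_PORT"
    else
        echo "$1: NOT proxied, do not browse I2P with this profile" >&2
        return 1
    fi
}

# Demo on the constructed samples; pass a real prefs.js path as $1 to check it.
if [ -n "${1:-}" ]; then
    report "$1"
else
    tmp=$(mktemp)
    sample_prefs_proxied >"$tmp";   report "$tmp"
    sample_prefs_unproxied >"$tmp"; report "$tmp"
    rm -f "$tmp"
fi
```

Run it with the path to the profile's prefs.js (on Linux, SeaMonkey profiles normally live under ~/.mozilla/seamonkey/) after the browser has been closed, since Gecko rewrites prefs.js on exit; a non-zero exit means the proxy is off and the launcher should refuse to start.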

I love torrents.

Configuring the mail client

Thanks to the mysterious and venerable postman, getting an I2P email address is super easy. And it works like any other email address; messages can be sent to whoever! And that ain't just limited to other folks with I2P email addresses. It works Clearnet-to-I2P (and vice versa) as well!

I don't really make use of the email service, because I'd really only be sending encrypted emails talking about encryption (relevant xkcd), but it's still a useful tool for folks that need it. And by default, I2P actually has a pre-configured browser-integrated mail client that works great.

But sometimes having a dedicated(-ish) mail client is good. It's not something I need, but still, I can do it with SeaMonkey.

If you can set up a mail client for a normal email account then you can do the same for an I2P mail account. Only POP3 works though, so that's what I had to use; no IMAP. Also, I didn't have to select any encryption/connection security settings because all packets being sent through I2P are encrypted anyways.

I used 127.0.0.1 as the host for both POP and SMTP over ports 7660 and 7659 respectively (as mentioned in I2P's list of used ports). By default, these ports are tunneled to/from the mail service that postman runs, but if I wanted to use another service I can change them in the I2P tunnel settings.

Configuring the IRC client

I was able to configure the IRC client, Chatzilla, pretty quickly as well. It was just the matter of adding a network named irc2p, and then adding a server under that network, with the actual “server” being 127.0.0.1 and the port being 6668.

And again, no encryption/connection security settings were necessary here either because everything's encrypted anyways.

I2P has some documentation on configuring other IRC clients that's definitely worth a read.

Like the email service, the port mentioned (6668) is also tunneled to/from a service run by postman, but I can always change this if I want (the same way as for email).

Configuring a desktop shortcut

Since I did a manual install of both SeaMonkey and I2P, I had to do some manual work to actually set up a shortcut. I installed both pieces of software in the same directory (i2p-browser) and then wrote a bash script to, first, start the I2P router (in headless mode) and, then, start SeaMonkey. After SeaMonkey exits, I then stop the router.

#!/bin/bash

# Start the router; the i2prouter wrapper daemonizes it and returns right away.
/path/to/my/i2p-browser/i2p/i2prouter start
# Run SeaMonkey in the foreground; the script blocks here until the browser exits.
/path/to/my/i2p-browser/seamonkey/seamonkey
# Browser closed: stop the router.
/path/to/my/i2p-browser/i2p/i2prouter stop

I then created a .desktop file to point at this script, and stuck it where all of those custom .desktop files go in GNOME (~/.local/share/applications/). That way a shortcut will be in my applications menu, and I can start the whole thing with one click.

[Desktop Entry]
Type=Application
Name=i2p Browser
Comment=
Categories=Network;WebBrowser;Security;
Exec=bash /path/to/my/i2p-browser/i2p_browser_start.sh
Icon=/path/to/my/i2p-browser/i2p/docs/console.ico

Yeah, I use GNOME. Fight me.

By default, when I2P starts, it opens the router console in the default browser. Since I didn't want this, and wanted to use SeaMonkey instead, I unchecked that setting in the router config.
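
A fail-closed version of the launcher above, added here as an example rather than the post's own script: it waits until the router's HTTP proxy is actually accepting connections before starting SeaMonkey, so the browser cannot come up ahead of the proxy and fall through to the open internet, and it stops the router on every exit path (clean exit, browser crash, Ctrl-C). The install paths are the same placeholders as in the post, port 4444 is I2P's default HTTP proxy port and an assumption, and the port probe uses bash's /dev/tcp so it needs no extra tools. The .desktop file's Exec line can point at this script exactly as before.

```shell
#!/bin/bash
# Added example (not the post's own script): fail-closed launcher for the
# SeaMonkey + I2P setup. Paths are placeholders (assumptions) as in the post;
# 127.0.0.1:4444 is I2P's default HTTP proxy and is assumed unchanged.
I2P_DIR="${I2P_DIR:-/path/to/my/i2p-browser/i2p}"
SEAMONKEY="${SEAMONKEY:-/path/to/my/i2p-browser/seamonkey/seamonkey}"
PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-4444}"
ROUTER_TIMEOUT="${ROUTER_TIMEOUT:-90}"   # seconds to wait for the proxy to listen

# port_open HOST PORT: succeed if a TCP connection to HOST:PORT is accepted.
# Uses bash's /dev/tcp pseudo-device, so no nc/curl dependency; a closed port
# (or a shell without /dev/tcp) fails fast instead of hanging.
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# wait_for_port HOST PORT TIMEOUT: poll once a second; 0 when open, 1 on timeout.
wait_for_port() {
    local host=$1 port=$2 timeout=$3 elapsed=0
    until port_open "$host" "$port"; do
        if [ "$elapsed" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# i2p_browser_main: start the router, wait for the HTTP proxy, then run the
# browser in the foreground; the router is stopped on every exit path.
i2p_browser_main() {
    if ! "$I2P_DIR/i2prouter" start; then
        echo "i2p-browser: router failed to start, not launching browser" >&2
        return 1
    fi
    # EXIT trap fires on normal exit, on a browser crash, and when the script
    # itself is killed by Ctrl-C, so the router never stays up unattended.
    trap '"$I2P_DIR/i2prouter" stop' EXIT
    if ! wait_for_port "$PROXY_HOST" "$PROXY_PORT" "$ROUTER_TIMEOUT"; then
        echo "i2p-browser: no proxy on $PROXY_HOST:$PROXY_PORT after ${ROUTER_TIMEOUT}s, not launching browser" >&2
        return 1
    fi
    "$SEAMONKEY"
}

# Launch only if the router really is where I2P_DIR points; otherwise just say
# so (this also lets the functions above be sourced from other scripts).
if [ -x "$I2P_DIR/i2prouter" ]; then
    i2p_browser_main
else
    echo "i2p-browser: $I2P_DIR/i2prouter not found; set I2P_DIR" >&2
fi
```

The readiness check deliberately probes the proxy port rather than just the console at 127.0.0.1:7657: the console being up says the router process exists, while the proxy port is what the browser will actually use.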


A web browser, mail client, and IRC client. That pretty much covers everything that's part of SeaMonkey. And once it's all configured, it's on to browsing the invisible internet.

But what about torrents? I've mentioned torrents a few times here. How am I going to start using those? Well I could try configuring my normal torrent client, Deluge, to proxy traffic through I2P using a SAM Bridge and…


I2P actually includes, by default, a browser-accessible torrent client called I2PSnark! And, because of how I2P works, it's totally anonymous! Since, like, everything is encrypted. And also I2P is a darknet.

I2P has plenty of other cool features that I really need to explore, like anonymous git hosting. Maybe after I play around with (finally) setting up my own hidden service on I2P (they're called eepsites) like I did with Tor I can finally do that.

Will Quantum Computing Bring a Cryptopocalypse?

"The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away," notes Security Week. But "The arrival of cryptanalytically-relevant quantum computers that will herald the cryptopocalypse will be much sooner — possibly less than a decade." It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.... [T]his is not a threat for the future — the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the 'harvest now, decrypt later' threat. Intellectual property and commercial plans — not to mention military secrets — will still be valuable to adversaries when the cryptopocalypse happens. The one thing we can say with certainty is that it definitely won't happen in 2023 — probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies — and they're not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor's algorithm and crack PKI encryption in a meaningful timeframe. It is likely that such computers may become available as soon as three to five years. Most predictions suggest ten years. Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer — which is more likely to be 20 to 30 years away.... "Quantum computing is not, yet, to the point of rendering conventional encryption useless, at least that we know of, but it is heading that way," comments Mike Parkin, senior technical engineer at Vulcan Cyber.
Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. "New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner," he said. "It is also believed that quantum advancements don't have to directly decrypt today's encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it's no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don't even know about yet." Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. "Where is the threat in 2023 and beyond?" he asks. "Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptoanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future." The article warns that "the coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure." (The chief revenue officer at Quintessence Labs tells the site that symmetric encryption like AES-256 "is theorized to be quantum safe, but one can speculate that key sizes will soon double.") "The only quantum secure cryptography known is the one-time pad." Thanks to Slashdot reader wiredmikey for sharing the article.

Read more of this story at Slashdot.

CircleCI Says Hackers Stole Encryption Keys and Customers' Secrets

By: BeauHD
Last month, CircleCI urged users to rotate their secrets following a breach of the company's systems. The company confirmed in a blog post on Friday that some customers' data was stolen in the breach. While the customer data was encrypted, cybercriminals obtained the encryption keys able to decrypt the data. TechCrunch reports: The company said in a detailed blog post on Friday that it identified the intruder's initial point of access as an employee's laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication. The company took the blame for the compromise, calling it a "systems failure," adding that its antivirus software failed to detect the token-stealing malware on the employee's laptop. Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token of the account owner, or a hacker who stole the token. CircleCI said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company's production systems, which store customer data. "Because the targeted employee had privileges to generate production access tokens as part of the employee's regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruders had access from December 16 through January 4.
Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. "We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores," Zuber added. Several customers have already informed CircleCI of unauthorized access to their systems, Zuber said. Zuber said that CircleCI employees who retain access to production systems "have added additional step-up authentication steps and controls," which should prevent a repeat incident, likely by way of using hardware security keys.

Read more of this story at Slashdot.

โŒ