benrothke writes "Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA) and 2 of its 3 authors not been attorneys; one would have thought the book is a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security. With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers." Read below for the rest of Ben's review.

New submitter ukemike points out an article at CNET reporting on a how there's a "waiting list" for Apple to decypt iPhones seized by various law enforcement agencies. This suggests two important issues: first, that Apple is apparently both capable of and willing to help with these requests, and second, that there are too many of them for the company to process as they come in. From the article: "Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year. An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, 'contacted Apple to obtain assistance in unlocking the device,' U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was 'placed on a waiting list by the company.' A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he "attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock' an iPhone 4S. But after each police agency responded by saying they 'did not have the forensic capability,' Maynard resorted to asking Cupertino. Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."

Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"

First time accepted submitter ememisya writes "Ever thought it might be a good idea to store encrypted data in a QRCode video? Using this technique one could easily store 10GB of data to be available anywhere in the world, and completely free."

mikejuk writes with news of an advancement for homomorphic encryption and open source: "To be fully homomorphic the code has to be such that a third party can add and multiply numbers that it contains without needing to decrypt it. In other words they can change the data by working with just the encrypted version. This may sound like magic but a fully homomorphic scheme was invented in 2009 by Craig Gentry. This was a step in the right direction but the problem was that it is very inefficient and computationally intensive. Since then there have been a number of improvements that make the scheme practical in the right situations Now Victor Shoup and Shai Halevi of the IBM T J Watson Research Center have released an open source (GPL) C++ library, HElib, as a Github project. The code is said to incorporate many optimizations to make the encryption run faster. Homomorphic encryption has the potential to revolutionize security by allowing operations on data without the need to decrypt it."

Jeremiah Cornelius writes with what looks to be part of CISPA III: Children of CISPA. From the article: "A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur. ... 'The importance to us is pretty clear,' says Andrew Weissmann, the FBI's general counsel. 'We don't have the ability to go to court and say, "We need a court order to effectuate the intercept." Other countries have that.' Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. 'This proposal is a non-starter that would drive innovators overseas and cost American jobs,' said Greg Nojeim, a senior counsel at the Center for Democracy and Technology. 'They might as well call it the Cyber Insecurity and Anti-Employment Act.'"

Virtucon writes "U.S. Magistrate William Callahan Jr. of Wisconsin has ruled in favor of the accused in that he should not have to decrypt his storage device. The U.S. Government had sought to compel Feldman to provide his password to obtain access to the data. Presumably the FBI has had no success in getting the data and had sought to have the judge compel Feldman to provide the decrypted contents of what they had seized. The Judge ruled (PDF): 'This is a close call, but I conclude that Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with "reasonably particularity" — namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.'" If the government has reasonable suspicion that you have illicit data, they can still compel you to decrypt it.

hypnosec writes "Authorities in Japan are presumably worried about their inability to tackle cybercrime and, in a bid to stem one of the sources of anonymous traffic, the National Police Agency (NPA) is asking ISPs to block Tor. The recommendation comes from the special panel formed by the NPA after a hacker going by the name Demon Killer was found to regularly use Tor to anonymize his online activities, like posting of death threats on public message boards."

New submitter brennz writes "Cryptographers on StackExchange were discussing CipherCloud, using some promotional material from the same to provide detail. CipherCloud responded with a DMCA takedown request that some have characterized as abusive."

Sparrowvsrevolution writes "Bitcoin's recent spike and then collapse in value has convinced many that it's too unstable to use as a practical currency. But not the founder of Silk Road, the black market drug site that exclusively accepts Bitcoin in exchange for heroin, cocaine and practically every other drug imaginable. Silk Road's creator, who calls himself the Dread Pirate Roberts, broke his usual media silence to issue a short statement that Silk Road will survive Bitcoin's bubble and bust. The market's prices are generally pegged to the dollar, with prices in Bitcoin fluctuating to account for movements in the exchange rate. And Roberts explained that vendors on the site have the option to also hedge the Bitcoins that buyers place in escrow for their products, so that they can't lose money due to Bitcoin's volatility while the drugs are in the mail. As a result, only about 1,000 of the site's more than 11,000 product listings were taken down during the recent crash."

An anonymous reader links to an article at Ars explaining the dropping inventory of bridges available to users of the Tor project's encrypted messaging system. They're looking for more bridges, but that doesn't necessarily mean buying new hardware per se. From the article: "After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadiankakis. 'Most of those bridges are down, and fresh ones are needed more than ever,' [Tor volunteer George] Kadiankakis wrote in an e-mail, 'since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria).' For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Service Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge."

An anonymous reader writes "Two hundred hackers from around the world gathered at a Miami Beach hotel Thursday and Friday for the Infiltrate Security conference, which focuses on systems hacking from the 'offensive' perspective (with slides). In a keynote address, Stephen Watt, who served two years in prison for writing the software used by his friend Alberto Gonzalez to steal millions of credit card numbers from TJX, Hannaford and other retailers, acknowledges he was a 'black hat' but denies that he was directly involved in TJX or any other specific job. Watt says his TCP sniffer logged critical data from a specified range of ports, which was then encrypted and uploaded to a remote server. Brad 'RenderMan' Haines gave a presentation on vulnerabilities of the Air Traffic Control system, including the FAA's 'NextGen' system which apparently carries forward the same weakness of unencrypted, unauthenticated location data passed between airplanes and control towers. Regarding the recent potential exploits publicized by Spanish researcher Hugo Teso, Haines says he pointed out similar to the FAA and its Canadian counterpart a year ago, but received only perfunctory response."

StrongAuth helps protect data with strong encryption, so that even if a company's network infrastructure is breached, its critical data -- including customers' credit card numbers, for example -- is still safe. Their software is open source, and their objective is to "become like the Toyota Camry of encryption key management," says StrongAuth CTO Arshad Noor. "Everybody should be able to afford it." These are big words from a company that only has 12 employees, all in Silicon Valley, but it's a company that not only has a strong reputation among its small and medium-sized business clients, but is starting to get acceptance from Fortune 500 behemoths, too. In this video interview (and in the transcript), Arshad not only talks about data security, but about how his company makes money while developing and relying purely on open source software. And did somebody ask about Linux? Yes, their software is all based on Linux. CentOS, to be exact.

A few months ago, Tatu Ylonen (creator of SSH 1.x) declared that lax key management was hazardous. Now there's work being done on a standard for automated key management. hypnosec sent in the news; quoting Parity News on the content of the draft: "It presents a process that would allow for moving of already issued keys to protected location, removal of unused keys, key rotation, providing rights of what can be done with the keys and establishing an approval process for issue of new keys." There's a non-WG mailing list; the final version of the standard is expected in October.

New submitter Chewbacon writes "If you can't hack it, smash and grab it. Video streaming service Vudu has emailed customers informing them of the theft of hard drives containing customer information. CNET reports the information on the stolen drives included: names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. Vudu's Chief Technology Officer Prasanna Ganesan said while no complete credit card numbers were stored on the hard drives and expressed confidence in password encryption, he felt the need to be proactive with the password reset and encouraged users to be proactive as well should the encrypted passwords become compromised. Vudu fails to mention, perhaps in a downplaying move, the last 4 digits of a credit card and much of the other information stolen is often enough to access an account through virtually any company's phone support."

First time accepted submitter snobody writes "Recently, an article was posted on Slashdot about the claim that law enforcement made about being frustrated by their inability to decrypt messages using Apple's iMessage. However, this article on Techdirt suggests that the DEA may be spewing out disinformation. As the Techdirt article says, if you switch to a new iDevice, you still are able to access your old iMessages, suggesting that Apple has the key somewhere in the cloud. Thus, if law enforcement goes directly to Apple, they should be able to get the key."

According to an report at CNET, "Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, 'it is impossible to intercept iMessages between two Apple devices' even with a court order approved by a federal judge." The article goes on to talk about ways in which the U.S. government is pressuring companies to leave peepholes for law enforcement in just such apps, and provides some insight into why the proprietary iMessage is (but might not always be) a problem for eavesdroppers, even ones with badges. Adds reader adeelarshad82, "It turns out that encryption is only half of the problem while the real issue lies in the Communications Assistance for Law Enforcement Act which was passed in 1994.

msm1267 writes "Tibetans inside China or in exile, along with Syrians, Iranians and other groups oppressed by autocratic regimes, rely on technology to communicate and organize protests. Yet state-sponsored attackers have infiltrated the devices and platforms used by the oppressed to put their freedom or lives in danger. Groups such as Tibet in Action or Citizen Lab Munk School of Global Affairs have put together resources to help educate and enhance the security of oppressed people."

An anonymous reader writes with this tidbit from Net Security: "Players of The War Z, a first-person zombie survival game, have been notified of a breach of the developer's forum and game databases and the theft of user data contained in them. 'The data accessed included email addresses used to log-in to the forum, forum passwords which we encrypt, email addresses used to log-in to the game, encrypted game passwords as well as in-game character names and the IP addresses from which players log-in to the forum and to the game,' the developer explained ...There is no mention of what encryption algorithm they use to encrypt the passwords, nor whether they are 'salted,' so their advice to users about immediately changing the passwords they used for the forum and the account is more than fitting."

We appreciate all the support we've gotten over the years from Slashdot's logged-in users. They take part actively in discussions, and in exchange for their active interest in the site, we like to give a few perks over and above what our beloved anonymous readers get. But we never want to deprive anonymous readers of the actual features of the site — whether you're a logged-in account holder, anonymous, a subscriber, or have a username but are browsing anonymously at any given moment, Slashdot has always been freely available to read for anyone with a browser and an uncensored Internet connection. It's a balance we try to maintain, too, Sure, we'd like you to login, and we think it has some worthwhile benefits (like tracking comment responses, building karma, and using the Zoo system to keep track of your friends and foes), but we'll never force you to. Today, we're building on this approach, by introducing a feature that benefits every logged-in user, but still leaves the page free to read for all. We'll be phasing in over the next few days a button that logged-in users and subscribers can click to decrypt the text of each Slashdot posting with the trivial transform known as Rot13. Read more, below!