"It was pretty strange when Russia decided to announce last week that it had successfully run tests between June 15 and July 15 to show it could disconnect itself from the internet," writes an associate professor of cybersecurity policy at Tufts Fletcher School of Law and Diplomacy. The tests seem to have gone largely unnoticed both in and outside of Russia, indicating that whatever entailed did not involve Russia actually disconnecting from the global internet... since that would be impossible to hide. Instead, the tests — and, most of all, the announcement about their success — seem to be intended as some kind of signal that Russia is no longer dependent on the rest of the world for its internet access. But it's not at all clear what that would even mean since Russia is clearly still dependent on people and companies in other countries for access to the online content and services they create and host — just as we all are...

For the past two years, ever since implementing its "sovereign internet law" in 2019, Russia has been talking about establishing its own domestic internet that does not rely on any infrastructure or resources located outside the country. Presumably, the tests completed this summer are related to that goal of being able to operate a local internet within Russia that does not rely on the global Domain Name System to map websites to specific IP addresses. This is not actually a particularly ambitious goal — any country could operate its own domestic internet with its own local addressing system if it wanted to do so instead of connecting to the larger global internet... The Center for Applied Internet Data Analysis at the University of California San Diego maintains an Internet Outage Detection and Analysis tool that combines three data sets to identify internet outages around the world... The data sets for Russia from June 15 through July 15, the period of the supposed disconnection tests, shows few indications of any actual disconnection other than a period around July 5 when unsolicited traffic from Russia appears to have dropped off.

Whatever Russia did this summer, it did not physically disconnect from the global internet. It doesn't even appear to have virtually disconnected from the global internet in any meaningful sense. Perhaps it shifted some of its critical infrastructure systems to rely more on domestic service providers and resources. Perhaps it created more local copies of the addressing system used to navigate the internet and tested its ability to rely on those. Perhaps it tested its ability to route online traffic within the country through certain chokepoints for purposes of better surveillance and monitoring. None of those are activities that would be immediately visible from outside the country and all of them would be in line with Russia's stated goals of relying less on internet infrastructure outside its borders and strengthening its ability to monitor online activity.

But the goal of being completely independent of the rest of the world's internet infrastructure while still being able to access the global internet is a nonsensical and impossible one. Russia cannot both disconnect from the internet and still be able to use all of the online services and access all of the websites hosted and maintained by people in other parts of the world, as appears to have been the case during the monthlong period of testing... Being able to disconnect your country from the internet is not all that difficult — and certainly nothing to brag about. But announcing that you've successfully disconnected from the internet when it's patently clear that you haven't suggests both profound technical incompetence and a deep-seated uncertainty about what a domestic Russian internet would actually mean.

First Major League Baseball experimented with automated umpiring of balls and strikes in the minor leagues.

Now the Verge reports they're trying a time-saving tactic that might also make it harder to cheat: Baseball has a sign stealing problem — or at least, a technological one, seeing how reading another team's pitches is technically legal, but using Apple Watches or telephoto cameras and then suspiciously banging on trash cans is very much not. But soon the MLB may try fighting fire with fire: on August 3rd, it plans to begin testing an encrypted wireless communication device that replaces the traditional flash of fingers with button taps, according to ESPN.

The device, from a startup called PitchCom, will be tested in the Low-A West minor league first. As you'd expect from something that's relaying extremely basic signals, it's not a particularly complicated piece of kit: one wristband transmitter for the catcher with nine buttons to signal "desired pitch and location," which sends an encrypted audio signal to receivers that can squeeze into a pitcher's cap and a catcher's helmet.

The receivers use bone-conduction technology, so they don't necessarily need to be up against an ear, and might theoretically be harder to eavesdrop on. (Bone conduction stimulates bones in your head instead of emitting audible sound.)
"MLB hopes the devices will cut down on time spent by pitchers stepping off the rubber and changing signals," reports the Associated Press, noting another interesting new rule. "A team may continue to use the system if the opposing club's device malfunctions."

But don't worry about that, reports ESPN: Hacking the system, the company says, is virtually impossible. PitchCom uses an industrial grade encryption algorithm and transmits minimal data digitally, making it mathematically impossible for someone to decrypt intercepted transmissions, according to the company.

Criminals have hacked into a Gumtree-style website used for buying and selling firearms, making off with a 111,000-entry database containing partial information from a CRM product used by gun shops across the UK. The Register reports: The Guntrader breach earlier this week saw the theft of a SQL database powering both the Guntrader.uk buy-and-sell website and its electronic gun shop register product, comprising about 111,000 users and dating between 2016 and 17 July this year. The database contains names, mobile phone numbers, email addresses, user geolocation data, and more including bcrypt-hashed passwords. It is a severe breach of privacy not only for Guntrader but for its users: members of the UK's licensed firearms community. Guntrader spokesman Simon Baseley told The Register that Guntrader.uk had emailed all the users affected by the breach on July 21 and issued a further update yesterday.

Guntrader is roughly similar to Gumtree: users post ads along with their contact details on the website so potential purchasers can get in touch. Gun shops (known in the UK as "registered firearms dealers" or RFDs) can also use Guntrader's integrated gun register product, which is advertised as offering "end-to-end encryption" and "daily backups", making it (so Guntrader claims) "the most safe and secure gun register system on today's market." [British firearms laws say every transfer of a firearm (sale, drop-off for repair, gift, loan, and so on) must be recorded, with the vast majority of these also being mandatory to report to the police when they happen...]

The categories of data in the stolen database are: Latitude and longitude data; First name and last name; Police force that issued an RFD's certificate; Phone numbers; Fax numbers; bcrypt-hashed passwords; Postcode; Postal addresses; and User's IP addresses. Logs of payments were also included, with Coalfire's Barratt explaining that while no credit card numbers were included, something that looks like a SHA-256 hashed string was included in the payment data tables. Other payment information was limited to prices for rifles and shotguns advertised through the site. The Register recommends you check if your data is included in the hack by visiting Have I Been Pwned. If you are affected and you used the same password on Guntrader that you used on other websites, you should change it as soon as possible.

Threat actors who spread and manage malware have long abused legitimate online services. As we found during our investigation into the use of TLS by malware, more than half of network traffic generated by malware uses TLS encryption, and 20 percent of that involved the malware communicating with legitimate online services. During the timeframe of that research, we found that four percent of the overall TLS-protected malware downloads came from one service in particular: Discord. From a report: The growing popularity of the game-centric text and voice chat platform has not failed to draw the attention of malware operators. Discord operates its own content delivery network, or CDN, where users can upload files to share with others. The service also publishes an API, enabling developers to create new ways to interact with Discord other than through its client application. We observed significant volumes of malware hosted in Discord's own CDN, as well as malware interacting with Discord APIs to send and receive data.

Several password-hijacking malware families specifically target Discord accounts. SophosLabs also found malware that leveraged Discord chat bot APIs for command and control, or to exfiltrate stolen information into private Discord servers or channels. As the origins of the service were tied to online gaming, Discord's audience includes large numbers of gamers -- including players of youth-oriented titles such as Fortnite, Minecraft, or Roblox. Among the malicious files we discovered in Discord's network, we found game cheating tools that target games that integrate with Discord, in-game. The tools allegedly make it possible, exploiting weaknesses in Discord's protocols, for one player to crash the game of another player. We also found applications that serve as nothing more than harmless, though disruptive, pranks.

Cellphones "can be transformed into surveillance devices," writes the Guardian, reporting startling new details about which innocent people are still being surveilled (as part of a collaborative reporting project with 16 other media outlets led by the French nonprofit Forbidden Stories).

Long-time Slashdot reader shanen shared the newspaper's critique of a "privatised government surveillance industry" that's made NSO a billion-dollar company, thanks to its phone-penetrating spy software Pegaus: [NSO] insists only carefully vetted government intelligence and law enforcement agencies can use Pegasus, and only to penetrate the phones of "legitimate criminal or terror group targets". Yet in the coming days the Guardian will be revealing the identities of many innocent people who have been identified as candidates for possible surveillance by NSO clients in a massive leak of data... The presence of their names on this list indicates the lengths to which governments may go to spy on critics, rivals and opponents.

First we reveal how journalists across the world were selected as potential targets by these clients prior to a possible hack using NSO surveillance tools. Over the coming week we will be revealing the identities of more people whose phone numbers appear in the leak. They include lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state. Our reporting is rooted in the public interest. We believe the public should know that NSO's technology is being abused by the governments who license and operate its spyware.

But we also believe it is in the public interest to reveal how governments look to spy on their citizens and how seemingly benign processes such as HLR lookups [which track the general locations of cellphone users] can be exploited in this environment.

It is not possible to know without forensic analysis whether the phone of someone whose number appears in the data was actually targeted by a government or whether it was successfully hacked with NSO's spyware. But when our technical partner, Amnesty International's Security Lab, conducted forensic analysis on dozens of iPhones that belonged to potential targets at the time they were selected, they found evidence of Pegasus activity in more than half.
The investigators say that potential targets included nearly 200 journalists around the world, including numerous reporters from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, and even the editor of the Financial Times.

In addition, the investigators say they found evidence the Pegasus software had been installed on the phone of the fiancée of murdered Saudi journalist Jamal Khashoggi. NSO denies this to the Washington Post. But they also insist that they're simply licensing their software to clients, and their company "has no insight" into those clients' specific intelligence activities.

The Washington Post reports that Amnesty's Security Lab found evidence of Pegasus attacks on 37 of 67 smartphones from the list which they tested. But beyond that "for the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty's detective work."

Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

"Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government," reports SecurityWeek, "and must not sell or give the knowledge to any third-party outside of China (apart from the vulnerable product's manufacturer)." Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, "No one may 'collect, sell or publish information on network product security vulnerabilities,' say the rules issued by the Cyberspace Administration of China and the police and industry ministries...."

AP describes this action as "further tightening the Communist Party's control over information". This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.
"I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China's cybersecurity capabilities," Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells SecurityWeek. And Jake Williams, co-founder and CTO at BreachQuest adds that "the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains...."

But he also believes this could rebound against China. "One of the biggest likely issues is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can't do so in China, why would they stay? This probably helps China in the short term but harms them in the long term."

The new law does encourage network operators and product vendors to set up a reward mechanism for reported vulnerabilities, according to the Record. But Katie Moussouris, founder and CEO of Luta Security, also raises the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years. "If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports," Moussouris said. "That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies."

An anonymous reader writes: When a team of Chinese scientists beamed entangled photons from the nation's Micius satellite to conduct the world's first quantum-secured video call in 2017, experts declared that China had taken the lead in quantum communications. New research suggests that lead has extended to quantum computing as well. In three preprint papers posted on arXiv.org last month, physicists at the University of Science and Technology of China (USTC) reported critical advances in both quantum communication and quantum computing. In one of the studies, researchers used nanometer-scale semiconductors called quantum dots to reliably transmit single photons -- an essential resource for any quantum network -- over 300 kilometers of fiber, well over 100 times farther than previous attempts. In another, scientists improved their photonic quantum computer from 76 detected photons to 113, a dramatic upgrade to its "quantum advantage," or how much faster it is than classical computers at one specific task. The third paper introduced Zuchongzhi, made of 66 superconducting qubits, and performed a problem with 56 of them -- a figure similar to the 53 qubits used in Google's quantum computer Sycamore, which set a performance record in 2019.

All three achievements are world-leading, but Zuchongzhi in particular has scientists talking because it is the first corroboration of Google's landmark 2019 result. "I'm very pleased that someone has reproduced the experiment and shown that it works properly," says John Martinis, a former Google researcher who led the effort to build Sycamore. "That's really good for the field, that superconducting qubits are a stable platform where you can really build these machines." Quantum computers and quantum communication are nascent technologies. None of this research is likely to be of practical use for many years to come. But the geopolitical stakes of quantum technology are high: full-fledged quantum networks could provide unhackable channels of communication, and a powerful quantum computer could theoretically break much of the encryption currently used to secure e-mails and Internet transactions.

Starting today in the U.S. (and other countries in the not too distant future), you'll be able to encrypt the video footage captured via your Ring devices. ZDNet reports: This is done with Amazon's Video End-to-End Encryption (E2EE). If you decide to install this optional privacy feature, you'll need to install a new version of the Ring application on your smartphone. Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.

Earlier, Ring already encrypted videos when they are uploaded to the cloud (in transit) and stored on Ring's servers (at rest). Law enforcement doesn't have automatic access to customer devices or videos. You choose whether or not to share footage with law enforcement. With E2EE, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer's enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device. In addition, you'll need to opt into using E2EE. It doesn't turn on automatically with the software update. You'll also need to set a passphrase, which you must remember. AWS doesn't keep a copy. If you lose it, you're out of luck. [Just know that if you use E2EE, various features will be missing, such as sharing your videos, being able to view encrypted videos on Ring.com, the Windows desktop app, the Mac desktop app, or the Rapid Ring app, and the Event Timeline. E2EE also won't work with many Ring devices.] ZDNet notes that while police can still ask for or demand your video and audio content, they won't be able to decrypt your E2EE end-to-end encrypted video "because the private keys required to decrypt the videos are only stored on customer's enrolled mobile devices."

"The giant ransomware attack against Kaseya might have been entirely avoidable," writes Engadget: Former staff talking to Bloomberg claim they warned executives of "critical" security flaws in Kaseya's products several times between 2017 and 2020, but that the company didn't truly address them... Employees reportedly complained that Kaseya was using old code, implemented poor encryption and even failed to routinely patch software. The company's Virtual System Administrator, the remote maintenance tool that fell prey to ransomware, was supposedly rife with enough problems that workers wanted the software replaced.

One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders' partnerships with the Russian government.

Kaseya has declined to comment...

The company's software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy.
Engadget adds the Kaseya's software "was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy."

The European Union has allocated $4.7 million in funding to upgrade Cerberus, a platform used by EU law enforcement agencies to crack passwords and access encrypted devices. From a report: Developed in 2019 for an initial cost of $2.7 million, Cerberus stands for Child Exploitation Response by Beating Encryption and Research to Unprotect Systems. The platform is a collection of finely tuned algorithms that utilize high-performance computers to crack passwords for devices seized during law enforcement investigations. Sources close to the project have told The Record this week that the new $4.7 million in funding will be used as part of a new project called Overclock, which aims to expand the Cerberus platform with new algorithms that can be used to crack passwords on a broader set of new devices. Once finished, EU law enforcement hopes to be able to expand their digital forensics capabilities in regards to extracting and recovering data from secure devices.

An anonymous reader quotes a report from Ars Technica: Like most Internet-of-things (IoT) devices these days, Amazon's Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can "remove any... personal content from the applicable device(s)" before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other sensitive data. Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND -- which is short for the boolean operator "NOT AND" -- stores bits of data so they can be recalled later, but whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error-correcting code.

Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn't. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners' Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process. The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory. "An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks)," the researchers wrote in a research paper. "We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset."

After extracting the flash contents from their six new devices, the researchers used the Autospy forensic tool to search embedded multimedia card images. The researchers analyzed NAND dumps manually. They found the name of the Amazon account owner multiple times, along with the complete contents of the wpa_supplicant.conf file, which stores a list of networks the devices have previously connected to, along with the encryption key they used. Recovered log files also provided lots of personal information. After dumping and analyzing the recovered data, the researchers reassembled the devices. The researchers wrote: "Our assumption was, that the device would not require an additional setup when connected at a different location and Wi-Fi access point with a different MAC address. We confirmed that the device connected successfully, and we were able to issue voice commands to the device. When asked 'Alexa, Who am I?', the device would return the previous owner's name. The re-connection to the spoofed access point did not produce a notice in the Alexa app nor a notification by email. The requests are logged under 'Activity' in the Alexa app, but they can be deleted via voice commands. We were able to control smart home devices, query package delivery dates, create orders, get music lists and use the 'drop-in' feature. If a calendar or contact list was linked to the Amazon account, it was also possible to access it. The exact amount of functionality depends on the features and skills the previous owner had used." Furthermore, the researchers were able to find the rough location of the previous owner's address by asking questions about nearby restaurants, grocery stores, and public libraries. "In a few of the experiments, locations were accurate up to 150 meters," reports Ars.

An Amazon spokeswoman said: "The security of our devices is a top priority. We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them. It is not possible to access Amazon account passwords or payment card information because that data is not stored on the device." The threats most likely apply to Fire TV, Fire Tablets, and other Amazon devices, as well as many other NAND-based devices that don't encrypt user data, including the Google Home Mini.

Law enforcement has seized the servers and customer logs for DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities. BleepingComputer reports: DoubleVPN is a Russian-based VPN service that double-encrypts data sent through their service. When using the service, requests are encrypted and transmitted to one VPN server, which sends it to another VPN server, which finally connects to the final destination. The doublevpn.com [archive.org] website was seized today by law enforcement, who stated that they gained access to the servers for DoubleVPN and took personal information, logs, and statistics for the service's customers.

"On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised," says the now-seized doublevpn.com website. "International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue." Europol has confirmed to BleepingComputer that the seizure message is legitimate and that they will be providing more information about the operation tomorrow.

"When U.S. law enforcement officials need to cast a wide net for information, they're increasingly turning to the vast digital ponds of personal data created by Big Tech companies via the devices and online services that have hooked billions of people around the world," reports the Associated Press: Data compiled by four of the biggest tech companies shows that law enforcement requests for user information — phone calls, emails, texts, photos, shopping histories, driving routes and more — have more than tripled in the U.S. since 2015. Police are also increasingly savvy about covering their tracks so as not to alert suspects of their interest... In just the first half of 2020 — the most recent data available — Apple, Google, Facebook and Microsoft together fielded more than 112,000 data requests from local, state and federal officials. The companies agreed to hand over some data in 85% of those cases. Facebook, including its Instagram service, accounted for the largest number of disclosures.

Consider Newport, a coastal city of 24,000 residents that attracts a flood of summer tourists. Fewer than 100 officers patrol the city — but they make multiple requests a week for online data from tech companies. That's because most crimes — from larceny and financial scams to a recent fatal house party stabbing at a vacation rental booked online — can be at least partly traced on the internet. Tech providers, especially social media platforms, offer a "treasure trove of information" that can help solve them, said Lt. Robert Salter, a supervising police detective in Newport.

"Everything happens on Facebook," Salter said. "The amount of information you can get from people's conversations online — it's insane."

As ordinary people have become increasingly dependent on Big Tech services to help manage their lives, American law enforcement officials have grown far more savvy about technology than they were five or six years ago, said Cindy Cohn, executive director of the Electronic Frontier Foundation, a digital rights group. That's created what Cohn calls "the golden age of government surveillance." Not only has it become far easier for police to trace the online trails left by suspects, they can also frequently hide their requests by obtaining gag orders from judges and magistrates. Those orders block Big Tech companies from notifying the target of a subpoena or warrant of law enforcement's interest in their information — contrary to the companies' stated policies...

Nearly all big tech companies — from Amazon to rental sites like Airbnb, ride-hailing services like Uber and Lyft and service providers like Verizon — now have teams to respond...
Cohn says American law is still premised on the outdated idea that valuable data is stored at home — and can thus be protected by precluding home searches without a warrant. At the very least, Cohn suggests more tech companies should be using encryption technology to protect data access without the user's key.

But Newport supervising police detective Lt. Robert Salter supplied his own answer for people worried about how police officers are requesting more and more data. "Don't commit crimes and don't use your computer and phones to do it."

The New York Times tells the story of Fayçal Ziraoui, a 38-year-old French-Moroccan business consultant who "caused an online uproar" after saying he'd cracked the last two unsolved ciphers of the four attributed to the Zodiac killer in California "and identified him, potentially ending a 50-year-old quest." Maybe because he said he cracked them in just two weeks. Many Zodiac enthusiasts consider the remaining ciphers — Z32 and Z13 — unsolvable because they are too short to determine the encryption key. An untold number of solutions could work, they say, rendering verification nearly impossible.

But Mr. Ziraoui said he had a sudden thought. The code-crackers who had solved the [earlier] 340-character cipher in December had been able to do so by identifying the encryption key, which they had put into the public domain when announcing their breakthrough. What if the killer used that same encryption key for the two remaining ciphers? So he said he applied it to the 32-character cipher, which the killer had included in a letter as the key to the location of a bomb set to go off at a school in the fall of 1970. (It never did, even though police failed to crack the code.) That produced a sequence of random letters from the alphabet. Mr. Ziraoui said he then worked through a half-dozen steps including letter-to-number substitutions, identifying coordinates in numbers and using a code-breaking program he created to crunch jumbles of letters into coherent words...

After two weeks of intense code-cracking, he deciphered the sentence, "LABOR DAY FIND 45.069 NORT 58.719 WEST." The message referred to coordinates based on the earth's magnetic field, not the more familiar geographic coordinates. The sequence zeroed in on a location near a school in South Lake Tahoe, a city in California referred to in another postcard believed to have been sent by the Zodiac killer in 1971.

An excited Mr. Ziraoui said he immediately turned to Z13, which supposedly revealed the killer's name, using the same encryption key and various cipher-cracking techniques. [The mostly un-coded letter includes a sentence which says "My name is _____," followed by a 13-character cipher.] After about an hour, Mr. Ziraoui said he came up with "KAYR," which he realized resembled the last name of Lawrence Kaye, a salesman and career criminal living in South Lake Tahoe who had been a suspect in the case. Mr. Kaye, who also used the pseudonym Kane, died in 2010.

The typo was similar to ones found in previous ciphers, he noticed, likely errors made by the killer when encoding the message. The result that was so close to Mr. Kaye's name and the South Lake Tahoe location were too much to be a coincidence, he thought. Mr. Kaye had been the subject of a report by Harvey Hines, a now-deceased police detective, who was convinced he was the Zodiac killer but was unable to convince his superiors. Around 2 a.m. on Jan. 3, an exhausted but elated Mr. Ziraoui posted a message entitled "Z13 — My Name is KAYE" on a 50,000-member Reddit forum dedicated to the Zodiac Killer.

The message was deleted within 30 minutes.

"Sorry, I've removed this one as part of a sort of general policy against Z13 solution posts," the forum's moderator wrote, arguing that the cipher was too short to be solvable.

An anonymous reader quotes a report from BleepingComputing: The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA. A set of 13 archives, allegedly containing sensitive ADATA files, have been publicly available at a cloud-based storage service, at least for some time. [...] Two of the leaked archives are quite large, weighing over 100GB, but several of them that could have been easily downloaded are less than 1.1GB large. Per the file metadata published by the threat actor, the largest archive is close to 300GB and its name gives no clue about what it might contain. Another large one is 117GB in size and its name is just as nondescript as in the case of the first one (Archive#2). Judging by the names of the archives, Ragnar Locker likely stole from ADATA documents containing financial information, non-disclosure agreements, among other type of details.

The ransomware attack on ADATA happened on May 23rd, 2021, forcing them to take systems offline, the company told BleepingComputer. As the Ragnar Locker leak clearly shows, ADATA did not pay the ransom and restored the affected systems on its own. The ransomware actor claims stealing 1.5TB of sensitive files before deploying the encryption routine, saying that they took their time in the process because of the poor network defenses. The recently leaked batch of archives is the second one that Ragnar Locker ransomware publishes for ADATA. The previous one was posted earlier this month and includes four small 7-zip archives (less than 250MB together) that can still be downloaded.

Google has open-sourced a collection of C++ libraries for implementing Fully Homomorphic Encryption (FHE) in modern applications. From a report: Fully homomorphic encryption, or simply homomorphic encryption, is a form of data encryption that allows users/applications to perform mathematical computations on encrypted data without decrypting it first, keeping the data's privacy intact. While the concept of homomorphic encryption has been around since 1978, when it was first described at a theoretical level, and 2009, when it was first implemented in practice, it has not been broadly adopted in software due to its complexity, advanced cryptography techniques, and lack of open-source code and public documentation. However, despite this, today, FHE is a hot technology in software design.

FHE allows software vendors to work on encrypted data without sharing the encryption/decryption keys with untrustworthy systems such as client-side apps or publicly-hosted web servers, where the keys could be stolen or intercepted by malware or malicious human operators. FHE allows developers to keep data secure, encrypted, and private, all at the same time, and Google hopes that developers will use its FHE libraries as the first step into adopting this new type of encryption technology within their applications.

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper. Motherboard: The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low. Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case. Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, "from a source." They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

When trying to reverse-engineer the algorithm, the researchers wrote that (to simplify), they tried to design a similar encryption algorithm using a random number generator often used in cryptography and never came close to creating an encryption scheme as weak as the one actually used: "In a million tries we never even got close to such a weak instance," they wrote. "This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations." Researchers dubbed the attack "divide-and-conquer," and said it was "rather straightforward." In short, the attack allows someone who can intercept cellphone data traffic to recover the key used to encrypt the data and then decrypt all traffic. The weakness in GEA-1, the oldest algorithm developed in 1998, is that it provides only 40-bit security. That's what allows an attacker to get the key and decrypt all traffic, according to the researchers.

Along with a string of new features across several areas of Android, Google is at last turning on end-to-end encryption (E2EE) for everyone in the Messages app. Beta testers have been able to use E2EE messaging since November. From a report: E2EE in Messages is only available in one-on-one conversations for the time being, not group chats. Both participants need to have RCS chat features enabled to use it. You'll know if a message you're about to send will be encrypted if you see a lock icon on the send button.

As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces that use it is that it isn't end-to-end encrypted, allowing Google -- or any requesting government agency -- access to a company's files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys. From a report: Google Workspace, the company's enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company's data will be indecipherable to Google. Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales or Virtru, which are compatible with Google's specifications. The move is largely aimed at regulated industries -- like finance, healthcare and defense -- where intellectual property and sensitive data are subject to intense privacy and compliance rules.

"Within a decade, quantum computers could be powerful enough to break the cryptographic security that protects cell phones, bank accounts, email addresses and — yes — bitcoin wallets," writes CNBC.

But fortunately, that would happen only if we do nothing in the meantime, they're told by Thorsten Groetker, former Utimaco CTO "and one of the top experts in the field of quantum computing." Crypto experts told CNBC they aren't all that worried about quantum hacking of bitcoin wallets for a couple of different reasons. Castle Island Ventures founding partner Nic Carter pointed out that quantum breaks would be gradual rather than sudden. "We would have plenty of forewarning if quantum computing was reaching the stage of maturity and sophistication at which it started to threaten our core cryptographic primitives," he said. "It wouldn't be something that happens overnight."

There is also the fact that the community knows that it is coming, and researchers are already in the process of building quantum-safe cryptography. "The National Institute of Science and Technology (NIST) has been working on a new standard for encryption for the future that's quantum-proof," said Fred Thiel, CEO of cryptocurrency mining specialist Marathon Digital Holdings. NIST is running that selection process now, picking the best candidates and standardizing them.

"It's a technical problem, and there's a technical solution for it," said Groetker. "There are new and secure algorithms for digital signatures. ... You will have years of time to migrate your funds from one account to another." Groetker said he expects the first standard quantum-safe crypto algorithm by 2024, which is still, as he put it, well before we'd see a quantum computer capable of breaking bitcoin's cryptography. Once a newly standardized post-quantum secure cryptography is built, Groetker said, the process of mass migration will begin. "Everyone who owns bitcoin or ethereum will transfer [their] funds from the digital identity that is secured with the old type of key, to a new wallet, or new account, that's secured with a new type of key, which is going to be secure," he said.
There will still be the problem of users who forget their password or died without sharing their key.

But in those scenarios, CNBC suggests, "an organization could lock down all accounts still using the old type of cryptography and give owners some way to access it."