Tag Archive for: endangering

The Commission’s gross violation of privacy — endangering encryption – POLITICO


Markéta Gregorová is a member of the European Parliament from the European Pirate Party.

Strong end-to-end encryption is an essential part of a secure and trustworthy Internet. It protects us every time we make an online transaction, when we share medical information or when we interact with friends and family.

Strong encryption also protects children — it allows them to communicate with trusted friends and family members in confidence, and allows others to report online abuse and harassment confidentially. It keeps our personal data personal, and our private conversations private. 

But now that fundamental technology is being threatened by the European Commission.

The European Union’s new regulation intending to fight child sexual abuse online will require Internet platforms — including end-to-end encrypted messaging apps like Signal and WhatsApp — to “detect, report and remove” images of child sexual abuse shared on their platforms. In order to do this, however, platforms would have to automatically scan every single message — a process known as “client-side scanning.”

But not only is this a gross violation of privacy, there’s no evidence that the technology exists to do this effectively and safely, without undermining the security provided by end-to-end encryption. And while the proposed regulation is well-intentioned, it will result in weakening encryption and making the Internet less secure.

Only two months ago, the New York Times reported that Google had flagged medical images that a man in San Francisco had taken of his son’s groin as child sexual abuse material. He had sent the images to his doctor seeking medical advice for his child, only to have his account shut down and become the subject of a police investigation. 

The current regulations would create such mandatory measures for platforms, enforcing them with significant fines of up to 6 percent of an offender’s global turnover — meaning tech companies would be forced to be overzealous for fear of falling foul of the rules. This greatly increases the possibility of such false-positives…

In-vehicle wireless devices are endangering emergency first responders

In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found shocked him. Not only did an Internet scan show that 40,000 such gateways were running in other networks, but a large percentage of them were exposing a staggering amount of sensitive data about the networks they were connected to.

Affecting human life

Worse still, it turned out that many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, but they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.

Biz & IT – Ars Technica

Dell installs self-signed root certificate on laptops, endangering users’ privacy

Dell laptops are coming preloaded with a self-signed root digital certificate that lets attackers spy on traffic to any secure website.

The reports first surfaced on Reddit and were soon confirmed by other users and security experts on Twitter and blogs. The root certificate, which has the power of a certificate authority on the laptops it’s installed on, comes bundled with its corresponding private key, making the situation worse.

With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com.

Network World Security