If the FBI can eavesdrop on your text messages or get at your computer’s hard drive, so can other governments. So can criminals. So can terrorists.
Source: technologyreview.com
Proposed State Bans on Phone Encryption Make Zero Sense:
Last week, a California state legislator introduced a bill that would ban the retail sale of smartphones with that full-disk encryption feature—a security measure designed to ensure that no one can decrypt and read your phone’s contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.
Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such “backdoor” scenario that gives cops access to encrypted smartphones at the risk of weakening every device’s data protections. But legal and technical experts argue that even if a national ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a state-level ban wouldn’t be.
Source: Wired
Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt:
A New York assemblyman has reintroduced a new bill that aims to essentially disable strong encryption on all smartphones sold in the Empire State.
Among other restrictions, the proposed law states that “any smartphone that is manufactured on or after January 1, 2016 and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider.”
If it passes both houses of the state legislature and is signed by the governor, the bill would likely be the first state law that would impose new restrictions on mobile-based cryptography. Undoubtedly, if it makes it that far, the law would likely face legal challenges from Apple and Google, among others.
Source: Ars Technica
This 11-year-old is selling cryptographically secure passwords for $2 each:
Earlier this month, Mira Modi, 11, began a small business at dicewarepasswords.com, where she generates six-word Diceware passphrases by hand.
Diceware is a well-known decades-old system for coming up with passwords. It involves rolling actual six-sided dice as a way to generate truly random numbers that are matched to a long list of English words. Those words are then combined into a non-sensical string (“ample banal bias delta gist latex”) that exhibits true randomness and is therefore difficult to crack. The trick, though, is that these passphrases prove relatively easy for humans to memorize.
“This whole concept of making your own passwords and being super secure and stuff, I don’t think my friends understand that, but I think it’s cool,” Modi told Ars by phone.
Source: Ars Technica
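As an added example (not code from the Ars article or from dicewarepasswords.com), the Diceware procedure described above in Python: five dice rolls per word drawn from the OS CSPRNG, lookup of the roll string in a word list, and the entropy of the resulting passphrase. The six-entry word list here is a constructed placeholder; the real Diceware list has 6^5 = 7776 entries.

```python
import math
import secrets
from typing import Callable, Dict, List

# Constructed placeholder word list keyed by five-roll strings ("11111".."66666").
# A real Diceware list has one word for every one of the 7776 possible keys.
SAMPLE_WORDLIST: Dict[str, str] = {
    "11111": "ample", "11112": "banal", "11113": "bias",
    "11114": "delta", "11115": "gist", "11116": "latex",
}

def roll_die() -> int:
    """One roll of a fair six-sided die from the OS CSPRNG (secrets, never random)."""
    return secrets.randbelow(6) + 1

def scripted_roll(rolls: List[int]) -> Callable[[], int]:
    """Return a roll function that replays a fixed sequence (for reproducible checks only)."""
    it = iter(rolls)
    return lambda: next(it)

def roll_key(roll: Callable[[], int] = roll_die) -> str:
    """Five rolls form the lookup key for one word, e.g. '31645'."""
    return "".join(str(roll()) for _ in range(5))

def diceware_passphrase(wordlist: Dict[str, str], n_words: int = 6,
                        roll: Callable[[], int] = roll_die) -> List[str]:
    """Pick n_words by independent dice rolls.

    Every key is equally likely, so discarding keys missing from an incomplete
    list (rejection sampling) keeps the choice uniform over the words present.
    """
    words: List[str] = []
    while len(words) < n_words:
        key = roll_key(roll)
        if key in wordlist:
            words.append(wordlist[key])
    return words

def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words independent uniform picks from a list of list_size words."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(" ".join(diceware_passphrase(SAMPLE_WORDLIST)))
    # Six words from the full 7776-entry list give about 77.5 bits of entropy.
    print(f"{passphrase_entropy_bits(7776, 6):.1f} bits")
```

With the placeholder list the phrase is only log2(6) bits per word; the entropy figure that matters is the one for the full list, which is what the last line computes.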
Guarnieri and others have noted some of the perpetrators for the Paris attacks both on Friday and on the Charlie Hebdo offices in January were known to law enforcement. Why was the human intelligence not efficient enough to stop them? How would more surveillance have helped if they already knew the suspects?
To increase surveillance and degrade the security of technologies used by innocent people the world over would not be beneficial, added Guarnieri. “If the answer from our intelligence leaders is to stop technological progress, then perhaps we should change our intelligence leaders.”
Source: forbes.com
It is poor civic hygiene to install technologies that could someday facilitate a police state.
Certain members of Congress and the FBI want to force companies to give the government special access to our data—such as by building security vulnerabilities or giving the government a “golden key” to unlock our encrypted communications. But security experts agree that it is not possible to give the government what it wants without creating vulnerabilities that could be exploited by bad actors.
These proposals jeopardize not just our private data, but the security of every technology that relies on this encryption.
One voice could tilt the balance in this debate. We need the President to speak out for uncompromised security.
Sign the petition here to submit your signature electronically to the White House’s “We the People” site. Help us make this the most popular petition in the site’s history.
SHA1 algorithm securing e-commerce and software could break by year’s end:
SHA1, one of the Internet’s most crucial cryptographic algorithms, is so weak to a newly refined attack that it may be broken by real-world hackers in the next three months, an international team of researchers warned Thursday.
SHA1 has long been considered theoretically broken, and all major browsers had already planned to stop accepting SHA1-based signatures starting in January 2017. Now, researchers with Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Nanyang Technological University in Singapore have released a paper that argues real-world attacks that compromise the algorithm will be possible well before the cut-off date. The results of real-world forgeries could be catastrophic since the researchers estimate SHA1 now underpins more than 28 percent of existing digital certificates.
Source: Ars Technica
To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy.
But that’s just not true.
In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it’s called hacking.
Hacking — just like kicking down a door and looking through someone’s stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant.
And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects’ devices. Doing so gives them the same access the suspects have to communications — before they’ve been encrypted, or after they’ve been unencrypted.
Source: theintercept.com