Cloud Hosting

In the wake of the overturning of Roe v. Wade, many employees are seeking discreet access to reproductive care, often turning to employers for help. But if those conversations take place on workplace chat platforms, they could end up being used against employees in a court of law.

Earlier this year, as an increasing number of states cut access to reproductive care or even criminalized it, nonprofit advocacy group Fight for the Future published an open letter to Slack, calling on the workplace communication platform to implement end-to-end encryption. End-to-end encryption is a private communication system in which only users participating in the conversation can access its contents; the hope is that this would better protect abortion seekers who may be communicating with each other, colleagues or employers about company-provided resources and support.

The letter to Slack is part of the nonprofit's larger effort called Make DMs Safe, which is calling on Google, Apple, Twitter, Meta, Discord and Slack to make end-to-end encrypted messaging the tech industry the default.

Read more: The fight for abortion rights

"We've seen so many of these big tech companies make statements supporting abortion access while taking minor, symbolic action," says Leila Nashashibi, a campaigner at Fight for the Future. "But when it comes down to the actions that would really make a difference like protecting people's data and protecting people's privacy they are failing."

Currently, Slack which is used by more than 200,000 organizations, according to Statista only uses symmetric or single encryption, which uses a backend "public key" to encrypt and decrypt data across the organization. While it offers a basic level of security, it doesn't do much to protect the individual users within an employer's digital community.

End-to-end encryption, however, creates a single personalized key between both participants of a unique conversation, rendering the communication inaccessible to any other party, including the platform hosting the conversation, like Slack, a manager or employer, or even law enforcement.

"What's really important about end-to-end encryption is it brings us back to the protections of the warrant requirement, which limits indiscriminate searches and mass surveillance," says Jake Weiner, a lawyer at the Electronic Privacy Information Center (EPIC), which specializes in state and local policing as well as immigration surveillance. (EPIC has worked with Fight for the Future on past projects, but is not actively involved in its Make DMs Safe project.) "It basically keeps the police doing the things that they're supposed to be doing more than the subpoena process, which has no legal protections functionally."

When a police officer issues a warrant, they have to physically go to a judge and present probable cause as to why they think a crime has been committed, which includes putting forward substantial evidence upfront. Warrants also have to be particularized, according to Weiner, which means it has to be about a specific person or a specific investigation. Subpoenas, in comparison, can be issued for most types of data without the need for specification. In theory, law enforcement could subpoena Slack for all of their messages about abortion and it would be up to the platform to challenge it or not.

Read more: Republicans are testing abortion restrictions to see what sticks

All of Slack's available employer plans offer customizable retention settings, where customers can automatically delete messages and files after set periods of time as well as enterprise key management, a security add-on that allows organizations to manage their own encryption keys. In addition, Slack's policy is to not share customer data with any third-party or government entity unless legally required to do so including subpoenas. According to a spokesperson from Slack, the platform has committed to challenge any subpoena, unclear request or any ask deemed inappropriate.

But that kind of promise doesn't hold any legal weight, according to Sarah Geoghan, a lawyer with EPIC specialized in abortion surveillance, and still puts users in a vulnerable position.

"We cannot trust a large company's pinky-promise to protect abortion," she says. "For example, Google said that they would stop collecting location data, which could reveal whether someone was attending an abortion clinic, and that was not true. They're still collecting and retaining that information for longer than they had promised. So the reality is, abortion surveillance is happening and as of right now, companies have a lot of discretion on just how much they could comply with law enforcement requests for information."

Geoghan referenced the recent case of a 19-year-old Nebraska woman and her mother, who were accused of performing an illegal pregnancy termination after obtaining abortion pills when the daughter was 17. (Nebraska prohibits abortions after 20 weeks and the teenager was around 28 weeks pregnant when her pregnancy ended.) Authorities accessed Facebook messages between the mother and daughter through a subpoena to establish that the two discussed obtaining abortion pills. In July, the 19-year-old was sentenced to 90 days in jail and two years of probation.

"They looked through her Facebook messages, which are not end-to-end encrypted," Geoghan says. "Once they had those messages they were able to subpoena her full communications on Facebook Messenger and had access to all of it. If those messages had been end-to-end encrypted in the first place, they wouldn't have had a subpoena. And if those communications hadn't been subpoenaed, they wouldn't have been able to access what was encrypted."

Read more: 4 questions employers have about abortion care and coverage

End-to-end encryption would not make the information completely unattainable. If law enforcement were to present a suspect with a viable warrant, the employer would be forced to disclose the conversation regardless of whether it was single or end-to-end encrypted.

What can, however, prevent law enforcement from accessing messages is if they're deleted entirely, making Slack's auto-deletion settings effective in that way. Once a message is deleted from a server, it is impossible for any third party regardless of warrants or subpoenas to access that information because it is unrecoverable.

"I would never recommend anyone discuss abortion activity on a workplace app not even over text message," Geoghan says. "That being said, a person's privacy and autonomy should not depend on their employer and it shouldn't be up to the employer to decide what their policy is about abortion so that someone has protections. They should do the bare minimum to protect communications."

Read more: Hundreds of drugmakers condemn Texas judge's abortion pill order

If employers want to actively share resources on abortion or offer their support, Geoghan suggests they use apps like Signal, an end-to-end encrypted messaging service for instant messaging, voice and video calls.

And while end-to-end encryption may not be a foolproof privacy protection, Nashashibi argues that adding any additional obstacle to platforms like Slack is still critical, and can give employees the time and space to make whatever arrangements they need to access the care they are seeking.

"It extends far beyond abortion seekers and providers in terms of safety we have to think about people all over the world working under different political contexts and how the lack of encryption affects their safety," she says. "We know that there's a history of law enforcement, gathering and acquiring online communications from companies and as long as these companies own the communications, they're putting people at risk."

Continue reading here:
Why Slack's privacy settings are a part of the abortion conversation - Employee Benefit News

YouTube influencers Josh Pieters and Archie Manners, popularly known as Josh & Archie, have shed light on the secret communication methods used by the activist group, Just Stop Oil. The duo discovered that the protesters employ an encrypted messaging service, specifically the Signal app, to ensure the confidentiality of their activities and prevent police intervention.

In a recent interview on Good Morning Britain, Pieters and Manners disclosed that they had a mole within the ranks of Just Stop Oil for approximately a week. This insider informed them about the groups use of Signal app, highlighting its effectiveness in preserving the element of surprise and secrecy.

The YouTubers decided to prank Just Stop Oil as part of their series of stunts, setting off alarms and attaching them to balloons during a meeting in London held on July 23rd. Reflecting on the prank, Manners characterized it as essentially very childish.

The revelation of Just Stop Oils use of encrypted messaging services raises questions about the groups intentions and methods. While activism can take various forms, the reliance on such technologies suggests a concerted effort to remain covert and avoid potential legal consequences.

By highlighting this aspect of the protesters behavior, Pieters and Manners provide insight into the steps taken by activist groups to evade detection and maintain privacy. As the prevalence of encrypted messaging services continues to grow, it becomes increasingly crucial for authorities to adapt their strategies to effectively monitor and respond to unlawful activities conducted through these platforms.

While the pranks orchestrated by Josh & Archie may be considered light-hearted entertainment, their discovery lends a deeper understanding of the tactics employed by Just Stop Oil and sheds light on the pervasive influence of encrypted messaging services in contemporary activism.

See the original post here:
YouTubers Reveal Encryption Tactics of Just Stop Oil Protesters - EnergyPortal.eu

Its been more than five years since I first asked whether ATSC 3.0, aka NextGen TV, would spell doom for over-the-air DVR. The answers are coming in now, and theyre not encouraging.

The latest television broadcasting standard, also called NextGen TV, is supposed to introduce new features such as 4K HDR video and dialog enhancement. But it also gives broadcasters the ultimate say over where and how you watch free local channels. With new encryption measures that many stations are now adopting, ATSC 3.0 can limit recording capabilities, block out-of-home viewing, and restrict the use of certain video player apps. Even basic playback requires seemingly endless certification hoops, potentially driving up the cost of ATSC 3.0 converter boxes.

Broadcasters say theyre trying to protect against media piracy, and that they might address some of these complaints in the future, but encryption still leaves them, rather than audiences, in control of whats possible. Over-the-air DVR has been one of the last great ways to watch TV on your own terms. NextGen TV could stop that from happening.

This story is part of TechHives in-depth coverage of the best over-the-air DVRs.

Although broadcasters downplayed ATSC 3.0s DRM (digital rights management) features in the standards early years, theyre starting to lock things down with encryption as more stations come online, and the issue has gained wider attention thanks to recent coverage by Tyler Antenna Man Kleinle and Lon Seidman.

Users can see which ATSC 3.0 stations are encrypted on the RabbitEars website, which has been tracking the NextGen TV rollout. Out of more than 400 NextGen TV channels in the United States, roughly 16 percent of them are now encrypted.

None of this should be noticeable if you have a smart TV with an ATSC 3.0 tuner, as it should already have the necessary keys to decrypt these locked-down channels. It also doesnt affect channels that use the current ATSC 1.0 standard, which broadcasters are required to support for at least another four years.

But if you were an early adopter of external ATSC 3.0 tuners such as the HDHomeRun Flex 4K or Bitrouter ZapperBox, you wont be able to watch any encrypted channels. These devices launched without DRM support before broadcasters started encrypting their channels, and while they plan to support DRM in the near future, the complications of doing so has led to numerous delays.

DRM isnt just a temporary inconvenience. It will also introduce new restrictions on your ability to access free, over-the-air channels through external tuners. Here are some examples that Ive confirmed with device makers:

DVR solutions such as Channels will need their own DRM certification, and its unclear if that will happen.

FancyBits

Pearl TV spokesman Dave Arland said future updates to ATSC 3.0s copy-protection system, called A3SA, could address these issues. (Pearl TV is the broadcaster consortium thats backing ATSC 3.0, and is a part-owner of A3SA.)

Remote viewing, for instance, is on the A3SA development roadmap, Arland said, and Pearl TV has proof-of-concept proposals that would allow external tuners to work without even occasional internet connectivity. While there are considerable technical challenges to letting users transfer recordings across devices, Arland said Pearl TV believes these are surmountable as well.

Arland did not deny that A3SA allows broadcasters to set expiration dates on recordings or block them outright, but said hes not aware of any broadcasters that are doing so. He also noted that A3SAs current rules prohibit restrictions on recordings for ATSC 1.0 channels that are simulcast in ATSC 3.0.

Content protection is designed to prevent piracy, not stop home recording, Arland said.

Well-intentioned or not, A3SA in its current form still serves to lock down over-the-air DVR and make it more like what you get with live TV streaming services. Instead of being free to watch local broadcasts on any device, using whichever app you prefer, youll be at the whims of the broadcasters and TV networks.

If youre not an over-the-air DVR user and only use an antenna for live TV, you might shrug off issues Ive raised above. But heres another reason to be concerned: DRM could make external tuner boxes more expensive.

Most existing TVs can only pick up broadcasts in the older ATSC 1.0 standard, and even some new TVs continue to ship without ATSC 3.0 tuners onboard. For viewers who dont want to replace their entire televisions, ATSC 3.0 will require an external converter box.

The HDHomeRun Flex 4K is one of only two ATSC 3.0 tuner boxes on the market right now.

SiliconDust

But one device maker, who asked not to be named in this story, said that ATSC 3.0 DRM has both up-front and ongoing costs, both for licensing and certification testing. For the small vendors that are currently building ATSC 3.0 tuner boxes, these costs can be significant, and like other licensing fees they inevitably get passed onto users. (Pearl TVs Dave Arland said A3SA provides significant per-model discounts to smaller manufacturers.)

DRM can also complicate the process of bringing new products to market in the first place. Nuvyyo, makers of the Tablo over-the-air DVR line, specifically pointed to DRM as the reason for delaying its first ATSC 3.0 tuner. The status of that product remains uncertain, as Nuvyyo has since been acquired by The E.W. Scripps Company, a major broadcaster.

So far, weve yet to see an external tuner ship for less than $200, and even ADTHs upcoming tuner box has a price of around $100. While DRM might not be solely to blame, it is a factor in limiting options and keeping prices high.

While the rise of on-demand streaming has made DVR less relevant, in a way its more important than ever. As streaming services raise prices for ad-free viewing and trim their catalogs, being able to record TV programming on a device of your choosing is one of the last ways for viewers to exercise some control.

ATSC 3.0 DRM threatens to take that away. Combined with the dismantling of CableCARD, it ensures that users will be funneled into apps in which the content providers call the shotseven for free, over-the-air TV.

What can you do about it? Lon Seidman has encouraged users to complain to the FCC, which is seeking public feedback about the future of over-the-air TV. Broadcasters want the ability to turn off ATSC 1.0 as soon as its feasible, but they need the FCCs permission to do it, and a loud and sustained consumer outcry could force some concessions on the encryption front.

Alternatively, you can just ride out ATSC 1.0 until the bitter end. As of now, thatll be at least until July 2027, as the FCC is requiring broadcasters to support the old standard until then. If you buy an over-the-air DVR todayeven one without ATSC 3.0 supportyoull get at least four years of life out of it, and in a sense youll be voting against the new standard.

Either way, enjoy the unfettered state of over-the-air DVR while it lasts, because its future looks very cloudy.

Sign up for Jareds Cord Cutter Weekly newsletter to get columns like this in your inbox every Friday.

Continued here:
NextGen TV's DRM puts future of the over-the-air DVR in doubt - TechHive

Enclave Markets, which claims to be the worlds first fully encrypted exchange (FEX) that combines the best parts of centralized and decentralized finance, announced that it has entered into a strategic partnership with Hidden Road Partners, the global credit network for institutions.

As a result of the partnership, Hidden Road counterparties will now be able to trade digital assets through Enclave Markets fully confidential and secure exchange.

Enclave Markets FEX provides an anonymous trading environment where counterparties can transact with minimal slippage, negligible market impact and decentralized custody, without a single controlling entity.

Enclaves encryption protects counterparties from front-running and information leakage.

This confidentiality greatly expands the number of viable counterparties, as no information regarding participants or their positions can escape the trading platform.

Furthermore, Hidden Road will act as a prime broker for its counterparties who elect to trade via Enclave Markets, greatly increasing capital efficiency and ensuring that client assets never leave their prime broker of choice from order creation through settlement.

This initiative from Enclave Markets further demonstrates the demand for secure, confidential trading platforms that improve capital efficiency and liquidity while empowering counterparties to custody and settle assets with their partner of choice.

David Wells, CEO of Enclave Markets, commented:

Typically, traders at competing firms avoid trading with one another to prevent potential front-running, exposure of trading strategies and general market impact. By integrating with Hidden Road, one of the worlds most esteemed liquidity and credit providers, its institutional clients using our FEX gain access to completely anonymous trading, which allows them to mitigate risk and get the most out of any investment opportunity. To increase the adoption of digital assets, it is important that institutions have access to trading venues that they can trust, and this endorsement from Hidden Road demonstrates that Enclave does just that. Were excited to work with Hidden Road to mature the trading landscape, something thats been part of Enclaves mission from the start.

Hidden Road facilitates trading bilaterally between market participants while giving counterparties full ownership over trading technology, liquidity and custody.

At launch, the strategic partnership will allow counterparties that use Hidden Road as their prime broker to conduct OTC trading via Enclave Markets crossing network, Enclave Cross, with additional trading capabilities at a later date.

All trading activity and settlements made by Hidden Road as a prime broker over Enclave Cross are executed via direct transactions, ensuring assets are held by one of Enclaves many trusted custodians.

Michael Higgins, Global Head of Business Development at Hidden Road, added:

Institutions expect robust, predictable trading experiences in any asset class, be it traditional or digital. Enclaves novel, albeit familiar, approach offers Hidden Road counterparties a secure, anonymous and streamlined option for trading digital assets. Adding Enclave to the roster of venues and partners available to Hidden Roads counterparties further enhances both firms offerings to the market.

See the original post here:
Enclave Markets, The CeFi, DeFi Focused Encrypted Exchange, Teams Up With Hidden Road Partners | Crowdfund - Crowdfund Insider

The story so far: The Computer Emergency Response Team of India issued an alert for ransomware dubbed Akira. The ransomware, found to target both Windows and Linux devices, steals and encrypts data, forcing victims to pay double ransom for decryption and recovery. The group behind the ransomware has already targeted multiple victims, mainly those located in the U.S., and has an active Akira ransomware leak site with information, including their most recent data leaks.

The Akira ransomware is designed to encrypt data, create a ransomware note and delete Windows Shadow Volume copies on affected devices. The ransomware gets its name due to its ability to modify filenames of all encrypted files by appending them with the .akira extension. The ransomware is designed to close processes or shut down Windows services that may keep it from encrypting files on the affected system. It uses VPN services, especially when users have not enabled two-factor authentication, to trick users into downloading malicious files.

Once the ransomware infects a device and steals/encrypts sensitive data, the group behind the attack extorts the victims into paying a ransom, threatening to release the data on their dark web blog if their demands are not met.

As mentioned above, the ransomware deletes the Windows Shadow Volume copies on the affected device. These files are instrumental in ensuring that organisations can back up data used in their applications for day-to-day functioning. VSS services facilitate communication between different components without the need to take them offline, thereby ensuring data is backed up while it is also available for other functions. Once the ransomware deletes the VSS files it proceeds to encrypt files with the pre-defined the .akira extension.

The ransomware also terminates active Windows services using the Windows Restart Manager API, preventing any interference with the encryption process. It is designed to not encrypt Program Data, Recycle Bin, Boot, System Volume information, and other folders instrumental in system stability. It also avoids modifying Windows system files with extensions like .syn. .msl and .exe.

Once sensitive data is stolen and encrypted, the ransomware leaves behind a note named akira_readme.txt which includes information about the attack and the link to Akiras leak and negotiation site.

Each victim is given a unique negotiation password to be entered into the threat actors Tor site. Unlike other ransomware operations, this negotiation site just includes a chat system that the victim can use to communicate with the ransomware gang, a report from The Bleeping Computer shares.

(For top technology news of the day, subscribeto our tech newsletter Todays Cache)

Ransomware is typically spread through spear phishing emails that contain malicious attachments in the form of archived content (zip/rar) files. Other methods used to infect devices include drive-by-download, a cyber-attack that unintentionally downloads malicious code onto a device, and specially crafted web links in emails, clicking on which downloads malicious code. The ransomware reportedly also spreads through insecure Remote Desktop connections.

Maintain up-to-date offline backups

Ensure OS and networks are updated regularly, with virtual patching for legacy systems

Establish Domain-based Message Authentication, Reporting, and Conformance, Domain Keys Identified Mail (DKIM), and Sender policy for organizational email validation

Strong password policies

Strong Multi-Factor Authentication

Strict external device usage policy

Data-at-rest and data-in-transit encryption

Blocking attachment file types with .exe,.pif, .url, or other such extensions

Avoid clicking on suspicious links to avoid downloads of malicious code

Conduct regular security audits of systems, especially database servers

In use since March 2023, the ransomware has steadily built up a list of victims, targetting corporate networks in various domains including education, finance, real estate, manufacturing, and consulting. Once it breaches a corporate network, the ransomware spreads laterally to other devices after gaining Windows domain admin credentials. The threat actors also steal sensitive corporate data for leverage in their extortion attempts.

CERT-In has advised users to follow basic internet hygiene and protection protocols to ensure their security against ransomware. These include maintaining up to date offline backups of critical data, to prevent data loss in the event of an attack.

Additionally, users are advised to ensure all operating systems and networks are updated regularly, with virtual patching for legacy systems and networks. Companies must also establish Domain-based Message Authentication, Reporting, and Conformance, Domain Keys Identified Mail (DKIM), and Sender policy for organizational email validation, which prevents spam by detecting email spoofing. Strong password policies and multi-factor authentication (MFA) must be enforced. There should also be a strict external device usage policy in place and data-at-rest and data-in-transit encryption along with blocking attachment file types like .exe, .pif, or .url to avoid downloading malicious code. The agency has also advised periodic security audits of critical networks/systems, especially database servers.

View original post here:
What is the Akira ransomware, and why has the government issued a warning against it? - The Hindu