Ars Technica: Decades-old PGP bug allowed hackers to spoof just about anyone’s signature

Ars Technica: Decades-old PGP bug allowed hackers to spoof just about anyone’s signature. “For their entire existence, some of the world’s most widely used email encryption tools have been vulnerable to hacks that allowed attackers to spoof the digital signature of just about any person with a public key, a researcher said Wednesday. GnuPG, Enigmail, GPGTools, and python-gnupg have all been updated to patch the critical vulnerability. Enigmail and the Simple Password Store have also received patches for two related spoofing bugs.”

Engadget: FBI admits to ‘over-counting’ inaccessible mobile devices

Engadget: FBI admits to ‘over-counting’ inaccessible mobile devices. “For the last two years, the FBI has repeatedly claimed that thousands of phones linked to criminal investigations were inaccessible due to locks and encryption. Last year FBI Director Christopher Wray said it had failed to access 7,800 mobile devices, but tonight a Washington Post report reveals that number is incorrect. According to the Post, the accurate number is between 1,000 and 2,000, with a recent internal estimate putting at about 1,200 devices, and in a statement, the FBI responded: ‘The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.’”

Ars Technica: Decade-old Efail flaws can leak plaintext of PGP- and S/MIME-encrypted emails

Ars Technica: Decade-old Efail flaws can leak plaintext of PGP- and S/MIME-encrypted emails. “Unfixed bugs in widely used email programs make it possible for attackers to obtain the plaintext of messages that are encrypted using the PGP and S/MIME standards, researchers said early Monday morning. The attacks assume that an attacker has possession of the encrypted emails and can trick either the original sender or one of the recipients into opening an invisible snippet of the intercepted message in a new email.”

CNET: Twitter may be tinkering with encrypted direct messages

CNET: Twitter may be tinkering with encrypted direct messages. “Twitter may be working on beefing up the security of messages sent directly between users, according to code spotted in the app’s developer tools. The feature, dubbed ‘Secret Conversation’ in the Android APK, appears to allow users to trade encrypted direct messages, putting it in competition with secure messaging apps like Signal, Telegram or WhatsApp.”

EFF: There is No Middle Ground on Encryption

EFF: There is No Middle Ground on Encryption. “Encryption is back in the headlines again, with government officials insisting that they still need to compromise our security via a backdoor for law enforcement. Opponents of encryption imagine that there is a ‘middle ground’ approach that allows for strong encryption but with ‘exceptional access’ for law enforcement. Government officials claim that technology companies are creating a world where people can commit crimes without fear of detection.”

Google’s new chat service won’t be secure like iMessage and WhatsApp: Amnesty International (Indian Express)

Indian Express: Google’s new chat service won’t be secure like iMessage and WhatsApp: Amnesty International. “Google has been slammed by Amnesty International’s Technology and Human Rights researcher Joe Westby for a new ‘Chat’ feature that will not be encrypted. Westby called the decision to launch a messaging service without end-to-end encryption ‘baffling’ and said the move aims to show Google’s ‘utter contempt for the privacy of Android users’ as it easily allows cybercriminals and government spies to access to take control of users’ private communication.”

ZDNet: Telegram told to give encryption keys to Russian authorities

ZDNet: Telegram told to give encryption keys to Russian authorities. “A top Russian court has told encrypted messaging app Telegram to share its encryption keys with state authorities. Telegram, founded by Russian entrepreneur Pavel Durov, has been fighting an effort by the FSB, the state’s security service formerly known as the KGB, which last year demanded that the company hand over its private encryption keys.”