Clay Risen reports via the New York Times: David Kahn, whose 1967 book, "The Codebreakers," established him as the world's pre-eminent authority on cryptology -- the science of making and breaking secret codes -- died on Jan. 24 in the Bronx. He was 93. His son Michael said the death, at a senior-living facility, was from the long-term effects of a stroke in 2015.

Before Mr. Kahn's book, cryptology itself was something of a secret. Despite an explosion in cryptological technology and techniques during the 20th century and the central role they played during World War II, the subject was typically overlooked by historians, if only because their possible sources were still highly classified. "Codebreaking is the most important form of secret intelligence in the world today," Mr. Kahn wrote in his book's preface. "Yet it has never had a chronicler."

Over the course of more than 1,000 pages, along with some 150 pages of notes, Mr. Kahn laid out cryptology's long history, starting with ancient Egypt 4,000 years ago and proceeding through the French and American revolutions, the innovations wrought by the advent of the telegraph and telephone to the mid-20th century and the dawn of computer-assisted code breaking.

Jakub Lewkowicz reports via SD Times: The Linux Foundation has recently launched the Post-Quantum Cryptography Alliance (PQCA), a collaborative effort aimed at advancing and facilitating the adoption of post-quantum cryptography in response to the emerging threats of quantum computing. This alliance assembles diverse stakeholders, including industry leaders, researchers, and developers, focusing on creating high-assurance software implementations of standardized algorithms. The initiative is also dedicated to supporting the development and standardization of new post-quantum cryptographic methods, aligning with U.S. National Security Agency's guidelines to ensure cryptographic security against quantum computing threats.

The PQCA endeavors to serve as a pivotal resource for organizations and open-source projects in search of production-ready libraries and packages, fostering cryptographic agility in anticipation of future quantum computing capabilities. Founding members include AWS, Cisco, Google, IBM, IntellectEU, Keyfactor, Kudelski IoT, NVIDIA, QuSecure, SandboxAQ, and the University of Waterloo. [...] [T]he PQCA plans to launch the PQ Code Package Project aimed at creating high-assurance, production-ready software implementations of upcoming post-quantum cryptography standards, beginning with the ML-KEM algorithm. By inviting organizations and individuals to participate, the PQCA is poised to play a critical role in the transition to and standardization of post-quantum cryptography, ensuring enhanced security measures in the face of advancing quantum computing technology. You can learn more about the PQCA on its website or GitHub.

AmiMoJo writes: Apple has attacked proposals for the UK government to pre-approve new security features introduced by tech firms. Under the proposed amendments to existing laws, if the UK Home Office declined an update, it then could not be released in any other country, and the public would not be informed. The government is seeking to update the Investigatory Powers Act (IPA) 2016. The Home Office said it supported privacy-focused tech but added that it also had to keep the country safe.

A government spokesperson said: "We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption, but this cannot come at a cost to public safety." The proposed changes will be debated in the House of Lords tomorrow. Apple says it is an "unprecedented overreach" by the UK government. "We're deeply concerned the proposed amendments to the Investigatory Powers Act (IPA) now before Parliament place users' privacy and security at risk," said Apple in a statement. "It's an unprecedented overreach by the government and, if enacted, the UK could attempt to secretly veto new user protections globally preventing us from ever offering them to customers."

Slashdot reader Bruce66423 shared this report from the BBC: A Spanish court has cleared a British man of public disorder, after he joked to friends about blowing up a flight from London Gatwick to Menorca.

Aditya Verma admitted he told friends in July 2022: "On my way to blow up the plane. I'm a member of the Taliban." But he said he had made the joke in a private Snapchat group and never intended to "cause public distress"... The message he sent to friends, before boarding the plane, went on to be picked up by UK security services. They then flagged it to Spanish authorities while the easyJet plane was still in the air.

Two Spanish F-18 fighter jets were sent to flank the aircraft. One followed the plane until it landed at Menorca, where the plane was searched. Mr Verma, who was 18 at the time, was arrested and held in a Spanish police cell for two days. He was later released on bail... If he had been found guilty, the university student faced a fine of up to €22,500 (£19,300 or $20,967) and a further €95,000 (£81,204 or $103,200) in expenses to cover the cost of the jets being scrambled.
But how did his message first get from the encrypted app to the UK security services? One theory, raised in the trial, was that it could have been intercepted via Gatwick's Wi-Fi network. But a spokesperson for the airport told BBC News that its network "does not have that capability"... A spokesperson for Snapchat said the social media platform would not "comment on what's happened in this individual case".
richi (Slashdot reader #74,551) thinks it's obvious what happened: SnapChat's own web site says they scan messages for threats and passes them on to the authorities. ("We also work to proactively escalate to law enforcement any content appearing to involve imminent threats to life, such as...bomb threats...."

"In the case of emergency disclosure requests from law enforcement, our 24/7 team usually responds within 30 minutes."

jd (Slashdot reader #1,658) shared this story from BleepingComputer. The article notes that "Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption, are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys."

jd explains that Crystals-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself."

From the article: CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption... The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key...

In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts...

On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.

Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, the researchers told CNN, in a case that experts say has sweeping implications for global privacy. From a report: The Chinese government's actions targeting a tool that Apple customers around the world use to share photos and documents -- and Apple's apparent inaction to address the flaws -- revive longstanding concerns by US lawmakers and privacy advocates about Apple's relationship with China and about authoritarian regimes' ability to twist US tech products to their own ends.

AirDrop lets Apple users who are near each other share files using a proprietary mix of Bluetooth and other wireless connectivity without having to connect to the internet. The sharing feature has been used by pro-democracy activists in Hong Kong and the Chinese government has cracked down on the feature in response. A Chinese tech firm, Beijing-based Wangshendongjian Technology, was able to compromise AirDrop to identify users on the Beijing subway accused of sharing "inappropriate information," judicial authorities in Beijing said this week. Although Chinese officials portrayed the exploit as an effective law enforcement technique, internet freedom advocates are urging Apple to address the issue quickly and publicly.

According to Bloomberg, Apple's AirDrop feature has been cracked by a Chinese state-backed institution to identify senders who share "undesirable content". MacRumors reports: AirDrop is Apple's ad-hoc service that lets users discover nearby Macs and iOS devices and securely transfer files between them over Wi-Fi and Bluetooth. Users can send and receive photos, videos, documents, contacts, passwords and anything else that can be transferred from a Share Sheet. Apple advertises the protocol as secure because the wireless connection uses Transport Layer Security (TLS) encryption, but the Beijing Municipal Bureau of Justice (BMBJ) says it has devised a way to bypass the protocol's encryption and reveal identifying information.

According to the BMBJ's website, iPhone device logs were analyzed to create a "rainbow table" which allowed investigators to convert hidden hash values into the original text and correlate the phone numbers and email accounts of AirDrop content senders. The "technological breakthrough" has successfully helped the public security authorities identify a number of criminal suspects, who use the AirDrop function to spread illegal content, the BMBJ added. "It improves the efficiency and accuracy of case-solving and prevents the spread of inappropriate remarks as well as potential bad influences," the bureau added.

It is not known if the security flaw in the AirDrop protocol has been exploited by a government agency before now, but it is not the first time a flaw has been discovered. In April 2021, German researchers found that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. According to the researchers, Apple was informed of the flaw in May of 2019, but did not fix it.

Amazon-owned Wickr is dead, more than a year after reports showed it had become the app of choice for drug traffickers. 404 Media: If you open the encrypted messaging app Wickr Me today, you'll be greeted with a line of red text: "Reconnecting..." Below that, in white text over a black background, the app says "We're having issues connecting to the Wickr Me network. If the problem persists, try restarting your app or contacting support." Closing and reopening the app will not work. There is no point in contacting support either. That's because on December 31, 2023, Wickr Me, the free version of Wickr, was shut down entirely.

Wickr Me is no longer available to download on the Apple App Store or the Google Play Store. The app stopped accepting new users more than a year ago. And now, even current users cannot speak to one another. So ends the story of an app that while never reaching the popularity of other encrypted messaging apps like Signal, nor those that later turned on end-to-end encryption for the masses like WhatsApp, nonetheless played an important role in the adoption of and debate around secure communications.

An issue with Sony's projectors caused theater chain Alamo Drafthouse to close theaters entirely on New Year's Eve. "As of New Year's Day, however, most theaters and most showtimes now appear to be available, with a few exceptions," reports The Verge. From the report: It's not clear what happened. As New Year's Day is a holiday, we somewhat understandably haven't yet been able to reach Alamo or Sony spokespeople, and not every theater or every screening was affected. That didn't stop Alamo from blaming its Sony projectors for what at least one theater called a "nationwide" outage, however.

"Due to nation-wide technical difficulties with Sony, we aren't able to play any titles today," read part of a taped paper sign hanging inside a Woodbury, Minnesota location. That apparently didn't keep the customer who took a picture of that sign from watching The Apartment at that very same location, though: "When we went to our seats, the wait staff let us know that despite the fact that the previews were playing, we wouldn't know until the movie actually started whether we could see the film or not. If it didn't work, the screen would just turn black. Luckily, the film went through without a hitch."

What might have only affected some screenings at some theaters? I've seen speculation on Reddit that it may have something to do with expired digital certificates used to unlock encrypted films, but we haven't heard that from Alamo or Sony. We're looking forward to finding out. Longtime Slashdot reader innocent_white_lamb suggests that "[a] cryptographic key used to master all movies distributed by Deluxe" was the culprit after it expired on December 30. "This means that almost all Hollywood movies will no longer play on many commercial cinema servers. In particular, many showings of Wonka and Aquaman had to be cancelled due to the expired encryption key." From their submitted story: Deluxe and the movie companies have been frantically trying to remaster and send out revised versions of current movies over the past few days. Nobody knows what will happen to older movie titles since everything mastered by Deluxe since 2011 may be affected and may need to be remastered if it is to be shown in movie theaters again. There are at least four separate threads discussing this matter on Film-Tech.com, notes innocent_white_lamb.

"Billions of people" uses social media every month, notes the Wall Street Journal.. But "fewer and fewer are actually posting."

Instead they're favoring "a more passive experience, surveys of users and research from data-analytics firms say." In an October report from data-intelligence company Morning Consult, 61% of U.S. adult respondents with a social-media account said they have become more selective about what they post. The reasons are varied: People say they feel they can't control the content they see. They have become more protective about sharing their lives online. They also say the fun of social media has fizzled. This lurker mentality is widespread, across Meta Platforms' Instagram and Facebook along with X and TikTok....

In a survey conducted in the U.S. this summer, research firm Gartner found more than half of respondents believed the quality of social media has declined in the past five years. They cited misinformation, toxicity and the proliferation of bots as reasons it has gotten worse. "The less you trust social-media brands, the less of a good experience you're having," says Gartner analyst Emily Weiss. Users are less likely to share opinions or insight into their lives since the community they are looking for isn't there, she adds. Ads and suggested posts have also sucked the joy out of apps, some users say... The algorithmic spotlight on creators and their hyper-curated content has made some users feel insecure and less likely to share their own photos and videos, says Kevin Tran, media and entertainment analyst at Morning Consult. In turn, some now think of social apps more as sources of entertainment, like YouTube or Netflix.

Gartner estimates that 50% of users will either abandon or significantly limit their interactions with social media in the next two years.
Any threat to interacting is a threat to business, the article notes, adding "The companies are responding." They are investing in more private user experiences like messaging, and making interactions more secure. And encouraging people to post to a more intimate audience — as with Instagram's recently expanded Close Friends feature... Meta responded to user complaints, saying it would continue to work on improving recommendations to help creators reach more people. The company added a snooze button that pauses suggested posts for 30 days at a time, and chronological feeds that temporarily only show posts from accounts people follow... Meta began shifting its resources toward messaging, including efforts to enable end-to-end encryption by default across all of its messaging services... TikTok has also shown signs of investing more in the messaging portion of its app, nudging users to chat with people they haven't messaged in a while.
When the Wall Street Journal posted their article on Threads, Adam Mosseri (head of Instagram) responded that "People are sharing to feeds less, but to Stories more," and "even more still" in Messages ("even photos and videos"). Mosseri also said that Instagram's Notes feature — basically a post where you cab specify a smaller subset of your followers to see it — "have quickly become a big thing, particularly for young people.

"So it's no so much that people are sharing less," Mosseri argued, "but rather than they're sharing differently."

A Canadian cybersecurity firm has warned that as soon as 2025, quantum computers could make current encryption methods useless.

But now Slashdot reader christoban shares a "reality check" — an IEEE Spectrum takedown with the tagline "Hype is everywhere, skeptics say, and practical applications are still far away." The quantum computer revolution may be further off and more limited than many have been led to believe. That's the message coming from a small but vocal set of prominent skeptics in and around the emerging quantum computing industry... [T]here's growing pushback against what many see as unrealistic expectations for the technology. Meta's head of AI research Yann LeCun recently made headlines after pouring cold water on the prospect of quantum computers making a meaningful contribution in the near future.

Speaking at a media event celebrating the 10-year anniversary of Meta's Fundamental AI Research team he said the technology is "a fascinating scientific topic," but that he was less convinced of "the possibility of actually fabricating quantum computers that are actually useful." While LeCun is not an expert in quantum computing, leading figures in the field are also sounding a note of caution. Oskar Painter, head of quantum hardware for Amazon Web Services, says there is a "tremendous amount of hype" in the industry at the minute and "it can be difficult to filter the optimistic from the completely unrealistic."

A fundamental challenge for today's quantum computers is that they are very prone to errors. Some have suggested that these so-called "noisy intermediate-scale quantum" (NISQ) processors could still be put to useful work. But Painter says there's growing recognition that this is unlikely and quantum error-correction schemes will be key to achieving practical quantum computers. The leading proposal involves spreading information over many physical qubits to create "logical qubits" that are more robust, but this could require as many as 1,000 physical qubits for each logical one. Some have suggested that quantum error correction could even be fundamentally impossible, though that is not a mainstream view. Either way, realizing these schemes at the scale and speeds required remains a distant goal, Painter says... "I would estimate at least a decade out," he says.
A Microsoft technical fellow believes there's fewer applications where quantum computers can really provide a meaningful advantage, since operating a qubit its magnitudes slower than simply flipping a transistor, which also makes the throughput rate for data thousands or even millions of times slowers.

"We found out over the last 10 years that many things that people have proposed don't work," he says. "And then we found some very simple reasons for that."

An anonymous reader shared this report from Reuters: In February, a Canadian cybersecurity firm delivered an ominous forecast to the U.S. Department of Defense. America's secrets — actually, everybody's secrets — are now at risk of exposure, warned the team from Quantum Defen5e (QD5). QD5's executive vice president, Tilo Kunz, told officials from the Defense Information Systems Agency that possibly as soon as 2025, the world would arrive at what has been dubbed "Q-day," the day when quantum computers make current encryption methods useless. Machines vastly more powerful than today's fastest supercomputers would be capable of cracking the codes that protect virtually all modern communication, he told the agency, which is tasked with safeguarding the U.S. military's communications.

In the meantime, Kunz told the panel, a global effort to plunder data is underway so that intercepted messages can be decoded after Q-day in what he described as "harvest now, decrypt later" attacks, according to a recording of the session the agency later made public. Militaries would see their long-term plans and intelligence gathering exposed to enemies. Businesses could have their intellectual property swiped. People's health records would be laid bare... One challenge for the keepers of digital secrets is that whenever Q-day comes, quantum codebreakers are unlikely to announce their breakthrough. Instead, they're likely to keep quiet, so they can exploit the advantage as long as possible.
The article adds that "a scramble is on to protect critical data. Washington and its allies are working on new encryption standards known as post-quantum cryptography... Beijing is trying to pioneer quantum communications networks, a technology theoretically impossible to hack, according to researchers...

"In a quantum communications network, users exchange a secret key or code on subatomic particles called photons, allowing them to encrypt and decrypt data. This is called quantum key distribution, or QKD."

An anonymous reader quotes a report from TechCrunch: In recent years, tools such as Figma, TLDraw, Apple's Freeform and Arc browser's Easel functionality have tried to sell the idea of using an "infinite canvas" for capturing and sharing ideas. French startup Kosmik is building on that general concept with a knowledge-capturing tool that doesn't require the user to switch between different windows or apps to capture information. Kosmik was founded in 2018 by Paul Rony and Christophe Van Deputte. Prior to that, Rony worked at a video production company as a junior director, and he wanted a single whiteboard-type canvas instead of file and folders where he could put videos, PDFs, websites, notes and drawings. And that's when he started to build Kosmic, Rony told TechCrunch, drawing on a prior background in computing history and philosophy.

"It took us almost three years to make a working product to include baseline features like data encryption, offline-first mode and build a spatial canvas-based UI," Rony explained. "We have built all of this on IPFS, so when two people collaborate everything is peer-to-peer rather than relying on a server-based architecture." Kosmik offers an infinite canvas interface where you can insert text, images, videos, PDFs and links, which can be opened and previewed in a side panel. It also features a built-in browser, saving users from having to switch windows when they need to find a relevant website link. Additionally, the platform sports a PDF reader, which lets the user extract elements such as images and text.

The tool is useful for designers, architects, consultants, and students to build boards of information for different projects. The tool is useful for them as they don't need to open up a bunch of Chrome tabs and put details into a document, which is not a very visual medium for various media types. Some retail investors are using the app to monitor stock prices and consultants are using them for their project boards. Available via the web, Mac, and Windows, Kosmik ships with a basic free tier, though this has a limit of 50MB of files and 5GB of storage with 500 canvas "elements." For more storage and unlimited elements, the company offers a $5.99 monthly subscription, with plans in place to eventually offer a "pay-once" model for those who only want to use the software on a single device.

jd writes: Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.

From TFA:

At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake -- the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

Amrita Khalid reports via The Verge: Proton has released a desktop version of its Proton Mail app that will give users full access to both Proton Mail and Proton Calendar and (eventually) the ability to view your emails offline. The desktop app is available in beta is optimized for both Windows and macOS, and encrypts sent emails end-to-end just like with the browser version, according to the Swiss company, while offline access to emails will be available "soon." [...] It's important to note that you'll still need internet access to both send and encrypt your emails on Proton. But the offline feature will let you view and draft emails while traveling, during a power outage, or any other situation where you don't have access to the internet.

Proton is also bringing encrypted auto-forwarding to paid users, both on its desktop and browser versions, though the encryption for forwards will only apply when the forwarded emails go to other Proton users. The company says it has made improvements to Proton Calendar, too, including a fully searchable web version. Not everyone will be able to access Proton's desktop app right away. Proton is restricting access to its paid "Visionary" tier for legacy users at first (though the company is reopening subscriptions to that tier through January 3rd, 2024). The plan is to make the desktop app available to all users in early 2024.

Google Maps will soon give you the option to store your location data on your device instead of in the cloud. Android Police reports: In the coming year, Google is planning to switch things up by defaulting to saving your Timeline directly on your device instead of the cloud. You'll also have the option to wipe out bits or the whole information dossier whenever you want and disable location history completely. When you're jumping ship to a new device and want to keep your data close, you always have the option to back it up in the cloud. Google assures you that it'll lock it up with encryption.

Another significant update is the shorter default amount of time before your location history is auto-deleted. Soon, when you turn on location history, the default auto-delete time shrinks to three months. In the past, it used to hang around for 18 months by default. If you're the sentimental type, you can extend the Timeline's lifespan or turn off the auto-delete option. Google Maps has another nifty trick up its sleeve: soon, you can erase all traces of your trips with just a few taps. Say you've got a favorite hangout spot and you want to keep it to yourself. You can wipe the slate clean right from the app, whether it's searches, directions, visits, or shares. This handy feature is making its debut on Maps for Android and iOS in the next few weeks.

Finally, you will soon be able to click on the blue dot on the map to view your Location History and Timeline at a glance. It allows you to tweak what you share and store on Maps, all without having to dive into the settings. Currently, the blue dot only gives you some neat shortcuts for parking saves and location sharing.

A 16-year-old high school student reverse engineered Apple's messaging protocol, leading to the launch of an interoperable Android app called "Beeper Mini".

But on Friday the Verge reported that "less than a week after its launch, the app started experiencing technical issues when users were suddenly unable to send and receive blue bubble messages." Reached for comment, Beeper CEO Eric Migicovsky did not deny that Apple has successfully blocked Beeper Mini. "If it's Apple, then I think the biggest question is... if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS...? Beeper Mini is here today and works great. Why force iPhone users back to sending unencrypted SMS when they chat with friends on Android?"
Apple says they're unable to verify that end-to-end encryption is maintained when messages are sent through unauthorized channels, according to a statement quoted by TechCrunch: "At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users."
Beeper responded on X: We stand behind what we've built. Beeper Mini is keeps your messages private, and boosts security compared to unencrypted SMS. For anyone who claims otherwise, we'd be happy to give our entire source code to mutually agreed upon third party to evaluate the security of our app.
Ars Technica adds: On Saturday, Migicovsky notified Beeper Cloud (desktop) users that iMessage was working again for them, after a long night of fixes. "Work continues on Beeper Mini," Migicovsky wrote shortly after noon Eastern time.
Engadget notes: The Beeper Mini team has apparently been working around the clock to resolve the outage affecting the new "iMessage on Android" app, and says a fix is "very close." And once the fix rolls out, users' seven-day free trials will be reset so they can start over fresh.
Meanwhile, at around 9 p.m. EST, Beeper CEO Eric Migicovsky posted on X that "For 3 blissful days this week, iPhone and Android users enjoyed high quality encrypted chats. We're working hard to return to that state."

Data breaches and ransomware attacks are getting worse. Some 2.6 billion personal records have been exposed in data breaches over the past two years and that number continues to grow, according to a new report commissioned by Apple. From a report: Apple says the escalating intrusions, combined with increases in ransomware means the tech industry needs to move toward greater use of encryption. According to the report, prepared by MIT professor emeritus Stuart E. Madnick:

1. Data breaches in the US through the first nine months of the year are already 20% higher than for all of 2022.
2. Nearly 70 percent more ransomware attacks were reported through September 2023, than in the first three quarters of 2022.
3. Americans and those in the UK topped the list of those most targeted in ransomware attacks in 2023, followed by Canada and Australia. Those four countries accounted for nearly 70% of reported ransomware attacks.
4. One in four people in the US had their health data exposed in a data breach during the first nine months of 2023.

An anonymous reader quotes a report from Ars Technica: Meta has started enabling end-to-end encryption (E2EE) by default for chats and calls on Messenger and Facebook despite protests from the FBI and other law enforcement agencies that oppose the widespread use of encryption technology. "Today I'm delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook," Meta VP of Messenger Loredana Crisan wrote yesterday. In April, a consortium of 15 law enforcement agencies from around the world, including the FBI and ICE Homeland Security Investigations, urged Meta to cancel its plan to expand the use of end-to-end encryption. The consortium complained that terrorists, sex traffickers, child abusers, and other criminals will use encrypted messages to evade law enforcement.

Meta held firm, telling Ars in April that "we don't think people want us reading their private messages" and that the plan to make end-to-end encryption the default in Facebook Messenger would be completed before the end of 2023. Meta also plans default end-to-end encryption for Instagram messages but has previously said that may not happen this year. Meta said it is using "the Signal Protocol, and our own novel Labyrinth Protocol," and the company published two technical papers that describe its implementation (PDF). "Since 2016, Messenger has had the option for people to turn on end-to-end encryption, but we're now changing personal chats and calls across Messenger to be end-to-end encrypted by default. This has taken years to deliver because we've taken our time to get this right," Crisan wrote yesterday. Meta said it will take months to implement across its entire user base. A post written by two Meta software engineers said the company "designed a server-based solution where encrypted messages can be stored on Meta's servers while only being readable using encryption keys under the user's control."

"Product features in an E2EE setting typically need to be designed to function in a device-to-device manner, without ever relying on a third party having access to message content," they wrote. "This was a significant effort for Messenger, as much of its functionality has historically relied on server-side processing, with certain features difficult or impossible to exactly match with message content being limited to the devices."

The company says it had "to redesign the entire system so that it would work without Meta's servers seeing the message content."

An anonymous reader quotes a report from TechCrunch: In 2015, as part of the wave of encrypting all the things on the internet, encouraged by the Edward Snowden revelations, Facebook announced that it would allow users to receive encrypted emails from the company. Even at the time, this was a feature for the paranoid users. By turning on the feature, all emails sent from Facebook -- mostly notifications of "likes" and private messages -- to the users who opted-in would be encrypted with the decades-old technology called Pretty Good Privacy, or PGP. Eight years later, Facebook is killing the feature due to low usage, according to the company. The feature was deprecated Tuesday. Facebook declined to specify exactly how many users were still using the encrypted email feature.