Skip to main content
 
Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

How to Roll a Strong Password with 20-Sided Dice and Fandom-Inspired Wordlists

D20 1200x600

Here’s the not-so-secret recipe for strong passphrases: a random element like dice, a long list of words, and math. And as long as you have the first two, the third takes care of itself. All together, this adds up to diceware, a simple but powerful method to create a passphrase that even the most sophisticated computer could take at least thousands of years to guess. 

In short, diceware involves rolling a series of dice to get a number, and then matching that number to...

Read More

Back to School Essentials for Security

Sec og 0

Going back to school? This is a perfect time for a digital security refresh to ensure the privacy of you and your friends is protected!

It’s a good time to change your passwords. The best practice is to have passwords that are unique, long, and random. In order to keep track of these unique, long and random passwords, consider downloading a password manager.

As a great additional measure: You can add login notifications to your...

Read More

Trust Us, We’re Secretly Working for a Foreign Government: How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On

In the last few years, we’ve discovered just how much trust — whether we like it or not — we have all been obliged to place in modern technology. Third-party software, of unknown composition and security, runs on everything around us: from the phones we carry around, to the smart devices with microphones and cameras in our homes and offices, to voting machines, to critical infrastructure. The insecurity of much of that technology, and increasingly discomforting motives of the tech giants...

Read More

Trust Us, We’re Secretly Working for a Foreign Government: How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On

In the last few years, we’ve discovered just how much trust — whether we like it or not — we have all been obliged to place in modern technology. Third-party software, of unknown composition and security, runs on everything around us: from the phones we carry around, to the smart devices with microphones and cameras in our homes and offices, to voting machines, to critical infrastructure. The insecurity of much of that technology, and increasingly discomforting motives of the tech giants...

Read More

Sen. Wyden Confirms Cell-Site Simulators Disrupt Emergency Calls

Sls cellsite 2018 notext

Sen. Ron Wyden has sent a letter to the U.S. Department of Justice concerning disruptions to 911 emergency services caused by law enforcement’s use of cell-site simulators (CSS, also known as IMSI catchers or Stingrays). In the letter, Sen. Wyden states that:

Senior officials from the Harris Corporation—the manufacturer of the cell-site simulators used most frequently by U.S. law enforcement agencies—have confirmed to my office that Harris’ cell-site simulators completely disrupt...

Read More

Don’t Shoot Messenger

Fph encryption facebook 0

Late last week, Reuters reported that Facebook is being asked to “break the encryption” in its Messenger application to assist the Justice Department in wiretapping a suspect's voice calls, and that Facebook is refusing to cooperate. The report alarmed us in light of the government’s ongoing calls for backdoors to encrypted communications, but on reflection we think it’s unlikely that Facebook is being ordered to break encryption in Messenger and that the reality is more...

Read More

Giving Privacy Badger a Jump Start

Privacy badger student fix 0
Giving Privacy Badger a Jump Start: Teaching new Badgers to block from the get-go

When new users try Privacy Badger, they often get confused about why Privacy Badger isn’t blocking anything right away.  But that’s because Privacy Badger learns about trackers as you browse; up until now, it hasn’t been able to block trackers on the first few sites it sees after being installed.

With today’s update,  however, new users won't have to wait to see Privacy Badger in...

Read More

Sextortion Scam: What to Do If You Get the Latest Phishing Spam Demanding Bitcoin

Phishing2b

You may have arrived at this post because you received an email from a purported hacker who is demanding payment or else they will send compromising information—such as pictures sexual in nature—to all your friends and family. You’re searching for what to do in this frightening situation.

Don’t panic. Contrary to the claims in your email, you haven't been hacked (or at least, that's not what prompted that email). This is merely a new variation on an old scam which is popularly...

Read More

Moving Your Site From "Not Secure" to Secure

Http warning

Maybe you’re a beginner to web development, but you’ve done the hard work: you taught yourself what you needed to know, and you’ve lovingly made that website and filled it with precious content. But one last task remains: you don’t have that little green padlock with the word “secure” beside your website’s address. You don’t yet have that magical “S” after “HTTP”.

You might have heard or noticed recently that something is different on Google Chrome: if your website does not have a...

Read More

Google Chrome Now Marks HTTP Sites "Not Secure"

Http warning

Last week, the movement to encrypt the web achieved another milestone: Google’s Chrome browser made good on its promise to mark all HTTP sites “not secure.” EFF welcomes this move, and we are calling on other browsers to follow suit.

This is the latest in the web’s massive shift from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it...

Read More

Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery

Starttls everywhere banner 0

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this is...

Read More

A Technical Deep Dive into STARTTLS Everywhere

Starttls everywhere banner 0

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this...

Read More

Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

Biometrics

The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24 hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.

... Read More

HART: Homeland Security’s Massive New Database Will Include Face Recognition, DNA, and Peoples’ “Non-Obvious Relationships”

Biometric hart 2b
So why do we know so little about it?

The U.S. Department of Homeland Security (DHS) is quietly building what will likely become the largest database of biometric and biographic data on citizens and foreigners in the United States. The agency’s new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics—from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal...

Read More

How To Turn PGP Back On As Safely As Possible

Og efail resized

UPDATE: For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

Previously, EFF recommended to PGP users that, because of new attacks revealed by researchers from Münster University of Applied Sciences, Ruhr University Bochum, and NXP Semiconductors, they should disable the PGP plugins in their email clients for now. You can read more detailed rationale for this advice in our FAQ on the topic, but undoubtedly the...

Read More

Amazon, Stop Powering Government Surveillance

Face 1

EFF has joined the ACLU and a coalition of civil liberties organizations demanding that Amazon stop powering a government surveillance infrastructure. Last week, we signed onto a letter to Amazon condemning the company for developing a new face recognition product that enables real-time government surveillance through police body cameras and the smart cameras blanketing many cities. Amazon has been heavily marketing this tool—called “Rekognition”—to law enforcement, and it’s already being...

Read More

Egyptian Blogger and Activist Wael Abbas Detained

Wael

Update: On June 5, 2018, authorities extended Abbas' detention for another fifteen days. We will continue to post updates on his plight here.

When we wrote of award-winning journalist Wael Abbas being silenced by social media platforms in February, we never suspected that those suspensions would reach beyond the internet to help silence him in real life. But, following Abbas's detention on Wednesday by police in Cairo, we now fear that decisions—and lack of...

Read More

FBI Admits It Inflated Number of Supposedly Unhackable Devices

Mobile privacy knight 2 0

We’ve learned that the FBI has been misinforming Congress and the public as part of its call for backdoor access to encrypted devices. For months, the Bureau has claimed that encryption prevented it from legally searching the contents of nearly 7,800 devices in 2017, but today the Washington Post reports that the actual number is far lower due to "programming errors" by the FBI.

Frankly, we’re not surprised. FBI Director Christopher Wray and others argue that law enforcement needs...

Read More

Pretty Good Procedures for Protecting Your Email

Og efail resized

UPDATE: For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

A group of researchers recently released a paper that describes a new class of serious vulnerabilities in the popular encryption standard PGP (including GPG) as implemented in email clients. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and...

Read More

Using the Command Line to Decrypt a Message on Linux

Og efail resized

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

Note that the first three steps (opening the terminal) will vary between desktop environments.

Open the Activities view by clicking all the way in the top left corner of your screen.

Read More

PGP and EFAIL: Frequently Asked Questions

Og efail resized

UPDATE: For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email, and theorized many more which others could build upon. For users who have few—or even no—alternatives for end-to-end encryption, news of these vulnerabilities may leave many questions unanswered.

Digital security trainers, whistleblowers, journalists,...

Read More

Using the Command Line to Decrypt a Message on Windows

Og efail resized

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

1. Open the start menu by clicking the “Windows” icon in the bottom-left corner of the screen or pressing the “Windows” key on your keyboard.

2. Next, type “cmd” in the start menu that appears,...

Read More

Using the Command Line to Decrypt a Message on macOS

Og efail resized

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

1. Open Finder (the blue smiley face icon) from the dock.

        

2. Click Applications on the left side of the window.

3. Scroll down and...

Read More

Exporting PGP-Encrypted Email From Outlook

Og efail resized

After disabling the GpgOL plugin, you will need to save encrypted messages as files on your hard drive in order to view them later on.

1. Select the encrypted message.

2. Right-click the file ending in “.asc”, then click “Save As.”

3. Click on “Desktop” to choose where you will save the file. Type “encrypted” for the filename, and click...

Read More

Exporting PGP-Encrypted Email From Apple Mail

Og efail resized

After disabling the GPGTools plugin for Apple Mail, you will need to save encrypted messages as files on your hard drive in order to view them later o

1. Select the encrypted message. (Note: If you have followed the instructions for how to disable GPG in Apple Mail correctly, you will see something like the below image, instead of seeing the email with a note that it was decrypted.)

2. Click the “View” menu in the menu bar on the...

Read More
Close tooltip