Skip to main content
 
Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery

Starttls everywhere banner 0

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this is...

Read More

A Technical Deep Dive into STARTTLS Everywhere

Starttls everywhere banner 0

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this...

Read More

Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

Biometrics

The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24 hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.

... Read More

HART: Homeland Security’s Massive New Database Will Include Face Recognition, DNA, and Peoples’ “Non-Obvious Relationships”

Biometric hart 2b
So why do we know so little about it?

The U.S. Department of Homeland Security (DHS) is quietly building what will likely become the largest database of biometric and biographic data on citizens and foreigners in the United States. The agency’s new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics—from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal...

Read More

How To Turn PGP Back On As Safely As Possible

Og efail resized

Previously, EFF recommended to PGP users that, because of new attacks revealed by researchers from Münster University of Applied Sciences, Ruhr University Bochum, and NXP Semiconductors, they should disable the PGP plugins in their email clients for now. You can read more detailed rationale for this advice in our FAQ on the topic, but undoubtedly the most frequently asked question has been: how long is for now? When will it be safe to use PGP for email again?

... Read More

Amazon, Stop Powering Government Surveillance

Face 1

EFF has joined the ACLU and a coalition of civil liberties organizations demanding that Amazon stop powering a government surveillance infrastructure. Last week, we signed onto a letter to Amazon condemning the company for developing a new face recognition product that enables real-time government surveillance through police body cameras and the smart cameras blanketing many cities. Amazon has been heavily marketing this tool—called “Rekognition”—to law enforcement, and it’s already being...

Read More

Egyptian Blogger and Activist Wael Abbas Detained

Wael

Update: On June 5, 2018, authorities extended Abbas' detention for another fifteen days. We will continue to post updates on his plight here.

When we wrote of award-winning journalist Wael Abbas being silenced by social media platforms in February, we never suspected that those suspensions would reach beyond the internet to help silence him in real life. But, following Abbas's detention on Wednesday by police in Cairo, we now fear that decisions—and lack of...

Read More

FBI Admits It Inflated Number of Supposedly Unhackable Devices

Mobile privacy knight 2 0

We’ve learned that the FBI has been misinforming Congress and the public as part of its call for backdoor access to encrypted devices. For months, the Bureau has claimed that encryption prevented it from legally searching the contents of nearly 7,800 devices in 2017, but today the Washington Post reports that the actual number is far lower due to "programming errors" by the FBI.

Frankly, we’re not surprised. FBI Director Christopher Wray and others argue that law enforcement needs...

Read More

Pretty Good Procedures for Protecting Your Email

Og efail resized

A group of researchers recently released a paper that describes a new class of serious vulnerabilities in the popular encryption standard PGP (including GPG) as implemented in email clients. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email. See EFF’s analysis and FAQ for more detail.

Our...

Read More

Using the Command Line to Decrypt a Message on Linux

Og efail resized

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

Note that the first three steps (opening the terminal) will vary between desktop environments.

Open the Activities view by clicking all the way in the top left corner of your screen.

Read More

PGP and EFAIL: Frequently Asked Questions

Og efail resized

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email, and theorized many more which others could build upon. For users who have few—or even no—alternatives for end-to-end encryption, news of these vulnerabilities may leave many questions unanswered.

Digital security trainers, whistleblowers, journalists, activists, cryptographers, industry, and nonprofit organizations have relied on PGP for 27 years as a way to protect email...

Read More

Using the Command Line to Decrypt a Message on Windows

Og efail resized

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

1. Open the start menu by clicking the “Windows” icon in the bottom-left corner of the screen or pressing the “Windows” key on your keyboard.

2. Next, type “cmd” in the start menu that appears,...

Read More

Using the Command Line to Decrypt a Message on macOS

Og efail resized

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

1. Open Finder (the blue smiley face icon) from the dock.

        

2. Click Applications on the left side of the window.

3. Scroll down and...

Read More

Exporting PGP-Encrypted Email From Outlook

Og efail resized

After disabling the GpgOL plugin, you will need to save encrypted messages as files on your hard drive in order to view them later on.

1. Select the encrypted message.

2. Right-click the file ending in “.asc”, then click “Save As.”

3. Click on “Desktop” to choose where you will save the file. Type “encrypted” for the filename, and click...

Read More

Exporting PGP-Encrypted Email From Apple Mail

Og efail resized

After disabling the GPGTools plugin for Apple Mail, you will need to save encrypted messages as files on your hard drive in order to view them later o

1. Select the encrypted message. (Note: If you have followed the instructions for how to disable GPG in Apple Mail correctly, you will see something like the below image, instead of seeing the email with a note that it was decrypted.)

2. Click the “View” menu in the menu bar on the...

Read More

Exporting PGP-Encrypted Email From Thunderbird

Og efail resized

After disabling Enigmail, you will need to save encrypted messages as files on your hard drive in order to view them later on.

These instructions will work on most desktop operating systems.

1. Select the encrypted message.

2. Click on the hamburger menu (the three horizontal lines).

3. Hover over “Save As” on the left side of the menu pop-up.

4. Click on “File.

Read More

Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

Og efail resized

Don’t panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to...

Read More

Disabling PGP in Outlook with Gpg4win

Og efail resized

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email. In response, EFF’s current recommendation is to disable PGP integration in email clients.

Disabling PGP decryption in Outlook requires running the Gpg4win installer again so that you can choose not to have the GpgOL plug-in on your system. Your existing keys will remain available on your machine.

Download and open the Gpg4win installer.

You’ll then see the Gpg4win...

Read More

Disabling PGP in Apple Mail with GPGTools

Og efail resized

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email. In response, EFF’s current recommendation is to disable PGP integration in email clients.

Disabling PGP decryption in Apple Mail requires deleting a “bundle” file used by the application. Your existing keys will remain available on your machine.

1. First, click the Mail icon in the dock.  

2. Click “Mail” in the menu bar...

Read More

Disabling PGP in Thunderbird with Enigmail

Og efail resized

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email. In response, EFF’s current recommendation is to disable PGP integration in email clients.

Disabling PGP decryption in Thunderbird only requires disabling the Enigmail add-on. Your existing keys will remain available on your machine.

First click on the Thunderbird hamburger menu (the three horizontal lines).

2. Select...

Read More

Attention PGP Users: New Vulnerabilities Require You To Take Action Now

Og efail resized

UPDATE (5/14/18): More information has been released. See EFF's more detailed explanation and analysis here.

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past...

Read More

Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate Staff

Og governmenthacking vulnerabilitiesequities

Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door briefing for Senate staff about the realities of device encryption. While policymakers hear frequently from the FBI and the Department of Justice about the dangers of encryption and the so-called Going Dark problem, they very rarely hear from actual engineers, cryptographers, and computer scientists. Indeed, the usual suspects testifying before Congress on encryption are nearly the antithesis of technical...

Read More

There is No Middle Ground on Encryption

Og encryption defendencryption

Encryption is back in the headlines again, with government officials insisting that they still need to compromise our security via a backdoor for law enforcement. Opponents of encryption imagine that there is a “middle ground” approach that allows for strong encryption but with “exceptional access” for law enforcement. Government officials claim that technology companies are creating a world where people can commit crimes without fear of detection.

Despite this renewed rhetoric,...

Read More

We’re in the Uncanny Valley of Targeted Advertising

Zuck 1 0

Mark Zuckerberg, Facebook’s founder and CEO, thinks people want targeted advertising. The “overwhelming feedback,” he said multiple times during his congressional testimony, was that people want to see “good and relevant” ads. Why then are so many Facebook users, including leaders of state in the U.S. Senate and House, so fed up and creeped out by the uncannily on-the-nose ads? Targeted advertising on Facebook has gotten to the point that it’s so “good,” it’s bad—for users, who feel...

Read More

Congressmembers Raise Doubts About the “Going Dark” Problem

Og encryption key apple

In the wake of a damning report by the DOJ Office of Inspector General (OIG), Congress is asking questions about the FBI’s handling of the locked iPhone in the San Bernardino case and its repeated claims that widespread encryption is leading to a “Going Dark” problem. For years, DOJ and FBI officials have claimed that encryption is thwarting law enforcement and intelligence operations, pointing to large numbers of encrypted phones that the government allegedly cannot access as part of its...

Read More