Skip to main content
 
Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

ESNI: A Privacy-Protecting Upgrade to HTTPS

Today, the content-delivery network Cloudflare is announcing an experimental deployment of a new web privacy technology called ESNI. We’re excited to see this development, and we look forward to a future where ESNI makes the web more private for all its users.

Over the past several years, we at EFF have been working to encrypt the web. We and our partners have made huge strides to make web browsing safer and more privacy through tools like HTTPS Everywhere and the Let’s Encrypt...

Read More

Microsoft Clears the Air About Fighting CLOUD Act Abuses

Five of the largest U.S. technology companies pledged support this year for a dangerous law that makes our emails, chat logs, online videos and photos vulnerable to warrantless collection by foreign governments.

Now, one of those companies has voiced a meaningful pivot, instead pledging support for its users and their privacy. EFF appreciates this commitment, and urges other companies to do the same.

Microsoft’s long-titled “Six Principles for International Agreements...

Read More

Offline: Activists and Technologists Still Face Grave Threats for Expression

A decade ago, before social media was a widespread phenomenon and blogging was still a nascent activity, it was nearly unthinkable outside of a handful of countries—namely China, Tunisia, Syria, and Iran—to detain citizens for their online activity. Ten years later, the practice has become all too common, and remains on the rise in dozens of countries. In 2017, the Committee to Protect Journalists found that more than seventy percent of imprisoned journalists were arrested for online...

Read More

How to Roll a Strong Password with 20-Sided Dice and Fandom-Inspired Wordlists

Here’s the not-so-secret recipe for strong passphrases: a random element like dice, a long list of words, and math. And as long as you have the first two, the third takes care of itself. All together, this adds up to diceware, a simple but powerful method to create a passphrase that even the most sophisticated computer could take at least thousands of years to guess. 

In short, diceware involves rolling a series of dice to get a number, and then matching that number to...

Read More

Back to School Essentials for Security

Going back to school? This is a perfect time for a digital security refresh to ensure the privacy of you and your friends is protected!

It’s a good time to change your passwords. The best practice is to have passwords that are unique, long, and random. In order to keep track of these unique, long and random passwords, consider downloading a password manager.

As a great additional measure: You can add login notifications to your...

Read More

Trust Us, We’re Secretly Working for a Foreign Government: How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On

In the last few years, we’ve discovered just how much trust — whether we like it or not — we have all been obliged to place in modern technology. Third-party software, of unknown composition and security, runs on everything around us: from the phones we carry around, to the smart devices with microphones and cameras in our homes and offices, to voting machines, to critical infrastructure. The insecurity of much of that technology, and increasingly discomforting motives of the tech giants...

Read More

Trust Us, We’re Secretly Working for a Foreign Government: How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On

In the last few years, we’ve discovered just how much trust — whether we like it or not — we have all been obliged to place in modern technology. Third-party software, of unknown composition and security, runs on everything around us: from the phones we carry around, to the smart devices with microphones and cameras in our homes and offices, to voting machines, to critical infrastructure. The insecurity of much of that technology, and increasingly discomforting motives of the tech giants...

Read More

Sen. Wyden Confirms Cell-Site Simulators Disrupt Emergency Calls

Sen. Ron Wyden has sent a letter to the U.S. Department of Justice concerning disruptions to 911 emergency services caused by law enforcement’s use of cell-site simulators (CSS, also known as IMSI catchers or Stingrays). In the letter, Sen. Wyden states that:

Senior officials from the Harris Corporation—the manufacturer of the cell-site simulators used most frequently by U.S. law enforcement agencies—have confirmed to my office that Harris’ cell-site simulators completely disrupt...

Read More

Don’t Shoot Messenger

Update (September 28, 2018): Reuters reports that the court has denied the government's request to force Facebook to assist with the wiretap.

Late last week, Reuters reported that Facebook is being asked to “break the encryption” in its Messenger application to assist the Justice Department in wiretapping a suspect's voice calls, and that Facebook is refusing to cooperate. The report alarmed us in light of the government’s ongoing calls for backdoors to...

Read More

Giving Privacy Badger a Jump Start

Giving Privacy Badger a Jump Start: Teaching new Badgers to block from the get-go

When new users try Privacy Badger, they often get confused about why Privacy Badger isn’t blocking anything right away.  But that’s because Privacy Badger learns about trackers as you browse; up until now, it hasn’t been able to block trackers on the first few sites it sees after being installed.

With today’s update,  however, new users won't have to wait to see Privacy Badger in...

Read More

Sextortion Scam: What to Do If You Get the Latest Phishing Spam Demanding Bitcoin

Updated Jan 23rd 2019 to include latest variations on this scam.

You may have arrived at this post because you received an email from a purported hacker who is demanding payment or else they will send compromising information—such as pictures sexual in nature—to all your friends and family. You’re searching for what to do in this frightening situation.

Don’t panic. Contrary to the claims in your email, you haven't been hacked (or at least, that's not what...

Read More

Moving Your Site From "Not Secure" to Secure

Maybe you’re a beginner to web development, but you’ve done the hard work: you taught yourself what you needed to know, and you’ve lovingly made that website and filled it with precious content. But one last task remains: you don’t have that little green padlock with the word “secure” beside your website’s address. You don’t yet have that magical “S” after “HTTP”.

You might have heard or noticed recently that something is different on Google Chrome: if your website does not have a...

Read More

Google Chrome Now Marks HTTP Sites "Not Secure"

Last week, the movement to encrypt the web achieved another milestone: Google’s Chrome browser made good on its promise to mark all HTTP sites “not secure.” EFF welcomes this move, and we are calling on other browsers to follow suit.

This is the latest in the web’s massive shift from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it...

Read More

Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this is...

Read More

A Technical Deep Dive into STARTTLS Everywhere

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this...

Read More

Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24 hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.

... Read More

HART: Homeland Security’s Massive New Database Will Include Face Recognition, DNA, and Peoples’ “Non-Obvious Relationships”

So why do we know so little about it?

The U.S. Department of Homeland Security (DHS) is quietly building what will likely become the largest database of biometric and biographic data on citizens and foreigners in the United States. The agency’s new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics—from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal...

Read More

How To Turn PGP Back On As Safely As Possible

UPDATE: Enigmail and GPG Tools have been patched for EFAIL. For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

Previously, EFF recommended to PGP users that, because of new attacks revealed by researchers from Münster University of Applied Sciences, Ruhr University Bochum, and NXP Semiconductors, they should disable the PGP plugins in their email clients for now. You can read more detailed rationale for this advice...

Read More

Amazon, Stop Powering Government Surveillance

EFF has joined the ACLU and a coalition of civil liberties organizations demanding that Amazon stop powering a government surveillance infrastructure. Last week, we signed onto a letter to Amazon condemning the company for developing a new face recognition product that enables real-time government surveillance through police body cameras and the smart cameras blanketing many cities. Amazon has been heavily marketing this tool—called “Rekognition”—to law enforcement, and it’s already being...

Read More

Egyptian Blogger and Activist Wael Abbas Detained

Update: On June 5, 2018, authorities extended Abbas' detention for another fifteen days. We will continue to post updates on his plight here.

When we wrote of award-winning journalist Wael Abbas being silenced by social media platforms in February, we never suspected that those suspensions would reach beyond the internet to help silence him in real life. But, following Abbas's detention on Wednesday by police in Cairo, we now fear that decisions—and lack of...

Read More

FBI Admits It Inflated Number of Supposedly Unhackable Devices

We’ve learned that the FBI has been misinforming Congress and the public as part of its call for backdoor access to encrypted devices. For months, the Bureau has claimed that encryption prevented it from legally searching the contents of nearly 7,800 devices in 2017, but today the Washington Post reports that the actual number is far lower due to "programming errors" by the FBI.

Frankly, we’re not surprised. FBI Director Christopher Wray and others argue that law enforcement needs...

Read More

Pretty Good Procedures for Protecting Your Email

UPDATE: Enigmail and GPG Tools have been patched for EFAIL. For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

A group of researchers recently released a paper that describes a new class of serious vulnerabilities in the popular encryption standard PGP (including GPG) as implemented in email clients. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative...

Read More

Using the Command Line to Decrypt a Message on Linux

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

Note that the first three steps (opening the terminal) will vary between desktop environments.

Open the Activities view by clicking all the way in the top left corner of your screen.

Read More

PGP and EFAIL: Frequently Asked Questions

UPDATE: Enigmail and GPG Tools have been patched for EFAIL. For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email, and theorized many more which others could build upon. For users who have few—or even no—alternatives for end-to-end encryption, news of these vulnerabilities may leave many questions unanswered.

Digital...

Read More

Using the Command Line to Decrypt a Message on Windows

If you have disabled the PGP plugin from your mail client and saved a copy of an encrypted email to your desktop, this guide will help you read that message in as safe a way as possible given what we know about the vulnerability described by EFAIL.

1. Open the start menu by clicking the “Windows” icon in the bottom-left corner of the screen or pressing the “Windows” key on your keyboard.

2. Next, type “cmd” in the start menu that appears,...

Read More
Close tooltip