• House Speaker Mike Johnson said he doesn't use Signal, an encrypted messaging app.
• "A lot of them text," Johnson said of his GOP colleagues. "That's our main means of communication."
• He jokes that his texts are "probably being monitored by the Russians."

House Speaker Mike Johnson said on Wednesday that he doesn't use Signal, telling an interviewer that he's in "zero" chats on the encrypted messaging app.

Instead, Johnson said, he primarily communicates via regular text messages.

"I get about 400 a day literally just from members," Johnson said at an Axios News Shapers event in Washington, DC. "A lot of them text. That's our main means of communication."

He added, jokingly: "Probably being monitored by the Russians, for all I know."

Signal is an popular messaging app that uses end-to-end encryption to keep text messages secure, preventing third parties — including foreign governments — from being able to read messages.

While Apple's iMessage also uses end-to-end encryption, regular SMS text messages are generally not encrypted, leaving them vulnerable to hacking.

Signal was at the center of a recent scandal in Washington, when Atlantic Editor-in-Chief Jeffrey Goldberg was mistakenly added to a chat on the platform in which Defense Secretary Pete Hegseth, National Security Advisor Mike Waltz, Vice President JD Vance, and other Trump administration officials discussed upcoming strikes in Yemen.

Trump recently discouraged members of his administration from using the app following the incident.

"If you want to know the truth. I would frankly tell these people not to use Signal, although it's been used by a lot of people," Trump told The Atlantic. "But, whatever it is, whoever has it, whoever owns it, I wouldn't want to use it."

When Google announced Tuesday that end-to-end encrypted messages were coming to Gmail for business users, some people balked, noting it wasn’t true E2EE as the term is known in privacy and security circles. Others wondered precisely how it works under the hood. Here’s a description of what the new service does and doesn’t do, as well as some of the basic security that underpins it.

When Google uses the term E2EE in this context, it means that an email is encrypted inside Chrome, Firefox, or just about any other browser the sender chooses. As the message makes its way to its destination, it remains encrypted and can’t be decrypted until it arrives at its final destination, when it’s decrypted in the recipient's browser.

Giving S/MIME the heave-ho

The chief selling point of this new service is that it allows government agencies and the businesses that work with them to comply with a raft of security and privacy regulations and at the same time eliminates the massive headaches that have traditionally plagued anyone deploying such regulation-compliant email systems. Up to now, the most common means has been S/MIME, a standard so complex and painful that only the bravest and most well-resourced organizations tend to implement it.

Read full article

Comments

Mobile networks continue to be a major target for cybersecurity breaches, and Chinese hacking group Salt Typhoon’s persistent attacks on multiple carriers are only the latest known examples.  The mobile carrier startup Cape is taking a novel approach to addressing the problem: It has built a service it says can provide a more secure, private […]

© 2024 TechCrunch. All rights reserved. For personal use only.

The UK is no longer recommending the use of encryption for at-risk groups following its iCloud backdoor demands

© 2024 TechCrunch. All rights reserved. For personal use only.

iMessage, Signal, and WhatsApp have made E2EE the default for messaging, but Skype paved the way decades ago.

© 2024 TechCrunch. All rights reserved. For personal use only.

After the United Kingdom demanded that Apple create a backdoor that would allow government officials globally to spy on encrypted data, Apple decided to simply turn off encryption services in the UK rather than risk exposing its customers to snooping.

Apple had previously allowed end-to-end encryption of data on UK devices through its Advanced Data Protection (ADP) tool, but that ended Friday, a spokesperson said in a lengthy statement.

"Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature," Apple said.

Read full article

Comments

In an unprecedented step, Apple caved to a reported U.K. government’s demand to prevent users from using end-to-end encryption in iCloud.

© 2024 TechCrunch. All rights reserved. For personal use only.

Talk of backdoors in encrypted services is once again doing the rounds after reports emerged that the U.K. government is seeking to force Apple to open up iCloud’s end-to-end encrypted (E2EE) device backup offering. Officials were said to be leaning on Apple to create a “backdoor” in the service that would allow state actors to […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security experts say the ‘draconian’ order would have global ramifications that make this a privacy ‘emergency for us all’

© 2024 TechCrunch. All rights reserved. For personal use only.

Apple is likely to stop providing its encrypted cloud service to U.K. users

© 2024 TechCrunch. All rights reserved. For personal use only.

A little over two weeks ago, a largely unknown China-based company named DeepSeek stunned the AI world with the release of an open source AI chatbot that had simulated reasoning capabilities that were largely on par with those from market leader OpenAI. Within days, the DeepSeek AI assistant app climbed to the top of the iPhone App Store's "Free Apps" category, overtaking ChatGPT.

On Thursday, mobile security company NowSecure reported that the app sends sensitive data over unencrypted channels, making the data readable to anyone who can monitor the traffic. More sophisticated attackers could also tamper with the data while it's in transit. Apple strongly encourages iPhone and iPad developers to enforce encryption of data sent over the wire using ATS (App Transport Security). For unknown reasons, that protection is globally disabled in the app, NowSecure said.

Basic security protections MIA

What’s more, the data is sent to servers that are controlled by ByteDance, the Chinese company that owns TikTok. While some of that data is properly encrypted using transport layer security, once it's decrypted on the ByteDance-controlled servers, it can be cross-referenced with user data collected elsewhere to identify specific users and potentially track queries and other usage.

Read full article

Comments

Let's Encrypt has been providing free "wildcard" certificates for websites for nearly seven years, enabling HTTPS connections for millions of domains and doing the whole Internet a real solid.

Now the nonprofit is ending a useful service, but in an exceedingly rare happenstance, it's probably a good thing for everyone. Starting June 4, 2025, Let's Encrypt will no longer notify its subscribers that their certification is about to expire and needs renewal. Some hosting providers automatically obtain and manage certificates from Let's Encrypt, so there's not much for them to do. Everyone else will have to do something, and likely it will still be free and automated.

Let's Encrypt is ending automated emails for four stated reasons, and all of them are pretty sensible. For one thing, lots of customers have been able to automate their certificate renewal. For another, providing the expiration notices costs "tens of thousands of dollars per year" and adds complexity to the nonprofit's infrastructure as they are looking to add new and more useful services.

Read full article

Comments

The move to urge Americans to use end-to-end encrypted apps comes as China-backed gangs are hacking into phone and internet giants.

© 2024 TechCrunch. All rights reserved. For personal use only.

Thousands of victims have sued Apple over its alleged failure to detect and report illegal child pornography, also known as child sex abuse materials (CSAM).

The proposed class action comes after Apple scrapped a controversial CSAM-scanning tool last fall that was supposed to significantly reduce CSAM spreading in its products. Apple defended its decision to kill the tool after dozens of digital rights groups raised concerns that the government could seek to use the functionality to illegally surveil Apple users for other reasons. Apple also was concerned that bad actors could use the functionality to exploit its users and sought to protect innocent users from false content flags.

Child sex abuse survivors suing have accused Apple of using the cybersecurity defense to ignore the tech giant's mandatory CSAM reporting duties. If they win over a jury, Apple could face more than $1.2 billion in penalties. And perhaps most notably for privacy advocates, Apple could also be forced to "identify, remove, and report CSAM on iCloud and implement policies, practices, and procedures to prevent continued dissemination of CSAM or child sex trafficking on Apple devices and services." That could mean a court order to implement the controversial tool or an alternative that meets industry standards for mass-detecting CSAM.

Read full article

Comments