Possible National Quarantine? How Deadly Is This Virus?

Reports and rumors have been surfacing that President Trump is currently mulling over a plan for a national shutdown. Such a shutdown would be unprecedented in U.S. history.

The plan would allow President Trump to mobilize the National Guard to help enforce a two-week quarantine of the public and require everyone to “stay at home.” This would also urge all businesses, other than grocery stores and pharmacies, to close for the time being. According to the source named in the Washington Examiner article, this plan would not be announced until early next week.

This comes on the heels of more and more states and cities taking drastic measures on Friday to combat the ongoing spread of the coronavirus, which so far has infected roughly 14,000 Americans. 

COVID-19: Life After the Pandemic

E pluribus unum. Out of many, one. A fitting motto for the melting pot that is the United States and a fitting view of the world, whose frailty, humanity and interdependence have been laid bare by an invisible virus. While ground zero for coronavirus seems to have shifted from Asia to Europe and is now making its way to the U.S., whose level of national awareness has only recently kicked into gear with a presidential emergency declaration, it is not too soon to begin asking ourselves what life should look like after this moment of global and national solidarity.

Coping with the pandemic will be agonizingly hard for the global economy and for many millions of people who do not enjoy the inherent security and resilience of adequate healthcare coverage, savings, paid medical leave and other benefits. The societal trade-off we now face is stark. Financially vulnerable people grapple with the false choice of complying with calls for social distancing to protect the medically at risk and themselves, while doing so at the peril of their own economic survival. In this environment, facing a 100-year pandemic threat that has ground the global economy to a halt in 90 days (with governments throwing trillions of dollars at the invisible many-headed hydra that has once-vibrant, free-moving societies on lockdown), basic benefits and social compliance are our best defense.

Shabaab Tries to Assassinate US Diplomat

A suicide bombing in Mogadishu today was an assassination attempt on the UN Special Envoy to Somalia, an American diplomat, according to Shabaab.

Several people were killed or wounded when a Shabaab suicide bomber walked into the Mogadishu mayor’s office and detonated his explosives. Somali officials were meeting with the UN Special Envoy to Somalia, James Swan, prior to the attack.

According to the Associated Press, however, Swan and many others had left the building just minutes before the suicide bomber arrived. Other Somali officials were not as lucky, including Mogadishu’s mayor, who was reportedly rushed to a hospital in critical condition.

Big Cable Owns Internet Access. Here’s How to Change That.

Surveying the landscape of internet access, one could be forgiven for a single dank conclusion: Winter is coming.

We know that Big Cable’s plan for high-speed internet access is to squeeze with “usage-based billing” and data caps, so as to milk ever-growing profits from their existing networks rather than invest in future-proof fiber optics. We’re also seeing that Big Cable has won the war for high-capacity, 25Mbps-download-or-better wired internet access, leaving AT&T and Verizon to concentrate primarily on mobile wireless. Indeed, Big Cable’s share of new and existing wired-access subscribers has never been greater — cable got both all new net subscribers in the third quarter of 2015 and captured millions of subscribers fleeing DSL — and its control over this market is growing faster than ever.

Wall Street analyst Craig Moffett predicts that, in the end, unless things change, cable will have 90 percent of subscribers in areas where it faces competition from only traditional DSL and will have the lion’s share of subscribers in areas where cable faces competition from souped-up copper-line DSL and fiber-to-the-node (aka “fiber to the neighborhood”).

We’re already seeing the deadening effects of this. Pew reports that home adoption of high-speed internet access has plateaued, while the percentage of smartphone-only users in the United States is growing. Just 8 percent of Americans were smartphone only in 2013. That number is now 13 percent—mostly lower-income households, minorities, and rural Americans. What’s the reason for nonadoption? Mostly cost: The monthly fee for high-speed internet is the main reason most of these people don’t have access at home. Smartphone-only users just don’t have the same quality of access as home high-speed internet subscribers. We are amplifying and entrenching existing inequality by not taking on this country’s internet access problem.

Islamic State fighters number far more than first thought, says CIA

US officials are shocked at the “Islamic State’s rapid growth.” Now, the CIA estimates that the Islamic State has somewhere between 20,000 and 31,500 fighters within its ranks. That number may include “some 15,000 foreign fighters in Syria alone, including 2,000 Westerners,” Al Jazeera reported, which noted the estimate is “far more than first thought.”

Islamic State fighters in Iraq and Syria number around 20,000 to 31,500 — a figure far higher than previously estimated, the Central Intelligence Agency has said. The new calculation includes some 15,000 foreign fighters in Syria alone, including 2,000 Westerners, a U.S. intelligence official told the AFP news agency on Thursday.

“The number is much higher than a previous estimate of 10,000,” Al Jazeera continues.

The scope of the operation, including the territory covered, indicates that tens of thousands of ISIS fighters participated in the recent fighting. The group is estimated to have anywhere around 50,000 members, thousands of foreign fighters, and is more of an army than a smaller extremist group.

What’s the matter with PGP?

Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google’s end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs.

So great work by Google and Yahoo! Which is why the following complaint is going to seem awfully ungrateful. I realize this and I couldn’t feel worse about it.

As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken. It’s time for PGP to die.

In the remainder of this post I’m going to explain why this is so, what it means for the future of email encryption, and some of the things we should do about it. Nothing I’m going to say here will surprise anyone who’s familiar with the technology — in fact, this will barely be a technical post. That’s because, fundamentally, most of the problems with email encryption aren’t hyper-technical problems. They’re still baked into the cake.

How the U.S. Could Escalate Its Name-and-Shame Campaign Against China’s Espionage

Chinese companies believed to be benefiting from stolen secrets could be the next target of U.S. action to curb industrial espionage.

Earlier this week the U.S. Department of Justice indicted five Chinese military officers for industrial espionage, accusing them of leading attacks on the computers of U.S. companies including U.S. Steel and Westinghouse to gather material to be passed on to Chinese companies.

The move puts U.S. policy in line with experts who have argued that only naming and shaming the perpetrators, and pursuing them through legal action, will rein in such attacks. Digital IP theft is now normal for U.S. companies, although few victims disclose the fact.

Dmitri Alperovitch, cofounder and chief technology officer (see “TR35: Dmitri Alperovitch”) of the security company Crowdstrike, a company that offers new ways to trace and fight back against cyberattacks, told MIT Technology Review’s Tom Simonite how the U.S. could use its new strategy to increase the pressure on China even further.

Attack of the Week: Triple Handshakes (3Shake)

The other day Apple released a major security update that fixes a number of terrifying things that can happen to your OS/X and iOS devices. You should install it. Not only does this fix a possible remote code execution vulnerability in the JPEG parser (!), it also patches a TLS/SSL protocol bug known as the “Triple Handshake” vulnerability. And this is great timing, since Triple Handshakes are something I’ve been meaning (and failing) to write about for over a month now.

But before we get there: a few points of order.

First, if Heartbleed taught us one thing, it’s that when it comes to TLS vulnerabilities, branding is key. Henceforth, and with apologies to Bhargavan, Delignat-Lavaud, Pironti, Fournet and Strub (who actually discovered the attack*), for the rest of this post I will be referring to the vulnerability simply as “3Shake”.

On a more serious note, 3Shake is not Heartbleed. That’s both good and bad. It’s good because Heartbleed was nasty and 3Shake really isn’t anywhere near as dangerous. It’s bad since, awful as it was, Heartbleed was only an implementation vulnerability — and one in a single TLS library to boot. 3Shake represents a novel and fundamental bug in the TLS protocol.

The final thing you should know about 3Shake is that, according to the cryptographic literature, it shouldn’t exist.

How do you know if an RNG is working?

Last week, Edward Snowden spoke to a packed crowd at SXSW about the many problems (and limited solutions) facing those of us who want to keep our communications private. Snowden said a number of things — including a shout out to Moxie’s company Whisper Systems, who certainly deserve it. But instead of talking about that, I wanted to focus on (in my opinion) one of Snowden’s most important quotes:

We need all those brilliant Belgian cryptographers to go “alright we know that these encryption algorithms we are using today work, typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them [secure], how can we test them?”

Now it’s possible I’m a little biased, but it seems to me this cuts to the core of our problems with building secure systems in an increasingly hostile world. Namely: most encryption relies on some source of “random” numbers, either to generate keys or (particularly in the case of public key encryption) to provide semantic security for our ciphertexts.

What this means is that an attacker who can predict the output of your RNG — perhaps by taking advantage of a bug, or even compromising it at a design level — can often completely decrypt your communications. The Debian project learned this firsthand, as have many others. This certainly hasn’t escaped NSA’s notice, if the allegations regarding its Dual EC random number generator are true.

All of this brings us back to Snowden’s quote above, and the question he throws open for us. How do you know that an RNG is working? What kind of tests can we run on our code to avoid flaws ranging from the idiotic to the highly malicious? Unfortunately this question does not have an easy answer. In the rest of this post I’m going to try to explain why.

Can Hackers Decrypt Target’s PIN Data?

Slightly longer answer: it depends on whether they have access to the encryption key, or to a machine that contains the encryption key.

In case you have no idea what I’m talking about: there was recently a massive credit card breach at Target. If you’re like many people you probably heard about this three times. First in the news, then again in your email when Target notified you that you were a victim, and finally a third time when you checked your credit card bill. Not a proud day for our nation’s retailers.

The news got a bit messier today when Target announced the thieves had also managed to get their hands on the PIN numbers of unfortunate debit card customers. But this time there’s a silver lining: according to Target, the PIN data was encrypted under a key the hackers don’t have.