EARN IT: the bill to end all encryption

A recently leaked draft bill has many across the internet worried about their online privacy as it relates to government surveillance. The “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act”, or EARN IT, was written by Lindsey Graham and Richard Blumenthal, a bipartisan effort, with the intent to prevent online abuse and exploitation of children. To achieve this, the bill seeks to establish a committee of fifteen members, including the Attorney General, the Secretary of Homeland Security, and the Chairman of the FTC. This committee would be responsible for recommending “best practices regarding the prevention of online child exploitation content”.

Richard Blumenthal and Lindsey Graham

So far, this seems reasonable. After all, who wouldn’t get behind a bill that protects children from exploitation? The issue is that the best practices the committee publishes need only the support of the committee members and ten other members of Congress. Other than that, it seems that any “best practice” can be submitted to the Attorney General, who then has the power to “modify if necessary, the recommended best practices” and publish the final version.

Even this would not be a huge cause for concern if these practices were what they sound like: best recommendations for protecting minors. However, these best practices are not recommendations; rather, they are seemingly mandatory practices with legal weight behind them. Companies that provide online services would be required to comply with these practices within a year of their publication and reassess their compliance every year after. If they do not, and are accused of hosting unlawful and exploitative material involving children, the company will be stripped of its Section 230 protections. This would open a floodgate of potential lawsuits that, if acted upon, would run many online businesses into the ground.

Current Attorney General William Barr

While this bill is not blatantly attacking online privacy, it does give an absurd amount of power to the Attorney General and fourteen other members of Congress, who would now have the power to regulate how much of the internet is run. The current Attorney General, William Barr, has frequently advocated for backdoors to be built into encryption schemes for government use. Many fear that if this bill is passed, he and others will use their new legal powers to force cryptography providers to build these backdoors and essentially give the government access to all of our online communication. Not only does this mean that cryptography would be useless against governing bodies, it also means that it would be severely weakened against bad actors, as a backdoor that can only be used by the government simply cannot exist.

It seems as though this bill would not really have any effect on how online child exploitation is prosecuted in terms of those who actually commit the crimes; rather it targets online companies and services unfairly.

While the bill hasn’t been formally introduced, it has caused major uproar in online communities since its leak, and it is easy to see why. It gives too much power over something that affects all of us daily to far too few. At best it can be used to protect children and take down exploitative websites; at worst it undermines the security and privacy of all of our online activities, and one person essentially gets to decide which end of the spectrum the bill’s practice would fall on. Given the government’s track record of mass online surveillance, we should be reluctant to give them more power over our communications.

Written by Grayson Hassell

The bill can be read in its entirety here.

You can take action against the bill here.

Read about the mentioned section 230 protections here.

New York Office of the Attorney General v. Bitfinex

Last year on April 25th, the New York Attorney General Letitia James alleged that Bitfinex had defrauded its customers, and followed up by publishing legal filings. The alleged fraud concerned the loss of $850 million on the part of Bitfinex and the subsequent siphoning of funds via Tether, a known affiliate, in order to compensate for the substantial loss. Bitfinex and Tether attempted to have the case dismissed, arguing that the New York Attorney General had no jurisdiction over them because no “New Yorkers” were allowed on their platforms. However, that claim was disproved by documentation confirming an existing trade account with a New York-based cryptocurrency trading firm. To further support their defense, Bitfinex states that the NYSSC (New York State Supreme Court) made rulings it should not have:

that the NYAG did not have to personally serve the company’s executives with the order outlining the inquiry (the order was instead delivered to counsel); that NYAG has jurisdiction over Bitfinex and Tether; and that the supreme court can try the case without determining whether tethers are securities or commodities.

Bitfinex is asking that each of these NYSSC decisions be reversed.

Beginning in late April of 2019, NYAG alleged that Bitfinex covered up an estimated $1 billion loss held by Crypto Capital, a payment processor. Additionally, the executives of the aforementioned payment processor were arrested for facilitating a “shadow banking” service for cryptocurrency exchanges between companies.

While the decision is certainly a setback for the attorney general’s office investigating Tether, Bitfinex and other related companies, it is not an end to the proceedings. The motion signed by a clerk today is granted on the condition that additional documents pertaining to the broader appeal for dismissal be filed by November 4, 2019. If the case is allowed to proceed, actual arguments won’t likely begin until 2020.

The case is still ongoing and both parties are to present their cases sometime this year.







Written by Killiaun Blatche

COVID-19 Vaccine Test Center Hit By Ransomware Attack: Refuses to Submit to Cybercriminal’s Demands

The Maze group, an anonymous cybercrime group who pledged not to target any medical organizations during the worldwide pandemic, broke their promise and carried out a ransomware attack against Hammersmith Medicines Research. Hammersmith Medicines Research is a British vaccine test center that is on standby to perform clinical trials on potential vaccines for the COVID-19 virus.

The attack took place on March 14th, just days before the Maze group announced on March 18th that they would not target any medical organizations during the pandemic. The clinical director of Hammersmith Medicines Research, Malcolm Boyce, stated that the attack was noticed in progress and was stopped without causing any downtime. However, the Maze group was able to exfiltrate patient data, which they are using to extort the vaccine test center.

Boyce said that his company would not be giving in to the demands of the cybercriminals, and as a result, the Maze group leaked some of the patient data on the dark web on March 21st. Publishing the data online completely violated their public statement that they would not continue to attack medical organizations during the pandemic.

“We have no intention of paying. I would rather go out of business than pay a ransom to these people,” Boyce said. If the Maze group follows their typical pattern, they will continue to release the stolen data on a staggered basis until the company pays the ransom or all of the data has been released.

On a more optimistic side, security companies such as Emsisoft and McAfee are providing free assistance to medical organizations being hit by cyber attacks. These companies are providing threat analysis, development of decryption tools, and even negotiating with cyber attackers.


Written By: Spencer Roth





VMware Compromised

VMware is ubiquitous, to put it mildly. It is used in many sectors of the tech industry around the world. Therefore, a major vulnerability in VMware would be a cause for great alarm. So, of course, a major vulnerability in VMware was recently discovered. VMware’s directory service, vmdir, has a major information-disclosure bug that could leave many companies vulnerable in the near future.

vmdir is part of VMware’s vCenter Server, a provider of centralized management of virtual hosts and machines. Specifically, it is a part of the Single Sign-On mechanism used by admins. The problem is that, according to VMware’s security advisory on the topic, “Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller, does not correctly implement access controls.” VMware went on to state that they have evaluated the severity of the issue to be a 10.0 on the CVSSv3 scale.

Any attacker that can access a system through this vulnerability would be able to gain access to a great deal of highly sensitive information, according to Threatpost. Threatpost also noted that the information could be used to compromise the vCenter Server itself, along with other services dependent on vmdir for authentication. This vulnerability will, without a doubt, have massive ongoing effects as companies who are too slow to update find themselves losing data. Just another reason to keep your software up to date, I suppose.

VMware’s Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0006.html

Tara Seals’ article from threatpost: https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/

Introducing WireGuard: the new official VPN of Linux

While end-to-end encryption dominates the headlines in light of recent legislative efforts, the encryption of our data in transit is also now more relevant than ever before. As a significant chunk of the American population continues to work from home, VPN traffic from private networks has soared by a whopping 34%, according to Verizon. Many companies have decided on the VPN software they will use to help stay afloat. But for many Linux users, WireGuard has already become the preferred weapon of choice after an exciting announcement made late last year: its official integration into the Linux kernel.

While there are several different VPN implementations to choose from, few come close to the simplicity of WireGuard’s open-source tunneling protocol. Compared to other protocols such as IPSec and OpenVPN, WireGuard is known for being lightweight, easy to set up, and (most importantly) highly secure. While it is also available for several other operating systems, including Windows, macOS, and FreeBSD, it now has a unique home inside the Linux kernel itself. As of version 5.6, users no longer need to manually download and include the VPN as a kernel module (add-on).

News of WireGuard’s merge could not have come at a more appropriate time. As millions around the globe rely on remote connections to access corporate resources from home, WireGuard becomes the de facto new standard for point-to-point encryption on Linux. Not only does this decision advance the interests of privacy and confidentiality among users, but it has also received overwhelming support from the Linux community, including none other than the creator of Linux himself, Linus Torvalds, who referred to WireGuard as “a work of art.”

Written by: Conrad Schneggenburger