FAQ: New national security law – Hong Kong

Mullvad

We frequently get questions about HK and its new security law.
The most common question is “Why haven’t you already pulled out of HK altogether?”, but some customers emphasize the need for servers in HK and voice their concern that we might withdraw.

Our VPN service, as well as our relays and bridges, can be used for many reasons and in many different ways. However, if you have privacy concerns, it might be good to choose a server location in a jurisdiction YOU prefer. Also consider using Multihop. Deciding on a location could be based on jurisdiction, network quality, blocking and throttling, and many other factors.

For instance, you can use our bridge service with Singapore as an entry location and the U.S. as an exit location if that’s a combination that fits your needs. Alternatively, you can use the Multihop function in WireGuard. The traffic will be encrypted from your computer to the exit server, and the bridge or WG server in the middle will just route traffic to the exit node without being able to decrypt it. Depending on your threat model, using two locations with different jurisdictions might be beneficial.
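As an added illustration (not Mullvad’s own code or configuration), the shell snippet below generates a WireGuard multihop client configuration of the kind the FAQ describes and checks the one property that makes it multihop: the peer public key belongs to the exit server while the Endpoint is the entry relay, so the entry relay only forwards datagrams it cannot decrypt. Hostnames, keys, the tunnel address and the forwarding port are constructed placeholders; the port on the entry relay that forwards to a given exit is provider-specific and has to be taken from the provider’s server list (an assumption of this example, not something the FAQ states).

```shell
#!/bin/sh
# Added example, not from Mullvad's FAQ: generate a WireGuard multihop client
# config and check the property that makes it multihop. Every value is a
# constructed placeholder: hostnames, ports and keys are hypothetical and
# will not connect anywhere.

CLIENT_PRIVATE_KEY="${CLIENT_PRIVATE_KEY:-REPLACE_WITH_CLIENT_PRIVATE_KEY}"
CLIENT_ADDRESS="${CLIENT_ADDRESS:-10.64.0.2/32}"       # tunnel address assigned by the provider
ENTRY_HOST="${ENTRY_HOST:-sg-entry.example.net}"       # hypothetical entry relay (Singapore)
EXIT_NAME="${EXIT_NAME:-us-exit.example.net}"          # hypothetical exit relay (U.S.), reference only
EXIT_PUBLIC_KEY="${EXIT_PUBLIC_KEY:-REPLACE_WITH_EXIT_SERVER_PUBLIC_KEY}"
MULTIHOP_PORT="${MULTIHOP_PORT:-3001}"                 # entry relay port that forwards to this exit (provider-specific)

# The client holds no key for the entry relay. Its only peer is the exit
# server, so the WireGuard session and its encryption run end to end from
# the client to the exit; the entry relay forwards opaque UDP datagrams.
multihop_conf() {
    cat <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVATE_KEY
Address = $CLIENT_ADDRESS

# exit: $EXIT_NAME, reached through $ENTRY_HOST
[Peer]
PublicKey = $EXIT_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $ENTRY_HOST:$MULTIHOP_PORT
EOF
}

# Sanity check before bringing the tunnel up: the Endpoint must be the entry
# relay and the peer key must be the exit server's. A config whose Endpoint
# is the exit server itself is an ordinary single hop, not multihop.
multihop_check() {
    conf=$(multihop_conf)
    echo "$conf" | grep -q "^Endpoint = $ENTRY_HOST:$MULTIHOP_PORT$" || return 1
    echo "$conf" | grep -q "^PublicKey = $EXIT_PUBLIC_KEY$" || return 1
    echo "$conf" | grep -q "^Endpoint = $EXIT_NAME" && return 1
    return 0
}

# Usage (as root, after filling in real values):
#   multihop_check && multihop_conf > /etc/wireguard/multihop.conf
#   wg-quick up multihop
```

The check is deliberately dumb: it only confirms that the file says what the threat model needs it to say. Whether the entry relay really forwards to the named exit is something only the provider’s server list, and a `wg show` handshake with the expected exit key, can confirm.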

EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy

Electronic Frontier Foundation

The European Union’s highest court today made clear—once again—that the US government’s mass surveillance programs are incompatible with the privacy rights of EU citizens. The judgment was made in the latest case involving Austrian privacy advocate and EFF Pioneer Award winner Max Schrems. It invalidated the “Privacy Shield,” the data protection deal that secured the transatlantic data flow, and narrowed the ability of companies to transfer data using individual agreements (Standard Contractual Clauses, or SCCs).

Despite the many “we are disappointed” statements by the EU Commission, U.S. government officials, and businesses, it should come as no surprise, since it follows the reasoning the court made in Schrems’ previous case, in 2015.

Back then, the EU Court of Justice (CJEU) noted that European citizens had no real recourse in US law if their data was swept up in the U.S. government’s surveillance schemes. Such a violation of their basic privacy rights meant that U.S. companies could not provide an “adequate level of [data] protection,” as required by EU law and promised by the EU/U.S. “Privacy Safe Harbor” self-regulation regime. Accordingly, the Safe Harbor was deemed inadequate, and data transfers by companies between the EU and the U.S. were forbidden.

Since that original decision, multinational companies, the U.S. government, and the European Commission sought to paper over the giant gaps between U.S. spying practices and the EU’s fundamental values. The U.S. government made clear that it did not intend to change its surveillance practices, nor push for legislative fixes in Congress. All parties instead agreed to merely fiddle around the edges of transatlantic data practices, reinventing the previous Safe Harbor agreement, which weakly governed corporate handling of EU citizens’ personal data, under a new name: the EU-U.S. Privacy Shield.

Full article

EFF Launches Searchable Database of Police Agencies and the Tech Tools They Use to Spy on Communities

Electronic Frontier Foundation

San Francisco—The Electronic Frontier Foundation (EFF), in partnership with the Reynolds School of Journalism at the University of Nevada, Reno, today launched the largest-ever collection of searchable data on police use of surveillance technologies, created as a tool for the public to learn about facial recognition, drones, license plate readers, and other devices law enforcement agencies are acquiring to spy on our communities.

The Atlas of Surveillance database, containing several thousand data points on over 3,000 city and local police departments and sheriffs’ offices nationwide, allows citizens, journalists, and academics to review details about the technologies police are deploying, and provides a resource to check what devices and systems have been purchased locally.

Users can search for information by clicking on regions, towns, and cities, such as Minneapolis, Tampa, or Tucson, on a U.S. map. They can also easily perform text searches by typing the names of cities, counties, or states on a search page that displays text results. The Atlas also allows people to search by specific technologies, which can show how surveillance tools are spreading across the country.

Built using crowdsourcing and data journalism over the last 18 months, the Atlas of Surveillance documents the alarming increase in the use of unchecked high-tech tools that collect biometric records, photos, and videos of people in their communities, locate and track them via their cell phones, and purport to predict where crimes will be committed.

While the use of surveillance apps and face recognition technologies is under scrutiny amid the COVID-19 pandemic and street protests, EFF and students at University of Nevada, Reno, have been studying and collecting information for more than a year in an effort to, for the first time, aggregate data collected from news articles, government meeting agendas, company press releases, and social media posts.

Full article

KeePassXC 2.6.0 Free Password Manager Released With New Light And Dark Themes, Password Checks

Linux Uprising

KeePassXC 2.6.0 was released recently with improvements including an overhauled user interface with new light and dark themes, a new offline password health check, a check of passwords against the Have I Been Pwned online service, and more.

KeePassXC is a free and open-source password manager that started as a community fork of KeePassX, which is itself a fork of KeePass and is no longer actively maintained. The application is built using Qt and runs on Linux, Windows and macOS.

The application uses the KeePass 2.x (.kdbx) password database format as its native file format, in versions 3.1 and 4, using AES encryption with a 256-bit key; version 2 of the database can be opened, but it is upgraded to a newer format when opened, while KeePass 1.x (.kdb) databases can be imported into a .kdbx file as a one-way process.

For easily entering passwords in a web browser, KeePassXC comes with browser extensions for Mozilla Firefox and Chrome-based web browsers (Google Chrome, Chromium, Vivaldi).

One feature that’s missing is built-in cloud synchronization of the password database. This can still be achieved easily by using a third-party cloud storage and synchronization service like Nextcloud, Dropbox, Google Drive, OneDrive, and so on, and simply storing the KeePassXC database in the shared cloud folder.

Full article

Our comment

Never store your password manager file, encrypted or not, in the cloud!
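The Have I Been Pwned check mentioned in the KeePassXC item above deserves a closer look, because how such a check is done decides whether it is acceptable in a password manager at all. The shell functions below are an added example, not KeePassXC code; they reproduce the k-anonymity range lookup that the Pwned Passwords API offers, using only coreutils: the password’s SHA-1 is computed locally, the first five hex characters are the only thing sent, and the returned bucket of suffixes is matched on the client. The range response embedded here is a constructed sample, not a real API reply, and its counts are made up.

```shell
#!/bin/sh
# Added example (not KeePassXC code): the k-anonymity range lookup behind a
# Have I Been Pwned password check, done with shell tools. Neither the
# password nor its full hash leaves the machine: only the first five hex
# characters of the SHA-1 are sent, and the server returns every suffix in
# that bucket for the client to match locally.

# Upper-case hex SHA-1 of the argument (no trailing newline is hashed).
sha1_hex() {
    printf '%s' "$1" \
      | if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi \
      | cut -c1-40 | tr 'a-f' 'A-F'
}

hibp_prefix() { sha1_hex "$1" | cut -c1-5; }    # the only thing sent to the API
hibp_suffix() { sha1_hex "$1" | cut -c6-40; }   # matched locally, never sent

# Read a range response ("SUFFIX:COUNT" lines, CRLF tolerated) on stdin and
# print the breach count for the password in $1, or 0 when its suffix is absent.
hibp_count() {
    suffix=$(hibp_suffix "$1")
    count=$(tr -d '\r' | awk -F: -v s="$suffix" '$1 == s { print $2; exit }')
    printf '%s\n' "${count:-0}"
}

# Constructed sample of what GET /range/5BAA6 might return. Real responses
# hold hundreds of lines; the suffixes and counts below are made up, except
# that the second line is the genuine suffix of SHA-1("password").
SAMPLE_RANGE_5BAA6='003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
011053FD0102E94D6AE2F8B83D76FAF94F6:1'

# Offline demonstration with the textbook weak password.
printf '%s\n' "$SAMPLE_RANGE_5BAA6" | hibp_count password

# Live lookup (needs network), same matching logic on the real response:
#   pw='...'
#   curl -s -H 'Add-Padding: true' \
#     "https://api.pwnedpasswords.com/range/$(hibp_prefix "$pw")" | hibp_count "$pw"
```

Two practical notes: the `Add-Padding: true` header makes the server pad every bucket to a similar size, so the response length does not leak which prefix was queried to a network observer who can see TLS record sizes; and because the lookup key is a SHA-1 prefix, the check tells you whether a password has appeared in a breach corpus, not whether it is strong, which is why KeePassXC pairs it with the offline health check.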

Google will ban ads for stalkerware starting August 11

Bleeping Computer

Google will update its Google Ads Enabling Dishonest Behavior policy to globally ban advertising for spyware and surveillance technology known as stalkerware, starting August 11, 2020.

Stalkerware allows third parties to monitor a person’s mobile device without the user’s knowledge and to collect sensitive information about the user’s location and online activity, to be used later for blackmail or other malicious purposes.

Full article

China TikTok violated Children’s privacy policy in United States

Cybersecurity Insiders

It is already a known fact that the US Government is planning to impose a ban on the video-sharing and social-networking app TikTok because of national security concerns. But fresh reports have emerged in the media that a probe carried out by the Federal Trade Commission and the US Justice Department has found that the business subsidiary of the Chinese company ByteDance has failed to adhere to the rules laid down in 2019 by the United States to protect children’s privacy, and so is likely to face harsh punishment from the data watchdog.

As a result, the company, popular among teens for its short videos, has hit a fresh bump in its American business, as tough scrutiny of TikTok’s investment in the United States has been ordered by the national-security-focused committee.

Going deeper into the allegations: in the next few days the FTC will probe whether TikTok has failed to delete videos and sensitive information related to children under 13 living in the United States, as required by the agreement it made with the FTC in 2019.

TikTok has denied all these allegations and stated that it has adhered and will adhere to the rules meant to safeguard the privacy of its users, and will take extra safety and privacy precautions for younger audiences.

Full article

Hong Kong’s Security Law Puts Big Tech at a Crossroads

WIRED


A new national security law has turned Hong Kong into a battleground for the United States and China’s escalating war over control of the global internet. Whether Hong Kong eventually falls behind China’s Great Firewall will depend on how strictly Beijing enforces the regulation, and how willing technology platforms are to stand up in the face of Communist Party pressure—particularly when their business interests are at stake. Some tech giants like Google and Facebook have already paused accepting requests for data from Hong Kong authorities. Others, like Chinese-owned TikTok, have decided to pull out of the region altogether.

The new law was imposed by the Chinese Communist Party with little input from local Hong Kong officials, and went into effect on the evening of June 30. It establishes a wide-reaching security apparatus with the power to crack down on a range of political actions, including separatism and subversion of state power. Civil rights groups around the world quickly decried the measure, and over the past week, activists, researchers, and other vulnerable groups began scrambling to protect themselves from its potential legal consequences.

Full article

Video: The production of Nitrokeys – A look behind the scenes

Nitrokey

In 2015, when we transferred our hobby project Crypto Stick to the professional company Nitrokey, it was clear to us from the beginning that we would carry out the serial production of Nitrokeys in Germany. Of course we also buy components on the world market. But the final production of all Nitrokeys takes place in Germany. So we can ensure that production meets our security requirements. In addition, production remains flexible, so that we can produce customer-specific firmware and logos on request, even for relatively small quantities.

For us as a small company, it is a special challenge to produce manageable quantities in a high-priced country while keeping production costs competitive. We have successfully mastered this challenge through a high degree of automation. Instead of using high-priced or unsuitable industrial robots, we have developed tailor-made automation systems ourselves.

A self-developed three-axis automatic machine programs and tests up to 250 Nitrokeys sequentially and fully automatically. Compared to manual work, only four minutes of working time are required instead of four hours. Thus we can produce up to 8000 Nitrokeys in one day.

Initializing the encrypted mass storage of the Nitrokey Storage with random numbers is a lengthy process that takes up to 1.5 hours per Nitrokey. Sequential processing would take several weeks. Therefore we have developed a system that initializes 49 Nitrokeys in parallel and can easily be enlarged if necessary.

Full article

Police Arrested Hundreds of Criminals After Hacking Into Encrypted Chat Network

The Hacker News

In a joint operation, European and British law enforcement agencies recently arrested hundreds of alleged drug dealers and other criminals after infiltrating a global network of an encrypted chat app that was used to plot drug deals, money laundering, extortion, and even murders.

Dubbed EncroChat, the top-secret encrypted communication app comes pre-installed on a customized Android-based handset with GPS, camera, and microphone functionality removed for anonymity and security.

EncroChat phones aim to securely exchange data and messages with pre-loaded apps for secure instant messaging, VoIP calling and self-destructing messages, and include a ‘kill code’ function that lets users remotely wipe all data in times of trouble.

The handset and its services, which cost around £1,500 for a six-month subscription, had 60,000 users worldwide and approximately 10,000 users in the United Kingdom.

EncroChat phones were presented to customers as guaranteeing perfect anonymity (no device or SIM card association on the customer’s account, acquisition under conditions guaranteeing the absence of traceability) and perfect discretion both of the encrypted interface (dual operating system, the encrypted interface being hidden so as not to be detectable) and the terminal itself (removal of the camera, microphone, GPS and USB port).

Europol

Full article

In addition to the above, you can read a blog post at europol.europa.eu.

How to configure the Ubuntu Firewall (UFW)

FOSS Linux

We recommend ufw together with the graphical tool gufw for all users, regardless of whether you are a Linux novice or an experienced Linux geek.

privacynow.eu team

A properly configured firewall is a crucial part of establishing preliminary system security. Keeping this in mind, here we will go over how to configure the firewall on your Ubuntu PC.

Now, by default, Ubuntu comes with a dedicated firewall configuration tool known as UFW, or Uncomplicated Firewall. It is an intuitive front end designed to help you manage iptables firewall rules. With UFW, you will be able to perform almost all the necessary firewall tasks without having to learn iptables.

As such, for this read, we will be using UFW to help set up a firewall for our Ubuntu PC. We have also put together a detailed step-by-step tutorial on how to use UFW to perform.

Full article
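The excerpt above stops before the actual rules. As an added example (not from the FOSS Linux tutorial), the script below builds a minimal default-deny baseline in UFW’s command syntax and includes the check every remote administrator wants before `ufw enable`: a rule admitting the SSH port must already be in the plan, otherwise the script refuses to apply it. The ports and the management network (192.0.2.0/24, a documentation range) are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the FOSS Linux tutorial: a minimal, reviewable UFW
# baseline for an Ubuntu host. Hypothetical assumptions: SSH listens on
# 22/tcp, a web service on 443/tcp, and administration comes from the
# 192.0.2.0/24 network (a documentation range used here as a constructed
# sample). Adjust the variables before applying.

SSH_PORT="${SSH_PORT:-22}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
WEB_PORT="${WEB_PORT:-443}"

# The rule set as plain ufw commands, one per line, so it can be read (and
# diffed) before anything touches iptables. Order matters: policies first,
# and the SSH rule before 'enable', or a remote session is cut off.
ufw_plan() {
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw default deny routed
ufw logging low
ufw limit proto tcp from $MGMT_NET to any port $SSH_PORT comment 'ssh: rate limited, management net only'
ufw allow proto tcp to any port $WEB_PORT comment 'https'
ufw --force enable
EOF
}

# Lock-out guard: fail if the plan reaches 'enable' without an allow/limit
# rule for the SSH port appearing earlier in the sequence.
ufw_plan_admits_ssh() {
    ufw_plan | awk -v p="$SSH_PORT" '
        /^ufw (allow|limit) / && $0 ~ ("port " p "( |$)") { found = 1 }
        /^ufw (--force )?enable/ && !found { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Apply the plan line by line, stopping at the first failure.
ufw_apply() {
    ufw_plan_admits_ssh || { echo "refusing: no SSH rule before enable" >&2; return 1; }
    ufw_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        sudo sh -c "$cmd" || exit 1
    done
}

ufw_plan   # print the plan; call 'ufw_apply' when it looks right
```

`ufw limit` admits the port but rate-limits new connections from a source that opens six or more in thirty seconds, which blunts password brute forcing without a separate tool. Before applying, `ufw --dry-run <rule>` prints the iptables rules a single command would generate, and `ufw status verbose` afterwards shows the resulting policy, logging level and rule list; a host with IPv6 also needs `IPV6=yes` in /etc/default/ufw, or the same rules will not be created for the v6 stack.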