One of my favorite training assets is ScreenCastsOnline from Mac pioneer Don McAllister. Each week they produce a full tutorial and a shorter tip video on Mac software and services.

This week, the main tutorial was on a free online service called xkpasswd. This open-source service will produce incredibly secure passwords. There are five settings that you can customize, and based on these settings, the site will generate several passwords from which you may pick one that you like.

The five settings include:
         • Words: set the max number of letters and the number of words
         • Transformations: use the lower and upper case letters on words
         • Separator: a randomly chosen character to separate words
         • Padding Digits: any number of digits before and after the words
         • Padding Symbols: any number of symbols added to the front and back of the password.

After generating several passwords, the site will evaluate the level of safeness of the results. When the strength of the password is good or better, the numbers are shown in green. Less secure results display in red. This immediate assessment gives you the data you need to know that the password you select will be safe and extremely difficult to hack.

The site also has generated several configurations of the above five settings for specific uses. One configuration is designed for Apple ID passwords specifically. The values set are designed to respect the prerequisites that Apple places on Apple ID passwords. But, it also limits the symbols found on the iOS letter and number keyboards, so entering the password is easier.

One other configuration is called SECURITYQ and is designed to create answers to those pesky security questions such as the first name of the maid of honor at your wedding or your mother’s maiden name. Answering these questions with something other than the truth is really important since today’s hackers are getting very good at researching information about their prey. This configuration will help generate good answers to these questions without any relationship to reality.

The site is free, but they do note that the server that is running the application is not free, and they welcome donations.
​
Remember that all of these passwords need to be kept secure with good password management software such as 1Password, LastPass, and Dashlane.

Zoom has reversed its controversial decision to restrict access to end-to-end encryption (E2EE) for some users and will now offer the feature to customers of both its free and premium services.

The video conferencing app said it had consulted with rights groups, child safety advocates, government representatives, encryption experts, and its security council to gather feedback.

“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” the firm’s CEO Eric Yuan said in a recent blog post.
“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”

Users of the free service will be required to authenticate in a one-off process with information such as their phone number, for the platform to “reduce the mass creation of abusive accounts,” Yuan added.

The news came as rights groups, tech firms, and internet users petitioned the firm to reverse its policy on E2EE.

They argued that E2EE is too essential to be a premium feature, especially in the context of global protests against racial injustice and government oppression. The technology protects activists, journalists, and other vulnerable parts of the population from government repression and surveillance, as well as from cyber-criminals, they said.

Mozilla welcomed the news. The tech non-profit, which wrote an open letter to Zoom earlier in the week signed by tens of thousands of internet users, argued that E2EE should always be the default setting, not a luxury.

“We’re heartened that Zoom listened to consumers, especially at a time when millions of people are relying on the platform to stay connected amid the pandemic and to organize in support of Black lives,” it said in a statement.
​
“Zoom’s decision is part of an emerging trend: Consumers are demanding more of the technology products and services they use every day. And companies are changing their products to meet these demands.”

The potential jurors popped onto the screen one by one. They confirmed their names and told the judge how they were connecting to the court: on laptops, tablets, and iPhones.

There were some wireless issues and camera problems. Still, eventually, 26 Texans in separate boxes raised their hands for the judge and together swore the juror’s oath, beginning the experiment of conducting a civil jury trial entirely over Zoom.

The coronavirus pandemic has crippled courts nationwide, putting many cases on indefinite hold and leaving judges trying to manage some hearings via videoconferencing. The delays have kept some defendants in jail longer, exposing them to possible outbreaks. And the virus even upended how the Supreme Court operates, with the justices hearing oral arguments by phone for the first time in the court’s history.

The test jury-trial-by-video that was held in suburban Dallas recently could reveal a possible path forward in which jurors are kept safely distanced. At the same time, cases are allowed to proceed until the coronavirus threat has receded enough to resume some semblance of normal life.

It also raises complex questions about security, a person’s right to a fair trial, and whether virtual deliberation might prevent 12 people from forming the bonds needed to hash out justice.

“No one is saying tomorrow we’re going to start trying serious felonies over Zoom,” said District Judge Emily Miskel, who coordinated the technology for the trial. “But I think there are many civil trials where parties might agree that this is a good way to resolve it given the uncertainty of when you’re ever going to get an in-person civil jury trial.”

The Collin County court held the so-called summary trial – a one-day civil proceeding with a non-binding verdict – on Monday as an experiment in restarting parts of the justice system that ground to a halt because of the coronavirus. It was over a disputed insurance claim that was originally set to be heard in-person in March. According to the National Center for State Courts, which has tracked court functions during the pandemic, it’s the first remote jury trial ever in the United States.

Those involved seemed pleased with the process.

Jury selection was streamed live on YouTube, but most of the rest was private because summary trials are confidential civil proceedings meant to give the parties the option of settling before an actual trial.

During jury selection, lawyers for both sides asked people on the call to raise their hands in response to questions about potential bias. When a hand popped onto the screen, the lawyers would ask follow-ups or note the juror’s number.

Matthew Pearson, a San Antonio lawyer for the plaintiff, said the comfort of their homes seemed to make the jurors more responsive to questions. They were attentive as he presented evidence by sharing his computer screen over Zoom, Pearson said, and his firm saved money because it didn’t have to fly in an expert witness from Minneapolis.

“Overall, it was a better experience than I was expecting,” he said.

Deliberation proved a little more tricky.

The jurors were broken into two groups of six and put in separate virtual rooms where they could talk privately and look at the evidence in Dropbox folders. They ultimately returned two verdicts meant to give the parties more information to assess whether to go to trial.

At one point, things were delayed a few minutes when a juror who’d stepped away to make a phone call during a break couldn’t hear the judge calling him back to his computer. The same type of thing happens in the courthouse, Keith Dean, the retired judge who presided over the trial, told the others.

Miskel, the other judge, joined the deliberation “rooms” a few times to help jurors access evidence, which she said would normally cause attorneys to “freak out.” Typically, jurors send notes asking the judge for help, and a member of the staff goes into the jury room with pieces of evidence.

But lawyers worry that virtual deliberation cuts out the casual interaction among jurors that some see as essential to building group trust. And defense attorneys are especially skeptical of e-court for criminal cases, where they already struggle to speak privately with their clients during routine hearings held remotely.

“It would just be too difficult, too many constitutional hurdles to clear for a defendant to be brought to a virtual trial,” said Randy Gioia of Massachusetts’ public defender agency. “There is no substitute for an in-person, face-to-face three dimensional hearing with a judge.”

Security is a concern too. As tens of millions of people have turned to video conferencing to stay connected during the pandemic, hackers have derailed many calls with threats, bigoted comments, and pornographic images.

If more courts turn to video trials, ensuring people with poor or no wireless could serve as jurors would also be a challenge. Rare cases that require juries to be sequestered might have to take place in-person.

Even when cases do return to the courthouse, the virus may have changed things. Cross examinations will be different if attorneys and witnesses are wearing masks. And Miskel suggested courts might blend in-person and online – doing trials over video but bringing jurors to court to deliberate.

Dean reminded jurors at the start of the proceedings that the online setting made their duties no less important.
​
“The courthouse came to you,” he said.

This week, Senate Democratic Leader Chuck Schumer (D-NY), Sen. Todd Young (R-IN), Rep. Ro Khanna (D-CA), and Rep. Mike Gallagher (R-WI) unveiled the Endless Frontier Act (EFA).

This newsletter doesn’t usually cover new legislation, much less proposed bills. But EFA is an exception since it seeks to turbocharge American “discovery, creation, and commercialization of critical tech.” By that, the lawmakers mean every technology you read about in this newsletter. 

EFA’s core proposals. There are three principal parts to the proposed bill:

• Restructure the National Science Foundation into the National Science and Technology Foundation (NSTF)
• In the NSTF, stand up a Technology Directorate that receives $100 billion over five years and operates like DARPA
• Hand the Commerce Department $10 billion to invest across 10-15 regional tech hubs over five years

This is great news for U.S. universities and businesses because EFA would pad R&D budgets, establish new scholarships, and create cutting-edge labs and fabrication plants. 

What’s driving the frontier mindset? The private sector overtook Washington in R&D investment four decades ago. EFA’s sponsors want to expand the pool of capital so that all of Washington’s tech priorities are advanced in the U.S.

The other reason for EFA, which its sponsors explicitly call out: China. While Beijing’s bid for tech supremacy is better described as a “slow burn” rather than a “Sputnik moment,” the country’s tech industrial base is now a genuine contender with the U.S. There’s more to come: 

• China plans to invest $1.4 trillion in emerging tech over the next six years. 
• Chinese chipmaker SMIC recently announced a $2 billion investment from state-backed funds. 
• Tencent will spend $70 billion on tech infrastructure over the next five years. 
  ​
  

“The U.S. needs to pursue with all-of-the-above strategy and intensify efforts,” a person familiar with the legislation said in a recent interview.

As Bill of Schoolhouse Rock’s “I’m Just a Bill” could tell you, EFA may never see the light of day. But adding $$$ to tech R&D and accelerating the U.S.-China tech decoupling are bipartisan priorities.

Attackers can steal data from Thunderbolt-equipped PCs or Linux computers, even if the computer is locked and the data encrypted, according to security researcher Björn Ruytenberg (via Wired). Using a relatively simple technique called “Thunderspy,” someone with physical access to your machine could nab your data in just a few minutes with a screwdriver and “easily portable hardware,” he wrote.

Thunderbolt offers breakneck transfer speeds by giving devices direct access to your PC’s memory, which also creates several vulnerabilities. Researchers previously thought those weaknesses (dubbed Thunderclap), could be mitigated by disallowing access to untrusted devices or disabling Thunderbolt altogether but allowing DisplayPort and USB-C access.

However, Ruytenberg’s attack method could get around even those settings by changing the firmware that controls the Thunderbolt port, allowing any device to access it. What’s more, the hack leaves no trace, so the user would never know their PC was altered.

If you intend to use Thunderbolt connectivity, it is strongly recommended that you Connect only your Thunderbolt peripherals; never lend them to anybody; avoid leaving your system unattended while powered on, even when screen-locked; avoid leaving your Thunderbolt peripherals unattended; ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays; consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).

He developed something called an “evil maid attack,” referring to an attacker who gets physical access to a PC in a hotel room, for instance. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired. “All of this can be done in under five minutes.”

The attack only requires about $400 worth of gear, including an SPI programmer and $200 Thunderbolt peripheral. The whole thing could be built into a single small device. “Three-letter agencies would have no problem miniaturizing this,” Ruytenberg said.

Intel recently created a Thunderbolt security system called Kernel Direct Memory Access (DMA) Protection that would stop Ruytenberg’s Thunderspy attack. However, that protection is only available on computers made in 2019 and later, so it’s lacking in any models manufactured before that. Also, many PCs manufactured in 2019 and later from Dell, HP, and Lenovo aren’t protected, either. This vulnerability might explain why Microsoft didn’t include Thunderbolt in its Surface laptops.

Intel just released a blog post giving its perspective on the issue.

Apple computers running macOS are unaffected by the vulnerability unless you’re running Boot Camp, according to Ruytenberg.
​
The researchers disclosed the vulnerabilities to Intel on February 10th, 2020, and Apple on April 17th. To find out if you’re vulnerable, there is a verification tool called Spycheck. To protect yourself, you should “avoid leaving your system unattended while powered on, even if screen-locked,” Ruytenberg wrote, avoid using sleep mode and ensure the physical security of your Thunderbolt peripherals.

Given the level of concern many users have had with Zoom’s security and privacy, the company has been hard at work during the first two weeks of April to bring better control to its video conferencing software. The first changes transformed the safety profile of using its service, albeit with additional overhead for hosts and people joining meetings. On April 8, Zoom’s CEO, Eric Yuan, told NPR, “When it comes to a conflict between usability and privacy and security, privacy and security [are] more important–even at the cost of multiple clicks.”

Here is a synopsis of the recent changes.

Passwords required. All free-tier accounts, free upgraded education accounts, and single-host paid accounts now need a password. It’s generated automatically and may be changed but cannot be removed. This blocks access by those who obtain the meeting ID but not the password, and it prevents access through bots trying to join randomly generated meeting IDs in the reasonable hope of connecting to a password-free session.

Meeting ID hidden. The meeting ID no longer appears in the title bar of Zoom apps to prevent it from appearing in screen captures posted on social media or elsewhere.

Waiting Room enabled. By default, the Waiting Room feature is now enabled for all accounts, even those that previously had the option turned off. The Waiting Room puts participants who attempt to join the meeting into a holding position. The host must admit them. It’s fussy, and if it’s unnecessary in your environment, you can override the default on a per-meeting or per-host basis.

Meeting locks. With a click of the new Security button, hosts can lock a meeting at any point to prevent new participants from being added to the Waiting Room or joining directly. Another click unlocks the meeting.

Name change prevention. Hosts can prevent participants from changing the name that appears when they join or request to join a meeting. Some people—both unwanted visitors and students who thought it was funny—were changing their names to derogatory or abusive forms during meetings.

Domain contacts visibility. Zoom no longer treats every user with the same domain in their email address as belonging to the same organization. Previously, anyone with a given address could view account information or add everyone to their contacts who had the same domain, excluding some significant ISPs and mail hosts, like Gmail and iCloud. That feature is now disabled for free tier and paid single-host accounts, and must be enabled on higher-tier paid accounts.
​
Traffic routed through China. The paths that data travels is a political, regulatory, and business question, not just a technical one. Citizen Lab’s report revealed that Zoom was routing some traffic that didn’t involve any participants in China through servers in that country. Zoom explained that it was an error in load balancing, which seemed plausible given the quick scaling of operations it needed to have. The company said it made permanent changes to prevent data passing through Chinese servers from outside the country. A new feature for paid users starts April 18, and those users will be able to select which of several regions data may pass through. Free users are locked to data centers in the region from which they subscribed. Apart from concerns about China, some people outside the United States don’t trust the National Security Agency or other US intelligence groups.

For more than a decade, security experts have had discussions about what's the best way of choosing passwords for online accounts.

There's one camp that argues for password complexity by adding numbers, uppercase letters, and special characters, and then there's the other camp, arguing for password length by making passwords longer.

This week, in its weekly tech advice column known as Tech Tuesday, the FBI Portland office positioned itself on the side of longer passwords.

"Instead of using a short, complex password that is hard to remember, consider using a longer passphrase," the FBI said.

"This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."

The idea behind the FBI's advice is that a longer password, even if relying on simpler words and no special characters, will take longer to crack and require more computational resources.

Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password encryption.

Academic research published in 2015 supports this argument, explaining that "the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity]."

The FBI's advice echoes a now-infamous XKCD webcomic that made the concept of passphrases-over-passwords widely known among internet users.

Furthermore, NIST password recommendations issued in 2017 have also urged websites and web services to accommodate more extended password fields of up to 64 characters for this same reason – to let users choose passphrases instead of short passwords.
​
The same NIST guideline also recommended using passphrases over passwords when possible, a recommendation also picked up in a DHS security tip issued in November 2019, also urging users to give passphrases a try.

Apple’s new credit card has a curious security feature that will make it much more challenging to carry out credit card fraud.

The aptly-named Apple Card is a new credit card, built into your iPhone Wallet app, which the company says will help customers live a “healthier” financial lifestyle. The card is designed to replace your traditional credit card and give you perks, such as daily cash. Chief among the benefits is a range of security and privacy features, which Apple says – unlike traditional credit card providers – the company doesn’t know where a customer shopped, what they bought, or how much they paid.

But there’s one feature – a one-time unique dynamic security code – that will make it nearly impossible for anyone to use the credit card to make fraudulent purchases.

That three-digit card verification value – or a CVV – on the back of your credit card is usually your last line of defense if someone steals your credit card number, such as if your card is cloned or skimmed by a dodgy ATM or taken from a website through a phishing attack.

But rotating the security code will increase the difficulty for an attacker to use your card without your permission.

The idea of a dynamic credit card number first came about a few years ago with the Motion Code credit card concept, built by Oberthur Technologies, which included a randomly generating number built into a tiny display on the back of the card. The only downside is if someone steals your physical card.

Since then, other credit card makers – including Mastercard, the issuing payment provider for Apple Card – have worked to integrate biometric solutions instead. By enabling a fingerprint sensor on the card, powered by the card machine into which it is inserted, it was hoped that fraudulent purchases would be impossible. Other credit cards have worked to roll out biometric-powered credit cards. Again – a big letdown was online fraud, which still accounts for a vast proportion of fraud.

Apple Card seems to meld the two things: a virtual credit card with a rotating security code, protected by a biometric, like Touch ID or Face ID in newer devices. Better yet, the company’s debut physical titanium credit card won’t even have a credit card number.
​
Now, if someone wants to commit fraud, they need to steal your phone and your face or fingerprint.
Like other sensitive data – such as health, financial, and biometric data – any banking and credit card data is stored on the device’s security chip, known as the secure enclave.

For better and for worse, our lives have been revolutionized by the internet. But a new high-tech innovation known as 5G is set to transform everything once again.

The internet plays a pivotal role in our lives, thanks to broadband piped through our homes. But 'fifth generation' 5G will take this a giant step forward.

It will enable mobile phones to use wireless broadband that matches the best fiber optic speeds. We will be able to rip out old phone lines and internet cables that clutter the house – and instead use mobile reception for all our needs.

Experts believe 5G will lead to an explosion of new 'smart' gadgets that talk to our mobile phones through more reliable superfast signals – offering everything from fridge cameras that order groceries when the contents are running low, to robot chauffeurs that can take us around in a self-driving car.

The possibilities of this connection of gadgets – known as the ‘Internet of Things' (IoT) – seem almost limitless.

The 5G technology will start by making pin-sharp video phone calls the norm so we can ditch our landlines if we haven't already.

And with broadband download speeds of perhaps 200 Megabits per second (Mbps) – which is more than four times faster than the current average home broadband speed – the technology will also help us economize and be more secure.

Smartphone apps controlled by 5G will monitor our heating and lights – turning gadgets off when not needed – while providing 24-hour security with cameras viewed from our phones.

Get It to Everyone. But all of the good that is forecast for 5G will only happen when 5G is available to everyone.  In the UK, where 5G is moving more quickly than in the U.S., Ernest Doku, a technology expert at comparison website uSwitch, said, “5G has the potential to transform the way we live – but at this stage, it is no silver bullet as we still need to ensure everyone has access to the connection before it can change the world.”

Last year, it started was rolled out in several major cities though connectivity was still small and patchy. And you need an expensive new smartphone such as the Samsung Galaxy S10 to gain access.

So far, Apple devices cannot connect to the 5G network, and the revolution cannot begin in earnest until they do – which may happen when the latest iPhone models come out in September.

Beware New Malware. New 5G technology offers an exciting opportunity to improve our networks – but it also opens a new door for fraudsters.

One of the critical concerns is the threat of so-called ‘stingrays.’ This is where a criminal intercepts your mobile signal with a copycat aerial that tricks it into sharing encrypted identifying data about the phone.

Using this information, the fraudster knows what handset you are using, can track your exact whereabouts, and might even be able to hack into your phone operating system’s software.

Cybersecurity expert Colin Tankard, of Digital Pathways, said, “The public needs to be aware of the dangers of this new technology – and with more gadgets being hooked up to 5G, it increases the risk of problems if you should get hacked.”

Tankard believes those that embrace 5G must ensure they add a layer of security to their smartphones by downloading ‘virtual private network’ (VPN) software on to their handsets via an app and using a subscription service. 

Doku says: “Although it may be exciting to be among the first people to embrace this new technology, prices for 5G phones and access to the 5G network should both fall if you hold on for at least 12 months.”

Also, as a newbie, you may initially be disappointed as national coverage is still poor, and the number of gadgets connecting to 5G is limited.
​
But the potential for 5G to transform the way we live and manage our homes is really exciting.

In the UK, all Internet of Things (IoT) and smart consumer devices will need to adhere to specific security requirements, under new government proposals.

The legislation aims is to help protect citizens and businesses from the threats posed by cybercriminals increasingly targeting Internet of Things devices.

By hacking IoT devices, cybercriminals can build an army of devices that can be used to conduct DDoS attacks to take down online services, while poorly secured IoT devices can also serve as an easy way for hackers to get into networks and other systems across a network.

The proposed measures from the Department for Culture, Media and Sport (DCMS) have been developed in conjunction with the UK's National Cyber Security Centre (NCSC) and come following a consultation period with information security experts, product manufacturers and retailers and others.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people's privacy and safety," said Matt Warman, minister for digital and broadband at DCMS.

They also follow on from the previously suggested voluntary best practice requirements. Still, the legislation would require that IoT devices sold in the UK must follow three particular rules to be allowed to sell products in the UK. They are:

• All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
• Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability, and it will be acted on promptly.
• Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in-store or online.

It is currently unclear how these rules will be enforced under any future law. While the government has said that its "ambition" is to introduce legislation in this area, and said this would be done "as soon as possible," there is no detail on when this would take place. A DCMS spokesperson said that the department would be working with retailers and manufacturers as the proposals move forward.

Many connected devices are shipped with simple, default passwordswhich in many cases can't be changed. At the same time, some IoT product manufacturers often lack a means of being contacted to report vulnerabilities – especially if that device is produced on the other side of the world.

In addition to this, it's been known for IoT products to stop receiving support from manufacturers suddenly, and by providing an exact length of time that devices will be supported will allow users to think about how secure the product will be in the long-term.

If products don't follow these rules, the new law proposes that these devices could potentially be banned from sale in the UK.

"Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cybersecurity is built into these products by design," said Warman.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people's privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought," he added.

"Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed," said Nicola Hudson, Policy and Communications Director at the NCSC.

"It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past."
​
The UK isn't alone in attempting to secure the Internet of Things – ENISA, the European Union's cybersecurity agency, is also working towards legislation in this area. At the same time, the US government is also looking to regulate IoT to protect against cyber-attacks.