Long-time Slashdot reader schwit1 shares a report from The Intercept: The Heat Initiative, a nonprofit child safety advocacy group, was formed earlier this year to campaign against some of the strong privacy protections Apple provides customers. The group says these protections help enable child exploitation, objecting to the fact that pedophiles can encrypt their personal data just like everyone else. When Apple launched its new iPhone this September, the Heat Initiative seized on the occasion, taking out a full-page New York Times ad, using digital billboard trucks, and even hiring a plane to fly over Apple headquarters with a banner message. The message on the banner appeared simple: 'Dear Apple, Detect Child Sexual Abuse in iCloud' -- Apple's cloud storage system, which today employs a range of powerful encryption technologies aimed at preventing hackers, spies, and Tim Cook from knowing anything about your private files.

Something the Heat Initiative has not placed on giant airborne banners is who's behind it: a controversial billionaire philanthropy network whose influence and tactics have drawn unfavorable comparisons to the right-wing Koch network. Though it does not publicize this fact, the Heat Initiative is a project of the Hopewell Fund, an organization that helps privately and often secretly direct the largesse -- and political will -- of billionaires. Hopewell is part of a giant, tightly connected web of largely anonymous, Democratic Party-aligned dark-money groups, in an ironic turn, campaigning to undermine the privacy of ordinary people.

For an organization demanding that Apple scour the private information of its customers, the Heat Initiative discloses extremely little about itself. According to a report in the New York Times, the Heat Initiative is armed with $2 million from donors including the Children's Investment Fund Foundation, an organization founded by British billionaire hedge fund manager and Google activist investor Chris Cohn, and the Oak Foundation, also founded by a British billionaire. The Oak Foundation previously provided $250,000 to a group attempting to weaken end-to-end encryption protections in EU legislation, according to a 2020 annual report. The Heat Initiative is helmed by Sarah Gardner, who joined from Thorn, an anti-child trafficking organization founded by actor Ashton Kutcher. [...] Critics say these technologies aren't just uncovering trafficked children, but ensnaring adults engaging in consensual sex work. "My goal is for child sexual abuse images to not be freely shared on the internet, and I'm here to advocate for the children who cannot make the case for themselves," Gardner said, declining to name the Heat Initiative's funders. "I think data privacy is vital. I think there's a conflation between user privacy and known illegal content."

Meredith Whittaker, the president of the Signal Foundation, which maintains the nonprofit Signal messaging app, reaffirmed that Signal would leave the U.K. if the country's recently passed Online Safety Bill forced Signal to build "backdoors" into its end-to-end encryption. From a report: "We would leave the U.K. or any jurisdiction if it came down to the choice between backdooring our encryption and betraying the people who count on us for privacy, or leaving," Whittaker said. "And that's never not true." The Online Safety Bill, which was passed into law in September, includes a clause -- clause 122 -- that, depending on how it's interpreted, could allow the U.K.'s communications regulator, Ofcom, to break the encryption of apps and services under the guise of making sure illegal material such as child sexual exploitation and abuse content is removed.

Ofcom could fine companies not in compliance up to $22.28 million, or 10% of their global annual revenue, under the bill -- whichever is greater. Whittaker didn't mince words in airing her fears about the Online Safety Bill's implications. "We're not about political stunts, so we're not going to just pick up our toys and go home to, like, show the bad U.K. they're being mean," she said. "We're really worried about people in the U.K. who would live under a surveillance regime like the one that seems to be teased by the Home Office and others in the U.K."

For over 30 years the EFF has presented awards recognizing those "advancing innovation and championing digital rights," according to its web site, celebrating "the accomplishments of people working toward a better future... both in the public eye and behind the scenes."

This year's ceremony — hosted by Cory Doctorow — didn't just recognize Sci-Hub's founder. The EFF also gave its award for "Communications Policy" to the Signal Foundation — and its "Information Democracy" award to the Library Freedom Project.

From the Electronic Frontier Foundation web site: Since 2013, with the release of the unified app and the game-changing Signal Protocol, Signal has set the bar for private digital communications. With its flagship product, Signal Messenger, Signal provides real communications privacy, offering easy-to-use technology that refuses the surveillance business model on which the tech industry is built. To ensure that the public doesn't have to take Signal's word for it, Signal publishes their code and documentation openly, and licenses their core privacy technology to allow others to add privacy to their own products. Signal is also a 501(c)(3) nonprofit, ensuring that investors and market pressure never provides an incentive to weaken privacy in the name of money and growth. This allows Signal to stand firm against growing international legislative pressure to weaken online privacy, making it clear that end-to-end encryption either works for everyone or is broken for everyone — there is no half measure.

The Library Freedom Project (LFP) is radically rethinking the library professional organization by creating a network of values-driven librarian-activists taking action together to build information democracy. LFP offers trainings, resources, and community building for librarians on issues of privacy, surveillance, intellectual freedom, labor rights, power, technology, and more — helping create safer, more private spaces for library patrons to feed their minds and express themselves. Their work is informed by a social justice, feminist, anti-racist approach, and they believe in the combined power of long-term collective organizing and short-term, immediate harm reduction.

The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is "technically feasible" to do so, postponing measures that critics say threaten users' privacy. Financial Times: A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour bid by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users' security. The statement is set to outline that Ofcom, the tech regulator, will only require companies to scan their networks when a technology is developed that is capable of doing so, according to people briefed on the plan. Many security experts believe it could be years before any such technology is developed, if ever.

"A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content," the statement will say. The online safety bill, which has been in development for several years and is now in its final stages in parliament, is one of the toughest attempts by any government to make Big Tech companies responsible for the content that is shared on their networks.

An anonymous reader quotes a report from BleepingComputer: Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich. FIDO2 is the second major version of the Fast IDentity Online authentication standard, and FIDO2 keys are used for passwordless authentication and as a multi-factor authentication (MFA) element. Google explains that a quantum-resistant FIDO2 security key implementation is a crucial step towards ensuring safety and security as the advent of quantum computing approaches and developments in the field follow an accelerating trajectory.

To protect against quantum computers, a new hybrid algorithm was created by combining the established ECDSA algorithm with the Dilithium algorithm. Dilithium is a quantum-resistant cryptographic signature scheme that NIST included in its post-quantum cryptography standardization proposals, praising its strong security and excellent performance, making it suitable for use in a wide array of applications. This hybrid signature approach that blends classic and quantum-resistant features wasn't simple to manifest, Google says. Designing a Dilithium implementation that's compact enough for security keys was incredibly challenging. Its engineers, however, managed to develop a Rust-based implementation that only needs 20KB of memory, making the endeavor practically possible, while they also noted its high-performance potential.

The hybrid signature schema was first presented in a 2022 paper (PDF) and recently gained recognition at the ACNS (Applied Cryptography and Network Security) 2023, where it won the "best workshop paper" award. This new hybrid implementation is now part of the OpenSK, Google's open-source security keys implementation that supports the FIDO U2F and FIDO2 standards. The tech giant hopes that its proposal will be adopted by FIDO2 as a new standard and supported by major web browsers with large user bases. The firm calls the application of next-gen cryptography at the internet scale "a massive undertaking" and urges all stakeholders to move quickly to maintain good progress on that front.

"It was difficult to maintain a poker face when the leader of a big US tech firm I was chatting to said there was a definite tipping point at which the firm would exit the UK," writes a BBC technology editor: Many of these companies are increasingly fed up. Their "tipping point" is UK regulation — and it's coming at them thick and fast. The Online Safety Bill is due to pass in the autumn. Aimed at protecting children, it lays down strict rules around policing social media content, with high financial penalties and prison time for individual tech execs if the firms fail to comply. One clause that has proved particularly controversial is a proposal that encrypted messages, which includes those sent on WhatsApp, can be read and handed over to law enforcement by the platforms they are sent on, if there is deemed to be a national security or child protection risk...

Currently messaging apps like WhatsApp, Proton and Signal, which offer this encryption, cannot see the content of these messages themselves. WhatsApp and Signal have both threatened to quit the UK market over this demand.

The Digital Markets Bill is also making its way through Parliament. It proposes that the UK's competition watchdog selects large companies like Amazon and Microsoft, gives them rules to comply with and sets punishments if they don't. Several firms have told me they feel this gives an unprecedented amount of power to a single body. Microsoft reacted furiously when the Competition and Markets Authority (CMA) chose to block its acquisition of the video game giant Activision Blizzard. "There's a clear message here — the European Union is a more attractive place to start a business than the United Kingdom," raged chief executive Brad Smith. The CMA has since re-opened negotiations with Microsoft. This is especially damning because the EU is also introducing strict rules in the same vein — but it is collectively a much larger and therefore more valuable market.

In the UK, proposed amendments to the Investigatory Powers Act, which included tech firms getting Home Office approval for new security features before worldwide release, incensed Apple so much that it threatened to remove Facetime and iMessage from the UK if they go through. Clearly the UK cannot, and should not, be held to ransom by US tech giants. But the services they provide are widely used by millions of people. And rightly or wrongly, there is no UK-based alternative to those services.
The article concludes that "It's a difficult line to tread. Big Tech hasn't exactly covered itself in glory with past behaviours — and lots of people feel regulation and accountability is long overdue."

"Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography," writes Chrome's technical program manager for security, Devon O'Brien.

"Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success." As a step down this path, Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115. This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:

X25519 — an elliptic curve algorithm widely used for key agreement in TLS today
Kyber-768 — a quantum-resistant Key Encapsulation Method, and NIST's PQC winner for general encryption

In order to identify ecosystem incompatibilities with this change, we are rolling this out to Chrome and to Google servers, over both TCP and QUIC and monitoring for possible compatibility issues. Chrome may also use this updated key agreement when connecting to third-party server operators, such as Cloudflare, as they add support. If you are a developer or administrator experiencing an issue that you believe is caused by this change, please file a bug.
The Register delves into Chrome's reasons for implementing this now: "It's believed that quantum computers that can break modern classical cryptography won't arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today?" said O'Brien. "The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves." O'Brien says that while symmetric encryption algorithms used to defend data traveling on networks are considered safe from quantum cryptanalysis, the way the keys get negotiated is not. By adding support for a hybrid KEM, Chrome should provide a stronger defense against future quantum attacks...

Rebecca Krauthamer, co-founder and chief product officer at QuSecure, told The Register in an email that while this technology sounds futuristic, it's useful and necessary today... [T]he arrival of capable quantum computers should not be thought of as a specific, looming date, but as something that will arrive without warning. "There was no press release when the team at Bletchley Park cracked the Enigma code, either," she said.

British technology minister Michelle Donelan defended plans to require messaging apps to provide access to encrypted private messages when needed to protect children from abuse, which major platforms say would undermine the privacy of their users. From a report: Donelan told the BBC that the government was not against encryption, and the access would only be requested as a last resort, under Britain's Online Safety Bill which is expected to become law later this year. "I, like you, want my privacy because I don't want people reading my private messages. They'd be very bored but I don't want them to do it," said Donelan, minister for science, innovation and technology. "However, we do know that on some of these platforms, they are hotbeds sometimes for child abuse and sexual exploitation. And we have to be able access that information should that problem occur."

Speaking of SMSes, Google announced today it's making its Messages by Google app more secure with improvements to RCS, or Rich Communication Services -- a protocol aimed at replacing SMS and is more on par with the advanced features found in Apple's iMessage. From a report: The company says it will now make RCS the default for both new and existing Messages app users. In addition, end-to-end encryption for group chats is now fully rolled out to all RCS users. The latter had launched into an open beta earlier this year after earlier tests, but was not fully launched until now. With this update, all conversations between users in Messages, whether 1:1 or group chats, will now be kept private, Google says.

Since rolling out RCS to U.S. Android users in 2019, Google has been campaigning in an effort to pressure Apple into adopting the technology in its own messaging service, iMessage. It even launched a website last year to explain why RCS benefits consumers, noting "It's not about the color of the bubbles. It's the blurry videos, broken group chats, missing read receipts and typing indicators, no texting over Wi-Fi and more."

Federal regulators continued their crackdown against employees of Wall Street firms using private messaging apps to communicate, with 11 brokerage firms and investment advisers agreeing Tuesday to pay $549 million in fines. From a report: Wells Fargo, BNP Paribas, Societe Generale and Bank of Montreal were hit with the biggest penalties by the Securities and Exchange Commission and the Commodity Futures Trading Commission. Together, the brokerage and investment advisory arms of those four financial institutions accounted for nearly 90 percent of the fines, according to statements released by the regulators.

The latest round of fines adds to the nearly $2 billion in penalties against big Wall Street banks announced last year for similar violations. In all, the regulators have now penalized more than two dozen banks and investment firms for not properly policing employees use of "off channel" messaging services like WhatsApp, iMessage and Signal. The S.E.C. charged the financial institutions for failing to properly "maintain and preserve" all official communications by their employees. Federal securities laws require banks and investments firms to maintain records and make sure their employees are not conducting company business using unauthorized means of communication.

For storing passwords, Slashdot reader eggegick has a simple, easy solution: "I use Vim to keep my passwords in an encrypted file."

But what's the easiest solution for people who don't use Vim? My wife is not a Linux geek like I am, so she's using [free and open-source] KeePass. It's relatively simple to install and use, but I seem to recall it used to be even much simpler... Does anybody know of a really simple password manager or encrypting notepad?

I've looked at a number of them, and they use Java or Javascript, or they involve an external web site, or they have way too many features, or they use an installation program. Or Windows Defender objects to them.
Share your own suggestions and thoughts in the comments.

What's the best (encrypted) password manager?

An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation." The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a "critical" issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday's disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote. "They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft." He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service." In response, Microsoft officials wrote: "We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption." Microsoft went on to say that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required."

In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."

Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won't keep hold of users' personal data. From a report: The group, Cult of the Dead Cow, has developed a coding framework that can be used by app developers who are willing to embrace strong encryption and forsake revenue from advertising that is targeted to individuals based on detailed profiles gleaned from the data most apps now routinely collect. The team is building on the work of such free products as Signal, which offers strong encryption for text messages and voice calls, and Tor, which offers anonymous web surfing by routing traffic through a series of servers to disguise the location of the person conducting the search.

The latest effort, to be detailed at the massive annual Def Con hacking conference in Las Vegas next week, seeks to provide a foundation for messaging, file sharing and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments. Called Veilid, and pronounced vay-lid, the code can be used by developers to build applications for mobile devices or the web. Those apps will pass fully encrypted content to one another using the Veilid protocol, its developers say. As with the file-sharing software BitTorrent, which distributes different pieces of the same content simultaneously, the network will get faster as more devices join and share the load, the developers say. In such decentralized "peer-to-peer" networks, users download data from each other instead of from a central machine.

Slashdot reader storagedude writes: A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography.

That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations — announced last week — expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available.

"The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market," Newman writes. "It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

"I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."

And as encrypted data stolen now can be decrypted later, the potential for "harvest now, decrypt later" attacks "is a quantum computing security problem that's already here."

Monday a researcher with Google Information Security posted about a new vulnerability he independently found in AMD's Zen 2 processors. Tom's Hardware reports: The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000/4000/5000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via JavaScript on a webpage...

AMD added the AMD-SB-7008 Bulletin several hours later. AMD has patches ready for its EPYC 7002 'Rome' processors now, but it will not patch its consumer Zen 2 Ryzen 3000, 4000, and some 5000-series chips until November and December of this year... AMD hasn't given specific details of any performance impacts but did issue the following statement to Tom's Hardware: "Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment..."

AMD describes the exploit much more simply, saying, "Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."
The article includes a list of the impacted processors with a schedule for the release of the updated firmware to OEMs.

The Google Information Security researcher who discovered the bug is sharing research on different CPU behaviors, and says the bug can be patched through software on multiple operating systems (e.g., "you can set the chicken bit DE_CFG[9]") — but this might result in a performance penalty.

Thanks to long-time Slashdot reader waspleg for sharing the news.

A group of cybersecurity researchers has uncovered what they believe is an intentional backdoor in encrypted radios used by police, military, and critical infrastructure entities around the world. The backdoor may have existed for decades, potentially exposing a wealth of sensitive information transmitted across them, according to the researchers. From a report: While the researchers frame their discovery as a backdoor, the organization responsible for maintaining the standard pushes back against that specific term, and says the standard was designed for export controls which determine the strength of encryption. The end result, however, are radios with traffic that can be decrypted using consumer hardware like an ordinary laptop in under a minute. "There's no other way in which this can function than that this is an intentional backdoor," Jos Wetzels, one of the researchers from cybersecurity firm Midnight Blue, told Motherboard in a phone call.

The research is the first public and in-depth analysis of the TErrestrial Trunked RAdio (TETRA) standard in the more than 20 years the standard has existed. Not all users of TETRA-powered radios use the specific encryption algorithim called TEA1 which is impacted by the backdoor. TEA1 is part of the TETRA standard approved for export to other countries. But the researchers also found other, multiple vulnerabilities across TETRA that could allow historical decryption of communications and deanonymization. TETRA-radio users in general include national police forces and emergency services in Europe; military organizations in Africa; and train operators in North America and critical infrastructure providers elsewhere.

Google today announced its support for interoperable end-to-end encrypted communication between large messaging platforms, with plans to integrate the MLS protocol into Google Messages and Android. 9to5Google reports: Google says it is "strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms," which is presumably in reference to the European Union's Digital Markets Act. That regulation would require iMessage to be interoperable with other messaging platforms. To achieve this, Google says this interoperability requires "open, industry-vetted standards, particularly in the area of privacy, security, and end-to-end encryption." If not, end-to-end encrypted group messaging and other advanced features would be "impossible in practice." Specifically, "group messages would have to be encrypted and delivered multiple times to cater for every different protocol." [...]

Google says MLS would make possible "practical interoperability across services and platforms, scaling to groups of thousands of multi-device users." This could "unleash a huge field of new opportunities for the users and developers of interoperable messaging services that adopt it."; It is also flexible enough to allow providers to address emerging threats to user privacy and security, such as quantum computing. Google plans to build MLS into its Messages app, which offers E2EE 1:1 and group RCS chats today, and "support its wide deployment across the industry by open sourcing our implementation in the Android codebase." How RCS factors into this remains to be seen.

Apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken security if new proposals are made law and acted upon. From a report: The government is seeking to update the Investigatory Powers Act (IPA) 2016. It wants messaging services to clear security features with the Home Office before releasing them to customers. The act lets the Home Office demand security features are disabled, without telling the public.

Under the update, this would have to be immediate. Currently, there has to be a review, there can also be an independent oversight process and a technology company can appeal before taking any action. Because of the secrecy surrounding these demands, little is known about how many have been issued and whether they have been complied with. But many messaging services currently offer end-to-end encryption - so messages can be unscrambled by only the devices sending and receiving them.

An anonymous reader quotes a report from TechCrunch: The Biden administration has launched its long-awaited Internet of Things (IoT) cybersecurity labeling program that aims to protect Americans against the myriad of security risks associated with internet-connected devices. The program, officially named the "U.S. Cyber Trust Mark," aims to help Americans ensure they are buying internet-connected devices that include strong cybersecurity protections against cyberattacks. The Internet of Things, a term encompassing everything from fitness trackers and routers to baby monitors and smart refrigerators, has long been considered a weak cybersecurity link. Many devices ship with easy-to-guess default passwords and offer a lack of security regular updates, putting consumers at risk of being hacked.

The Biden administration says its voluntary Energy Star-influenced labeling system will "raise the bar" for IoT security by enabling Americans to make informed decisions about the security credentials of the internet-connected devices they buy. The U.S. Cyber Trust Mark will take the form of a distinct shield logo, which will appear on products that meet established cybersecurity criteria. This criterion, established by the National Institute of Standards and Technology (NIST), will require, for example, that devices require unique and strong default passwords, protect both stored and transmitted data, offer regular security updates, and ship with incident detection capabilities.

The full list of standards is not yet finalized. The White House said that NIST will immediately start work on defining cybersecurity standards for "higher-risk" consumer-grade routers, devices that attackers frequently target to steal passwords and create botnets that can be used to launch distributed denial-of-service (DDoS) attacks. This work will be completed by the end of 2023, with the aim that the initiative will cover these devices when it launches in 2024. In a call with reporters, the White House confirmed that the Cyber Trust Mark will also include a QR code that will link to a national registry of certified devices and provide up-to-date security information, such as software updating policies, data encryption standards and vulnerability remediation. Amazon and Best Buy are some of the first major U.S. retailers to have signed up for the initiative. Others include Cisco, Google, LG, Qualcomm and Samsung.

The U.S. Department of Energy also said it is working with industry partners to develop cybersecurity labeling requirements for smart meters and power inverters.

A bill requiring social media companies, encrypted communications providers and other online services to report drug activity on their platforms to the U.S. Drug Enforcement Administration (DEA) advanced to the Senate floor Thursday, alarming privacy advocates who say the legislation turns the companies into de facto drug enforcement agents and exposes many of them to liability for providing end-to-end encryption. From a report: The bipartisan Cooper Davis Act -- named for a Kansas teenager who died after unknowingly taking a fentanyl-laced pill he bought on Snapchat -- requires social media companies and other web communication providers to give the DEA users' names and other information when the companies have "actual knowledge" that illicit drugs are being distributed on their platforms.

Many privacy advocates caution that, if passed in its current form, the bill could be a death blow to end-to-end encryption services because it includes particularly controversial language holding companies accountable for conduct they don't report if they "deliberately blind" themselves to the violations. Officials from the DEA have spent several months honing the bill with key senators, Judiciary Committee Chairman Dick Durbin (D-IL) said Thursday. Providers of encrypted services would face a difficult choice should the bill pass, said Greg Nojeim, Senior Counsel & Director of Security and Surveillance Project at the Center for Democracy and Technology. "They could maintain end-to-end encryption and risk liability that they had willfully blinded themselves to illegal content on their service and face the music later," Nojeim said. "Or they could opt to remove end-to-end encryption and subject all of their users who used to be protected by one of the best cybersecurity tools available to new threats and new privacy violations."