TBR News May 25, 2018

May 25 2018

The Voice of the White House  

Washington, D.C. May 25, 2018: “The news that today President Trump has, again, changed his mind and is in favor of a meeting with North Korea is proof that President Trump is not behaving in a rational manner.

At first, he threatened North Korea with military action because of their testing of long range missiles.

Then he announced that he was willing to meet with the leader of that country to establish normal relations.

Then, for no reason, he claimed North Korea was nasty to him and dropped his participation in the scheduled meeting.

Now today, he has again changed his mind and announced he again wants the meeting.

This waffling has so concerned other world leaders that they are beginning to abandon any cooperation with the United States.

Vladimir Putin has been very quiet during all of this sturm und drang but he must be highly entertained at the unhinged antics of the mercurial, and undependable, American president.”

Table of Contents

  • On again? Trump says still chance of June 12 North Korea summit
  • Is US Bellicosity Backfiring?
  • Regime change in Iran could cost the US trillions
  • Threats “From the South” Prompt U.S. to Base Drones in Greece for the First Time
  • Sick & tired of US foreign policy, Germany is pushed into the open arms of China
  • Putin, Macron bond over shared unease at Trump’s actions
  • Babi Yar
  • New privacy law forces some U.S. media offline in Europe
  • Facebook and Google targeted as first GDPR complaints filed
  • Amazon’s Alexa records and shares private conversation
  • FBI says foreign hackers have compromised home router devices
  • In Apple Mail, There’s No Protecting PGP-Encrypted Messages
  • A century on, why are we forgetting the deaths of 100 million?
  • Secrecy News

On again? Trump says still chance of June 12 North Korea summit

May 24, 2018

by Roberta Rampton and Christine Kim


WASHINGTON/SEOUL (Reuters) – U.S. President Donald Trump said on Friday it was possible a planned summit with North Korea’s leader Kim Jong Un could still take place on June 12 as originally planned, just a day after he canceled the meeting citing Pyongyang’s “tremendous anger and open hostility.”

Trump welcomed the conciliatory statement from North Korea saying it remained open to talks after on Thursday he called off a summit with North Korea’s autocratic leader, Kim Jong Un.

“It was a very nice statement they put out,” Trump said as he left the White House to deliver a commencement address at the U.S. Naval Academy. “We’ll see what happens – it could even be the 12th.

We’re talking to them now. They very much want to do it. We’d like to do it.”

Earlier on Twitter, Trump had noted “very good news to receive the warm and productive statement from North Korea.”

After decades of tension on the Korean peninsula and antagonism with the United States over its nuclear weapons program, Kim and Trump agreed to meet in what would be the first meeting between a serving U.S. president and a North Korean leader. The plan followed months of war threats and insults from both leaders.

Trump scrapped the meeting on Thursday after repeated threats by North Korea to pull out of the summit in Singapore over what it saw as confrontational remarks by U.S. officials. Trump cited North Korean hostility in canceling the summit.

In Pyongyang, North Korean Vice Foreign Minister Kim Kye Gwan said North Korea’s recent criticisms of certain U.S. officials had been a reaction to unbridled American rhetoric and that the current antagonism showed “the urgent necessity” for the summit.

“His sudden and unilateral announcement to cancel the summit is something unexpected to us and we cannot but feel great regret for it,” Kim Kye Gwan said in a statement on state media.

He added that North Korea remained open to resolving issues with Washington “regardless of ways, at any time.”

North Korea had sharply criticized suggestions by Trump’s national security adviser, John Bolton, and Vice President Mike Pence that it could share the fate of Libya if it did not swiftly surrender its nuclear arsenal. Libyan leader Muammar Gaddafi was deposed and killed by NATO-backed militants after halting his nascent nuclear program.

Kim Kye Gwan said North Korea appreciated Trump for having made the bold decision to work toward a summit.

“We even inwardly hoped that what is called ‘Trump formula’ would help clear both sides of their worries and comply with the requirements of our side and would be a wise way of substantial effect for settling the issue,” he said, without elaborating.

Additional reporting by Doina Chiacu, David Brunnstrom and Matt Spetalnick in WASHINGTON, William Mallard and Nobuhiro Kubo in TOKYO and Ben Blanchard in BEIJING; Writing by Soyoung Kim and Doina Chiacu; Editing by Nick Macfie and Bill Trott


Is US Bellicosity Backfiring?

May 25, 2018

by Patrick J. Buchanan


U.S. threats to crush Iran and North Korea may yet work, but as of now neither Tehran nor Pyongyang appears to be intimidated.

Repeated references by NSC adviser John Bolton and Vice President Mike Pence to the “Libya model” for denuclearization of North Korea just helped sink the Singapore summit of President Trump and Kim Jong Un. To North Korea, the Libya model means the overthrow and murder of Libya strongman Col. Gadhafi, after he surrendered his WMD.

Wednesday, North Korean Vice Foreign Minister Choe Son Hui exploded at Pence’s invocation of Libya: “Vice-President Pence has made unbridled and impudent remarks that North Korea might end like Libya … I cannot suppress my surprise at such ignorant and stupid remarks.

“Whether the U.S. will meet us at a meeting room or encounter us at nuclear-to-nuclear showdown is entirely dependent upon the decision and behavior of the United States.”

Yesterday, Trump canceled the Singapore summit.

Earlier this week at the Heritage Foundation, Secretary of State Mike Pompeo laid out our Plan B for Iran in a speech that called to mind Prussian Field Marshal Karl Von Moltke.

Among Pompeo’s demands: Iran must end all support for Hezbollah in Lebanon, the Houthi rebels in Yemen, and Hamas in Gaza, withdraw all forces under Iranian command in Syria, and disarm its Shiite militia in Iraq.

Iran must confess its past lies about a nuclear weapons program, and account publicly for all such activity back into the 20th century.

Iran must halt all enrichment of uranium, swear never to produce plutonium, shut down its heavy water reactor, open up its military bases to inspection to prove it has no secret nuclear program, and stop testing ballistic missiles.

And unless Iran submits, she will be strangled economically.

What Pompeo delivered was an ultimatum: Iran is to abandon all its allies in all Mideast wars, or face ruin and possible war with the USA.

It is hard to recall a secretary of state using the language Pompeo deployed: “We will track down Iranian operatives and their Hezbollah proxies operating around the world and crush them. Iran will never again have carte blanche to dominate the Middle East.”

But how can Iran “dominate” a Mideast that is home to Turkey, Iraq, Saudi Arabia, Israel and Egypt, as well as U.S. forces in Afghanistan, Iraq, the Persian Gulf, the Arabian Sea and Syria?

To Iran’s east is a nuclear-armed Pakistan. To its west is a nuclear-armed U.S. Fifth Fleet and a nuclear-armed Israel. Iran has no nukes, no warships to rival ours and a 1970s air force.

Yet, this U.S.-Iran confrontation, triggered by Trump’s trashing of the nuclear deal and Pompeo’s ultimatum, is likely to end one of three ways:

First, Tehran capitulates, which is unlikely, as President Hassan Rouhani retorted to Pompeo: “Who are you to decide for Iran and the world? We will continue our path with the support of our nation.” Added Ayatollah Khamenei, “Iran’s presence in the region is our strategic depth.”

Second, Iran defies U.S. sanctions and continues to support its allies in Syria, Iraq, Lebanon, Yemen. This would seem likely to lead to collisions and war.

Third, the U.S. could back off its maximalist demands, as Trump backed off Bolton’s demand that Kim Jong Un accept the Libyan model of total and verifiable disarmament before any sanctions are lifted.

Where, then, are we headed?

While our NATO allies are incensed by Trump’s threat to impose secondary sanctions if they do not re-impose sanctions on Tehran, the Europeans are likely to cave in to America’s demands. For Europe to choose Iran over a U.S. that has protected Europe since the Cold War began and is an indispensable market for Europe’s goods would be madness.

Vladimir Putin appears to want no part of an Iran-Israel or U.S.-Iran war and has told Bashar Assad that Russia will not be selling Damascus his S-300 air defense system. Putin has secured his bases in Syria and wants to keep them.

As for the Chinese, she will take advantage of the West’s ostracism of Iran by drawing Iran closer to her own orbit.

Is there a compromise to be had?

Perhaps, for some of Pompeo’s demands accord with the interests of Iran, which cannot want a war with the United States, or with Israel, which would likely lead to war with the United States.

Iran could agree to release Western prisoners, move Shiite militia in Syria away from the Golan Heights, accept verifiable restrictions on tests of longer-range missiles and establish deconfliction rules for U.S. and Iranian warships in the Persian Gulf.

Reward: aid from the West and renewed diplomatic relations with the United States.

Surely, a partial, verifiable nuclear disarmament of North Korea is preferable to war on the peninsula. And, surely, a new nuclear deal with Iran with restrictions on missiles is preferable to war in the Gulf.

Again, we cannot make the perfect the enemy of the good.


Regime change in Iran could cost the US trillions

May 24, 2018

by William Hartung


(CNN) — Secretary of State Mike Pompeo’s speech this week on next steps in US policy toward Iran read more like a call to war than a carefully crafted foreign policy stance. So much so that the obvious next question is what it might cost if the Trump administration seeks to provoke regime change in Iran.

That’s tough to answer, since it depends entirely on how the Trump administration chooses to go about it, if it indeed chooses to go down that disastrous road. Pompeo’s threat to bring Iran to its knees with punishing economic sanctions clearly won’t get the job done, especially since the Trump administration has just alienated its most important potential partners by withdrawing from the Iran nuclear deal. Good luck getting France, or the United Kingdom, or Germany, much less Russia or China, to join in a campaign of maximum economic pressure on Tehran after the Trump administration has walked away from a painstakingly negotiated multilateral deal that was working to achieve its only stated objective — stopping Iran from developing a nuclear weapon.

Next-level steps could include supporting anti-regime groups like the Mujahadeen-e-Khalq (MEK), which was for many years on the US list of terrorist organizations. But its ability to win over influential supporters like John Bolton does not mean that the MEK has either the capacity or the support to overthrow the Iranian government. To think that an organization that the New York Times has rightly described as a “fringe dissident group” could overthrow the government of Iran is a fantasy.

Non-violent, internal opponents of the Iranian regime would most likely be hurt more than helped by overt US support. And the last time the US launched a coup in Iran — installing the Shah of Iran in place of the democratically-elected government of Mohammed Mossadeq in 1953 — the results were counterproductive, to put it mildly. Twenty-five years of dictatorship followed by the rise of an Islamic fundamentalist regime can hardly be called a foreign policy success.

So that leaves military action. A bombing campaign could kill thousands of Iranians, but it would be extremely unlikely to undercut Tehran’s ability to restart its nuclear weapons program, and might even accelerate that effort. Last but not least, as one analyst of the region has noted, a full-scale war against Iran would make the Iraq and Afghan conflicts look like “a walk in the park.”

It’s impossible to say with any level of precision what a US attempt to overthrow the Iranian government might cost, but our experience with Iraq offers some clues. Economic sanctions hurt millions of ordinary Iraqis. But Saddam Hussein was able to manipulate the shortages caused by sanctions to posture his regime as the sole source of sustenance for the population. As veteran journalist David Rieff noted in a detailed analysis of the 1990s sanctions regime, they “palpably failed to dislodge his [Saddam’s] government and in fact strengthened him politically.”

After sanctions failed to displace Hussein’s government, many proponents of regime change in Iraq placed their faith in Ahmed Chalabi and the Iraqi National Congress (INC), an exile group whose main achievement was to supply misleading intelligence about Iraq’s nuclear program. When backing Chalabi and the INC failed to undermine Saddam Hussein’s regime, the neoconservatives who populated the top ranks of the Bush administration pressed for an invasion.

Bush administration officials assured the American public that a war with Iraq would be cheap and easy, a “cake walk” that could cost as little as $50 to $60 billion. So far, as the Costs of War Project at Brown University has calculated, the post-9/11 wars pushed by George W. Bush and his advisors have cost $5.6 trillion, and counting — more than 100 times the Bush administration’s initial claims. More importantly, the wars have cost hundreds of thousands of lives on all sides, including an estimated 200,000 civilians. Is that the kind of regime change the Trump administration has in mind for Iran?

Bearing the Iraq example in mind, what would the different options for pursuing regime change in Iran cost?

The Trump administration’s ditching of the Iran nuclear deal has already cost Boeing a major airline sale to Iran worth $20 billion. The negative consequences of ratcheted up sanctions could cost the US economy billions more by causing a hike in global oil prices, higher prices at the gas pump and a possible reduction in domestic tourism and travel.

Funding internal opponents of the regime could cost an exorbitant amount over a multi-year period. And if unsuccessfully attempting to train 500 “moderate” Syrian fighters cost over $500 million, training a force to attack Iran could run to several billion or more. Lobbing dozens of cruise missiles at Iran to “send a message,” as Trump has done twice in Syria, could cost a few hundred million dollars.

A bombing campaign similar to the one waged against ISIS in Iraq and Syria would cost about $8.3 million a day, or about $3 billion per year. A major bombing campaign like the one inflicted on Iraq in the 1990s would run into the tens of billions. And, judging from the experience in Iraq, a full-fledged invasion could cost trillions, not to mention creating a level of chaos in the region that would make current conflicts worse even as new ones are sparked.

The underlying question, of course, is whether the Trump administration should seek to overthrow the Iranian government in the first place. From a security perspective, the answer should be a resounding no. If the administration is nonetheless determined to pursue such an option, the American public should at least be given a sense of what it might cost in both blood and treasure. But don’t hold your breath waiting for John Bolton, Mike Pompeo or anybody else in the Trump administration to give you a straight answer.


Threats “From the South” Prompt U.S. to Base Drones in Greece for the First Time

May 24, 2018

by Nick Turse

The Intercept

As part of its ongoing expansion of operations in and around Africa, the U.S. military has recently begun operating drones from a Greek airfield.

MQ-9 Reapers, the more advanced replacement for the venerable Predator drone, deployed last month to Larissa air base in eastern Greece near the Aegean Sea “on a temporary basis as they transition to a different location,” according to Auburn Davis, the chief of media operations for U.S. Air Forces in Europe and Air Forces Africa, who noted that the remotely piloted aircraft, or RPA, are unarmed and engaged in intelligence, surveillance, and reconnaissance missions known as ISR.

“This is the first time that ISR capabilities have been temporarily deployed to Greece,” Davis told The Intercept. Due to “operational security considerations,” the Air Force declined to release details about the missions for which they’ll be used beyond referencing “foreign policy security objectives in the region, specifically to address threats emanating from the south.” The Reaper drones are ordinarily based in Africa, according to Pentagon spokesperson Eric Pahon.

“The U.S. has previously deployed drones or drone operations support personnel to Italy and Tunisia to support operations over Libya. This deployment to Larissa, Greece, is also most probably in support of U.S. objectives in Libya, where the U.S. has for several years used drones to mitigate the threats posed by Islamic militant groups and to support local partners,” Dan Gettinger, co-founder and co-director of the Center for the Study of the Drone at Bard College, told The Intercept. The U.S. has conducted at least nine airstrikes in Libya since President Donald Trump took office.

The U.S. has also built an extensive network of airfields and bases across the northern tier of Africa, flying drones out of Djibouti, Cameroon, Tunisia, and Niger in recent years. The U.S. is currently expanding an air base in Agadez, Niger for more extensive operations by MQ-9 Reapers. As The Intercept first reported in 2016, Niger was the “only country in NW Africa willing to allow basing of MQ-9s,” according to formerly secret U.S. military documents. The documents went on to note: “President expressed willingness to support armed RPAs.” The temporary nature of the deployment “could be related to the fact that the opening of the U.S. drone base at Agadez, Niger, has faced delays,” Gettinger told The Intercept.

In its hunter-killer capacity, the Reaper can be armed with Hellfire air-to-ground missiles, laser-guided bombs, and joint direct attack munitions, or JDAMs: conventional “dumb” bombs that have been converted into guided “smart” bombs. In ISR operations, such as those to be launched from Greece, the MQ-9 can fly for up to 14 hours at altitudes of up to 50,000 feet, according to Air Force and Pentagon documents.

The deployment of U.S. drones to Greece was first reported by the To Vima, a local newspaper. According to their sources, Greece and the United States are relying on either a 1992 military cooperation agreement, “or one of 100 other bilateral agreements, as the legal basis for the stationing of the drones, without requiring approval from the Greek parliament.” The MQ-9 Reapers, according to Davis, “only transit through Greece on routes that have been approved by the Greece government.”

The tilt toward the Hellenic Republic comes at a time of strained relations between the U.S. and Greece’s neighbor and rival Turkey following the 2016 coup attempt by members of the Turkish military.

Earlier this year, top Greek military officials met with Gen. Tod Wolters, the commander of the U.S. Air Forces in Europe and Air Forces Africa, to discuss “further strengthening of our air force-to-air force relationship,” according to Geoffrey Pyatt, the U.S. ambassador to Greece. Just last week, while praising Greece’s military and emphasizing its partnership with U.S. armed forces, Pyatt said, “It’s been a path-breaking year in our military relationship.”

Larissa air base now joins other European locales, including Miroslawiec air base in Poland, Sigonella air base in Italy, and Incirlik air base in Turkey, among others, that host MQ-9 Reapers.


Sick & tired of US foreign policy, Germany is pushed into the open arms of China

May 25, 2018

by Darius Shahtahmasebi


Germany has had enough of American foreign policy. Angela Merkel’s visits to Russia and China are a testament to that.

On May 10, 2018, German Chancellor Angela Merkel openly said that Europe can no longer count on the United States to protect it, hinting that the European continent would begin to “take destiny into its own hands.”

The comments were, of course, a direct reference to US President Donald Trump’s ludicrous but anticipated decision to completely nuke the Iranian nuclear accord, also known as the Joint Comprehensive Plan of Action (JCPOA).

“It is no longer such that the United States simply protects us, but Europe must take its destiny in its own hands. That’s the task of the future,” Merkel reportedly said during a speech honoring French President Emmanuel Macron.

Eerily enough, approximately a year ago, Merkel offered almost the exact same sentiments, stating that Europe “really must take our fate into our own hands.”

In the weeks since, Merkel has certainly proved that this was no idle threat. The German chancellor has made trips to both Russia and China, and the outcomes of those meetings appear to suggest a complete restructuring of the balance of power in Europe and Asia respectively.

China and Germany see eye to eye

Just this Thursday, China has already said it would “open its door wider” to German businesses after giving Merkel a warm reception. Both China and Germany have a common interest in defeating Trump’s plan to kill trade surpluses that countries have with the United States, as they are both equally affected by Trump’s threats. Each time Trump opens his mouth, it seems that European and Asian businesses are instantly affected. Germany is the largest auto exporter to the US out of any European country, and is China’s biggest European trading partner which was worth $179 billion just last year alone.

Both Merkel and Macron tried their hand at persuading the Trump administration not to abandon the Iranian nuclear deal completely. The leaders even issued a joint statement with British Prime Minister Theresa May, someone whose hawkish attitude towards Iran should not go unnoticed. Not surprisingly, according to Reuters, German officials have said that “Trump’s ‘America First’ trade policy, his administration’s professed disdain for the World Trade Organization, as well as his withdrawal from the Iran nuclear deal, have pushed China and Germany into closer alignment.”

It is not clear if the Trump administration is that incompetent or if this is done on purpose, in full knowledge that its actions will only further isolate the United States on the world stage and push states that previously held more adversarial positions closer and closer together. If it is done on purpose, one has to wonder what sort of mindset is behind the leadership which is on a self-destruct mission, and how it expects to maintain its worldwide empire, all the while irking its traditional allies. It is quite clear that Trump’s decision to axe the Iran deal will only pave the way for China to take advantage of the financial opportunities flowing out of Iran if sanctions present a buffer to German interests. China has already been assisting Iran to out-maneuver US-led sanctions through, for example, the use of credit lines using the Yuan.

In that context, does Donald Trump want to contain China or empower it? You can only go so far serving the interests of Saudi Arabia and Israel while ignoring strong European states who would rather ink financial deals than turn Iran into a glass crater, a strong point of difference between Merkel and say, newly appointed US national security adviser John Bolton.

The lifting of sanctions on Iran already led to an increase in trade between Germany and Iran from €2.7 billion in 2014 to €3.5 billion last year. It is also worth noting that Iran will now start accepting euros for its oil in an attempt to not only avoid the US dollar, but in a move that will directly threaten it. This topic is probably best suited for another article, but it is definitely something worth keeping an eye on – and will most likely only bolster Germany’s resolve to protect Iran.

Either way, Germany and China have both agreed to stick to the Iran deal. Think for a second what this means: John Bolton openly warned European companies and countries against continuing business with Iran, stating that they could be targeted by sanctions. The newly appointed ambassador to Germany, Richard Grenell, also immediately warned Germany directly that German companies must halt their business activities with Tehran or face sanctions. The German-Chinese announcement also came just after Iran’s leader, Ayatollah Khamenei, issued a set of demands of its own, stating that the Europeans also could not be trusted.

Germany and China have essentially given the US the political middle finger in response, and arguably kowtowed to Iranian interests instead.

German-Russian relations to continue

Not too long ago, the US also warned Germany that sanctions may also target the German-Russia pipeline known as the Nord Stream 2 Project. If you ever needed proof that the underlying reasons for US-led wars were driven by money and natural gas, this is it. Why prevent Germany and Russia from working on this monumental project? Germany needs the gas, and Russia, relatively close-by, can supply it.

Despite the fact that the two countries continue to hold a number of disputes (including sanctions that continue to target Russia), Merkel’s meeting with Russian President Vladimir Putin demonstrates that it is still possible to meet with one’s counterpart and discuss those issues amicably, an idea that seems almost completely lost on the current Trump administration.

“If you want to solve problems, you have to talk to each other,” Merkel said alongside Putin midway through the talks.

One Russian presidential aide reportedly suggested that the meeting went ahead because the two world leaders now found themselves on the same page, stating that “when opinions coincide, then countries at the very least become a bit closer to one another.”

According to a senior German official with knowledge of the chancellery’s strategy, rapprochement with Russia is now a core policy objective in Berlin. Polls are already suggesting that Germans trust Russia under Putin more than they trust the United States under Trump. That is some amazing 4D chess President Trump is playing.

It is also worth noting that Germany did not participate in Trump, Macron, and Theresa May’s grandiose attack on Syria in April this year. Perhaps Germany is seeing less and less in common with the US, and has less of an intention of waging war to see its interests met, unlike the US, which apparently sees violence as the logical solution to all its problems.

Not to mention that – agitating Germany even further – in a recent cabinet meeting in Washington attended by NATO Secretary General Jens Stoltenberg, Trump singled out Germany as a country not contributing enough, all the while warning that countries allegedly not paying their dues will be “dealt with.”

Sheez. It should be no wonder that in this context, Germany has been secretly building a European Army of its own, already announcing the integration of its armed forces with Romania and the Czech Republic, baby steps to creating a European army under German leadership.


Putin, Macron bond over shared unease at Trump’s actions

May 25, 2018

by Michel Rose and Denis Pinchuk


ST PETERSBURG, Russia (Reuters) – Russian President Vladimir Putin and his French counterpart Emmanuel Macron on Friday found a common cause in their shared unease at U.S. President Donald Trump’s actions on Iran, climate change and international trade.

France is at odds with the Kremlin over its annexation of Crimea from Ukraine four years ago, and allegations that Moscow meddled in a French presidential election in support of one of Macron’s opponents.

But there were only fleeting signs of those differences when Macron met Putin at the St Petersburg International Economic Forum, an annual showcase for investment in Russia that the Russian leader hosts in his home town.

Instead, the two leaders focused on concerns about the future of a multinational deal on Iran’s nuclear program, now in jeopardy after Trump pulled the United States out of it.

Washington’s withdrawal from the pact raises the prospect that Russian or French companies doing business with Iran could be hit with unilateral U.S. sanctions.

Speaking at a question-and-answer session in front of an audience of business executives and Russian officials, Putin said the U.S. withdrawal was damaging and counter-productive.

He also railed against the United States applying its laws beyond its borders to punish foreign companies. “This is unacceptable and it has to end,” he said.

Macron, who had traveled to Washington in an unsuccessful bid to persuade Trump to keep faith with the Iran deal, did not explicitly criticize the U.S. leader.

He said he had a strong relationship with Trump, but he acknowledged there are “issues on which we have differences”.

He said he would try to convince Trump to return to talks about Iran’s nuclear program, and was also critical of Trump’s decision to move the U.S. embassy in Israel to Jerusalem, out of step with the stance of most European governments.

“That was not desirable,” Macron said, adding that the embassy move played a part in sparking fatal clashes between Palestinian protesters and Israeli security forces.


During the session, Macron sat alongside Putin, referred to him as “Dear Vladimir”, and the two men nodded in agreement with each other about a range of issues.

Macron said that Trump had, de facto, lost an international argument over the Paris climate change agreement because the international consensus in support of the accord had held, even though Trump had decided to exit the deal.

Trump’s administration last month imposed sanctions on a raft of major Russian companies. The step also hurt European and other international firms who had to cut off business ties with the sanctioned entities for fear of punitive action by Washington.

As he sat alongside Putin, Macron referred repeatedly to the need to establish “European financial sovereignty” – a jab at European economies’ reliance on the U.S. financial system.

He also arrived in St Petersburg with a large delegation of French business executives keen to sign deals with Russia, despite the new U.S. sanctions.

Putin accused the United States of undermining global trade rules by using sanctions as a weapon in its drive towards protectionism.

The Russian leader pointed to the presence of large numbers of foreign executives at the event as evidence that the U.S. sanctions were failing to achieve their aim.

Additional reporting by Tom Balmforth, Maria Tsvetkova and Vladimir Soldatkin in Moscow and Katya Golubkova in St Petersburg; Writing by Christian Lowe; Editing by Alison Williams

Babi Yar

May 25, 2018

by Germar Rudolf

Babi Yar is the name of a ravine situated just outside the city of Kiev, capital of the Ukraine. At the time that the events depicted below took place, Kiev was part of the USSR. In the early hours of June 22, 1941, the armed forces of the Third Reich streamed across its eastern border with the USSR, initiating a military conflagration codenamed Operation Barbarossa, a conflict that in terms of the numbers of fatalities, wounded, barbarities committed, human suffering, both military and civilian, and the scale and scope of its international implications, most probably has no equal in human history. Kiev fell to the German forces on September 19. Prior to evacuating the city the Soviet security services had left explosives in a number of buildings set to detonate between September 24 and 28. The buildings in which they had been placed were commandeered by the military administration and substantial casualties were sustained.

At a meeting which was attended by the military governor, the Higher SS and Police Leader, SS-Obergruppenführer Friedrich Jeckeln, the commanding officer of Einsatzgruppe C, SS-Brigadeführer Dr. Otto Rasch, and the commanding officer of Sonderkommando 4a, SS-Standartenführer Paul Blobel, it was decided that the appropriate response to this would be the elimination of the Jews of Kiev. They, needless to say, had absolutely nothing to do with the explosions. Sonderkommando 4a included Security Service (Sicherheitsdienst), Waffen-SS, and police battalion personnel. Other police battalions and Ukrainian auxiliary police were drafted to assist in the operation.

On September 28, the Germans posted a notice all over town that read:

All [Jews] living in the city of Kiev and its vicinity are to report by 8 o’clock on the morning of Monday, September 29th, 1941, at the corner of Melnikovsky and Dokhturov Streets (near the cemetery). They are to take with them documents, money, valuables, as well as warm clothes, underwear, etc.

Any [Jew] not carrying out this instruction and who is found elsewhere will be shot.

Any civilian entering flats evacuated by [Jews] and stealing property will be shot.

Beginning on September 29, the Jews of Kiev were assembled and marched to the vicinity of the ravine. Not far from its edge they were told to strip off their clothes and remove their valuables. In groups of ten they were marched to the edge, whereupon they were shot and fell into the Yar. The accepted estimate is that 33,771 Jews were executed in this manner.

Babi Yar continued to be an execution spot for many months subsequently. Jews from other parts of the Ukraine were brought there for execution. So too were Roma and Sinti, and Soviet prisoners of war. The Soviet authorities estimated that approximately 100,000 corpses lay strewn across the bed of Babi Yar. Beginning in July 1943 SS personnel were given the task of eliminating all evidence of the massacre. To achieve this the corpses were exhumed and burnt. The task of exhumation, moving and burning the corpses, was forced on inmates of the concentration camp Syretsk, 100 of whom were Jewish. Aided by landmoving machinery, the task was completed in six weeks. No trace, apparently, was left. With the exception of fifteen prisoners who knew what their ultimate fate was likely to be, and who escaped, the concentration camp inmates who had carried out this work were executed by the SS.

Although this method of eliminating Jews in areas occupied by the Germans post-June 22, 1941, was repeated on a massive scale by personnel of the Einsatzgruppen, various auxiliary forces, and police battalions in the occupied areas of the USSR, resulting in some 1.5 million Jewish dead, as well as the dead of members of other ethnic and national groups, the destruction of Kiev Jews at Babi Yar has come to symbolise the methods and incomprehensible barbarity of this phase of the Final Solution of the Jewish Question in Europe.

The Müller Reports

The Official German RSHA Daily Reports on the Action of all Einsatzgruppen engaged in Anti-Partisan Warfare on the Eastern Front 23 June 1941 through 21 May 1943 inclusive

The information in the following tables comes directly from twelve folders of IV A 1 Lagezimmer, which are the only surviving originals of Ereignismeldung UdSSR, Numbers 1-195 from 23 June 1941 through 24 April 1942 by CdS/Amt IV A1, and Meldungen aus den besetzten Ostgebieten, Numbers 1-55 between 1 May 1942 and 31 May 1943 by CdS Kommandostab. Copies of these important documents can be found in the U.S. National Archives, Rolls T-175 No’s 233 through 236, the Berlin Document Center in Berlin and the Institut für Zeitgeschichte in Munich.

With the invasion of Soviet Russia on 21 June 1941, Reinhard Heydrich, Chief of the RSHA instituted these reports into a comprehensive daily summary of the various daily reports submitted by the Einsatzgruppen and Einsatzkommandos. “Sammelmeldung UdSSR, Nr. 1” was prepared by SS-Gruppenführer Heinrich Müller, head of Amt IV, the Gestapo. They were classified as “Geheime Reichssache” or Secret State matters and circulated to a limited distribution list (at first 10 copies, then distribution was expanded successively.)

The only known copies of these daily summaries were from the IV A 1 Lagezimmer. A typical Ereignismeldung contains a list of Standorte of each HSSPF, KdS, Einsatzgruppe, Einsatzkommando, and Sonderkommando reporting, accounts of Bandenbekämpfung operations, including the shooting of Jews and Soviet Political Commissars, and reports on political and economic conditions much like those to be found in standard SD reports.

Since a great deal of fictional data has been presented concerning the number of Jews who died as a result of interactions with the Einsatzgruppen and their subgroups, it is instructive to study all of these daily, highly classified reports, and set down the actual numbers of the casualties on the Soviet Russian side. It is clearly obvious from reading through these over 4,000 pages of detailed reports that Jews were singled out for murder both because they were Jews but also because they were basically allied with the Soviet Partisan movement and were killed in combat with German security units.

It should be noted that these Müller reports were classified as highly secret and had a very limited circulation within the organs of the Third Reich. As Müller was noted for his accuracy and thoroughness, it is not possible that he invented these figures in the event that future scholars would be misled by their contents.

Very often numbers of Communist party officials and the dreaded Commissars were executed by the SD units when they were captured. As there were a significant number of Jews in these organs, it has been impossible to differentiate between the makeup of the totals. The reports of executions were, in a number of cases, marked: Execution of Communist officials and Jews.

The following several examples of messages are from the Einsatzgruppen Reports.

The number of the report and the date will be noted with each excerpt. The Einsatzgruppen reported on their activities to their respective headquarters which sent the information to Berlin. There the RSHA compiled concise reports in the name of the Chief of Sipo and the SD. Copies were distributed to high-ranking army, police and SS officers, diplomats, members of the foreign office and even to industrialists as they related to economic factors in the Soviet territories. The Einsatzgruppen Reports were discovered by the U.S. Army in Gestapo headquarters in Berlin after the war. They were initially impounded by a research analyst attached to the Berlin branch of the Office of the Chief of Counsel for War Crimes. They were sealed and transported in the custody of the US Army to Nuremberg. During the first days of the Einsatzgruppen Trial, the authenticity of the reports was established beyond doubt and none of the German defendants challenged their validity.

After the trial, the original reports were sent to the National Archives in Washington, DC. In 1960 they were given to the Bundesarchiv in Koblenz. Photocopies of all the reports remain in the National Archives, the Bundesarchiv in Koblenz, the Institute for Contemporary History in Munich and at Yad Vashem in Jerusalem.

Examples of the Einsatzgruppen Reports

Operational Situation Report USSR No. 17


According to instructions by RSHA, liquidations of government and party officials, in all named cities of Byelorussia, were carried out. Concerning the Jews, according to orders, the same policy was adopted. The exact number of the liquidated has not as yet been established.

Operational Situation Report USSR No. 19


In Kaunas, up to now a total of 7,800 Jews have been liquidated, partly through pogroms and partly through shooting by Lithuanian Kommandos. All of the corpses have been removed. Further mass shootings are no longer possible.  Therefore, I summoned a Jewish committee and explained that up to now we had no reason to interfere with the internal arrangements between the Lithuanians and the Jews.

Operational Situation Report USSR No. 106


In agreement with the city military command, all the Jews of Kiev were ordered to appear at a certain place on Monday, 29 September, by 6 o’clock. This order was publicized by posters all over the town by members of the newly organized Ukrainian militia. At the same time, oral information was passed that all the Jews of Kiev would be moved to another place. In cooperation with the HQ of the Einsatzgruppen and two Kommandos of  Police Regiment South, Sonderkommando 4a executed 33,771 Jews on September 29 and 30.

[NOTE: This took place outside of Kiev and is known, post-war as the so-called Babi Yar massacre.]


New privacy law forces some U.S. media offline in Europe

May 25, 2018


LONDON (Reuters) – Major U.S. media outlets including the LA Times and Chicago Tribune were forced to shutter their websites in parts of Europe on Friday following the rollout of stringent new privacy regulations by the European Union.

The European Union General Data Protection Regulation (GDPR) came into effect on Friday, forcing companies to be more attentive to how they handle customer data with severe penalties for breaching consumers’ privacy rights.

Privacy advocates have hailed the new law as a model for personal data protection in the internet era. But opponents say the new rules are overly burdensome and have warned of costly business disruption.

By mid-morning, European readers trying to access the websites of media outlets owned by the U.S. Tronc publishing group were greeted by a message saying they were “unavailable in most European countries.”

The message did not explicitly name the reason for the problem but included “GDPR” in the redirected web page address.

Tronc, headquartered in Chicago, owns some of America’s biggest newspapers, including the LA Times, Chicago Tribune, New York Daily News and Baltimore Sun.

“We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market,” said the error message displayed in response to attempts to access the LA Times website in London and Brussels.

“We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”

Reporting by Jack Stubbs; Editing by Douglas Busvine/Keith Weir


Facebook and Google targeted as first GDPR complaints filed

Users have been forced into agreeing new terms of service, says EU consumer rights body

May 25, 2018

by Alex Hern

The Guardian

Facebook and Google have become the targets of the first official complaints of GDPR noncompliance, filed on the day the privacy law takes effect across the EU.

Across four complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argues that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given.

Max Schrems, the chair of Noyb, said: “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button – that’s not a free choice, it more reminds of a North Korean election process.”

If upheld, the complaints could result in more than £3bn in fines for each company – the maximum possible under the new law being the higher of €20m (£17.5m) or 4% of an organisation’s annual revenue.

The complaints, filed on behalf of unnamed users of the sites, were sent to Facebook’s Irish headquarters and Google’s home in Mountain View, California.

In a statement, Google said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU general data protection regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”

Facebook’s chief privacy officer, Erin Egan, told the Guardian: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on 25 May. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”

A Noyb spokesman said: “We are confident that these first complaints will trigger an immediate response by the EU data protection supervisory mechanism and that the relevant supervisory authorities will carry out a robust and in-depth investigation into the particular circumstances of the complaints.

“What we are expecting is a strong, clear and determined decision, which will not hesitate, in case of an infringement, to hold companies accountable and subject them to the strict fines the new legislation foresees, as well as provide further guidance on the practical implementation of the GDPR requirements, set an example for other companies seeking to, directly or indirectly, negate data subjects’ consent, and will ultimately uphold users’ fundamental right to the protection of their personal data.”

The issue at stake is whether the processing of data for targeted advertising can be argued to be necessary for the fulfilment of a contract to provide services such as social networking or instant messaging, Noyb argued. If not, then that processing requires separate consent, which the user must be able to decline.

“In our view, these companies sought to tie consent to such (unnecessary) processing purposes and operations in their terms and then asked data subjects to ‘take it or leave it’,” the spokesman said. “Considering the powerful position these companies have and the consequent pressure the data subject is put under, to agree to irrelevant processing/advertising purposes, we believe that any such consent obtained should be considered invalid.”

Schrems has a history of holding Silicon Valley to account. In October 2015, the Austrian privacy campaigner won a two-year legal fight to rule that data transfer to the US was not allowed under a pre-existing “safe harbour” agreement, since American laws provided inadequate protection for EU citizens’ data, particularly with regards to state surveillance.

Amazon’s Alexa records and shares private conversation

The US tech giant has said a series of miscues picked up by its voice-activated Echo speakers prompted the device to record a US couple’s private conversation and then send it to an acquaintance without their knowledge.

May 25, 2018

by Uwe Hessler (with material from Bloomberg News)


Amazon confirmed the mishap in a statement on Thursday, saying an “unlikely” string of events prompted its Echo personal assistant device to record the family’s private conversation and then send it out.

“As unlikely as this string of events is, we are evaluating options to make this case even less likely,” the company said.

On Wednesday, a woman in Portland, Oregon, told KIRO-TV that two weeks ago an employee of her husband had contacted them to say he thought their device had been hacked. He told them he had received an audio file of them discussing hardwood floors, she said.

“I felt invaded,” the woman, identified only by her first name, Danielle, told the station. “A total privacy invasion. Immediately I said, ‘I’m never plugging that device in again, because I can’t trust it.'”

The Portland couple used Amazon’s voice-activated devices throughout their home to control heat, lights and security. The family unplugged the devices and contacted Amazon after they had learned the recording had been sent.

Watch your words (in the presence of Alexa)

In its statement, the US tech giant said the conversation had been inadvertently recorded and sent because the Echo device interpreted a word in the background conversation as “Alexa” — a command that triggers recording.

The speaker later heard “send message” during the conversation, at which point the device asked, “to whom?” The pair continued talking in the background and the Echo system interpreted part of the chat to identify a name in the couple’s contact list. Alexa then asked aloud if they wanted to send a message to that contact and heard “right” in more background conversation.

The report invigorated privacy concerns as online devices like the Amazon Echo become omnipresent in homes. Amazon in 2014 introduced the new line of devices, which can also stream music and order goods from Amazon via voice command.

Ryan Calo, an associate law professor at the University of Washington, said the incident was alarming since a private conversation had been recorded and sent to a third party.

“Think about how uncomfortable the millions of people who own these things now feel,” Calo told Bloomberg News. “The real harm is the invasion into solitude people now experience in their homes.”

Not so smart homes

Amazon and rivals Apple, Google and Sonos have been pushing to integrate voice technology into all kinds of devices in the home, from speakers to cameras, thermostats and doorbells. The Seattle, Washington-based company recently unveiled a partnership with homebuilder Lennar to showcase its technology in model homes, dubbed “Amazon Experience Centers.”

According to market research group eMarketer, more than 60 million US consumers will use a smart speaker at least once a month this year, with more than 40 million of them using Amazon’s devices.

The incident highlights the risk that inadvertent software bugs or intentional hacks can invade privacy as devices with sensors become more commonplace. Last year, a glitch was discovered in some Google Home Mini speakers that allowed the devices to constantly record, even if they had not been activated.

Some manufacturers are responding to consumers’ privacy concerns by building devices that have physical switches to turn off sensors such as cameras and microphones.


FBI says foreign hackers have compromised home router devices

May 25, 2018

by Sarah N. Lynch


WASHINGTON (Reuters) – The FBI warned on Friday that foreign cyber criminals had compromised “hundreds of thousands” of home and small office router devices around the world which direct traffic on the internet by forwarding data packets between computer networks.

In a public service announcement, the FBI said it has discovered that the foreign cyber criminals used VPNFilter malware that can collect people’s information, exploit their devices and also block network traffic.

The announcement did not provide any details about where the criminals might be based, or what their motivations could be.

“The size and scope of the infrastructure by VPNFilter malware is significant,” the FBI said, adding that it is capable of rendering people’s routers “inoperable.”

It said the malware is hard to detect, due to encryption and other tactics.

The FBI urged people to reboot their devices to temporarily disrupt the malware and help identify infected devices.

People should also consider disabling remote management settings, changing passwords to replace them with more secure ones and upgrading to the latest firmware.

Reporting by Sarah N. Lynch; Editing by David Gregorio


In Apple Mail, There’s No Protecting PGP-Encrypted Messages

May 25 2018

by Micah Lee

The Intercept

It’s been nearly two weeks since a group of European researchers published a paper describing “EFAIL,” a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. And developers of email clients and encryption plugins are still scrambling to come up with a permanent fix.

Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. The day the EFAIL paper was published, GPGTools instructed users to work around EFAIL by changing a setting in Apple Mail to disable loading remote content.

Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was “easy to mitigate” by disabling the loading of remote content in GPGTools.

But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL. I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Böck also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.

If you’re an Apple Mail user who relies on PGP-encrypted email, and completely disabling PGP for the time-being, like the Electronic Frontier Foundation recommends, isn’t an option for you, then your best course of action is to temporarily stop using Apple Mail and switch to Thunderbird, at least until GPGTools releases an update that fixes this issue.

Thunderbird is an open source email client that works on Macs, and the latest version of the Enigmail plugin, which adds PGP support to Thunderbird, successfully mitigates the EFAIL attack, at least as far as is publicly known. If you’re using Thunderbird, you should also configure it to only view emails in plaintext format instead of HTML format. Disabling HTML in your email will prevent most, or maybe all, future variants of this attack from working against you. You can do this by clicking View > Message Body As > Plain Text.

Unfortunately, Apple Mail does not have an option to disable viewing HTML emails.

Two Weeks of EFAIL History

In a nutshell, the EFAIL attack works like this: First, the attacker needs a copy of a message that’s encrypted to your public key. They could get this by hacking your email account, hacking your email server, compelling your email provider to hand it over with a subpoena or National Security Letter, intercepting it while spying on the internet, or other ways. PGP was specifically designed to protect against this — the promise of PGP is that even attackers with copies of your encrypted messages can’t decrypt them, only you can. When you receive an email that’s encrypted to your public key, your email client automatically uses your secret key to decrypt it so that you can read it. The EFAIL researchers discovered that they could craft a special email that secretly includes a stolen encrypted message within it, and then send it to you. When you receive the malicious email, your email client uses your secret key to automatically decrypt the pilfered message within the malicious email, and then sends a decrypted copy of the stolen message back to the attacker, for example through a web request to load an image into the email.
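A defender-side check for the message layout described above, as an added example that is not from the original article or the EFAIL paper: it walks a message's MIME tree and flags OpenPGP ciphertext that arrives embedded beside HTML parts, especially HTML that references remote URLs. The function names, verdict labels and both sample messages are constructed for illustration; example.org and collector.example are placeholders.

```python
import re
from email import message_from_string
from email.message import Message

ARMOR = "-----BEGIN PGP MESSAGE-----"
# HTML attributes that make a client fetch a remote URL when the part is rendered.
REMOTE_REF = re.compile(r"""(?:src|href|background|action)\s*=\s*["']?\s*https?://""", re.I)


def leaf_text(part: Message) -> str:
    """Decode a non-multipart part to text, tolerating unknown charsets."""
    raw = part.get_payload(decode=True) or b""
    try:
        return raw.decode(part.get_content_charset() or "utf-8", "replace")
    except LookupError:
        return raw.decode("latin-1")


def walk(part: Message, depth: int, seen: dict) -> None:
    """Record where ciphertext and HTML sit in the MIME tree."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":   # regular PGP/MIME container (RFC 3156)
        seen["cipher_depths"].append(depth)
        return                            # its children are not counted again
    if part.is_multipart():
        for child in part.get_payload():
            walk(child, depth + 1, seen)
        return
    text = leaf_text(part)
    if ARMOR in text or ctype == "application/pgp-encrypted":
        # Armor inside an HTML leaf counts as embedded even at the root.
        seen["cipher_depths"].append(max(depth, 1) if ctype == "text/html" else depth)
    if ctype == "text/html":
        seen["html_parts"] += 1
        if REMOTE_REF.search(text):
            seen["remote_refs"] += 1


def audit(raw_message: str) -> dict:
    """Classify a raw RFC 5322 message by where its ciphertext sits."""
    seen = {"cipher_depths": [], "html_parts": 0, "remote_refs": 0}
    walk(message_from_string(raw_message), 0, seen)
    embedded = any(d > 0 for d in seen["cipher_depths"])
    if not seen["cipher_depths"]:
        seen["verdict"] = "no-ciphertext"
    elif embedded and seen["remote_refs"]:
        seen["verdict"] = "high-risk"      # ciphertext wrapped with remote-loading HTML
    elif embedded and seen["html_parts"]:
        seen["verdict"] = "suspicious"     # ciphertext wrapped with HTML
    elif embedded:
        seen["verdict"] = "nonstandard"    # ciphertext is only one part of the mail
    else:
        seen["verdict"] = "standard"       # ciphertext is the whole message
    return seen


# Constructed sample: ciphertext placed between HTML parts of a multipart/mixed mail.
WRAPPED_SAMPLE = """\
From: sender@example.org
To: recipient@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Quarterly figures below.</p><img src="http://collector.example/pixel.png">
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1
Content-Type: text/html

<p>Regards</p>
--b1--
"""

# Constructed sample: an ordinary PGP/MIME message, encrypted container at the root.
PGP_MIME_SAMPLE = """\
From: sender@example.org
To: recipient@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="e1"

--e1
Content-Type: application/pgp-encrypted

Version: 1
--e1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--e1--
"""

if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED_SAMPLE), ("pgp-mime", PGP_MIME_SAMPLE)):
        print(name, audit(sample))
```

A "nonstandard" or "suspicious" verdict is a triage signal rather than proof, since mailing-list software and forwarding can produce the same layout.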

On May 14, the research team behind EFAIL published its paper. At that point, both Thunderbird with Enigmail and Apple Mail with GPGTools were vulnerable for users who were using the default settings.

That day, EFF published a blog post stating that the proof-of-concept exploit provided in the EFAIL paper “is only one implementation of this new type of attack, and variants may follow in the coming days” and that “EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now.” This advice — to uninstall PGP software until the situation is resolved — caused a controversy in the digital security world. Non-profits in this space pushed back against EFF’s stance, like in this blog post from Privacy International and in this blog post from the ACLU. (In my opinion, both sides make good points, but more on that below. Also, I worked previously at EFF.)

Also on May 14, GPGTools tweeted instructions to work around the vulnerability: disable loading remote content in emails. While this at first appeared to mitigate the problem, in reality it didn’t. Like EFF predicted, GPGTools is still vulnerable to a variant of the EFAIL exploit, as my exploit demonstrates.

On May 16, Enigmail released an update that mitigated the EFAIL vulnerability — only it turns out, this mitigation didn’t work either. The following day, Böck, the German security researcher, tweeted that he found a “trivial bypass” in Enigmail’s new version, and he disclosed his bypass to the Enigmail developers so they could fix it.

On May 21, Enigmail released yet another update to mitigate EFAIL. On Twitter, Böck confirmed that this new version actually prevents his exploit from working, adding that “I’m still not happy with the mitigations” and “disabling HTML mail is still a good idea.”

My GPGTools Exploit

I personally know many journalists, free software developers, and activists around the world that rely on Apple Mail and GPGTools for encrypted email on a daily basis. So I decided to write my own EFAIL exploit against Apple Mail. My initial exploit, which I announced on May 15, worked only if the user clicked the “Load Remote Content” button.

Later, I became curious if Böck’s technique to bypass Enigmail’s initial EFAIL fix would work against Apple Mail and GPGTools even with the suggested mitigations. After Enigmail released a patch, he agreed to privately share his technique with me.

It took me about 10 minutes to modify my initial exploit to work against Apple Mail and GPGTools as well, even when remote content is disabled. As soon as I confirmed that my exploit worked, and recorded a little video showing it working, I disclosed this vulnerability to the GPGTools developers in order to make sure that whatever update they’re working on will block this variant of the attack as well. (Since creating the video, I have discovered a separate simple variant of the EFAIL attack that also works against GPGTools with remote content disabled.)

Hopefully GPGTools will release an update soon that fixes this issue. But because the details of the EFAIL vulnerabilities have been public for weeks, and because this and related exploits are relatively simple, and it’s likely that others have already discovered them, we decided that it’s in the public interest to warn Apple Mail PGP users sooner rather than later that there is currently no available mitigation to EFAIL. This is especially true when some security experts are falsely claiming that disabling remote content in Apple Mail will mitigate the problem, such as in the statement co-signed by Zimmermann, which was also co-signed by the founders of Enigmail, the encrypted email service ProtonMail, and Mailvelope, a browser add-on for encrypted webmail.

One difference between this EFAIL variant and the proof-of-concept that the researchers published in their paper is that the user needs to click something to get exploited. “I think a lot of non-expert users do things like click on links they receive from trusted senders,” said Matthew Green, a cryptography professor at Johns Hopkins University. “They should feel comfortable and safe doing that, and they shouldn’t have to worry about losing their data to an attacker.” He expects that people could find more EFAIL exploits in email clients.

This EFAIL variant is “pretty serious in the sense that one click means you lose the very thing that PGP is supposed to protect,” EFF international director Danny O’Brien said, “and there’s nothing you can do to defend against it — apart from remembering never to click anything in email ever again.”

Even with Enigmail updates, EFF isn’t confident that PGP is safe to rely on again yet, but it’s getting safer. “I want to stress that everybody in the PGP ecosystem has been working on this problem, and every day exploiting EFAIL gets harder,” O’Brien said. “Two weeks ago, you didn’t need to click for EFAIL to work. With the latest updates to Enigmail and Thunderbird, security researchers like Hanno [Böck] can still trigger it — but it takes more social engineering than just a single click.” He added that donating to projects like GPGTools and Enigmail would help too because, “These people are almost all volunteers.”

You Think PGP Has Problems? S/MIME is Much Worse Off

Before I go into more details about EFAIL and how it affects the PGP ecosystem, I want to take a moment to discuss S/MIME, a different encrypted email standard that is far more vulnerable to attacks described in the EFAIL paper than PGP is, and that also presents more obstacles to mitigation.

Unlike PGP, which is decentralized and uses a model called “web of trust” where users deal with key management and identity verification themselves, making  PGP notoriously confusing, S/MIME uses “certificate authorities,” where an organization (like your employer) centrally manages identity verification for its users, making S/MIME ideal for deploying encrypted email to large organizations.

S/MIME is widely deployed in banks, major corporations, and government agencies around the world, including the U.S. Department of Defense. It’s built-in to all major email clients, including Outlook and the default email apps on macOS, iOS, and Android, without requiring a plugin. At the time of writing, as far as I can tell, no email clients have released an update that mitigates EFAIL for S/MIME, leaving all S/MIME users currently vulnerable to these attacks.

The reason I’m focusing primarily on PGP instead of S/MIME is because it’s what I and the communities I work with have been using for years.

Why Didn’t GPGTools and Enigmail Fix EFAIL Vulnerabilities Months Ago?

EFAIL has demonstrated how bad the encrypted email ecosystem is at responding to vulnerabilities in a timely manner. According to this timeline compiled by security researcher Thomas Ptacek, Enigmail was first notified about the EFAIL research in November 2017 and GPGTools was first notified in February 2018. Yet by May 14, when the researchers published their paper, both of these projects were still vulnerable.

Compare this to a recent pair of vulnerabilities found in Signal Desktop earlier this month: Researchers discovered a remote code execution — hackerspeak for “very bad” — vulnerability in Signal Desktop on May 10 and they disclosed it to the developers on May 11. Later that same day, the Signal developers fixed the problem and released an update. But their fix wasn’t complete; on May 14 researchers discovered a second way of exploiting the vulnerability. An hour later they disclosed it to the developers, and less than two hours after that, a new Signal Desktop update was released which finally solved the problem. Signal Desktop automatically updates itself, so nearly all users should have gotten the updates the day they were released.

Despite having several months of lead time, the Enigmail and GPGTools projects failed to fix the EFAIL vulnerabilities before the paper was made public. In all likelihood, the majority of PGP users are probably still vulnerable, two weeks later.

But to be fair, the Enigmail and GPGTools developers have a much harder job than the Signal developers. On one side, they must work with an ancient crypto system; PGP dates to 1991, it was standardized as OpenPGP in 1995, and the popular PGP/MIME system was first standardized in 1996. On the other side they must deal with the ancient messaging systems out of which email is constructed and on which it travels, including the message sending protocol SMTP, first standardized in 1982, and MIME, a standard for attachments that emerged in 1992. They also need to ensure that their software works seamlessly with all other PGP software, in all its diversity. These standards all contain a multitude of obsolete, and often insecure, features in order to maintain backwards compatibility.

If Signal developers had to deal with decades of technical baggage and handle dozens of possible message formats instead of just one, it would take them more than a few hours to fix similar vulnerabilities too.

Based on all of this, the “temporary, conservative stopgap” that EFF suggests — uninstall or disable PGP, and switch to secure messaging apps like Signal or Wire until the encrypted email ecosystem solves the EFAIL problems — sounds like pretty solid advice.

But unfortunately, for many of us it’s not that simple.

Why Giving Up On Encrypted Email Isn’t an Option

Several communities of users have grown dependent on encrypted email to get their daily work done, including civil society communities like human rights and internet freedom activists, hacker and open source developer communities like the Debian project, and increasingly, journalists and researchers who collaborate and work with sensitive sources.

Secure messaging apps are not a substitute for email, and they never will be. You can keep old archives of emails, and you can search these archives years later when you need to look something up. With email, you can participate in mailing lists, have threaded conversations, forward messages around, and leave things marked as unread until you have time to deal with them. After you publish a blog post, article, or academic paper, people can email you feedback, but you might not have time to reply right away, and you definitely don’t want this feedback making your phone buzz at 3am.

For many of us, maintaining our same email habits but sending them in plaintext is simply not a viable option. Asking us to temporarily stop using PGP for a while is the same as asking us to stop using email — it’s just not practical without completely changing how we’ve been working for years.

And while the fact that email and PGP are based on open standards makes it more difficult to maintain and fix security vulnerabilities, it also adds an enormous benefit: Email servers inter-operate with each other. You can send an encrypted email to my theintercept.com address from your gmail.com address and I’ll be able to read it, but you’ll never be able to send a message to my Wire account from your Signal account. Because email is an open, federated system that has been around for as long as the internet, everyone has an email address, but only some people use Signal, and others use Wire, WhatsApp, or Telegram, and some are only reachable on Facebook. None of these systems work with each other.

In my imagination there exists a brand new email-like system: It uses modern cryptography like Signal does; it only supports a single, sane messaging format instead of endless permutations; and it has all the other qualities that email has, like the ability to maintain and organize an archive of old messages, and different servers that can communicate with each other. It doesn’t have decades of cruft to maintain and, importantly, it’s impossible to use it insecurely. But since this email-like system only exists in my imagination, and not in reality, we’re stuck with PGP for the moment.

If you’re one of these PGP-dependent people like me, then make sure you pay close attention to the EFAIL developments, always keep your software up-to-date, and if at all possible, disable viewing HTML emails. If you’re not one of these people, then by all means, just use Signal or similar messaging apps when you need to communicate securely.

But it’s also possible that I’m just biased. I would have an entirely different life right now if it weren’t for PGP.

On January 11, 2013, I received a PGP-encrypted email from an anonymous stranger. “I’m a friend,” the email read, once I decrypted it. “I need to get information securely to Laura Poitras and her alone, but I can’t find an email/gpg key for her. Can you help?” I didn’t know at the time, but this stranger was Edward Snowden, and he was in the early stages of blowing the whistle on the National Security Agency.



A century on, why are we forgetting the deaths of 100 million?

The 1918 Spanish flu outbreak killed more people than both world wars. Don’t imagine such a thing could never happen again

May 25, 2018

by Martin Kettle

The Guardian

This year marks a century since some women got the vote; a century since the end of the First World War; 50 years since the 1968 revolts; 70 since the founding of Israel and the NHS. All have been well marked. So it is striking that the centenary of one of the most devastating events in human history has been allowed to pass thus far with almost no public reflection of any kind.

This year is the 100th anniversary of the Spanish flu pandemic of 1918. Estimates about its impact vary. But when you read that a third of the entire global population probably caught the Spanish flu and that it killed between 50 and 100 million people in all corners of the globe – up to 5% of all human beings on the planet at the time – you get an inkling of its scale.

By the time the pandemic finally ended, it had killed around 25 times more people than any other flu outbreak in history. It killed possibly more people than the first and second world wars put together. As Laura Spinney puts it in her new book, Pale Rider – the best modern account of the Spanish flu crisis – “the flu resculpted human populations more radically than anything since the Black Death”. Think about that. Not the western front, not Hitler’s invasion of Russia, not Hiroshima. But the flu.

In the face of such figures, it seems unbelievable that we forget or look away. Yet we do. Perhaps that is because, unlike equality for women, a disease has no ultimate prize to win and celebrate. Perhaps it is because, while wars have victors, pandemics leave only the vanquished, as Spinney puts it. Perhaps too, as the critic Walter Benjamin once argued, silences about public horrors can permit human societies to cope with collective recovery and to progress. Or perhaps, as Spinney also reflects, the Spanish flu has been consigned to the footnotes because its onslaught did not occur in public but in private, behind closed doors in millions of homes.

Yet the Spanish flu epidemic was a public event too. It changed the course of the first world war (the Germans thought it robbed them of victory). It brought Switzerland – yes, Switzerland – to the brink of civil war over the inadequacy of the official response. The way it was mishandled in colonial India gave a major boost to the independence movement. It led to Madrid football club changing their name to Real Madrid, at the behest of the King of Spain as part of a public health drive. In Britain, in a sense, it triggered a concern about public health that would lead, 30 years later, to the NHS.

The flu struck the rich and the poor, the young and the old, women and men, black and white. Among those who caught it but recovered were the British prime minister David Lloyd George, the US president Woodrow Wilson, the German kaiser, and King Alfonso XIII of Spain – whose country gave its name to the disease for no better reason than that the French, unable to learn about the scale of the infection in their own country because of wartime censorship, thought wrongly that it had started on the far side of the Pyrenees. The naming has caused offence in Spain from that day to this – and has belatedly led to greater care in the naming of subsequent strains and outbreaks that cross borders.

For this was a disease that scorned all human frontiers. It killed from Alaska to Zanzibar. Groucho Marx caught the flu in New York and Mahatma Gandhi in Ahmedabad. The future Mustafa Kemal Atatürk went down with it in Vienna. Haile Selassie fell ill in Addis Ababa. TS Eliot got the flu in London – he wrote The Waste Land as he recovered. Other victims who recovered included Franklin Roosevelt, Lillian Gish, Franz Kafka, DH Lawrence, Béla Bartók, Walt Disney, Ezra Pound and the aviator Amelia Earhart. In Colorado, Katherine Anne Porter’s black hair fell out as a result of flu. When it grew back her hair was white and Porter went on to write a memoir, Pale Horse, Pale Rider about the pandemic.

The list of those who died of the flu is less storied than those who recovered from it. It is headed by the painter Egon Schiele and his wife. The Parisian poet Guillaume Apollinaire succumbed too, as did one of Lenin’s right-hand men, Yakov Sverdlov. So did Lawrence of Arabia’s father, Arthur Conan Doyle’s son and Donald Trump’s grandfather. A celebrated British casualty was the diplomat Mark Sykes – now famous (or infamous) for the secret Sykes-Picot agreement he struck over spheres of western influence in the Middle East.

Ten years ago, in 2008, Sykes’s coffin, lead-lined because of the virulence of the disease, was disinterred from his grave in Yorkshire. The purpose was to enable researchers to take samples, from his remains, of the H1N1 virus strain that caused the Spanish flu. Such samples, now under high-security lock and key in Atlanta, have been examined for clues as to why this strain was so potent and how a future pandemic might be contained.

For there will be another Spanish flu pandemic one day. The 1918 outbreak occurred because the viral strain acquired the ability to infect humans and then to become transmissible among humans. Other strains have that potential too. Global warming may empower the strongest ones still further. The world of 2018 is infinitely more interconnected than that of 1918. The potential for blaming particular social groups for pandemics is vast.

Last week the Ebola virus spread from a remote rural part of the Democratic Republic of the Congo to the busy river port town of Mbandaka. A few hundred kilometres downstream from Mbandaka lies DRC’s capital, Kinshasa, a mega-city of some 11 million people. Unlike flu, which is airborne, Ebola is transmitted through contact with bodily fluids. That is threat enough in war-torn cities without proper sewerage.

So far, the DRC outbreak appears controllable. Yet more than 11,000 people died in west Africa from an Ebola outbreak in 2014. And imagine if Ebola manages one day to become airborne, as flu did. If something like that happened in the modern world, we would quickly find we were living in a fools’ paradise. And our present habit of forgetting and looking in the other direction would seem a catastrophic act of global folly.

Secrecy News

From the FAS Project on Government Secrecy

Volume 2018, Issue No. 37

May 25, 2018


The US is no longer complying with the Iran nuclear deal and is poised to re-impose some previously lifted sanctions on Iran and its trading partners.

But the legal basis for that action is a bit murky and contested. A new analysis from the Congressional Research Service tries to make legal sense of what has happened.

“The legal framework for withdrawal from an international pact depends on, among other features, the type of pact at issue and whether withdrawal is analyzed under domestic law or international law,” the report says. See Withdrawal from the Iran Nuclear Deal: Legal Authorities and Implications, CRS Legal Sidebar, May 17, 2018.

Other new and updated reports from the Congressional Research Service include the following.

Iran’s Foreign and Defense Policies, updated May 23, 2018

Israel: Background and U.S. Relations In Brief, updated May 21, 2018

Bilateral and Regional Trade Agreements: Issues for Congress, May 17, 2018

Covert Action and Clandestine Activities of the Intelligence Community: Framework for Congressional Oversight In Brief, May 15, 2018

Military Construction: Process, Outcomes, and Frequently Asked Questions, updated May 16, 2018

The Federal Budget: Overview and Issues for FY2019 and Beyond, May 22, 2018

Violence Against Journalists in Mexico: In Brief, May 17, 2018

Venezuela’s 2018 Presidential Elections, CRS Insight, May 24, 2018

DACA Rescission: Legal Issues and Litigation Status, CRS Legal Sidebar, May 23, 2018

Coast Guard Polar Icebreaker Modernization: Background and Issues for Congress, updated May 23, 2018

Advanced Pilot Training (T-X) Program: Background and Issues for Congress, updated May 21, 2018

The International Monetary Fund, updated May 24, 2018

Prescription Drug Monitoring Programs, updated May 24, 2018

Vehicle Fuel Economy and Greenhouse Gas Standards: Frequently Asked Questions, May 24, 2018

Is There Liability for Cross-Border Shooting?, CRS Legal Sidebar, May 22, 2018

Maritime Territorial and Exclusive Economic Zone (EEZ) Disputes Involving China: Issues for Congress, updated May 24, 2018

Internet Freedom in China: U.S. Government Activity, Private Sector Initiatives, and Issues of Congressional Interest, May 18, 2018



