Titled Cryptolog: The Journal of Technical Health, its existence has been known for years, having been mentioned in books about the agency by authors like James Bamford. But its contents, like so much else about the agency and its work, have remained a secret.

That changed today, when the NSA declassified about a quarter century of back issues of the publication running from 1974 to 1997. You can have a look at the results here.

In its first issue, the magazine explains its mission in a “Letter of Introduction” by Maj. Gen. Herbert E. Wolff, who in 1974 — a time when the NSA’s very existence was still a secret — was deputy director of operations, like so:

This is CRYPTOLOG — a new vehicle for the interchange of ideas on technical subjects in Operations.

Operations is a large organization: the skills and talents on which we depend are many, our workings widely scattered and often sequestered in compartments. These conditions argue for special efforts to keep us in touch with each other and with new problems as they arise and new solutions as they are developed.

In the summer of 1997, the most recent issue declassified, there’s a lengthy Q&A interview with an unnamed employee, known by the nickname “Ski,” who was retiring after 50 years of combined service with the NSA and as a military cryptologist. Asked about what it was like to work for the NSA in its early days in the 1950s, the bulk of his answer is: Censored.

And so it is with a lot of the contents of the “declassified” Cryptolog. For all the vaunted talk about declassification and transparency, there are still apparently a lot of secrets to protect.

At other times, Cryptolog reads like an amateur computer club newsletter. Consider this section of a review of the 1996 software textbook “Rapid Development” by Microsoft’s Steve McConnell from an NSA employee whose name has been (thankfully) censored: “I highly recommend this book as the next much-highlighted, marked-in-the-margins, dogeared, no-you-cannot-borrow-it-get-one-of-your-own books for every software developer, team leader and technical manager.”

Here’s the secret it has been hiding all these years: With its multibillion dollar budget, the NSA apparently couldn’t afford to hire an editor.

Kessler’s most recent title at HP was VP of worldwide sales and service for enterprise security products, where he was responsible for running its security portfolio, including ArcSight, TippingPoint and Fortify.

Kessler’s resume includes a stint as the president and COO of Palm back in the late 1990s when it was still a subsidiary of 3Com. (Both Palm and 3Com eventually ended up being acquired, though separately, by HP.) While at Palm, he took primary responsibility for the software business and oversaw the growth of its community of software developers, which went from 25,000 to north of 100,000. He first joined 3Com in 1985.

After 3Com, he ran two storage companies, Intransa and Attune Systems, before landing at TippingPoint, a security company 3Com had acquired in 2004. TippingPoint was one of the primary assets that attracted the interest of HP when it spent $2.7 billion to acquire 3Com in 2009.

Here’s Vormetric’s original announcement.

Enterprise Encryption Leader Taps Proven Business Leader and Security Industry Veteran to Further Accelerate Growth in Domestic and Global Markets

SAN JOSE, Calif. – Nov. 13, 2012 –Vormetric, Inc., the leader in enterprise encryption and key management today announced the appointment of IT startup and public company veteran Alan Kessler as the company’s new President and CEO and member of its Board of Directors. Mr. Kessler will lead Vormetric’s expansion into new markets and extend the company’s leadership position within the data security sector. He joins Vormetric from HP where he was VP, Worldwide Sales and Service for Enterprise Security Products responsible for the success of customers and partners on a global basis.

“Vormetric is firmly established as the enterprise encryption leader, just as the market for data security is taking off. The company has a great team in place and significant opportunities for growth in both our domestic market as well as new untapped geographies,” said Alan Kessler. “It’s a great time to join Vormetric. My goal is to grow the company into a front runner within the data security segment. We will address new high growth use cases including the cloud and big data, expand our share of the federal government space and target key international markets.”

According to findings presented by Gartner, Inc. at the recent Symposium/ITxpoSecurity conference the already large security market is expected to grow by 56% from current levels within five years, while cloud security will almost triple. Vormetric provides strong, easily manageable data security for large organizations in the financial services, government, healthcare and energy sectors including Honeywell, LG, Michelin, Nicor, Prudential, and more. To date, 16 of the Fortune 25 companies have standardized on Vormetric for their data encryption and key management needs.

“Our objective was to recruit a CEO who has leadership experience in the security, enterprise software and storage systems markets, as well as a person with a track record for building and managing global businesses,” said Bob Spinnner, Vormetric Board Member and Managing Director at Sigma Partners. “Alan Kessler meets and exceeds all those criteria. We are extremely pleased that he is onboard and know Alan has the acumen to grow Vormetric in both domestic and international markets.”

Mr. Kessler has more than 20 years of management experience with both entrepreneurial startups and very large technology vendors. Most recently with HP, he set and executed the go-to-market strategy for the full portfolio of products, solutions and associated security services from the Enterprise Security Products business unit. He was responsible for leading the teams that took the award-winning HP ArcSight, HP TippingPoint, HP Fortify, HP Application Security Center and HP Atalla security products to market.

He also served as president of intrusion prevention vendor TippingPoint (a division of 3Com) until it was folded into HP as part of the 3Com acquisition. He led the TippingPoint business through a stage of unprecedented market growth steadily increasing market share at a rate of four times the industry average. Previously, Mr. Kessler was president and CEO of Attune Systems, an enterprise storage systems company. He has also served as the president of Palm Inc. and as president of Palm’s Platform and Products group during Palm’s successful IPO.

Mr. Kessler holds an MBA from the University of California, Berkeley – Walter A. Haas School of Business, and a B.S. in Business from San Jose State University.

It has been a long time since anyone thought seriously about the encryption debate that hung over the discussion around privacy rights in the 1990s. It has also been a long time since Phil Zimmermann — creator of the Pretty Good Privacy software that so many people adopted to encrypt their email — was the target of a federal criminal investigation that derived from his making it widely available for download. The government dropped its case in 1996. Today, PGP is the most widely used encryption program in the world. PGP, the company, is part of Symantec, and encrypting your email is now super easy, though most people don’t go to the trouble of doing it.

PGP is the reason Zimmermann is going to be inducted into the Internet Hall of Fame today, at a dinner in Geneva. Which, of course, raises the question: What is he doing these days?

The answer: Launching a new venture. It’s called Silent Circle, for which Zimmermann has teamed up with two former Navy SEALs and one of his PGP Corp. co-founders. The plan is to offer encrypted email, encrypted mobile calls, encrypted VOIP teleconferencing and encrypted instant messaging, all in one place.

Joining Zimmermann in Silent Circle are Mike Janke, a former Navy SEAL sniper, special operations communications expert and privacy advocate; Vic Hyder, another former Navy SEAL and founder of Maritime Security; and Jon Callas, a cryptographer and Zimmermann’s co-founder of PGP Corp., whose current day job is CTO at Entrust.

Silent Circle will offer services both to consumers and corporations, but also to human-rights groups, dissidents and nongovernmental organizations working in dangerous or sketchy places where governments tend to monitor communications. There’s also a promise of no backdoors offered for any individual, organization or government.

Though Silent Circle is now running a private beta, the plan, as I understand it, is to launch a public beta on July 15. We’ll hear more about it then.

Update: I initially spelled Zimmermann’s name with only one N. Sorry about that.

Now, a new app, called Enlocked, says it’s going to make email encryption at the consumer level even easier, by introducing a mobile and Web application that adds a one-tap encryption button to an existing email account.

Enlocked works by offering an encryption option that can be applied on a message-by-message basis. A user who has downloaded the Enlocked app would see the “secure send” option as they’re sending an email. If the sender opts to send it with encryption, the recipient then receives two emails: One informing him or her that an encrypted email is about to come through, and another that is the actual email.

The catch is that the first one prompts the user to download Enlocked in order to read the encrypted email (click on the image at left).

On mobile, Enlocked is available for iOS and Android devices; the company expects a BlackBerry app to become available in about 60 days. In terms of Web-based email services, Enlocked is available on Chrome, Firefox and Internet Explorer, with a Safari plugin in the works, and it works with Gmail, Yahoo Mail, Windows Live or AOL email. Interestingly, it also works with Microsoft Outlook (including Microsoft Exchange systems).

The big question with a “vanishing email” service like Burn Note is how or whether e-messages are recoverable. With Enlocked, the question might be how long a user would be able to send encrypted emails from a work-related Outlook account, before it grabs the attention of network administrators. The app can be applied to corporate Outlook accounts, said Enlocked CEO Guy Livneh, making it so email administrators can’t read sent emails. Even if someone were to hack into an account, the message would still be scrambled in outgoing mail.

It’s currently free to use, and Livneh says the plan is to keep the consumer-facing apps free, but Enlocked may eventually offer a premium service at a cost. The company said it doesn’t plan to serve up targeted ads in emails as a way to monetize the service. (Enlocked also said it doesn’t store copies of encrypted emails sent through its app.)

Enlocked was launched this week by co-founder Livneh, formerly of database security company Sentrigo, which was acquired by McAfee last year; McAfee’s CTO of database security, Slavik Markovich, is an investor and board member.

Livneh acknowledged that the standard, open-sourced PGP-encryption method behind Enlocked isn’t new. What is new, Livneh said, is how accessible they’re making it to consumers.

“We think we’ve created an easier barrier to entry,” he said. “The magic is supposed to be in the usability for consumers.”

There are other ways that people can send encrypted emails from personal accounts, though Livneh insists that Enlocked’s mobile apps and Web plugins are more convenient to use. There’s Hushmail, for one, but that’s an entirely separate email service and not an application that you apply to your existing email account, such as your Gmail or Yahoo mail. There’s also Sendinc and Lockbin. As with Hushmail, Lockbin requires users to employ its application for sending emails.

(Image courtesy of Flickr/MJ Nault Photography)

“I didn’t want the password to live in an email somewhere. I started thinking, what if there was something that would allow me to destroy the email?” Robbins said in an interview.

The thought stayed with him, and by summer, Robbins had dropped the other project to turn his full attention to building a service for hyper-secure email exchanges. He named the service Burn Note.

Burn Note, which opens up to the public today, allows the sender of an email to set a time frame in which the receiver can read an email before the email disappears.

At that point, the email no longer exists — anywhere.

Burn Note’s Web site says the service uses no binary logging, which means there are no standby servers, or backup copies of emails. The company uses a storage engine that has no journaling capabilities, and an underlying file system that logs metadata but not the content of the notes themselves.

While grabbing an image of the email might seem like a simple workaround, Robbins said he has introduced two methods to the service that make it extremely difficult for recipients to quickly copy the text of an email for posterity. Burn Notes can include Web links, but can’t send attached files, though Robbins has said attachments are in the works.

“I think there are a lot of legitimate uses for why people would want an off-the-record conversation,” Robbins said. “The message goes away, but it’s still been communicated to the recipient, which is the point.”

Robbins most recently served as the head of software development for Facebook-acquired Drop.io; he said the Burn Note service was partly inspired by that cloud-storage service. “There was a feature that we considered, but ultimately didn’t turn on, where a file could have a certain number of views before it self-destructed,” Robbins said.

While there currently aren’t any mobile apps for Burn Note, Robbins said that it’s a mobile-optimized Web site, so it can be accessed from a phone with a Web browser.

Highly encrypted or “vanishing” email services aren’t new. In 1999, Canada-based Hush Communications launched Hushmail, a free Web-based email system for individuals and businesses that sent PGP — Pretty Good Privacy — encrypted emails. As Wired reported, it was originally stated that “uniquely-coded” Hushmails were so encrypted that not even Hush employees with access to servers could read the emails.

But in 2007, Hush turned over a dozen CDs of emails, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The evidence was requested as part of a U.S. federal prosecution of alleged steroid dealers. The company subsequently acknowledged that Hushmails could, in some instances, be decrypted.

In 2009, the New York Times wrote about a group of scientists at the University of Washington who developed software that would make email messages disappear after a period of time. The software, called Vanish, would rely on a key-based encryption system that differed from the usual key cryptography used in digital communications, by making the “keys” erode over time.

A couple of months after that, “Freedom to Tinker,” which is hosted by Princeton’s Center for Information Technology Policy, released a paper detailing a series of experimental attacks against the Vanish prototype. The paper stated that Vanish should be considered too risky to rely on.

On a Web site for Vanish, the group acknowledged that the implementation on which Vanish was based was not adequately protected against attacks, and says it’s “investigating new directions and architectures for self-destructing data.”

Burn Note’s Robbins says Hushmail’s service and the Vanish project are different from Burn Note because those products rely on encryption keys, while Burn Note is effectively reengineering the default settings of computer systems and server systems so that nothing at all is saved.

When asked what Burn Note’s protocol would be for handling requests from law-enforcement officials for email exchanges, Robbins replied, “Burn Notes aren’t emails.”

He went on to say that the exchange of Burn Notes is more comparable to phone calls in that, unless they’re recorded, the exchange itself can’t be retrieved.

But Burn Note — unlike phone companies — doesn’t keep a log of who is communicating with whom. Robbins said the company plans to compile and study anonymous usage data, but will keep two separate logs — incoming messages and outgoing messages — rather than a log of messages exchanged between users. According to the company’s explanation of its technical procedures, even the time stamp on the message is anonymized: Burn Note rounds the times to the nearest hour so that timing cannot be used as a unique identifier.

“A lot of services launch to acclaim that they’re going make digital communications disappear,” said Paul Ohm, an associate professor of law focused on information privacy at the University of Colorado Law School. “But they sometimes become that place where bad people go to exchange information, or a haven for criminals. In order for this work, you have to stay on the side of legitimacy.”

“It’s never a complete dead end,” Ohm added. “There has to be data living somewhere, and there’s always a way to engineer around these systems.”

While Burn Note will at first be marketed to the average email user, Robbins said he hopes to attract attention from the enterprise market. “I think there’s a really interesting set of use cases around banks, especially if it can be made to plug in to existing systems,” he said.

When asked how Burn Note might comply with the record-keeping obligations of U.S. financial institutions have, Robbins said it would require a case-by-case evaluation.

“I don’t have a good answer for that, because it will require review by a legal professional before we can fully work through that type of situation,” Robbins said. He pointed to the company’s privacy policy, which plainly states:

“If you have a legal obligation to preserve data, do not use Burn Note.”

In response, Square’s CEO Jack Dorsey said the claims weren’t “fair or accurate,” and that VeriFone was overlooking all of the protections already built into your credit card.

VeriFone’s awareness campaign may be considered a little unconventional.

The company went as far as to launch a web site, record a video, and develop a mock-iPhone app that demonstrates how easy it was to use Square’s dongle to skim information off of a credit card.

Reactions to VeriFone’s approach largely sided with Square.

In comments on our site and on other venues, including Twitter, respondents mostly waived off the concerns, saying that VeriFone was feeling threatened by Square’s progress in the market.

In an exclusive interview, VeriFone’s CEO Doug Bergeron explained why the company felt it was necessary to launch the campaign.

Actually, the interview was positioned as a way to “clear the air,” although as you’ll see, those were not his words, but rather the phrase his public relations people chose to use in pitching us.

Here is our conversation, which has been edited for length and some context, but is largely as it happened.

Duryee: I was told you want to “clear the air” about VeriFone’s actions last week.

No, I don’t think that’s the way I would put it.

I believe that’s a direct quote from your PR person.

Well, I can’t help what they say.

But this is a very interesting time in mobile commerce. There’s a lot of things happening, and a lot of innovation that is happening, and yet, and yet a lot of historical issues that haven’t gone away.

[Skipping ahead in the interview] How is your smartphone product different than Square’s?

We’ve been selling PAYware Mobile for about a year, and it is selling well. Square is the only one that I know of that doesn’t encrypt their data.

We don’t use a dongle. We use a sleeve, or basically it’s a small cradle that the phone sits in. What’s different is that we encrypt the data, which means it costs $25 to $35 more to provide that technology. We aren’t creating fraud. We want consumers to be able to accept credit cards. But if you cut corners it causes problems.

We’ve been mentioning it for awhile, but we thought we needed to be heard.

Did you approach Square directly?

We’ve been in several conversations–not just with Square–but with the industry, and not just about Square, but about hypothetical devices.

We don’t want an industry that’s been moving toward simplicity, which we think is good, to move toward technology that’s allowing fraud. We don’t want it to go in wrong direction.

Did you give Square a heads-up that you were going to do what you did?

I don’t know who our PR folks talked to or didn’t.

Your PR folks told me that you had a meeting with Square’s CEO Jack Dorsey the week before.

I did see him in New York. We were at a similar meeting. I brought up the security issue, and asked him how are you addressing security? The answer was still, the networks will take care of it.

That’s not the way the rest of the world is treating this.

Networks have programs that monitor transactions, and they’ll call you if you are traveling, and there’s systems that can identify things post-facto, but that’s after the fact. The rest of the world has used smart cards and other mechanisms to stop fraud where it happens.

So, the networks can take care of it?

It’s not good enough. We should be joined arm-and-arm to make sure customers trust these systems and make sure that fraud goes down. I don’t think retailers like paying the highest interchange rates in the world, that’s not fair.

Was your open letter fair to Square?

[He laughs.] Listen it’s a competitive world. We take our role as a leader in the industry seriously. We gave them a heads up and free advice that you shouldn’t be allowing systems out there, unencrypted. If that’s fair or not, it’s not the issue here. We collectively need to create new technology to reduce fraud, whether you are a venture-backed business or a big businesses. We are both responsible for our own decisions and should be able to fend for ourselves.

Were you worried they were gaining traction in the market?

No, not at all. We don’t know what traction they’ve seen. We might be doing more than them. I have no idea. It is worth noting that we do less than a couple of million dollars a year with micro-merchants, such as garage sales or Girl Scout cookies. But that’s not the essence of VeriFone. This is not our massive attempt to protect two million in revenue. If that’s what you think, you are missing the point.

We are not worried about competition in one of our $2 million segments, but we are worried about the industry not being concerned about the third rail of skimming, which is smartphones not using encrypted data.

Still, a lot of the feedback in the comments on our site and on Twitter was that you felt threatened by Square.

I notice Verizon and AT&T advertise whose systems don’t work. Oracle advertises against HP, by saying their systems have more processing power. I’m not quite sure how this is different. We have a solution that encrypts data and reduces fraud. If that’s not worthy of identifying and knowing, what’s wrong with that?

Well, maybe you went too far by making the faux iPhone application available for download on the site?

If we didn’t, we would have been accused of blowing smoke. The fact that we could do it [build one] in an hour demonstrates how serious of a problem it is.

[NOTE: PR jumps into the conversation, adding that the application on its site was only for demonstration purposes. No one could actually download it and skim credit card information with it. It was only to show it was possible, but there was no actual risk.]

You really believe that the Square dongle will be used for harm?

They certainly could. It’s a skimmer that doesn’t look like a skimmer. You might be using a merchant that you trust, and they are skimming right in front of you and don’t even have to go in the back room.

Now that you’ve voiced your concerns, what happens?

I don’t know. We all continue to go along our paths and try to improve paying at the pumps, and paying at the table, and try to continue to promote that smartphones are great and that the data should be encrypted…

We have a competitive reason to do so, and we believe we have a differentiated product. This can be solved. This isn’t rocket science. They can add encryption and they’d be done.

There is no next step. We’ll continue to sell the most robust in the industry, and reduce fraud and feel good about it, and they’ll continue to do what they do.

[From earlier in the interview. Bergeron provided the company's historical context in the industry, which led them to the decision to write the open letter last week.]

Without the benefit of 30 years of watching historical issues, it’s easy to see how our campaign last week was considered unconventional. But the reality is we are speaking to a very seirous issue here.

The first has to do with the ongoing concern–even worry–that retailers large and small are having with conventional card brands.

It plays out like this: I see you give me a lot of value to accept debit and credit because customers like it, but this notion that I’m paying the highest interchange rates in the world in America–15 to 25 percentage points of my revenue. Whereas, the rest of the world on average pays 10 percent. As a retailer, I’d say I’m just not getting how the 25 percent that I’m giving up to the card ecosystem is valuable.

The response is: The reason you pay the highest interchange rates in the world is because there’s a lot of fraud in the system.

Some of it goes to profits and managing the network, but a big piece of it is a pooled risk to cover the fraud in the system. The reason European retailers pay significantly less is because there’s a lot less fraud in the system. Ditto Canada and Australia.

Every other country has taken technology to eliminate or reduce the incidence of fraud and skimming. Therefore there’s less fraud and interchange rates come down.

Every day of the week, I hear them [retailers] complaining about interchange. I defend it. We are what we are, and there’s fraud in the system–that is what it is. We have made it our mission to go after the sources of fraud.

There’s two big areas of fraud, and the unregulated smartphone dongle is creating the third.

What are the two big sources?

The two biggest sources, which Forrester, IDC and NPD would all agree, is gas pumps and restaurants.

And there’s a reason for that.

Gas pumps received a waiver from Visa and other card companies.

They were leaned on by the oil companies, which claimed that meeting PCI compliance at each gas pump would have been really painful for the gas stations. And therefore at the 800,000 pumps today, unlike most stores you go to which use compliant technology sold by VeriFone or others, there’s nothing protecting your data there.

These pumps are serviced in the middle of the night by independent operators. It turns out that there’s a few master keys running around, which open up hundreds of thousands gas pumps, and then skimmers are inserted in the pumps and the data is captured.

Fraud gets created, and interchange has to stay high.

I thought gas stations experienced high fraud because the credit card has already been stolen, and can easily be used at the pump?

No, the signature doesn’t act as a deterrent. There’s a lot of unattended systems, where there’s not a person there, and they are all compliant and are encrypted. Only in America do these pumps exist.

And, what about restaurants?

The second area where there is a lot of fraud happening is in restaurants. You give your card up to the waiter, and they copy it. We agree [with Square] that copying cards down is a form of skimming.

Restaurants are the last frontier. Restaurants are the only place, where you give your card to a stranger and they go in the back room. So much happens in restaurants. They can get the number on the back, or run it through a skimmer, which are commonly available.

We have tech solutions to solve the two big problems, which would go a long way to reducing fraud, and probably reducing interchange.

Which leads us to how you believe Square is creating a new unencrypted point of sale?

We fear it is the third place, where data is being transmitted through a non-payment device without encrypting it before it goes in.

We have an iPhone product called PAYware Mobile.

We are on a mission here to reduce interchange for retailers by increasing the use of technology at the point of sale. We’ve been telling the story to card associations, customers and major retailers for the past year…It’s not just about reducing interchange for retailers when customers get their identity stolen, it’s a major pain in the you-know-what.

We think we are on the cusp of mobile payments, and there’s going to be more and more done with the phone. We want to make sure it is done securely because if there’s a major pandemic of fraud using cellphones, it’s going to slow the adoption.

We not only support mobile payments fully, we were great proponents of the use of smartphone as credit cards and acceptance systems–our point is let’s be consistent with the rest of the industry.

The technology already exists to make this happen, he says; the problem will be in making it simple enough for ordinary people to get the most out of the product.

The device, which he has dubbed the Freedom Box, will be a combination data storage device, wireless Internet router and communications platform–all of it encrypted, so that only its owner and authorized recipients could read the data it contained or transmitted. Users will typically plug it into a simple wall socket, but it could also run on two double-A sized batteries, meaning it could be used even during a blackout.

Read the rest of this post on the original site

The tool, called uProtect.it, works like this: Users get the app and activate it on Facebook with a bookmark. Then they write a comment and choose which of their friends can see it. Instead of the comment being posted normally on Facebook, uProtect.it posts a message saying that the comment is encrypted and can be seen by clicking on a link. Only those friends who are allowed to see the message can decode it when the link is clicked; even Facebook doesn’t have access.

“Essentially you’re creating an encrypted atmosphere on Facebook, and Facebook can’t control it,” said Michael Fertik, the founder and chief executive of Reputation.com Inc., which makes the app.

Read the rest of this post on the original site

It has given wireless carriers in the country the ability to intercept messages sent over its BlackBerry Messenger (BBM) service and BlackBerry Internet Service (BIS) if requested by the government. “The lawful access capability now available to RIM’s carrier partners meets the standard required by the government of India for all consumer messaging services offered in the Indian marketplace,” RIM said in a customer update.

Well, not quite.

The Indian government also wants access to communications sent over RIM’s corporate service. The company hasn’t yet provided that and continues to argue that it’s impossible to do so.

“No changes can be made to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumors, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys,” RIM explained in its customer update.

In other words, the solution RIM has provided is a partial one. It still hasn’t met one of the Indian government’s key demands. Will this concession on BBM and BIS be enough to mollify it?

It would seem, then, that RIM is on target to provide India’s Home Ministry with a solution that will allow it to “lawfully” monitor BlackBerry services by the January 31 deadline the two parties have agreed on.

According to RIM, that’s not the case at all. In fact, says the company, it has no plans to make any changes to the security architecture for BlackBerry Enterprise Server customers since A) it professes to maintain a consistent global standard for lawful access requirements and doesn’t make specific deals with individual countries and B) it couldn’t provide its customers’ BES encryption keys to curious governments even if it wanted to.

“RIM has once again found it necessary to address certain media reports in India containing inaccurate and misleading statements and information based on unsubstantiated claims from unnamed sources,” the company said in a statement given to me. “Our customers can be reassured that the BlackBerry Enterprise Solution continues to be the gold standard for security-conscious organizations in India and worldwide. All our discussions with the Government of India have been and continue to be productive and fully consistent with the four core principles we follow in addressing lawful access matters around the world. Any suggestion to the contrary is false.”

Despite that rather terse rejoinder, RIM says its negotiations with India are moving forward. “Our discussions with the Government in India have been and continue to be productive and we fully expect the matter to be satisfactorily resolved,” said a spokesperson.

The deadline for compliance had been Oct. 31, but India’s Home Ministry has extended it to give RIM (RIMM) a bit more time to provide a solution that would allow it to “lawfully” intercept encrypted corporate information. The new deadline: January 31. Evidently, the two parties have settled on a solution; RIM just needs more time to implement it–at least that’s what these minutes from a recent Home Ministry meeting suggest.

“RIM would be asked to adhere to the timeline of January 2011 to give the final solution wherein lawful access for BlackBerry messenger will not involve the overseas data path. Intelligence Bureau (IB) and National Technical Research Organisation (NTRO), which had attended the discussions, found that the solutions offered by RIM (for BlackBerry messenger) are prime-facie agreeable. The timelines of January 2011 were also agreeable.”

That bit about lawful access not involving an overseas data path seems to suggest that RIM has, at the very least, agreed to host a server in India. What it’s planning to do beyond that remains to be seen. Company execs continue to insist that there’s no technical solution to allow lawful access to its BlackBerry Enterprise Service. This is the second time RIM has won a reprieve from the Indian government. It seems doubtful there will be a third.

Earlier this week the kingdom’s Communication and Information Technology Commission ordered a suspension of some BlackBerry services that was to begin today and continue until Research in Motion (RIMM) addressed the national security concerns it raised about lack of access to BlackBerry data. Yet after a temporary outage this morning, BlackBerry service appears to be operating normally, and customer service reps at some Saudi carriers say they haven’t yet been told that a ban would be implemented. “If there are any changes to the service, all the customers will get a text message alerting them of that, but as of now nothing has changed,” a Mobily rep told The Wall Street Journal.

So what’s going on? Obviously some last-minute talks among all the parties involved, evidently talks that may result in RIM locating a server inside Saudi Arabia that would allow authorities there to access encrypted BlackBerry communications. “We are testing technical solutions with RIM…servers to be more exact,” a source familiar with the matter told Reuters.

The United Arab Emirates late Sunday said it will suspend BlackBerry mobile services like email, instant-messaging and Web-browsing unless Research in Motion (RIMM) agrees to make them easier to surveil. “BlackBerry data is immediately exported offshore, where it’s managed by a foreign, commercial organization,” the country’s Telecommunications Regulatory Authority said in a statement. “Blackberry data services are currently the only data services operating in the UAE where this is the case. Today’s decision is based on the fact that, in their current form, certain BlackBerry services allow users to act without any legal accountability, causing judicial, social and national-security concerns.”

Ironic that RIM’s encryption system, one of the chief reasons for its success in the enterprise world, is working against it in countries whose governments view it as a potential threat to national security

Saudi Arabia appears to be following the UAE’s lead. Sources in the kingdom’s Communications and Information Technology Commission tell Reuters it is ordering a suspension of BlackBerry messenger services as well.

Analysts estimate that together the two gulf states have between 500,000 and 1 million Blackberry subscribers. That’s not a huge number–about two percent of RIM’s subscriber base– but it’s large enough that the company will almost certainly work out an agreement before the bans go into effect.

For years, there have been software programs and Web sites that try to corral portions of this information. Some of these digital products offer to organize your online IDs and passwords. Others focus on financial, health, or other information.

But a couple of relatively new products aim to digitally collect your important data in all these categories in one easy-to-access place: either on your computer or on the Web. One is Orggit, launched last fall by a Chicago-based company called Morgan Street Document Systems. The other is InformationSafe, launched in January by New York company Ascend Partnerships.

Orggit, available at orggit.com, costs $50 a year. InformationSafe, available at infosafe.com, is $50 for a desktop version or $50 a year for a Web version. A backup service for the desktop version of InformationSafe is $30 a year.

I’ve been testing both, and found each fairly easy to use and potentially very valuable, especially as your life gets more complicated. It’s a real bonus to be able to find everything in one place, even scanned paper documents. Both products work on either Windows PCs or Macs.

They also share some important downsides. As you might expect, they are only effective if you take the time and effort to enter all your information, from passwords to credit-card information to all the medications you take, and more. That can be a chore, even though both products try to make it easier with predefined templates for each type of data.

Another downside: security. Anything stored digitally, especially online, is vulnerable to criminal hackers. Both products offer multiple log-in plans, not just passwords but things like photos or important dates in your life that you must identify. Both also use a tough form of encryption typically favored by the government and banks. But there are no guarantees.

On this issue, InformationSafe has the edge. While it offers a Web-based version, it also comes in a version that exists only on your local computer, or on a removable drive. The company says this local version is chosen by 80% of its users. Orggit is purely Web-based, and can be accessed from any computer or from Orggit’s nicely designed free iPhone app.

InformationSafe’s desktop version is less convenient, because it can’t be accessed remotely. But it’s more secure. Still, even data stored only on a local computer or drive can be compromised by a determined hacker who targets it when the machine is online, or if it is lost or stolen and falls into the wrong hands.

Orggit’s iPhone app

You could use InformationSafe on a PC that you never connect to the Internet, but you’d be unable to use the company’s optional backup service and could lose everything if the hard disk fails, unless you faithfully back it up locally.

Each product is divided into logical sections, such as finance, health, insurance, passwords, and so forth. Orggit has a simpler layout, with colorful icons and a quicker, easier way to download reports on what’s in your wallet and on your health data. InformationSafe has many more canned templates, but you can enter almost anything into Orggit as well.

Each allows you to type in your information using the templates, or to upload digital or scanned documents, such as a living will or the image of a driver’s license. Each also allows you to type notes on everything you store.

Orggit has a special health feature InformationSafe lacks. Once you sign up, you get a physical wallet card with a toll-free number that can be called by emergency or medical personnel to gain access to your vital medical information. This phone number also is displayed in the iPhone app.

Also, Orggit allows you to store separate sets of information for up to 10 family members or other people, who can share some or all of their information with each other. InformationSafe allows the entry of information about other people, but it is basically designed for a single user; and sharing, while possible, is more limited.

InformationSafe has a more staid look and feel, but it isn’t hard to navigate. However, its local and Web versions aren’t connected, are purchased separately and don’t synchronize with each other even if you have both.

You can get Web backup of the local version for a fee, but this backup isn’t visible from the Web. The company says it is working on this feature.

If you’re comfortable with digital storage, these two products offer an effective way to organize the details of your life.

Find all of Walt Mossberg’s columns and videos online, free of charge, at the All Things Digital Web site, walt.allthingsd.com. Email him at mossberg@wsj.com.

]]> http://allthingsd.com/20100512/gathering-vitals-of-your-so-called-scattered-life/feed/ 0 http://allthingsd.com/20100507/nokia%e2%80%99s-new-focus-is-mobile-services-sure-its-note-lawsuits-against-apple/ http://allthingsd.com/20100507/nokia%e2%80%99s-new-focus-is-mobile-services-sure-its-note-lawsuits-against-apple/#comments Fri, 07 May 2010 15:42:06 +0000 John Paczkowski http://digitaldaily.allthingsd.com/?p=40051 Nokia might not be able mount a reasonable challenge to Apple in the smartphone market, but it can certainly mount one in court. The company escalated its legal battle with the iPhone maker this morning, lodging a fourth patent-infringement complaint against it.

Filed in Federal District Court in the Western District of Wisconsin, the suit alleges that Apple’s (AAPL) iPhone and iPad 3G infringe on five Nokia (NOK) patents related to enhanced speech and data transmission, the use of positioning data in applications, and innovations in antenna configurations.

“Nokia has been the leading developer of many key technologies in mobile devices,” said Paul Melin, general manager, Patent Licensing at Nokia. “We have taken this step to protect the results of our pioneering development and to put an end to continued unlawful use of Nokia’s innovation.”

Nokia first sued Apple in October 2009, claiming the iPhone violated 10 of its patents covering various wireless data, speech coding, security and encryption technologies.

Then, in December, Nokia filed a complaint with the U.S. International Trade Commission alleging that Apple infringes its patents “in virtually all of its mobile phones, portable music players and computers.”

Shortly thereafter, the company sued Apple in U.S. District Court in Delaware, making similar allegations.

Apple declined comment, but counterclaims Apple filed against Nokia last December offer a bit of insight into what its thinking on the matter might be.

In 2007, Apple introduced the iPhone a ground-breaking device that allowed users access to the functionality of the already popular iPod on a revolutionary mobile phone and Internet device. The iPhone is a converged device that allows users to access and ever expanding set of software features to take and send pictures, play music, play games do research, serve as a GPS device and much more….The iPhone platform has caused a revolutionary change in the mobile phone category.

In contrast, Nokia made a different business decision and remained focused on traditional mobile wireless handsets with conventional user interfaces. As a result, Nokia has rapidly lost share in the market for high-end mobile phones. Nokia has admitted that, as a result of the iPhone launch, “the market changed suddenly and [Nokia was] not fast enough changing with it.

In response, Nokia chose to copy the iPhone, especially its enormously popular and patented design and user interface….

As Anssi Vanjoki, Nokia’s executive Vice President and General Manager of Multimedia, stated at Nokia’s GoPlay event in 2007 when asked about the similarities of Nokia’s new offerings to the already released iPhone: “[i]f there is something good in the world, we copy with pride.” True to this quote, Nokia has demonstrated its willingness to copy Apple’s iPhone ideas as well as Apple’s basic computing technologies, all while demanding Apple pay for access to Nokia’s purported standards essential patent. Apple seeks redress for this behavior.

Five dollars and a dusty old Nokia 1100 says this thing settles out of court.

]]> http://allthingsd.com/20100507/nokia%e2%80%99s-new-focus-is-mobile-services-sure-its-note-lawsuits-against-apple/feed/ 0 http://allthingsd.com/20100127/premium-buys-encryption-for-evernote/ http://allthingsd.com/20100127/premium-buys-encryption-for-evernote/#comments Wed, 27 Jan 2010 23:06:06 +0000 Walter S. Mossberg http://mailbox.allthingsd.com/?p=546 Your review of the Evernote notes-storage service last week made it sound tempting. But do they encrypt my notes on their servers so a hacker can’t steal them? And what happens to my notes if they go out of business?

A: Evernote isn’t a purely cloud-based (Internet-based) system. It does store your notes on its servers, for Web access, but it also exists as a synchronized local application on Windows, Mac and every major smart phone. So your notes are stored locally on the hard disks of your various computers. Local storage is available on the iPhone app, and the company says it plans to add local storage to Android phones soon. Thus, even if the company went out of business, the notes on your Mac or PC or iPhone would be safe.

Evernote says it doesn’t encrypt data on its servers because it indexes all your notes for quick searching, and performs image recognition on photo notes, and it claims encryption would prevent that. Your user name and password, however, are always encrypted in transit, according to the company, and passwords aren’t stored on its servers—even if you have a free account. For premium users ($5 a month or $45 a year) all of the data, not just user names and passwords, are encrypted.

Also, the service allows users to encrypt all, or any part, of any note, and the company says it doesn’t receive the key to decrypt this material. The only part of a wholly encrypted note that the company would hold on its server would be its title and tags, if any.

I’m looking for a lightweight laptop, ideally under five pounds and with long-lasting battery life. I’m confused by all the models. Can you help me to narrow it down to a handful?

A: Unless you are looking for a tiny netbook, I suggest you consider a couple of options. One is a new category of Windows laptops variously called things like “ultrathin” and “thin and light.” All are well under five pounds in weight and many have good battery life. I reviewed three of these laptops—models from Toshiba, Hewlett-Packard (HPQ) and Lenovo—back in November, and you can read the column at http://bit.ly/m3JQn.

The second option worth considering is a Mac, which I believe has superior software and security, albeit at a higher price. Apple’s (AAPL) MacBook and 13″ MacBook Pro, while heavier than this new batch of Windows machines, weigh slightly under five pounds and have strong battery life. My review of the latest MacBook, from October, is available at http://bit.ly/7brVJk.

You can find Mossberg’s Mailbox, and my other columns, for free at the All Things Digital site, http://walt.allthingsd.com.

]]> http://allthingsd.com/20100127/premium-buys-encryption-for-evernote/feed/ 2 http://allthingsd.com/20091022/nokia-sues-apple/ http://allthingsd.com/20091022/nokia-sues-apple/#comments Thu, 22 Oct 2009 17:06:35 +0000 John Paczkowski http://digitaldaily.allthingsd.com/?p=27260 If you can’t beat ’em, sue ’em. That seems to be the thinking at Nokia.

Today, the Finnish cellphone giant, which has been struggling to develop a worthy competitor to the iPhone, filed suit against Apple, claiming the popular smart phone infringes upon a number of Nokia patents.

Specifically at issue here: 10 patents covering various wireless data, speech coding, security and encryption technologies. Nokia claims that every iPhone model shipped since 2007 has violated them.

“The basic principle in the mobile industry is that those companies who contribute in technology development to establish standards create intellectual property, which others then need to compensate for,” said Ilkka Rahnasto, vice president of legal & intellectual property at Nokia (NOK). “Apple is also expected to follow this principle. By refusing to agree appropriate terms for Nokia’s intellectual property, Apple is attempting to get a free ride on the back of Nokia’s innovation.”

To that point, Nokia says it has entered into license agreements with about 40 companies for these patents. Only Apple (AAPL) has refused. The obvious endgame here, then, is to force the iPhone maker to change its mind.

“We believe that Nokia is not seeking an injunction; rather, we believe that the company has been in talks with Apple concerning a patent royalty payment for over a year,” Piper Jaffray analyst Gene Munster said in a bulletin to clients. “With today’s announcement, it appears that the companies have not come to a resolution and Nokia is attempting to hasten the process. Nokia is likely looking to obtain a patent royalty of 1-2 percent ($6 to $12) on every iPhone sold in compensation for its IPs concerning GSM, 3G and WiFi technologies on mobile devices.”

Interesting that news of the suit comes just days after Apple announced its most successful financial quarter ever at a time when Nokia is posting nasty losses.

I’ve asked Apple for comment and will update here if I’m offered one.

]]> http://allthingsd.com/20091022/nokia-sues-apple/feed/ 2 http://allthingsd.com/20091014/grammy-judges-vet-nominees-online/ http://allthingsd.com/20091014/grammy-judges-vet-nominees-online/#comments Wed, 14 Oct 2009 21:35:25 +0000 Marisa Taylor http://voices.allthingsd.com/?p=16599 Grammy judges will be listening to the upcoming award nominees online, thanks to a partnership with Yangaroo, a Canadian media-distribution start-up.

The company’s technology encrypts music files with a watermark and lets record labels share them securely with radio stations and other destinations. The watermark allows Yangaroo to identify each person who has downloaded a track, so if a song is leaked, it can trace its origin.

Cliff Hunt, Yangaroo’s operating chief, used to work in music production and management but helped to start the company in 2004 after seeing a presentation about Biopassword. The biomarker system, now called AdmitOne Security, identifies a person’s unique typing rhythm. Mr. Hunt acquired the rights to use it for music and advertising.

Read the rest of this post on the original site

]]> http://allthingsd.com/20091014/grammy-judges-vet-nominees-online/feed/ 0 http://allthingsd.com/20070315/securing-a-wireless-network/ http://allthingsd.com/20070315/securing-a-wireless-network/#comments Thu, 15 Mar 2007 00:01:40 +0000 Walter S. Mossberg http://mailbox.allthingsd.com/20060315/securing-a-wireless-network/ There’s no other major item most of us own that is as confusing, unpredictable and unreliable as our personal computers. Everybody has questions about them, and we aim to help.

Here are a few questions about computers I’ve received recently from people like you, and my answers. I have edited and restated the questions a bit, for readability. This week my mailbox contained questions securing a wireless network, adapters that play the music stored on a PC through a stereo and voice-recognition software.

---

Last week you advised readers that, in order to stop people from piggybacking on a wireless network using a Linksys router, they should simply set up a password and keep it private. But don’t they need to enable an “encryption key?”

Yes. Most nontechnical folks would consider an encryption key as a kind of password, and that’s the word I used because I always try to write my columns in plain, conversational English. In this case, however, my use of the term may have caused confusion, because there are, in effect, two kinds of passwords on Linksys routers and most other brands of routers. One just prevents strangers from changing the router’s settings. The other — the one to which I was referring — is required to actually access the wireless network. That’s the one that’s technically called a “key.”

To enable the encryption key, use the router’s setup software to turn on security. On newer models, the strongest security system is called WPA, and on older models, it’s called WEP. Once it’s enabled, only people who know the key can get onto your network. There are further steps you can take, like hiding your network’s name (called an SSID) from others, or even restricting access to the network to specific computers with specific identification codes (called MAC addresses, a term that has nothing to do with Apple’s brand of computers.)

For more details, go to Linksys.com, select “Learning Center” at the top of the page, and click on “Network Security” from the menu that appears. And then click on the link called “How to Secure Your Network.”

Is there a stereo that I can buy that can wirelessly connect to my computer and play the same music I play with Apple’s iTunes on that computer?

Yes. If you literally mean a stereo, rather than an adapter for a stereo, the best I know of is called Sonos ZonePlayer 100. It involves a module you connect to your computer that links wirelessly to stereo units with built-in amps in remote rooms of your house. It has a beautiful remote control with a color screen and many other great features.

But it’s expensive — about $1,200 for the starter package, without speakers — and can’t play copy-protected music you buy from iTunes, only music you import from your CDs or other unprotected files. Information is at sonos.com. For much less money, you can also buy adapters that can play the music on a PC, or an iPod, through an existing stereo.

I have been keeping a journal or diary. It is hand written but I would like to make the journal more readable by others. Is there voice-recognition software that you would recommend, so I can dictate the entries?

It has been years since I reviewed voice-recognition software, but Dragon Naturally Speaking, a Windows program, works well. For more information, see nuance.com. And Microsoft’s new Vista operating system has a decent built-in voice recognition system. If you are using a Macintosh, one widely known speech-recognition program is called iListen, but I haven’t tested it. Information is at macspeech.com.

* * *

Because of the volume of e-mail I receive, I can’t routinely answer individual questions by e-mail, or consult on individual problems or purchasing decisions. I read all questions I receive and select three each week to answer in the column.

• Write to Walter S. Mossberg at mossberg@wsj.com

]]> http://allthingsd.com/20070315/securing-a-wireless-network/feed/ 0