Google just added a new method to their two-step verification security layer implementation, allowing users to merely tap “OK” from within the Google app on their mobile phones to authorize a login:

We know that security is one of your top concerns as a Google Apps admin and that many of you require your employees to turn on 2-Step Verification (2SV) to keep their accounts safe. There are multiple ways your end users can approve sign-in requests via 2SV—by tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone.

Your employees can now choose any of these options in the Sign-in & Security > Signing in to Google > 2-Step Verification section of My Account. The Help Center will be updated with detailed instructions soon; check back here for links to the relevant articles.

The only rather obvious requirement is that the phone must have a data connection to receive the approval notification. This is a smart alternative to SMS-based two-step verification, because the SMS messages themselves can be surveilled, redirected, or stolen in transit.

The Obama administration’s ostensible war against Apple and Google providing device encryption on by default has gotten uglier with the prospect that the companies could potentially be held liable for providing material support to terrorists (emphasis added):

Benjamin Wittes, editor-in-chief of the LawFare blog, suggested that Apple could in fact face that liability if it continued to provide encryption services to a suspected terrorist. He noted that the post was in response to an idea raised by Sen. Sheldon Whitehouse, D-R.I., in a hearing earlier this month.

“In the facts we considered,” wrote Wittes and his co-author, Harvard law student Zoe Bedell, “a court might — believe it or not — consider Apple as having violated the criminal prohibition against material support for terrorism.”

FBI Director James Comey and others have said that end-to-end encryption makes law enforcement harder because service providers don’t have access to the actual communications, and therefore cannot turn them over when served with a warrant.

Wittes and Bedell argue that Apple’s decision to “move aggressively to implement end-to-end encrypted systems, and indeed to boast about them” after being “publicly and repeatedly warned by law enforcement at the very highest levels that ISIS is recruiting Americans” — in part through the use of encrypted messaging apps — could make the company liable if “an ISIS recruit uses exactly this pattern to kill some Americans.”

The blog compares Apple’s actions to a bank sending money to a charity supporting Hamas — knowing that it was a listed foreign terrorist organization.

“The question ultimately turns on whether Apple’s conduct in providing encryption services could, under any circumstances, be construed as material support,” Wittes and Bedell write. The answer, they say, “may be unnerving to executives at Apple.”

In cyber security business news, CrowdStrike has received a $100M investment from Google Capital along with an investment from Rackspace and a few other partners for a total of $156M in Series C funding:

Cybersecurity company CrowdStrike announced the completion of a $100 million Series C funding round yesterday (July 13), led by Google Capital. Rackspace also participated in the round, along with existing investors Accel and Warburg Pincus, bringing the company’s total funding raised to $156 million.

CrowdStrike specializes in offering a Software-as-a-Service (SaaS) based endpoint protection platform, which allows organizations to detect, prevent and respond to attacks at any stage.

“It’s extremely gratifying to bring in a high-caliber investor like Google Capital which shares our passion for innovation and sees the opportunity to completely transform the security industry,” said George Kurtz, CrowdStrike’s co-founder and CEO, in a company release.

“As we continue to experience hyper-growth, this capital injection will help us firmly establish our SaaS-based endpoint protection platform as the leading solution to address today’s sophisticated attacks and will allow CrowdStrike to further accelerate our domestic and international expansion,” Kurtz added.

With the diminishing success of traditional antivirus and malware security approaches, CrowdStrike sets itself apart by focusing on endpoint protection as the primary way to curb cyber attacks, the company statement explained.

According to CrowdStrike, global deployments of its Falcon platform have fueled the growth of its total billings and employees, which have tripled year-over-year, while also increasing its customer base.

Traditional anti-virus on the desktop is not dead; it is useful to a certain extent but endpoints, like networks, require a layered defense-in-depth posture. Couple anti-virus with a host-intrusion prevention system, application whitelisting, and a desktop-oriented sandboxing technology and you have a recipe for success.

An obviously clueless Japanese judge orders Google to delete links to a man’s previous under-age sexual solicitation arrests from the search engine in an attempt to hide his embarrassing past from the world:

In 2012, the man was arrested for paying a girl under the age of 18 for sexual favors. He was charged with violating child prostitution laws and fined 500,000 yen. However, his name and news reports regarding the arrest still come up in Google searches.

Claiming that this was an infringement upon his personal rights, the man petitioned to have the information deleted from the search engine. His lawyer told the court his client had been rehabilitated and that it was difficult to get on with his life as long as his arrest record remains online.

In handing down the ruling, the presiding judge said such relatively minor crimes do not hold any particular significance to the public and therefore continuing to display such information three years after the incident does not have much merit for society at large.

Someone needs to learn how Google and the internets work. Deleting links from Google’s search engine will not make the stories go away nor will it make them more difficult to find. In fact, this ruling will likely shed more light on his asshattery.

As an aside, I find it quite interesting how the presiding judge considers underage sexual solicitation to have been a “relatively minor crime” considering how damaging it likely will be to her for the rest of her life. Unbelievably out of touch.

Welcome to the Streisand Effect.

re/code on famed security researcher Mudge – aka Peiter Zatko – leaving Google to join US government service to help automate software security assurance:

Peiter Zatko, a respected computer security researcher better known by the nickname Mudge, says he’s leaving his job at Google to explore ways to help U.S. government make software more secure.

Zatko announced the move on Twitter.

An Obama Administration official tells Re/code that recent advances in using automated methods to analyze software code for vulnerabilities have spurred interest in government circles to see if there’s a way to standardize how software is tested for security and safety. “The Administration has had some discussions about the potential pros and cons of such a system and how it might be implemented,” the official said. The administration is interested in supporting a feasibility study to determine if such techniques could work, the official said, but stressed that no plans have been finalized.

A former researcher with DARPA, the research arm of the U.S. Department of Defense, he joined Google along with fellow DARPA alum Regina Dugan to work on security research at the search giant’s Advanced Technologies and Projects Group.

This appears to be a big win for the US government, which is in bad shape lately and in need of brighter minds to help it close the many remaining open gaps.

Intercept on how the DoJ gagged Google over surveillance of a WikiLeaks volunteer’s Gmail account and the tough legal battle that ensued (emphasis added):

The Justice Department argued in the case that Appelbaum had “no reasonable expectation of privacy” over his email records under the Fourth Amendment, which protects against unreasonable searches and seizures. Rather than seeking a search warrant that would require it to show probable cause that he had committed a crime, the government instead sought and received an order to obtain the data under a lesser standard, requiring only “reasonable grounds” to believe that the records were “relevant and material” to an ongoing criminal investigation.

Google repeatedly attempted to challenge the demand, and wanted to immediately notify Appelbaum that his records were being sought so he could have an opportunity to launch his own legal defense. Attorneys for the tech giant argued in a series of court filings that the government’s case raised “serious First Amendment concerns.” They noted that Appelbaum’s records “may implicate journalistic and academic freedom” because they could “reveal confidential sources or information about WikiLeaks’ purported journalistic or academic activities.”

However, the Justice Department asserted that “journalists have no special privilege to resist compelled disclosure of their records, absent evidence that the government is acting in bad faith,” and refused to concede Appelbaum was in fact a journalist. It claimed it had acted in “good faith throughout this criminal investigation, and there is no evidence that either the investigation or the order is intended to harass the … subscriber or anyone else.”

Google’s attempts to fight the surveillance gag order angered the government, with the Justice Department stating that the company’s “resistance to providing the records” had “frustrated the government’s ability to efficiently conduct a lawful criminal investigation.”

So the United States Department of Justice’s position is if a company fights back against a request for user data rather than just handing it over haplessly, they consider that act to frustrate their ability to efficiently conduct a lawful criminal investigation?

Privacy Online News on creepy ass Google Chrome secretly installing audio listening software and transmitting audio data back to Google:

This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.

Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.

Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places.

It seems like almost weekly we read a new story about how much creepier and more invasive Google is becoming, for the noble goal of helping us get the results we need so we can work smarter, quicker, and easier.

The question remaining is this: is this privacy invasion trade-off worthwhile in the long run?