TIME Security

Former TSA Head: ‘We Should Take the Germanwings Tragedy as a Warning’

People stand in front of candles and flowers placed in front of the Joseph-Koenig-Gymnasium in Haltern, Germany, March 24, 2015.
Imago/Zumapress People stand in front of candles and flowers placed in front of the Joseph-Koenig-Gymnasium in Haltern, Germany, March 24, 2015.

Kip Hawley is the former administrator of the TSA and the author of "Permanent Emergency: Inside the TSA and the Fight for the Future of American Security."

What do we do against an enemy whose intent remains invisible until it's too late?

Finding meaning or solace in the Germanwings tragedy may prove elusive. We should, however, use this horrifying moment to reflect on whether there are lessons here that could enable us to make corrections in our security strategy. I think that there are at least three points highlighted by this tragedy that are worthy of consideration:

  1. Detecting evil intent before the evil action begins is extremely difficult
  2. Counter-measures designed to stop an attack in progress are less effective than those aimed at disrupting a plot before it is operational
  3. Independent, overlapping layers of security are essential in stopping attacks from unexpected directions

It is not clear yet where the Germanwings crash fits in the taxonomy of “safety” versus “security” incidents; the pilot’s motives are simply not known. But we can imagine the same scenario — one person at the controls, locking everyone else out — playing out with a terrorist in the cockpit and a major city as the crash site. The “safety” mitigation measures here are robust and long-standing. Pilots are carefully vetted and assessed by civil aviation authorities, their airlines, and co-workers. In this case, that was not enough. The “security” measures didn’t do any better in stopping this incident, as the reinforced cockpit door, of the type adopted after 9/11, worked as an unintended hindrance.

Obviously, we all want to trust our pilots; and, of course, in the vast majority of circumstances we can. But we also know that is exactly those “trusted” nodes in our security systems that make us most vulnerable when they don’t act the way we expect them to. The Germanwings tragedy puts this fact directly in front of us.

It is not enough to scale-up background checks to combat insider threats. Pre-9/11 security clearances and law enforcement checks were heavily based on the idea of prior performance predicting future activity. Today’s terrorist or mass murderer knows full well that we still hold to that premise. We can pretty much assume that attacks today will be delivered by people who can and have passed background checks. We do not understand ahead of time what drives people to commit acts of mass violence or terrorism, therefore we cannot isolate the traits that reliably predict them.

What do we do against an enemy whose intent remains invisible until it’s too late? Layers of security that act independently from each other are where we need to concentrate. We must continue our investment in intelligence and all the systems that work together ahead of time that might highlight an anomaly — whether it be psychological screening of pilots and crew or behavioral detection at the airport and on the plane. Teamwork among employees, companies, families, authorities, and passengers is the key. The answers involve people, not more hardware or technology.

One layer of security now under pressure at home is the Federal Air Marshal (FAM) program. Misbehavior by some in the FAM program and a buzz about various personnel grievances do not take away from the fact that FAMs represent the most effective and flexible weapon in TSA’s toolkit. If the equivalent of a FAM team was aboard the Germanwings plane, would the result have been different? Maybe. The point is that FAMs, working undercover in airports, boarding areas, and on flights provide a layer of security that is unmatched as far as stopping unexpected attacks while they are unfolding. VIPR teams, where FAMs are very visible, operate thousands of missions a year throughout the transportation system — again, disrupting a planner who thinks that any part of the network is uncovered. Fix the program, but let’s stop talking about diminishing the role of Federal Air Marshals.

Our security risk environment is at an all-time high. Just because the Germanwings tragedy may not be a classic “terrorist” attack, we should not dismiss it when it comes to evaluating our security framework. We can, and should, take it as a warning and heed its lessons.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME Security

Former NTSB Chairman: ‘We Need Cameras in the Cockpit’

A helicopter flies overhead as rescue workers work at the crash site of Germanwings passenger plane near Seyne-les-Alpes, France, on March 26, 2015.
Laurent Cipriani–AP A helicopter flies overhead as rescue workers work at the crash site of Germanwings passenger plane near Seyne-les-Alpes, France, on March 26, 2015.

Jim Hall is a former chairman of the National Transportation Safety Board.

We need cameras in the cockpit—and two crew members at all times

The tragic crash of Germanwings Flight 9525 has left the world in mourning. The 150 victims hailed from 18 different countries, including the United States. Right now, the families of the deceased and those investigating the accident are urgently trying to figure out what went wrong. One portion of the crucial black boxes, the cockpit voice recorder, though badly damaged, has been recovered and apparently reveals that the co-pilot was responsible for intentionally crashing the aircraft.

Due to the rugged and inaccessible terrain of the crash site and the high speed of impact, investigators are having a difficult time finding the flight data recorder. Unlike crashes over water, when an aircraft crashes over land, the pingers attached to the black box do not assist in locating the device. These black boxes will have to be recovered by rummaging through the wreckage on site.

When investigators do find the flight data recorder, essential details of Germanwings 9525 descent will be available, and a full picture of the crash will be drawn. But because this appears to be an intentional act, we will never truly understand the motive of the co-pilot. There is no black box for the mind.

During my time as chairman of the National Transportation Safety Board, I led multiple investigations into commercial airliners being intentionally flown into the ground. This history of pilots committing suicide by crashing their planes dates back to the Japanese kamikaze pilots in World War II and continues to this day with the crashes of Mozambique Airlines Flight 470 in 2013, EgyptAir Flight 990 in 1999, and SilkAir Flight 185 in 1997. While checking on the emotional state of pilots is imperfect, it does occur. Pilots are screened during the hiring process: The Transportation Security Administration checks applicants’ backgrounds against terror watch-lists. Pilots are asked to disclose suicide attempts or any other psychological problems during their Federal Aviation Administration-mandated yearly physical exams. The FAA also asks doctors to form a general impression of the pilots’ emotional states. But it can be difficult to diagnose and identify emotional problems, especially if a pilot is not forthcoming.

There are two simple solutions to the problem of unstable pilots. The first is a recommendation made by the NTSB 15 years ago and renewed in January: Require cameras in the cockpit. Currently, the cockpit voice recorder allows investigators to listen to the cockpit. But without video, they cannot fully understand the actions of the pilots or make safety enhancements to prevent similar events from occurring in the future.

The second solution is to require at least two crew members in the cockpit at all times. During the crashes of the Mozambique Airlines, EgyptAir, and SilkAir flight, co-pilots compromised the aircraft while their partners left the cockpit, deliberately crashing the aircrafts and leaving hundreds dead. We still do not know what happened to Malaysia Airlines Flight 370, and an intentional crash is possible in that case, as well. In the U.S., standard policy is that a flight attendant enters the cockpit if a pilot steps out. If two members of the flight crew were present in the cockpit, it is possible these tragedies, as well as Germanwings Flight 9525, could have been prevented.

Flying is an extraordinarily safe form of transportation. The United States government and the aviation community have done an extraordinary job of ensuring the safety of the flying public. But the safety of flying is constantly evolving and can always be improved. The Germanwings tragedy manifests a loophole in safety procedures and must be rectified by requiring cameras and two members of the flight crew in the cockpit.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.


You’ll Be Freaked Out to Learn How Often Your Apps Share Your Location

using smartphone at night

Most of us are unaware of just how much location sharing is going on with our smartphones.

Even for researchers experienced at examining technology that might be invasive, this warning was alarming: “Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.”

The warning was sent to a subject as scientists at Carnegie Mellon University were studying the impact of telling consumers how often their mobile phones shared their location and other personal data. Software was installed on users’ phones to better inform them of the data being sent out from their gadgets, and to offer a “privacy nudge” to see how consumers reacted. Here’s how one anonymous subject responded when informed a phone shared data 4,182 times:

“Are you kidding me?… It felt like I’m being followed by my own phone. It was scary. That number is too high.”

Mobile phone users are told about the kinds of things that might be shared when they install apps on their phones, but they have a tendency to “set and forget” the options. That means a single privacy choices, usually made in haste when clicking “install,” governs thousands of subsequent privacy transactions.

“The vast majority of people have no clue about what’s going on,” said Norman Sadeh, a professor in the School of Computer Science’s Institute for Software Research, who helped conduct the study.

But when consumers are reminded about the consequences of choices they make, “they rapidly act to limit further sharing,” the researchers found.

The study covered three weeks. During week one, app behavior data was merely collected. In week two, users were given access to permissions manager software called AppOps. In week three, they got the daily “privacy nudges” detailing the frequency at which their sensitive information was accessed by their apps.

Researchers found that the privacy managing software helped. When the participants were given access to AppOps, they collectively reviewed their app permissions 51 times and restricted 272 permissions on 76 distinct apps. Only one participant failed to review permissions. The “set and forget” mentality continued, however. Once the participants had set their preferences over the first few days, they stopped making changes.

But privacy reminders helped even more. During the third week, users went back and reviewed permissions 69 times, blocking 122 additional permissions on 47 apps.

Nudges Lead to Action

“The fact that users respond to privacy nudges indicate that they really care about privacy, but were just unaware of how much information was being collected about them,” Sadeh said. “App permission managers are better than nothing, but by themselves they aren’t sufficient … Privacy nudges can play an important role in increasing awareness and in motivating people to review and adjust their privacy settings.”

Of course, it’s hard to say if the research participants would have kept futzing with their privacy settings, even inspired by nudges, as time wore on. Sadeh suspected they would not: Privacy choices tend to wear people down. Given the new types and growing numbers of apps now in circulation, “even the most diligent smartphone user is likely to be overwhelmed by the choices for privacy controls,” the study’s authors said.

The findings will be presented at the Conference on Human Factors in Computing Systems in Seoul, South Korea, next month. The research is supported by the National Science Foundation, Google, Samsung and the King Abdulaziz City for Science and Technology.

For now, what can smartphone users do to better protect themselves? It’s not easy. For example: A study by IBM earlier this year found that roughly two-thirds of dating apps were vulnerable to exploitation, and in many cases, would give attackers location information. The AppOps software used in the Carnegie Mellon study used to be available to Android users, but was pulled by Google in 2013. The firm said the experimental add-on to the Android operating system had a tendency to break apps. So Android users are left to manually review app permissions one at a time — not a bad way to spend time the next time you are waiting for a bus. It’s always a good idea to turn off location sharing unless you know the software really needs it, such as map applications. IPhone users have the benefit of privacy manager software, but it doesn’t offer great detail on how data is used, and it doesn’t offer privacy nudges or any other kinds of reminders. A manual review is best for iPhone users, too.

More from Credit.com

This article originally appeared on Credit.com.

TIME Crime

Letter Sent to White House Tests Tentatively Positive for Cyanide

The envelope has tentatively tested positive for cyanide

(WASHINGTON) — An envelope addressed to the White House has tentatively tested positive for cyanide after two rounds of analysis, the Secret Service said Tuesday. Additional testing will be necessary to confirm the finding.

The letter was received Monday at a facility that screens mail for the White House and is located away from the grounds of the executive mansion and its surrounding buildings in the heart of downtown Washington.

Initial biological testing came back negative, said agency spokesman Robert Hoback.

Additional testing conducted Tuesday returned a “presumptive positive” for cyanide.

The sample has been taken to another facility for further testing.

The Secret Service, which is responsible for the safety and security of President Barack Obama and his immediate family, said its investigation into the letter was continuing and it will have no additional comment on the matter.

Suspicious letters often are sent to some of the country’s leading politicians, including the president. Some test positive for hazardous substances while others include threats of death or other physical harm.

In June 2013, a West Virginia man was indicted on charges of threatening to kill Obama and his family in a letter that included profanity and racial slurs. A federal judge later dismissed the charges after forensic handwriting analysis conducted by the Secret Service showed that 20-year-old Ryan Kirker, of McMechen, West Virginia, didn’t write the letter.

Two months earlier, letters sent to Obama, Sen. Roger Wicker, R-Miss., and Mississippi judge Sadie Holland tested positive for the poison ricin. The letters addressed to the president and to the senator were intercepted before delivery, but one letter reached Holland. She was unharmed.

James Everett Dutschke of Tupelo, Mississippi, pleaded guilty in January 2014 to sending the letters and was sentenced to 25 years in prison.

The Intercept website, which first reported on Monday’s letter to the White House, said it bore the return address of a man who has sent multiple packages to the executive mansion since 1995, including one that was covered in urine and feces and another that contained miniature bottles of alcohol.

MONEY Security

Why Your Smile Might Be Your Next Password

Online services and tech manufacturers are turning to biometrics for verification. You can use your hands, face — even your voice — to log in.

MONEY identity theft

Yahoo Gets Rid of Passwords

Yahoo! screen on mobile phone
Anatolii Babii—Alamy

The tech giant offers a new way to sign into your email account.

If you use Yahoo, you can quit trying to remember your password or having to change it every time a company you do business with is hacked.

The tech company on Sunday announced that it is now offering “on-demand” email passwords that will be sent to you via your cellphone.

The process is similar to “two-step verification” security models already used by other businesses, which requires you to enter a fixed password first, followed by another code sent to you by the company via text message. Yahoo’s system skips that whole first step.

At its unveiling Sunday at the South by Southwest festival in Austin, company vice president Dylan Casey called this “the first step to eliminating passwords,” and said he doesn’t think the industry “has done a good enough job of putting ourselves in the shoes of the people using our products,” according to a report by the Guardian.

The company also released a blog post detailing exactly how to sign up for the optional service, which is currently available only in the United States.

Learn more about why to set up two-factor authentication and how to protect your online money accounts here. And until you do, use this handy chart to create a harder-to-crack password that you can still remember.

Screen Shot 2014-08-06 at 10.06.24 AM
TIME Innovation

Five Best Ideas of the Day: March 13

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

1. Amid the rancor and theatrics in Washington, it’s easy to forget how remarkable it is that the U.S. and Iran are talking at all.

By George Perkovich at the Carnegie Endowment for International Peace

2. A critical step in drug research is understanding the impact on the heart. That’s why bioengineers built a beating heart on a silicone chip.

By Sarah Yang at the University of California at Berkeley

3. Americans are quitting their way to a stronger economy.

By Aaron Nathans in the Daily Economy

4. Just because we’re able to edit the DNA of tomorrow’s children, does that mean we should?

By Antonio Regalado in MIT Technology Review

5. America has its own ion collider, and its funding is in danger.

By Natalie Walchover in Quanta

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.


How to Email Like Hillary Clinton

Hillary Clinton
Adam Berry—Getty Images Hillary Rodham Clinton, former United States Secretary of State, U.S. Senator, and First Lady of the United States, speaks during the presentation of the German translation of her book 'Hard Choices' ('Entscheidungen' in German) at the Staatsoper in the Schiller Theater on July 6, 2014 in Berlin, Germany.

Many people have at least two email addresses: There’s the one you get for work, then there’s the one you use for personal business. And you might even have one to give all the companies who will send you junk mail until the world ends.

But these accounts don’t physically exist in your office, home, or city dump, respectively. They’re typically off someplace in the cloud — unless, like former Secretary of State Hillary Clinton, you decide to host your own email service in your home. While heading up Foggy Bottom, the potential presidential hopeful exclusively used an email server registered to her home in Chappaqua, New York, according to the Associated Press and New York Times.

The situation has quickly became problematic for Clinton. Public officials are supposed to be archiving their correspondence under open records rules, so the revelations have raised questions over why Clinton opted to use a private email setup rather than the State Department’s service.

While Clinton’s move to use a private email solution might seem like an unusual choice, it’s technologically easy enough for most people to set one up — check out this explainer from Ars Technica for the wonky details. But few people bother with a private email server. Why not?

“The big caveat is that you must know what you’re doing in terms of setting it up securely, and that’s a fairly difficult, non-trivial problem for most people,” says Katie Moussouris, chief policy officer for San Francisco-based HackerOne, a company that works with friendly hackers to help organizations like Yahoo, Twitter, and even government agencies detect vulnerabilities in their own technology.


An outgoing email generally follows this route: It’s stored in a server, sent by a client (software ranging from Microsoft Outlook on your computer to the Mail app on your smartphone), and traverses various networks en route to its destination, where it’s received by the recipient’s client and stored by their email server. (And vice versa for incoming email.) Setting up your own email service lets you control the two closest parts of this path — your local server and client. That can help make your data safer, especially if you encrypt the data stored on your server and the messages you send.

But doing all this still means three-fifths of your email’s path runs through areas over which you have no control. In fact, the only way that emails sent to or from Clinton’s account would remain truly secure would be if they went to or came from accounts that were similarly locked down. Then “you would have all of the infrastructure under your direct control,” says Moussouris, who has more than 15 years experience in Internet security and has also worked as a hacker-for-hire.

Despite these security holes, there are still reasons that a person would want to set up their own email service. As that Ars explainer points out, if your email is hosted in the cloud —say, by Gmail — “it’s not yours.” If you control the servers, you own the content — though governmental policies surrounding transparency and police search and seizure rules certainly weigh in here.

But most people aren’t trying to protect sensitive State Department data. Instead, one reason people run their own email services is so they can use their own domain name in their email address. If this was a reason for Clinton, it was a foolhardy one, argues Moussouris. If being a high-value target for hackers is a reason for using an (allegedly) more secure private email service, choosing an domain name like clintonemail.com, as Clinton did, only gave her a higher profile.

“Such an obvious name would make it an interesting target for a hacker,” says Moussouris. “People with that high of a profile, whether it’s a politician, celebrity, or high-level executive, they should already be operating with that in mind.”

Besides, consumer-based services not only allow users to use their own domain name while hosting their emails in the cloud, they also provide end-to-end encryption, ensuring that their messages stay safe while traveling through the web.

But if you still want to email like Hillary Clinton, Moussouris recommends relying on an expert — if you can find one. “Qualified security people are very rare,” she says. And that’s one of the problems with this setup for Clinton.

“I couldn’t imagine a top-notch security person going to work for anyone in Washington, let alone an individual in, essentially, a non-technical function,” Moussouris says. “We have a scarcity of talent in the security industry, and we see this when we try to hire good people all the time.”

As a result, Moussouris assumes whoever set up Clinton’s private email server was a staffer, unless they were very well paid. And if that’s the case, the best way to email like Hillary Clinton is to spend a lot of money.

TIME 2016 Election

Hillary Clinton Ran Email Server Out of New York Home

Clinton is under fire for using a personal email address for official State Department business

(WASHINGTON) — The computer server that transmitted and received Hillary Clinton’s emails — on a private account she used exclusively for official business when she was secretary of state — traced back to an Internet service registered to her family’s home in Chappaqua, New York, according to Internet records reviewed by The Associated Press.

The highly unusual practice of a Cabinet-level official physically running her own email would have given Clinton, the presumptive Democratic presidential candidate, impressive control over limiting access to her message archives. It also would distinguish Clinton’s secretive email practices as far more sophisticated than some politicians, including Mitt Romney and Sarah Palin, who were caught conducting official business using free email services operated by Microsoft Corp. and Yahoo Inc.

Most Internet users rely on professional outside companies, such as Google Inc. or their own employers, for the behind-the-scenes complexities of managing their email communications. Government employees generally use servers run by federal agencies where they work.

In most cases, individuals who operate their own email servers are technical experts or users so concerned about issues of privacy and surveillance they take matters into their own hands.

Clinton has not described her motivation for using a private email account — hdr22@clintonemail.com, which traced back to her own private email server registered under an apparent pseudonym — for official State Department business.

Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.

But homebrew email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems and redundant communications lines.

A spokesman for Clinton did not respond to requests seeking comment from the AP on Tuesday. Clinton ignored the issue during a speech Tuesday night at the 30th anniversary gala of EMILY’s List, which works to elect Democratic women who support abortion rights.

It was unclear whom Clinton hired to set up or maintain her private email server, which the AP traced to a mysterious identity, Eric Hoteham. That name does not appear in public records databases, campaign contribution records or Internet background searches. Hoteham was listed as the customer at Clinton’s $1.7 million home on Old House Lane in Chappaqua in records registering the Internet address for her email server since August 2010.

The Hoteham personality also is associated with a separate email server, presidentclinton.com, and a non-functioning website, wjcoffice.com, all linked to the same residential Internet account as Mrs. Clinton’s email server. The former president’s full name is William Jefferson Clinton.

In November 2012, without explanation, Clinton’s private email account was reconfigured to use Google’s servers as a backup in case her own personal email server failed, according to Internet records. That is significant because Clinton publicly supported Google’s accusations in June 2011 that China’s government had tried to break into the Google mail accounts of senior U.S. government officials. It was one of the first instances of a major American corporation openly accusing a foreign government of hacking.

Then, in July 2013, five months after she resigned as secretary of state, Clinton’s private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top Internet security company.

The New York Times reported Monday that Clinton exclusively used a personal email account it did not specify to conduct State Department business. The disclosure raised questions about whether she took actions to preserve copies of her old work-related emails, as required by the Federal Records Act. A Clinton spokesman, Nick Merrill, told the newspaper that Clinton complied with the letter and spirit of the law because her advisers reviewed tens of thousands of pages of her personal emails to decide which ones to turn over to the State Department after the agency asked for them.

In theory but not in practice, Clinton’s official emails would be accessible to anyone who requested copies under the U.S. Freedom of Information Act. Under the law, citizens and foreigners can compel the government to turn over copies of federal records for zero or little cost. Since Clinton effectively retained control over emails in her private account even after she resigned in 2013, the government would have to negotiate with Clinton to turn over messages it can’t already retrieve from the inboxes of federal employees she emailed.

The AP has waited more than a year under the open records law for the State Department to turn over some emails covering Clinton’s tenure as the nation’s top diplomat, although the agency has never suggested that it didn’t possess all her emails.

Clinton’s private email account surfaced publicly in March 2013 after a convicted Romanian hacker known as Guccifer published emails stolen from former White House adviser Sidney Blumenthal. The Internet domain was registered around the time of her secretary of state nomination.

Rep. Trey Gowdy, R-S.C., chairman of the special House committee investigating the Benghazi attacks, said the committee learned last summer — when agency documents were turned over to the committee — that Clinton had used a private email account while secretary of state. More recently the committee learned that she used private email accounts exclusively and had more than one, Gowdy said.

President Barack Obama signed a bill last year that bans the use of private email accounts by government officials unless they retain copies of messages in their official account or forward copies to their government accounts within 20 days. The bill did not become law until more than one year after Clinton left the State Department.


Associated Press writer Stephen Braun contributed to this report.

TIME Security

Apple, Android Browsers Vulnerable to ‘FREAK Attack’

Apple iPhone 6
Roman Vondrous—AP Apple iPhone 6

Millions of people may have suffered a "FREAK" attack

(SAN FRANCISCO) — Millions of people may have been left vulnerable to hackers while surfing the web on Apple and Google devices, thanks to a newly discovered security flaw known as “FREAK attack.”

There’s no evidence so far that any hackers have exploited the weakness, which companies are now moving to repair. Researchers blame the problem on an old government policy, abandoned over a decade ago, which required U.S. software makers to use weaker security in encryption programs sold overseas due to national security concerns.

Many popular websites and some Internet browsers continued to accept the weaker software, or can be tricked into using it, according to experts at several research institutions who reported their findings Tuesday. They said that could make it easier for hackers to break the encryption that’s supposed to prevent digital eavesdropping when a visitor types sensitive information into a website.

About a third of all encrypted websites were vulnerable as of Tuesday, including sites operated by American Express, Groupon, Kohl’s, Marriott and some government agencies, the researchers said. University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple web browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla.

Apple Inc. and Google Inc. both said Tuesday they have created software updates to fix the “FREAK attack” flaw, which derives its name from an acronym of technical terms. Apple said its fix will be available next week and Google said it has provided an update to device makers and wireless carriers.

A number of commercial website operators are also taking corrective action after being notified privately in recent weeks, said Matthew Green, a computer security researcher at Johns Hopkins University.

But some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned those policies could inadvertently provide access to hackers.

“This was a policy decision made 20 years ago and it’s now coming back to bite us,” said Edward Felten, a professor of computer science and public affairs at Princeton, referring to the old restrictions on exporting encryption code.

Your browser is out of date. Please update your browser at http://update.microsoft.com