Interesting concept, and one that's probably well over due, but I get the feeling it may be a little like implementing DNSSEC or IPv6... Who knows, maybe the Snowden leaks will provide the push necessary to overcome the inertia.

http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-darkmail-alliance-to-thwart-e-mail-spying/

http://www.darkmail.info/

Interesting look at some of the security architecture in the new Mega site

http://fail0verflow.com/blog/2013/megafail.html

I think the key message here is that if you are going to implement cryptographic systems, even standards based ones, you need to understand the limitations of that particular implementation and it's correct uses.

Oh dear. This is just depressing...

If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?

The Toshiba Satellite A30 is an older laptop so was probably running XP rather then the bitlocker-capable Vista or Windows 7, but still.....

The Cloud. These days it seems all-encompassing and unescapable. Perhaps we should have called it 'fog computing' as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has it's merits, a lack of true definition and standards show it's immaturity at present.

But even in world of magical clouds there's a darkside, for with a greater availability in cheap computing power comes the opportunity for shady-types or in this case, researchers, to use the 'power of the cloud' to crack WPA encryption. WPACracker allows you to run a 285 million word dictionary-based attack to crack WPA-PSK and ZIP file encryption. Purely for research purposes of course!

Using Clouds or 'cloud-like' constructs for crime is nothing new, shown by the prevelance of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).

While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....

Apparently 'excellent security' means encrypting authentication information only with the remainder sent in the clear. Are we past the age of better security being basically a good idea or advertised as a lure for customers and it turning into a premium extra charge? I hope not.

(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)

"Criminals are a superstitious cowardly lot" said none other than the caped crusader, Batman. But it seems they're a lazy lot too. The Register has an article on how 'belief that they won't get caught' and laziness has meant that the feared widespread use of cryptography by criminals has not come about.

It was this fear that has lead governments (most notably the US) to float the idea of criminalizing the use of encryption software or requiring the Government hold a key in escrow (such as with the Clipper chip).

A few years go the UK passed a law ("RIPA section 49")requiring suspects to hand over encryption keys when requested or face fines and up to two years jail. They have since charged suspects under it.

A great piece on the controversy of whether encryption is harmful or not is also available here.

Cryptography is a tool and can be used for good or for ill. Personally I don't believe in a system where the Government holds keys in escrow without unprecedented transperancy around who is accessing keys (and why!) and don't believe such a system would ever be workable. Make Cryptography illegal? Well the 'bad guys' are already breaking the law and only law-abiding citizens would be disadvantaged.

Oh, and I'm more than happy for criminals to remain a lazy, overconfident and superstitious cowardly lot!

An interesting article over at the New York Times (original site here) on 'self destructing' messages (self encrypting and throw away the key really).

The researchers at the University of Washington have developed a system to help control how long user data is available 'in the cloud'. Recognising that end users have little control over where their data in the cloud is stored, or even who has access to it, the Vanish system is designed to help the users control how long anyone (themselves included) can access the data.

The system works by encrypting the data with a key distributed in bits throughout a peer-to-peer network.
Now encryption is nothing new, but the difference with Vanish is that neither the sender nor the recipient hold the key in the long term.

While an interesting piece of research with some long term potential, this certainly doesn't eliminate the dangers of storing your data in the cloud.

Just ask twitter who learned the hard way a couple of weeks ago that someone determined (or bored!) enough will find the weakest link and exploit it.

Information Security is often described as 'asymmetrical warfare', a battle in which the good guys have to find and plug all the holes and the bad guys only have to find one poorly defended point.....