Preoccupations + encryption   35

Ask Ars: how safe is my data stored in iCloud?
"As best as we can determine, if your Apple ID isn't a widely known e-mail address with an easy-to-guess password (Apple now requires a combination of uppercase and lowercase letters and numbers, at a minimum), your iCloud data is effectively "safe" from hackers or prying third parties. E-mail and notes are not as secure as other data, though it doesn't appear to be any less secure than other common IMAP e-mail providers. If you require HIPAA-level security compliance, you'll need a different solution for e-mail—but then again, you likely wouldn't be using a personal e-mail address for such purposes in the first place. And you could use standard S/MIME encryption such as PGP to secure e-mail messages from sender to receiver."
iCloud  security  2012  Apple  encryption 
9 weeks ago by Preoccupations
Schneier on Security: New Attack on AES
"Again, I repeat the saying I've heard came from inside the NSA: "Attacks always get better; they never get worse.""
Bruce_Schneier  2011  security  encryption  AES 
august 2011 by Preoccupations
Social networking surveillance: trust no one | Dan Gillmor | Comment is free | guardian.co.uk
"The more we work to create truly secure communications, the more likely will be a reactionary response that goes beyond encouraging or coercing corporate cooperation with surveillance. In some places already, including the UK, police can demand that people turn over personal encryption keys or go to jail, an outrageously invasive violation of liberty. At some point, we can expect authorities will demand restrictions on conversations they can't tap and understand in real time. This is an old debate, actually – one we'd thought settled in America in the 1990s, when the Clinton administration put forward a plan to require all mobile phones to include chips that would enable the government to spy on all calls. Security experts explained then that the idea was both impractical and dangerous to actual security, and the plan was shelved. It will come back in some form. The world's governments are terrified of the idea of unbreakable communications. (Even visible ones worry paranoid leaders; British Prime Minister David Cameron's call for banning some kinds of discussions on social networks is an especially ludicrous suggestion.) If I'm right, it will soon be illegal to have a genuinely private conversation, unless you're whispering in someone's ear in a language only the two of you understand. Never mind that it won't work, and that it will lead to less, not more, security for everyone."
government  privacy  state  surveillance  Guardian  Dan_Gillmor  social_media  communication  security  rights  David_Cameron  encryption 
august 2011 by Preoccupations
slight paranoia: How Dropbox sacrifices user privacy for cost savings
Nathaniel Borenstein: "The real problem here is that nearly everyone has unrealistic assumptions and beliefs about what is secure, and what it means to be secure. The fact is, unless the encryption is being done under your control, as close to you as possible, and unless only the encrypted form is being transmitted to the cloud provider, your security and privacy will never be absolute. The sooner and more clearly people are educated about this, in my opinion, the better. My own assumption is that any file that ever leaves my computer is potentially visible to the whole world. (Files on my computer are also potentially visible, though a bit less so -- though that's another story.) Thus if I ever have a file that I really care to keep secret from a determined opponent -- which I generally don't -- I will use pgp or something similar to encrypt it on my personal computer, and I will only store it or transmit it in that form, and I will guard my keys and password like the crown jewels. We would do our users more of a service by educating them in this semi-paranoid manner of behavior than by giving them assurances of security and privacy that simply can't hold up under a court order. And that includes any form of encryption that is performed in the cloud, because the provider needs to be able to decrypt it as well, and therefore can be compelled to do so under a court order. This is a message that no one wants to hear, so no vendors are giving it. Instead, they are lying, or at least heavily shading the truth. Encryption in the cloud is almost certainly adequate for certain kinds of secrets, such as cheating on your spouse. It is generally adequate for others, such as most corporate proprietary data. It is absolutely not adequate for anything that you want to keep from a government with applicable jurisdiction, or from serious, determined hackers. What dropbox provides is more than adequate for most users. 
Those with a more stringent need for privacy -- most often because they are breaking either a just or unjust law -- need to take responsibility for their own privacy, not count on a remote, third party service to provide it."
Dropbox  Nathaniel_Borenstein  security  privacy  encryption  storage  cloud-computing  2011 
may 2011 by Preoccupations
Internet security: Keys to the cloud castle | The Economist
"What the revelations, complaints, accusations and responses have demonstrated is the need for better education about which set of encryption and security choices are most appropriate for what sort of data. The average user simply does not know what he is letting himself in for, or how to gauge the risks involved. As noted computer scientist Nathaniel Borenstein quipped in the comments to a blog post by Mr Soghoian: "What Dropbox provides is more than adequate for most users. Those with a more stringent need for privacy—most often because they are breaking either a just or unjust law—need to take responsibility for their own privacy, not count on a remote, third party service to provide it.""
Dropbox  security  encryption  privacy  storage  cloud-computing  Economist  2011 
may 2011 by Preoccupations
slight paranoia: How Dropbox sacrifices user privacy for cost savings
"If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like truecrypt or switch to one of several cloud based backup services that encrypt data with a key only known to the user. … What is missing from the firm's website is a statement regarding how the company is using encryption, and in particular, what kinds of keys are used and who has access to them. … from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file. … I also urge the company to abandon its deduplication system design, and embrace strong encryption with a key only known to each user. Other online backup services have done it for some time. This is the only real way that data can be secure in the cloud."
privacy  security  Dropbox  2011  cloud-computing  encryption  Christopher_Soghoian 
may 2011 by Preoccupations
Dropbox Lied to Users About Data Security, Complaint to FTC Alleges | Threat Level | Wired.com
"Dropbox, which has more than 25 million users, revised its website claims about its data security April 13, from: "All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password." to "All files stored on Dropbox servers are encrypted (AES 256)." … The complaint additionally alleges that Dropbox misleads users of its mobile app, by claiming that its product uses an encrypted HTTPS connection to communicate between a user’s device and Dropbox’s servers. In fact, the mobile device does not encrypt all the traffic."
privacy  security  Dropbox  2011  cloud-computing  encryption  Wired 
may 2011 by Preoccupations
“At Dropbox, Even We Can’t See Your Dat– Er, Nevermind” [Update] | BNET
"Here's a statement attributed to CTO Arash Ferdowsi: "In our help article we state that Dropbox employees aren't able to access user files. This is not an intentionally misleading statement -- it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user's permission. We can see, however, why people may have misinterpreted "Dropbox employees aren't able to access user files" as a statement about how Dropbox uses encryption, so we will change this article to use the clearer "Dropbox employees are prohibited from accessing user files"."
privacy  security  Dropbox  2011  cloud-computing  encryption 
may 2011 by Preoccupations
The Idiot Savants' Guide to Rubberhose
http://twitter.com/evgenymorozov/statuses/11612217615060992: "Anyone accusing Assange of wanting to end all secrecy needs to reconcile this view with his work on Rubberhose http://goo.gl/qqxas". http://twitter.com/evgenymorozov/statuses/11612552681234432: "If the US govt already had an Internet freedom fund back when Assange was working on Rubberhose, they'd want to be his best friends".
Julian_Assange  Evgeny_Morozov  encryption  from delicious
december 2010 by Preoccupations
Tales from the encrypt: the secrets of data protection | Technology | guardian.co.uk
"What I found surprising all through this process was the lack of any kind of standard process for managing key escrow as part of estate planning. Military-grade crypto has been in civilian hands for decades now, and yet every lawyer I spoke to about this was baffled (and the cypherpunks I spoke to were baffling – given to insanely complex schemes that suggested to me that their executors were going to be spending months unwinding their keys before they could get on with the business of their estates, and woe betide their survivors, who'd be left in the cold while all this was taking place). Meanwhile, I'm left with this conclusion: if you're not encrypting your data, you should be. And if you are encrypting your data, you need to figure this stuff out, before you get hit by a bus and doom your digital life to crypto oblivion."
Cory  Guardian  encryption  security  death  data  2009 
july 2009 by Preoccupations
Obama Will Get His Blackberry - Marc Ambinder
"On Monday, a government agency that the Obama administration -- but that is probably the National Security Agency -- added to a standard blackberry a super-encryption package.... and Obama WILL be able to use it ... still for routine and personal messages. ... Obama and other officials won't be able to use Instant Messaging in the White House." + http://news.bbc.co.uk/1/hi/world/americas/us_elections_2008/7846232.stm
Obama  IM  BlackBerry  security  encryption  mobile  2009  via:rodcorp 
january 2009 by Preoccupations
Schneier on Security: Cold Boot Attacks Against Disk Encryption
"it is very difficult to secure data when the attacker has physical control of the machine the data is stored on. … it's a hard problem."
privacy  security  Bruce_Schneier  encryption  DRAM  2008  computers  Ed_Felten 
february 2008 by Preoccupations
Message Vault
"a tool for creating and sharing encrypted messages"
security  encryption  via:torrez 
march 2007 by Preoccupations
The Logic of Open DRM (Aaron Swartz's Raw Thought)
"argues that the alternative of having an "open" DRM system is impossible. Jobs is less than clear here. … DRM only works because the key is secret. Open DRM is an oxymoron."
DRM  encryption  Steve_Jobs 
february 2007 by Preoccupations
Glosoli: Encrypted thumb drive and autoplay howto
"I have a Sandisk Cruzer Micro USB thumb drive that I carry around with me. Last weekend I spent a bit of time setting it so that all my data is securely encrypted using the excellent open source software called TrueCrypt."
USB  thumbdrive  flashdrive  encryption  guide  via:Joshua 
february 2007 by Preoccupations
Torpark
"Run Torpark.exe and it will launch a Tor circuit connection, which creates an encrypted tunnel from your computer indirectly to a Tor exit computer, allowing you to surf the internet anonymously. How much does Torpark cost? IT'S FREE."
encryption  anonymous  anonymity  freeware  security 
august 2006 by Preoccupations
boz - web bookmarking
"boz allows you to: * post private bookmarks unlike other web bookmarks, these are encrypted on your own browser, even the server does not know what you are bookmarking: they are truly private"
bookmarks  privacy  encryption 
august 2006 by Preoccupations
Security Watch: Gone in 60 seconds--the high-tech version - CNET reviews
"suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks … manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range"
cars  RFID  security  encryption 
may 2006 by Preoccupations
Dave Dribin's blog: How Mac OS X Implements Password Authentication — part 2
"I'm going to get right down to the nitty gritty of OS X password implementation on 10.2, 10.3, and 10.4"
cryptography  encryption  authentication  Mac  OS_X  passwords  security  reference 
april 2006 by Preoccupations
Dave Dribin's blog: How Mac OS X Implements Password Authentication — part 1
"salts are used to make attacking multiple passwords more difficult, and makes generating rainbow tables practically impossible"
cryptography  encryption  authentication  Mac  OS_X  passwords  security  reference 
april 2006 by Preoccupations
BBC NEWS | Technology | Online amateurs crack Nazi codes
"The codes resisted the best efforts of the celebrated Allied cryptographers based at Bletchley Park during the war. Now one has been solved by running code-breaking software on a "grid" of internet-linked home computers."
encryption  cryptography  Germany  history 
march 2006 by Preoccupations
