WiFi Security: Gone in 60 Seconds
By Davey Winder in Editorial
Without repetition, hesitation or deviation, WPA WiFi encryption has been cracked wide open - in just a minute. Yep, Japanese researchers at Hiroshima and Kobe universities have reportedly managed to break the WPA encryption found on wireless routers in less than 60 seconds.
Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University will be explaining all to an eager audience in Hiroshima at a technical conference towards the end of September. It is, I am led to believe, the first time that previously purely theoretical WPA hacking techniques have been moved into the seriously practical realm. So whereas previous WPA attacks have been able to crack a relatively small set of routers, and took an admittedly still rather worryingly quick 15 minutes or so, the new method is said to be far more wide-reaching and a whole heap quicker, despite using a similar approach in targeting the TKIP algorithm.
As far as I am aware, both WPA2 and AES remain safe from the techniques involved.
I have to admit that I am not entirely surprised by the new claims, only surprised that it has taken so long to destroy the integrity of what was only ever meant to be a stop-gap encryption measure. Anyone serious about securing their WiFi networks would surely have moved to WPA2 yonks ago and dumped WPA with TKIP at the earliest opportunity. Indeed, it has been some three years now since all WiFi certified products have been required to support WPA2, so it is no new thing. Heck, it’s even relatively simple to step up from TKIP to AES on a lot of older WPA-only routers. Mind you, even WPA2 encryption has come under attack recently, with a Russian security company claiming it can crack WPA2 passwords quickly with a little help from NVIDIA graphics cards.
The full report “A Practical Message Falsification Attack on WPA” regarding the latest WPA attack methodology can be found here.
Apple says yes to iPhone iTunes killer
By Davey Winder in Editorial
Posted in Apple on
“It’s been approved” says the Apple spokesperson. “They’ve been great” says the CEO on Twitter. It’s true, Spotify for the iPhone is going to be a reality real soon now, and that could mean the death of iTunes, eventually. Spotify has already taken music loving European desktop users by storm, bringing streaming music to their computers for free in an ad-supported version. Now it is finally coming to the iPhone and that could change everything.
Of course, it changes the whole free music thing for a start. While the iPhone Spotify application itself will be free of charge, using it will most certainly not be. It will only be available to ‘Premium’ Spotify subscribers who will have to cough up £9.99 per month for the ad-free privilege.
But more importantly it changes how you get music onto your iPhone, and that means how you get music onto your iPod as well. So instead of paying 79p per track as with iTunes, users will be able to have all they can eat, streamed from an impressive library of millions of songs and all for that single monthly subscription fee.
Daniel Ek, the CEO of Swedish outfit Spotify, Twittered that “I can confirm that Apple has approved the app”, going on to defuse some of the arguments that have been raging online that Apple would not approve the app due to fears of compromising the iTunes position (or duplicating core features of the iPhone) by stating “We’re happy but have had a great dialogue with Apple all the way. They’ve been great!”
Apple and iTunes can breathe easy as far as the US market is concerned, as it’s not available there yet, although it is expected to launch later in the year. Expect an Android version to follow before long as well. With 2 million users in the UK and 6 million across Europe it may not be quite in iTunes territory yet, but Spotify is growing fast, making friends in the music business who like the revenue stream potential and, perhaps most telling of all, it has geek street cred, something that iTunes falls somewhat flat on.
Now we just have to wait and see what will happen with the Google Voice iPhone app although I must confess I am not holding my breath…
My dog ate the Google Voice iPhone app
By Davey Winder in Editorial
Posted in Blog, Mobile Phones, Google, Apple on
Reading the Apple response to the Federal Communications Commission questions regarding the non-appearance of Google Voice at the iPhone App Store is a bit like listening to a child explaining to the teacher why homework was not handed in on time.
What Apple has offered so far is a vast range of reasons as to why Google Voice has not been granted App Store approval. It’s still being evaluated, is the core excuse. It raises privacy concerns is another good one.
My favourite has to be that it changes the iPhone user experience. Here’s how Apple explained that one according to the written response by Catherine Novelli, Apple Vice President: by replacing the core mobile phone voice functionality as well as the Apple iPhone interface it makes things different. Yes that is it, in a nutshell. Like almost every app in fact, it makes things different. That’s kind of the point of them, don’t you think? But no, Novelli insists that “Apple spent a lot of time and effort developing this distinct and innovative way to seamlessly deliver core functionality of the iPhone” and obviously anything that makes it better is bad, m’kay.
And who can argue that wrapping up telephone numbers, voicemail, SMS, calls and contacts via a neat interface and from the one Google Voice number doesn’t make the iPhone experience a whole lot better?
Oh yes, Apple can, apparently.
If Google Voice does not make an appearance soon, I fully expect Apple to tell us that it is because the dog has eaten it.
Xbox 360 FAIL
By Davey Winder in Editorial
Posted in Blog, hardware, Microsoft on
I thought I had experienced more than my fair share of Xbox 360 problems (see here and here for details and then add to that a failed DVD drive on a new machine for good measure) but a new survey would seem to suggest my life with the Xbox has been pretty much par for the course.
According to the Game Informer magazine survey of close to 5000 readers, the Nintendo Wii has a failure rate of just 6.8 percent, and the Sony PlayStation 3 a tad more on 10.6 percent. But the Microsoft Xbox 360 is likely to break five times as often as the PS3 on a stunningly poor failure rate of 54.2 percent.
According to the survey, the Xbox 360 was also the most used of the three consoles, with 40 percent of users playing it for between 3 and 5 hours every day, while 37 percent of PS3 owners said the same. Most Wii players, 41 percent, played for less than 1 hour per day meanwhile.
So, given my own poor experience with the Xbox 360 have I stopped playing? No. Have I vowed never to buy another Xbox? No. In fact, despite all the problems with the hardware it has one thing going for it that is like a drug to games players: games. Yep, the games just keep me coming back for more. In fact, my Sony PS3 sees more use as the family Blu-ray player than it does for actual game-play, it has to be said. My view seems to tally with the Game Informer survey as only 3.8 percent of Xbox 360 owners said that enough was enough and hardware failures meant they were giving up on the console.
Does that give Microsoft a pass? Not on your nelly. Come on Microsoft, play the game and get your hardware act together. I honestly cannot imagine any other manufacturer of any other hardware in any other genre surviving this kind of failure rate.
The Palm Pre backlash starts here
By Davey Winder in Editorial
Posted in Blog, hardware, Mobile Phones, Apple on
Last month I published an editorial about ‘the problem with the Palm Pre’ which concentrated on handset returns due to build-quality issues. Things would appear to have gone from bad to worse, but this time it is the double whammy of privacy problems and the Apple iPhone 3GS that seem to be to blame.
The 3GS has been an undoubted success, with O2 selling out within a week and Apple claiming a million units sold in the first three days alone, although it has had its problems, such as the much publicised hot handset issue and complaints about poor battery life. Now it seems that the heat might be coming off of Apple as it gets turned up on Palm and the Pre.
Could this be the start of a Palm Pre media backlash I wonder? Certainly that feeling of undying love, so prevalent as reviewers flocked to the ‘iPhone killer’ phone has been blunted somewhat by a row over user privacy.
It all started, as so many good stories do these days, with a blog entry which detailed how one otherwise happy user noticed that his Palm Pre was, well, phoning home every now and then. He investigated the WebOS code, the browser-focussed operating system that drives the Pre, and discovered that his Pre was sending his GPS location to Palm as well as detailing which applications he ran and for how long. It was, the blogger says, doing all this every day. Nothing illegal going on here, it is all covered in the Palm Pre privacy policy that users of the handset agree to when they get started with the smartphone after all. But anything that is hidden away in legalese or detailed in the kind of document that most people should, but don’t, read is pretty much guaranteed to get the blogosphere yelling. Which means that the mainstream media is not going to be far behind, and it all adds up to bad publicity at the worst time for Palm.
Especially as it comes at the same time as reports are circulating that Pre sales are plummeting as a result of the iPhone 3GS effect. An analyst for Morgan Joseph has apparently advised clients to sell, rather than hold, Palm stocks. Ilya Grozovsky is reported as noting Pre sales were around 100,000 units in July which was half of the June figure, and predicting even lower numbers for August. Grozovsky says this points to a price cut soon, which could be good news for smartphone buyers but bad for Palm shareholders.
As for the privacy allegations, Palm remains adamant that it takes privacy seriously and provides a way for Pre users to disable the data collection that has been blogged about. To be fair, read the Palm privacy policy and it does make it quite clear that when using location based service “we will collect, transmit, maintain, process, and use your location and usage data (including both real time geographic information and information that can be used to approximate location) in order to provide location based and related services, and to enhance your device experience” which is pretty much what I would expect for such a device. Do iPhone users imagine anything different when using location based services on their 3GS for example? I know I don’t, it is part and parcel of using such a device to perform such a job. While I am not advocating that Scott McNealy was right when, 10 years ago now, he said that you have zero privacy and should get over it, I do concur with Google which, when forced into a corner by Mr and Mrs Boring conceded that complete privacy no longer exists.
I’m not talking about ID Card privacy stuff or those behind the user’s back Phorm and BT snooping trials, but rather your every day interaction with things technological. Unless you are a sandals and ponytail type who thrives on mung beans and bongos while shunning technology and the modern world. Which would mean you are not reading this, so I guess not. My privacy is important to me, but mainly from the perspective that I want to choose how I control it - and that means that if I want to know which way I am facing in my office without looking out the window and don’t mind sharing that information with Apple and Google then I’ll probably hit the compass icon a couple of times on my 3GS. Palm Pre users make the same kind of decisions, balancing the myth of total privacy against the fact of technological functionality.
Don’t they?
Just stop it, you spam-loving moron!
By Davey Winder in Editorial
Posted in phishing, Blog, Spam, Security, email on
No, seriously, please stop. Yes, you. New research suggests that one in every six people click on spam. I don’t, and I’ve asked the four other people in the office if they do and they say no as well. So it must be you.
According to the Messaging Anti-Abuse Working Group (MAAWG) the people who do click are doing so because they are “curious”, although I prefer to think of them as just being morons. It does not take a genius to work out that the more spam gets those click-throughs, the more spam will be churned out, often directly to the link-clicking morons in question. It only requires a small spark of common sense to realise that the same spam links can often lead to more than just an offer of some fake Viagra, and the curious clicker gets added to a botnet for good measure.
Yet the MAAWG survey results suggest that 80 percent of users doubt their computers were at risk of bot infection. Morons. Especially when the security industry is, with alarming regularity, revealing exactly how much of the spam that we get is actually being distributed by spambots. MessageLabs Intelligence, for example, recently stated that the Donbot, Cutwail and Mega-D botnets were sending up to 21 billion spam messages each day.
Disturbingly, two-thirds of the consumers surveyed considered themselves “very” or “somewhat” knowledgeable in Internet security.
“Spamming has morphed from an isolated hacker playing with some code into a well-developed underground economy that feeds off reputable users’ machines to avoid detection. Consumers shouldn’t be afraid to use email, but they need to be computer smart and learn how to avoid these problems” said MAAWG Chair Michael O’Reirdan.
The complete 60-page survey report, “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course I Never Reply to Spam, Except Sometimes’” includes graphs, detailed findings and analysis, and it’s downloadable from MAAWG free of charge.
Were 15 fat Russians stuck in Twitter’s revolving door?
By Davey Winder in Editorial
Posted in Blog, Twitter, Facebook, Security, Google, Internet on
Security expert Graham Cluley recently described a Distributed Denial of Service (DDoS) attack as being like “15 fat men trying to get through a revolving door at the same time”.
I wonder, in the case of the attack aimed at Twitter this week, if those would be 15 fat Russian men?
Unlike the previous Twitter willy waving massacre which we reported upon, this one was not aimed at followers but the service itself and succeeded in pretty much grinding it to a halt for much of the day.
The Twitter status pages yesterday first reported that the service was “defending against a denial-of-service attack” followed by the site coming back up but “continuing to defend against and recover from this attack”. Twitter head honcho Biz Stone blogged Twitter was “working closely with other companies and services affected by what appears to be a single, massively coordinated attack”. As to the motivation behind the event, Stone prefers not to speculate. Others are not so shy.
Take the aforementioned Mr Cluley, for example, who has asked the question “was Twitter denial-of-service targeting anti-Russian blogger?”
Cluley bases his question around the fact that the attack happened on the first anniversary of Georgian troops moving into South Ossetia, and the military conflict which followed. Twitter ground to a halt, but it looks like Facebook, LiveJournal, and Google’s Blogger services were also targeted.
Amazingly, there is now what appears to be informed speculation that the attacks were not so much against the services as against a single user of those services: an unlucky blogger and anti-Russian activist by the name of Cyxymu who hails from Tbilisi.
Max Kelly, the Chief Security Officer at Facebook has even gone on the record telling CNET News that Cyxymu was the target of the DDoS attack, with all his different accounts spread across the impacted sites being attacked at the same time.
Cluley points out that “Cyxymu’s YouTube channel is still available” and “contains a number of videos, many related to skirmishes between Russians and Georgians” before asking “could these have been the webpages that the denial-of-service attack was trying to blast off the internet?”
Twitter has managed to survive the likes of Moonfruit marketing and Koobface infections but surely it should have done better in protecting itself against the fat blokes in the revolving door? After all, Facebook and Google seemed to manage OK.
SSL not so secure after all?
By Davey Winder in Editorial
Posted in Data Protection, Security, Internet, e-commerce on
With most of the media coverage from the Black Hat Las Vegas conference covering the Apple iPhone SMS hacking story there is always a danger that some other really rather important news gets rather buried away. Such as the small point that security researchers at Black Hat were demonstrating some really rather worrying vulnerabilities that impact upon that most sacred of security protocols, the Secure Sockets Layer.
Moxie Marlinspike showed how man-in-the-middle attacks can fool web browsers and email clients into thinking a fake site was legit, courtesy of flaws in SSL certificate handling, by intercepting traffic with a null-termination certificate. Marlinspike has adapted his SSLSniff tool to serve spoofed SSL pages and log all incoming and outgoing traffic instead of it going via an encrypted channel. While Firefox 3.5 is protected against the attack, earlier versions are not, nor are Chrome or IE8, although because the latter has code signing certificates as an additional security layer it is harder to pull off.
Dan Kaminsky, yes the same Dan Kaminsky who uncovered the biggest DNS flaw ever last year, was also presenting on SSL insecurity. Along with Len Sassaman he managed to fool one Certificate Authority into issuing a certificate for a domain he did not own by using a naming trick that exploits a vulnerability in the X.509 certificate standard that SSL connections rely on.
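As an added illustration (not code from the Black Hat talks, SSLSniff or any browser), here is the shape of the defect behind the null-termination certificate: a hostname check that treats the certificate’s Common Name as a C string stops at the first NUL byte and so accepts the forged name, beside a length-aware check that rejects it. The CN value and the names `bank.example` and `attacker.example` are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a Common Name with an embedded NUL byte. A CA that
 * only vets the part after the NUL sees the attacker's own domain, while
 * a naive client sees only the part before it. Both names are placeholders. */
static const unsigned char kForgedCn[] =
    "www.bank.example" "\0" ".attacker.example";
#define FORGED_CN_LEN (sizeof(kForgedCn) - 1)

/* Naive check: treats the CN as a C string, so strcmp() stops at the first
 * NUL and everything after it is silently ignored. Returns 1 on match.
 * This is the defect, kept here for contrast with the hardened version. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len,
                     const char *hostname)
{
    (void)cn_len; /* the length carried by the ASN.1 encoding is thrown away */
    return strcmp((const char *)cn, hostname) == 0;
}

/* Hardened check: honours the encoded length, rejects any embedded NUL
 * byte outright, and compares the whole name case-insensitively. */
int cn_matches_safe(const unsigned char *cn, size_t cn_len,
                    const char *hostname)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0; /* embedded NUL: malformed, never a valid DNS name */
    if (cn_len != strlen(hostname))
        return 0; /* different lengths mean different names */
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)hostname[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("naive check accepts forged CN: %d\n",
           cn_matches_naive(kForgedCn, FORGED_CN_LEN, host));
    printf("safe check accepts forged CN:  %d\n",
           cn_matches_safe(kForgedCn, FORGED_CN_LEN, host));
    return 0;
}
```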