
Hi! Glad to see you popped in! Please find an update on where to read us.

As information flow grows larger each and every day, we want to lessen this pressure on our readers.

As usual, we will keep delivering hardcore crypto engineering posts to our blog and, from now on, to the developers’ community on , and we invite you to join the discussion there.

We are thankful to Medium, and to our followers for their continuous engagement, and hope to stay in touch.

Follow and ping us on Twitter, LinkedIn, and Facebook to chat, or drop us a line in case you need any cryptographic assistance. We will be glad to answer because we care :)


More and more data is outsourced to remote (cloud) storage providers, fuelled by “software as a service” trends in enterprise computing. Data owners want to be certain that their data is safe against theft by outsiders, internal threats, and untrusted service providers alike. To safeguard the data, encryption is used.

However, encryption makes it harder to search over data once it is encrypted, which is both what encryption is needed for and a huge operational downside. …


We always strive to make high-end security tools available to a general developer audience in a convenient fashion. Only by making data security accessible can we ensure real security of sensitive data everywhere.

As another step towards our mission, we are proud to announce that the Acra encryption suite is now available as a 1-Click App running in a Droplet on the DigitalOcean Marketplace.

DigitalOcean is known for its caring attitude towards development teams of any size. We share the same values and are delighted that Acra is the first data security tool on the DigitalOcean Marketplace.

How to improve your database security


You hear the sound of an alarm clock. The first thing you see after you wake up is a notification. The entire user base of your WordPress* app has leaked into Darknet. According to GDPR, you’re both data controller and processor so now you’re facing a number of fines and court hearings. Not fun at all.


In the “bargaining” phase of Kübler-Ross grief coping stages, you’re going through the logs of your leaked web app, coffee in hand. The following is what you’re most likely to see.

Day 1: SQL Injections

SQL injection (SQLi) is one of the most common web attack mechanisms used…

What poison records are, and how you can detect massive database breaches and leaks using them.

Imagine you’re storing a table containing a lot of sensitive data: customer names, emails, biometric information, etc… No matter how hard you work on security, at some point an SQL injection or a malicious insider will try to execute a SELECT * statement in an attempt to download the table. In some cases, they will succeed. What can you realistically do to detect that? For instance, you can use poison records. Uhm, what?..

Poison records are decoy database records created to resemble actual database…

Top Curious Cases of Governments Opposing Encryption and Secure Means of Communication


The recent ban of Telegram in Russia and basically the end of freedom of speech brought by the new legislation in Egypt inspired us to create a little paranoia-driven hit parade of countries banning secure communication tools.

“Don’t steal — Government doesn’t like competition” states a famous anonymous quote. Trying to fully secure your communication also seems to rub various world governments the wrong way. Although the theoretical concepts of banning or getting a backdoor into the E2EE (currently used in many popular messengers) are laughable…


Most known security issues arise from undetected incorrect behaviour that doesn’t visibly break the main functionality of the software. As a result, buggy software gets shipped and used. Such bugs are of the most cunning kind — they don’t surface easily because everything seems to be working as intended. Separate testing that ensures new commits and builds don’t introduce security problems is an essential practice for software with high security demands. And in the modern landscape, everything is security-sensitive, or at least it should be.

The merits of continuous security testing

Security tests are just like any other kinds of tests…


A Very Subjective List of the notable security and, specifically, cryptographic fails of the year

While half of the world is still busy getting over the seasonal festivities and the other half is only getting ready to celebrate, we decided to share the list of our favourite (and extremely subjective) security/crypto fails of the year that’s ending.

Explaining crypto is hard, explaining crypto in simple words is harder. Explaining Zero Knowledge Proof to a child? Easy! So here you go — ZKP explained with some Halloween candy.

Previously in the series: Explain Like I’m 5: End-to-end Encryption

Zero Knowledge Protocol

Zero Knowledge Protocol (or Zero Knowledge Password Proof, ZKP) is a way of doing authentication where no passwords are exchanged, which means they cannot be stolen. This is cool because it makes your communication so secure and protected that nobody else can find out what you’re communicating about or what files you are sharing with each other.

ZKP allows you…

A closer look at the well-documented, but rarely implemented properties of end-to-end encryption.


Security architectures and trust models are frequently defined and redefined. The Web, with its questionable code runtime, virtualised assets, and remote secret stores, constantly introduces new and interesting risks and security challenges.

Looking back, it is safe to say that one of the most overlooked ideas in the realm of building secure systems is the understanding that it’s not workflows that should fit the available algorithms, but rather the algorithms that should be combined into systems that secure real-world scenarios. The greatest impacts of cryptography and…

Cossack Labs

Focus on growing your business — while we take care of sensitive data risks, security engineering challenges, and compliance requirements.
