Archive for the 'Security' Category

Apple Released OSX 10.5.5 Update

September 16th, 2008 @ 9:39 by Willem

Apple released the 10.5.5 update last night.
What’s included?

General

  • Includes recent Apple security updates.
  • Addresses stability issues with video playback, processor core idling, and remote disc sharing for MacBook Air.
  • Addresses an issue in which some Macs could unexpectedly power on at the same time each day.
  • Resolves a stability issue in TextEdit that could be found when accessing the color palette.
  • Improves Spotlight indexing performance.
  • Fixes an issue in which contacts might not sync properly with PalmOS-based devices.
  • Improves iPhone sync reliability with iCal and Address Book.
  • Includes improvements to Active Directory (see this article for more information).
  • Improves Speech Dictionary.
  • Fixes Kerberos authentication issues for Mac OS X 10.5 clients that connect to certain Samba servers, such as Mac OS X Server version 10.4.
  • Includes extensive graphics enhancements.

Mail

  • Addresses performance issues related to displaying IMAP messages.
  • Resolves an issue with SMTP settings for AIM, Compuserve, Hanmail, Yahoo!, and Time Warner Road Runner email accounts.
  • Addresses stability issues that may occur when dragging a file to the Mail icon in the Dock.
  • Addresses an issue with the “Organized by Thread” view in which the date does not appear when the thread is collapsed.
  • Resolves an issue in which RSS feeds could temporarily disappear from the sidebar.
  • Improves Mail robustness when sending messages.
  • Improves reliability when saving drafts that have attachments.

Time Machine

  • Improves Time Machine reliability with Time Capsule.
  • Addresses performance issues that may affect initial and in-progress backups.
  • Fixes an issue in which an incorrect alert message could appear stating that a backup volume does not have enough free space.
  • Time Machine can now back up iPhone backups that are on your Mac, as well as other items in (~/Library/Application Support).

And much, much more.


Storing Plain-text Passwords

August 28th, 2008 @ 20:19 by Willem

Security is a hot issue nowadays. You get told over and over that nobody will ever ask you for your password. Not your bank, not PayPal, and not even your online grocery store. This is to make sure that people won't be talked into handing their password to phishers and other scumbags.

But why is it that a lot of companies and other initiatives on the Internet still seem to store passwords in plain text in their databases? There is NO NEED to do this. Almost every web scripting platform (ASP, PHP, ColdFusion, Perl, Ruby on Rails) has a built-in hash function.

COLDFUSION: <CFSET hashedPwd = HASH(password, "SHA-256") />

When a user logs in with a username and password, the submitted password is hashed and the result is compared with the hash stored in the database; the password itself is never stored. A cryptographic hash is one-way, so someone who obtains the database cannot read the passwords back. One caveat: with a fast, unsalted hash such as plain SHA-256 they can still guess passwords offline by hashing candidate passwords and comparing, and two users with the same password get the same hash. So hash each password together with its own random salt, and use a deliberately slow, iterated function, so that guessing is expensive and identical passwords do not produce identical hashes.

If the same user forgets his or her password, you only need a mechanism to reset it to a random temporary password, communicate that to the user (by e-mail, SMS, snail mail, or whatever), and force the user to change it to one of their own at the next logon.

Another nice feature of hashing passwords is that the user can use a password full of printable characters (like !@#$%^&*(){}|":;'\][/.,<>?`~), or a complete sentence, because the password itself is never stored. Only the hash (a hexadecimal string) ends up in the database, and no matter how long the password or sentence is, the hash always has a fixed length.

Maximum flexibility for the user, and a secure way of storing the passwords in the database. So if financial institutions or other high-profile web presences fail to do this, they should be made aware of it and change their code.

So there is absolutely no need for anyone besides yourself to be able to see your (plaintext) password. Don't let them tell you otherwise.
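To make the storage, login and reset logic concrete, here is an added example in Python (mine, not from the post; the ColdFusion one-liner above is the page's own). It keeps a constructed in-memory users table instead of a real database, and it goes one step beyond the text: next to the plain SHA-256 the post suggests, it stores a per-user random salt and an iterated PBKDF2-HMAC-SHA256 hash, and it compares hashes in constant time. The iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional

# Work-factor parameters (assumption: chosen for this example; tune to your hardware)
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What the post describes: hash(password) with no salt. The same password
    gives the same hash for every user, and a fast hash invites offline guessing."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the work factor can be
    raised later without breaking rows that were stored with the old one."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def random_temporary_password(length: int = 12) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class UserStore:
    """Constructed in-memory stand-in for the users table; only hash records are kept."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self._rows[username] = {"pw": hash_password(password), "must_change": False}

    def login(self, username: str, password: str) -> bool:
        row = self._rows.get(username)
        # Verify against a dummy record for unknown users so the response time
        # does not reveal whether the username exists.
        record = row["pw"] if row else hash_password("")
        return verify_password(password, record) and row is not None

    def must_change_password(self, username: str) -> bool:
        return self._rows[username]["must_change"]

    def reset_password(self, username: str) -> str:
        """The 'forgot password' flow from the post: set a random temporary
        password (to be sent out of band) and force a change at next logon."""
        temp = random_temporary_password()
        self._rows[username] = {"pw": hash_password(temp), "must_change": True}
        return temp

    def change_password(self, username: str, current: str, new: str) -> bool:
        if not self.login(username, current):
            return False
        self._rows[username] = {"pw": hash_password(new), "must_change": False}
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    temp = store.reset_password("alice")
    print("temporary password works:", store.login("alice", temp),
          "must change:", store.must_change_password("alice"))
    # Two users with the same password: unsalted hashes collide, salted ones do not
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"),
          hash_password("hunter2") == hash_password("hunter2"))
```

The record format stores the algorithm, iteration count and salt next to the hash, which is what lets you raise the work factor for new passwords while old rows keep verifying; the fixed-length property the post mentions still holds, since the hash part is always 64 hex characters.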


Undocumented Coldfusion Ports

August 27th, 2008 @ 13:27 by Willem

After running 'chkrootkit' on one of my Ubuntu servers at work, I got the following response:

Checking `bindshell’… INFECTED (PORTS:  4000)

A message that sent a 'mild' shiver down my spine, because the rootkit checker had just reported that one of the processes on the server could be compromised.

First I took the server off the network, just to make sure. After that I searched the Internet for a possible explanation. Nothing substantial, until I found the following command to see what is occupying the port:

sudo netstat -e -p -n -a | grep 4000

This gave me the following result:

udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8

So it seems that Adobe ColdFusion is using this port: with -e and -p the columns after the foreign address are the user, the socket inode and the PID/program name, so port 4000/udp belongs to PID 4739, coldfusion8, running as user 65534. But this can't be found in any of the official Adobe ColdFusion documentation. There are some (blog) posts related to it, but nothing more.
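One way to make that check repeatable, as an added example that is not part of the original post: parse the netstat output and map the ports chkrootkit complained about to the processes bound to them. The sample netstat output below is constructed (the udp6 :::4000 line is the one from the post; the other rows are made up), and the chkrootkit line is the one quoted above. Worth knowing: chkrootkit's bindshell test only looks at a fixed list of ports that known backdoors have used, and reports anything bound to one of them whatever the owning process, so correlating with netstat -p is the first thing to do before assuming a compromise.

```python
import re
from typing import Dict, List

# Constructed netstat -e -p -n -a output. The udp6 :::4000 row is the one from the
# post; the others are made up for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9134       1021/sshd
tcp6       0      0 :::8500                 :::*                    LISTEN      65534      13890      4739/coldfusion8
udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          7012       -
"""

# The chkrootkit line quoted in the post.
CHKROOTKIT_LINE = "Checking `bindshell'... INFECTED (PORTS:  4000)"


def parse_netstat(text: str) -> List[Dict]:
    """Parse Linux 'netstat -e -p -n -a' rows into dicts.

    UDP rows have no State column, so the fixed columns are read from the left
    (proto, local address) and the -e/-p columns from the right (user, inode,
    PID/program). netstat prints '-' for the PID/program when it is unknown."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        local = f[3]
        pid, _, prog = f[-1].partition("/")
        rows.append({
            "proto": f[0],
            "local": local,
            "port": int(local.rsplit(":", 1)[1]),
            "state": f[5] if f[0].startswith("tcp") else "",
            "user": f[-3],
            "inode": f[-2],
            "pid": int(pid) if pid.isdigit() else None,
            "program": prog or None,
        })
    return rows


def chkrootkit_ports(line: str) -> List[int]:
    """Extract the port list from a chkrootkit 'INFECTED (PORTS: ...)' line."""
    m = re.search(r"PORTS:\s*([\d\s]+)", line)
    return [int(p) for p in m.group(1).split()] if m else []


def explain_bindshell(chk_line: str, netstat_text: str) -> Dict[int, List[Dict]]:
    """Map each port chkrootkit flagged to the sockets actually bound to it."""
    rows = parse_netstat(netstat_text)
    return {port: [r for r in rows if r["port"] == port]
            for port in chkrootkit_ports(chk_line)}


if __name__ == "__main__":
    for port, sockets in explain_bindshell(CHKROOTKIT_LINE, SAMPLE_NETSTAT).items():
        if not sockets:
            print(f"port {port}: nothing bound (check again as root)")
        for s in sockets:
            print(f"port {port}/{s['proto']}: pid {s['pid']} {s['program']} "
                  f"(user {s['user']}, inode {s['inode']})")
```

Run the real thing as root (or via sudo, as in the post), because without it netstat shows '-' instead of the PID/program for sockets owned by other users, which is exactly the case where a flagged port deserves a closer look.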


Create Your Own EV Certificate??

August 15th, 2008 @ 18:38 by Willem

Most web browsers support extended validation (EV) certificates. These give a visual indication (a green address bar, for example) that the SSL connection is trustworthy. The only problem is that they are expensive, especially compared with 'ordinary' SSL certificates.

These certificates are special because the Certificate Authority (e.g. VeriSign) has validated the company that buys them. This way the end user can shop, bank, or whatever online without worrying too much.

Some affiliates / certificate vendors already did this years ago (validating the actual companies), so this is nothing new. Yet another way to fool consumers and make some extra money.....

The problem I ran into is that I used to get a 'yellow-ish' address bar when I entered an https website. Today (at least with Firefox 3) the address bar remains blank. The only indication is a tiny lock displayed at the bottom of the browser, something you might (and definitely will) overlook.

I use a home-made Certificate Authority to create my own certificates (for webmail, secure IMAP, SSL, etc.), but I would like to see a proper visual indication of the SSL connection. So, is there a way to create an EV-like certificate (or even a new CA) using Microsoft Certificate Services or OpenSSL that makes the browser display the colored address bar?

I did find some info on the EV requirements, but these should be 'spoofable' one way or another.....

UPDATE: I found a website which suggests reconfiguring Firefox 3. The problem with that is that I would need to reconfigure all my browsers. I'd rather do it by 'faking' the specs.

It seems that an OCSP responder is mandatory for the bar to turn green....


XS4ALL Plans Outbound Port Filtering

August 13th, 2008 @ 20:06 by Willem

A usenet posting suggests that XS4ALL will provide a filtering service to their subscribers. The filter would consist of 5 levels, ranging from fully open to 'fully' closed. The first gives you the possibility of running your own services at home, and the latter means you're only able to e.g. surf and e-mail (through the XS4ALL SMTP server).

The filters would give the basic/ignorant user protection against spreading malware and other stuff by default. The more tech-savvy subscribers can remove the filter to run a bunch of services (webserver, FTP, mail, DNS, etc.).

Definitely a good decision. I just hope that the other ISPs will do something similar, because most virus/malware/mass-mailing 'software' is running on PCs run by the average user, totally ignorant of the malware running on their PCs.

Yet another 'thumbs up' for the quality provider of the Netherlands.


Lightroom 2.0

July 29th, 2008 @ 17:28 by Willem

Adobe has released Lightroom 2.0.

My favorite new features in this release:

  • 64-bit support
  • Images more than 10,000 pixels wide (finally able to add a decent panorama to Lightroom)
  • Multiple monitor support

An overview of the (new) features can be found here.

UPDATE: I've been playing with the dual display feature for a couple of hours. This is definitely a major enhancement. Finally, a real workspace of two 24" widescreens.


FireFox 3 Dialog Boxes

July 8th, 2008 @ 21:40 by Willem

Firefox is the default browser on all my platforms, and every once in a while I run into strange dialog boxes.
E.g., this evening I updated some digital certificates for the test environment of the VeriSign MPKI backend. These certificates are issued by a (private) VeriSign CA, so there's no trust by default.

After generating the keypair in Firefox 3 I got the positive dialog box shown below.

No problem so far, but the next dialog box 'scared' me a little:

This dialog box, or at least its result, would remove (or delete) the certificate I just generated. The issuing CA is not installed in Firefox (or on the machine itself, for that matter). But in fact the certificate was installed in Firefox's crypto/certificate store, and I could use it to access the VeriSign test backend.

So, even though Firefox warns the user that the content will be deleted (or not added), it doesn't actually do that at all. Let's see if I can file a bug report, because this occurred with all 4 certificates I generated/imported.


Full Disk Encryption for the Mac

June 3rd, 2008 @ 18:42 by Willem

Checkpoint acquired a company called PointSec a while ago. This company made full hard disk encryption software for Windows. Now Checkpoint has released a hard disk encryption version for the Mac. I guess they are taking OSX seriously.

Disk encryption is already available for the Mac (TrueCrypt, PGP), but those can't encrypt the boot partition; they only encrypt non-boot volumes or file-based containers. Full disk encryption including the boot partition was until now primarily a Windows-only affair.

Now that the ‘trick’ has been done, I guess more will follow.

I do wonder if it’s still possible to use SuperDuper for cloning a bootdisk….


Scammers Advertising Through Google Ads

May 31st, 2008 @ 18:00 by Willem

As you might have noticed, I run some ads on my website. Today I ran into an ad for a new Nikon D300 at a price of 799 euros.

Note that at the moment a relatively cheap Nikon D300 costs at least 1400 euros, and if it sounds too good to be true, it probably is. Since I have no intention of buying a second D300, I decided to check the ad out.

The ad links to this page. A nice overview of the available Nikon D300s.

A bit of research reveals the following about this site:

Anyway, more than enough warnings if you ask me.

B.t.w., Western Union money transfers are a great way of sending people money in e.g. Africa. It's not all that bad, just as long as you don't expect anything in return :)

UPDATE: found another naughty website. Same products (same product database [1, 2]), same conditions, but different layout and name.

The following webshops are as 'real' as the first one I found:


Symcaimport Safety

May 27th, 2008 @ 12:46 by Willem

No matter what you do, there are always social rejects (and that's putting it nicely) trying to sabotage you. I've been getting various virus alerts on my CA import tool for mobile phones. Every one of them seems to be an attempt to upload a trojan. Thankfully, the AV software intercepts them.

Social rejects trying to upload trojans

Just to reassure you all: each upload is given a unique name (8 characters). If such a filename already exists, it will be overwritten, so the chance of you getting someone else's file is (almost) zero. Just make sure that you use the correct name / URL when you're trying to download the certificate on your phone.


CiscoVPN Error 51 Annoyance

May 20th, 2008 @ 14:28 by Willem

The CiscoVPN client (v4.9.01.0100) for Apple OSX throws an error every once in a while, mainly when I have just rebooted, or when I was forced to quit a hanging application (which also happens on Macs). The error is:

Error 51: Unable to communicate with the VPN subsystem

Somehow, the VPN software loses contact with the network adapter (wired AND wireless). After this there are two things you can do:

  1. Reboot
  2. or restart the Cisco VPN service manually.

The first is kind of obvious (it's almost an MS Windows strategy :)). The second one is done via the Terminal (Finder -> Applications -> Utilities -> Terminal). Just type the following command (followed by your password):

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

The thing I don't understand is: why hasn't Cisco built this into the VPN client?

IF (Error 51 == TRUE)
DO CiscoVPN.restart

It seems this 'bug' has been present since the release of the Mac OSX version of the software.


OpenSSH Vulnerabilities

May 20th, 2008 @ 9:53 by Willem

It seems that public key authentication isn't as safe as you might have thought. That is, if you're using OpenSSH on a Debian-based system: the culprit is Debian's OpenSSL package, which OpenSSH uses to generate its keys. This package can be found in many Linux distributions like:

  • Debian (duh ;) )
  • Ubuntu
  • Kubuntu
  • etc.

The problem is that the random number generator (which is of vital importance in generating key pairs) isn't as random as you might think. Debian's patched OpenSSL seeded it with little more than the process ID, so there are only about 32,768 possible keys per key type, key size and platform. This leaves the door wide open for brute-force attacks: an attacker can simply pre-generate every possible key.

So, the first thing you must do is update your OpenSSL and OpenSSH software, and then generate new key pairs for all devices / users whose keys may have been generated with the vulnerable package. Software depending on OpenSSL for its keys includes:

  • OpenVPN
  • DNSSEC
  • OpenSSH
  • Certificates used in TLS connections
  • etc.

More info on the subject can be found here [1, 2, 3].
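The remedy the post describes, regenerating every key that might have come out of the broken generator, starts with finding those keys. Debian shipped a blacklist of the fingerprints of all keys the broken generator could produce, plus a tool (ssh-vulnkey) that compared installed keys against it. The following added example (mine, not from the post and not Debian's tool) shows that mechanism in Python: it builds two toy ssh-rsa public keys (tiny moduli, constructed, not real key material), scans a constructed authorized_keys file, and reports every key whose MD5 fingerprint is in a blacklist, here a constructed one-entry set standing in for the real openssh-blacklist data.

```python
import base64
import hashlib
import struct
from typing import List, Optional, Set, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's-complement big-endian, leading 0x00 if the high bit is set."""
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """OpenSSH public key blob for RSA: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_key_line(line: str) -> Optional[Tuple[str, bytes]]:
    """Return (keytype, blob) for an authorized_keys / id_*.pub line, or None.
    Skips comments and blank lines and tolerates a leading options field."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1])
                tlen = struct.unpack(">I", blob[:4])[0]
            except (ValueError, struct.error):
                return None
            # The first string inside the blob must repeat the declared key type.
            if blob[4:4 + tlen] != field.encode():
                return None
            return field, blob
    return None


def md5_fingerprint(blob: bytes) -> str:
    """Classic colon-separated MD5 fingerprint, as older ssh-keygen -l printed it."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern 'SHA256:<base64 without padding>' fingerprint."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def scan_authorized_keys(text: str, blacklist: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, key type, MD5 fingerprint) for every blacklisted key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        ktype, blob = parsed
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, ktype, fp))
    return hits


def key_line(blob: bytes, comment: str) -> str:
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed toy keys: tiny moduli, NOT real key material.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE_DEADBEEF_0BADF00D_CAFEBABE)
GOOD_BLOB = rsa_public_blob(65537, 0xF00DFACE_DEADC0DE_FEEDBEEF_12345679)

# Constructed stand-in for the distribution's blacklist of known-weak fingerprints.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}

# Constructed authorized_keys file: one good key, one weak key with an options field.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    key_line(GOOD_BLOB, "alice@laptop"),
    'command="/usr/bin/rsync --server" ' + key_line(WEAK_BLOB, "backup@debian-box"),
])

if __name__ == "__main__":
    for lineno, ktype, fp in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"line {lineno}: {ktype} {fp} is on the weak-key blacklist; regenerate it")
```

The same scan applies to host keys and to the certificates in the list above, where the underlying RSA/DSA public key is the thing to fingerprint; in every case the fix is the one the post gives, regenerate the key on a patched system, since a weak key stays weak no matter how well it is protected.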


OSX Update Galore

March 20th, 2008 @ 19:15 by Willem

There are lots of people who complain about the updates on the Windows platform, but Apple tries to compete, I guess. In the last 3 days there was a big security update, Safari 3.1 (both Windows and OSX), Time Machine and AirPort updates, and now a Camera RAW update for OSX 10.5.2.

Thankfully no problems on my side with the updates.

Looking for other updates from Apple? Just go here.


TrueCrypt Cross-Platform??

March 3rd, 2008 @ 19:47 by Willem

Since I have an iMac with OSX 10.5 (Leopard), I use Time Machine for my backups. This works great actually. But I also need an off-site backup of some sort, just in case the house burns down or some f*cker decides to steal my hardware.
So I bought an external Freecom 160GB USB2 drive (USB powered) for my off-site backups.

I encrypted the entire hard disk with TrueCrypt 5.0 on my iMac, and copied the data I needed to preserve. After that I wanted to access the data from my work laptop (Windows XP SP2 with TrueCrypt v5.0)..... This didn't work. TrueCrypt didn't recognize the password, or the encrypted disk (AES / SHA-256 full disk encryption).
I tried to access the data on my Mac and everything worked, so there's no data corruption of some sort. Eventually, I recreated the encrypted drive on my Windows XP laptop (losing the backup in the process). This time the disk would mount, and could also be read/mounted by my Mac.

So, I guess that TrueCrypt is cross-platform, but with the current version (v5.0a) you need to make sure to create the volume on Windows if you also want to mount it on OSX.

I reported this through their bug-reporting tool to the developers. No idea if there are similar problems with Linux.

UPDATE: Pretty soon they released v5.0a, and today v5.1 was released. So development goes on :-)


TrueCrypt v5.0 Coming Soon

January 16th, 2008 @ 14:56 by Willem

The TrueCrypt developers have scheduled the release of v5.0 for February (originally January) 2008. This release will also have a Mac OSX version. Now we're getting somewhere. Finally, true cross-platform (Windows, Linux, and OSX) encryption, and it's completely free.

TrueCrypt 5.0
Release scheduled for: January 2008

  • Windows system partition encryption with pre-boot authentication
  • Mac OS X version
  • GUI for Linux versions of TrueCrypt
  • Parallelized and pipelined read/write
  • and more.

The following features are planned to be implemented in future versions:

  • Support for external authentication modules (cryptographic tokens)
  • ‘Raw’ CD/DVD volumes
  • TrueCrypt API
  • and more.