Paul Hardwick: Macintosh

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Apple Works To Stave Off Big Mac Attack.

Fri, 16 Feb 2007 15:54:56 GMT

Apple Works To Stave Off Big Mac Attack.

Apple Inc. on Thursday issued patches to plug five separate security holes in software included on its Mac OS X computers. Mac users can download the free updates through the Mac's built-in software update feature or directly from Apple downloads.

The five flaws were vulnerabilities identified in January as part of the controversial Month of Apple Bugs project. Among those addressed in this go-round's batch are bugs in iChat, Apple's built-in instant messaging software and Finder, the Mac's ubiquitous file-search capability.

Mac users hope that Apple soon will issue a remedy for the flaw the MoAB curators detailed in the software update function on Apple. That's the same program that the company uses to push security fixes to its customers. I've received a half dozen e-mails from Mac users wondering how to mitigate the threat from this particular flaw. By my count, Apple still has to address at least 15 Mac-specific vulnerabilities highlighted in the MoAB project. But it's not clear which, if any, of these flaws are serious.

While there are scant indications that any nefarious characters are busy exploiting the weaknesses noted by the MoAB crew, it might benefit Apple and their customers if the firm explained how users could minimize their exposure to any of these potentially serious vulnerabilities.

"It should be very interesting to see what security changes Apple institutes in OS X 10.5, and if they dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull. "Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."

[Security Fix]

RIAA urges Apple to spread DRM far and wide.

Thu, 08 Feb 2007 17:22:06 GMT

RIAA urges Apple to spread DRM far and wide.

Steve, you're so smart

The RIAA has seized on the weakest part of Steve Jobs' anti-DRM manifesto by banging on Apple to license its FairPlay technology to other companies.

[The Register - Music and Media]

Apple Patches First 'Month of Apple Bugs' Flaw.

Fri, 26 Jan 2007 17:23:34 GMT

Apple Patches First 'Month of Apple Bugs' Flaw.

Apple Inc. on Tuesday released a software patch to fix an extremely serious security hole in its QuickTime media player program, one that could be exploited to install malicious software on Microsoft Windows or Mac OS X systems just by convincing a user to click on a specially crafted Web link.

Mac users of QuickTime can download the free updates using OS X's Software Update feature, or directly from Apple Downloads.

But what about a patch for Windows users of QuickTime? Apple says: "For Windows 2000 Service Pack 4 / XP: The update is available via the 'Apple Software Update' application, which is installed with the most recent version of QuickTime or iTunes."

I have this updater application installed on one of my Windows machines thanks to a recent re-install of iTunes, but it did not detect a new version of QuickTime when I ran it this morning.

Worse still, Apple doesn't appear to have changed a single thing in the latest QuickTime version for Windows, according to the SANS Internet Storm Center, which is currently advising Windows users to simply uninstall QuickTime altogether. I don't know why Apple can't just include a link to a patched Windows version of QuickTime in their advisories the same way they do for Apple users. Many Windows users probably do not have this software update utility installed, and while an auto-updater is always a welcome step, Apple should not force its largest user base to install another application to install a patch.

Anyway, the security hole Apple plugged was the very first flaw showcased in this month's highly polarizing Month of Apple Bugs project, which promised that for each day in January it would highlight a previously undocumented security hole in OS X or in an application built for the Mac operating system.

Security Fix is long overdue in revisiting this project, which is now more than two-thirds completed. This endeavor has engendered a huge amount of controversy in addition to quite a bit of drama within the security community, mainly because the co-curators of the project -- researcher Kevin Finnestere and a hacker identified only by his online nickname "LMH" -- have chosen to not only point out previously unidentified flaws but also to post computer code that could potentially allow anyone with the right skills to use the flaws to conduct their own attack against Mac users.

[Security Fix]

Apple Patches QuickTime.

Fri, 26 Jan 2007 15:29:25 GMT

Apple Patches QuickTime. Hackers could exploit media player during streaming to run malicious code. [PC World: Latest Technology News]

Putting a Bug in Apple's Ear.

Wed, 17 Jan 2007 20:31:37 GMT

Putting a Bug in Apple's Ear. Hell hath no fury like a security researcher scorned, and other lessons from the Month of Apple Bugs. By Quinn Norton. [Wired News: Top Stories]

Critical QuickTime Flaw Discovered.

Thu, 04 Jan 2007 07:48:33 GMT

Critical QuickTime Flaw Discovered. Apple's media player leaves Windows and Mac users open to attacks from malicious Web sites. [PC World: Latest Technology News]

QuickTime Flaw Kicks Off Month of Apple Bugs.

Tue, 02 Jan 2007 02:18:54 GMT

QuickTime Flaw Kicks Off Month of Apple Bugs.

A previously undocumented flaw in Apple's QuickTime media player could be exploited remotely by attackers to install malicious software on computers running either the Windows or Mac OS X operating systems, according to the inaugural posting by the Month of Apple Bugs project, a month-long effort that promises to feature a newly described security hole in Apple's software each day for all of January.

The advisory on the MoAB page states that the vulnerability stems from the way QuickTime implements a media streaming communications standard known as the "real time streaming protocol," or RTSP for short. By convincing an unsuspecting user to click on a specially crafted, very long hyperlink that begins with "rtsp://", and an attacker could install unwanted software on the victim's computer.

I am far from an expert on OS X, but the test exploit link I obtained from LMH -- the hacker handle of the secretive researcher who is co-curator of this project -- launched QuickTime on my test OS X Tiger system and then quickly crashed the application. When I manually re-launched QuickTime, it froze the entire computer, and the operating system threw up a message telling me that I need to restart. I learned later that the test exploit was written to work on Intel-based Macs, whereas my install of Tiger is on top of an older PowerPC. According to LMH, however, the exploit could also be made to work just as reliably on PowerPC based Macs.

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, said the exploit appears to be fairly solid and easy to use, noting that its potential for abuse presents a serious security threat to both Windows and Mac users.

"Apple [has] an advantage in that users typically do not run as administrators," Ullrich said. "But this still puts the user's personal data at risk." Threats more typically found on Windows machines, such as bot or keystroke logging programs, could be installed via this flaw even if a Mac user is running a less powerful user account, Ullrich said.

LMH said the Windows and Mac QuickTime Version 7.1.3 and the Player Version 7.1.3 are vulnerable, and that earlier versions also are likely to be vulnerable. QuickTime users can mitigate the threat from this bug by not opening links that begin with "rtsp://" or by disabling the display of streaming files in QuickTime. To do that on a Mac, open QuickTime, go to "Preferences," then click on the "Advanced" tab. You should see a "Mime Settings" button; click on that, and then uncheck the box next to "Streaming - Streaming Movies." For Windows users of the most current QuickTime version, click on "Edit," then 'Preferences," and then "QuickTime Preferences". Click on the "File Types" tab, and then on the plus sign next to "Streaming - Streaming Movies" and uncheck the box next to "RSTP stream descriptor".

I put in a query about this with Apple and will update the blog if I hear anything from them.

I've been playing around with this RTSP protocol, and it appears as though in its default configuration, Firefox 2.0 doesn't know what to do with links that begin with "rtsp://" and will throw up an error message saying so if you try to visit such a link. However, Internet Explorer and Safari, the default Web browsers on Windows and OS X machines, respectively, will happily render them via QuickTime.

I mention this because if the advisory is correct, this vulnerability does not strictly rely on tricking the would-be victim into clicking on a maliciously-crafted hyperlink. The exploit could be inserted into a video embedded in a Web page, one that loads automatically when the user visits the site. It also can be invoked inside of Macromedia Flash code or through Javascript commands (see the Security Fix post about the QuickTime worm on MySpace.com for a demonstration of the power of Javascript).

[Security Fix]

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Fri, 29 Dec 2006 00:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Computers, Freedom and Privacy 2007 - Call For Proposals

Fri, 29 Dec 2006 00:37:58 GMT

Call For Proposals - The deadline for proposals is January 20, 2006

The Program Committee of the Seventeenth Conference on Computers, Freedom, and Privacy (CFP2007) seeks your proposals for innovative conference sessions and speakers.

Coming in January: "Month of Apple Bugs".

Wed, 20 Dec 2006 02:47:13 GMT

Coming in January: "Month of Apple Bugs".

A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

The "Month of Apple Bugs" project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias "LMH." This is the same researcher who in November ran the "Month of Kernel Bugs" project. LMH's partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years.

The current craze for featuring a new bug each day for a specific time period began this summer with researcher HD Moore's "Month of Browser Bugs," which highlighted unpatched security holes in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari browser, and even Opera. With most of the browser bugs, Moore alerted the affected software vendors prior to publishing his findings.

To the chagrin of some security experts, however, LMH declined to give affected vendors advance noticed before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message.

LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.

"Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way," LMH said.

It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.

[Security Fix]

How Not to Distribute Security Patches.

Thu, 07 Dec 2006 18:23:25 GMT

How Not to Distribute Security Patches.

Over the weekend MySpace was hit by a password-stealing computer worm that took advantage of a weakness in Apple's QuickTime media player to spread rapidly among the online community's users. On Tuesday, MySpace administrators sent around a memo urging millions of users to download and install a new Apple patch to prevent future copycat attacks.

I think MySpace and Apple deserve credit for a prompt response to an obvious and serious security problem. That said, it appears as though both sides completely fumbled this patch rollout.

The memo, from MySpace's ubiquitous employee "Tom," says: "Hey, you're seeing this message because we detected that you have Quicktime on your system. Quicktime lets you watch movies on your computer. There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole. You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom"

This was a genuine message sent by MySpace admins urging certain users to apply a patch that was just released (well, sort of...more on that later). But you could almost see the blank stares from the wary MySpace users who were puzzled and understandably paranoid. Check out some of the questions and comments on just one of several MySpace user forum threads from puzzled users.

According to this CNet.com story, Apple was expected on Tuesday to release a patch (as requested by the folks at MySpace), but that MySpace would be responsible for distributing the update.

Come again?

To put this in perspective, when was the last time you saw Microsoft letting anyone else distribute its patches? The simple answer is that you do not. Why is that? Because the bad guys are constantly trying to get people to install all kinds of nasty and malicious software by disguising it as an official-looking "security update."

Likewise, Apple should not let social-networking sites distribute its patches, even if it turns out to be some kind of custom-made-for-MySpace-users patch, which I seriously doubt. Apple should host its own software fixes on its own servers, period. And MySpace should simply suck it up and disable QuickTime videos until Apple is ready to host an update; people still running the older version of QuickTime could be prompted to fetch the patch directly from Apple's site.

Another issue is that the MySpace worm either exploited a security flaw in QuickTime or it took advantage of an ill-advised feature deliberately built into the software. If it is a flaw, when can the rest of the planet expect a QuickTime patch? And if it is indeed a feature intentionally built into the media player, can non-MySpace users get a copy of QuickTime without said feature? I put a query in to Apple, and will update this blog when I receive more information.

Finally, the MySpace memo urged users to click on an exceptionally long link that appears to have several layers of encoding in it -- making it unclear where the user will end up after clicking (hover over the link included in Tom's message above to see what I mean). MySpace admins grooming the masses to install patches by clicking on seemingly random links in messages is an unfortunate kind of conditioning that may well encourage further attacks against MySpace users.

[Security Fix]

Nike + iPod poses threat to personal security.

Mon, 04 Dec 2006 19:01:49 GMT

Nike + iPod poses threat to personal security.

Could aid stalking and burglary

One of this year's must-have gadgets for music-crazy runners is a security nightmare that could help someone track your movements with relative ease, according to researchers at the University of Washington.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Apple Patches 31 Security Holes.

Wed, 29 Nov 2006 20:05:27 GMT

Apple Patches 31 Security Holes.

Apple Computer today released software updates to fix at least 31 separate security flaws in computers powered by different versions of its Mac OS X operating systems. Users can download the free updates using OS X's Software Update feature, or directly from Apple Downloads.

The first update listed in Apple's advisory addresses a problem with the built-in wireless cards on certain Mac systems that researcher HD Moore detailed earlier this month and which can be exploited by attackers to install malicious software. Apple said the vulnerability is present in eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card; systems with the AirPort Extreme card are not affected.

Other fixes released today mend easily exploitable conditions, such as bugs that attackers could use to install malicious code just by convincing the user to visit a specially crafted site or font files. Among the many other updates included in this bundle are fixes for ClamAV (an antivirus program) for Mac OS X Server, as well as those to mend a slew of problems with the OS X utility used to unzip compressed files.

[Security Fix]

Exploit Released for Unpatched Apple Wi-Fi Flaw.

Thu, 09 Nov 2006 01:58:53 GMT

Exploit Released for Unpatched Apple Wi-Fi Flaw.

Update, 4:35 p.m. ET: Lynn Fox over at Apple called back with the following statement:

"We were recently made aware of this security issue in our first generation AirPort card, which has not shipped since October 2003. This issue affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs. We are currently investigating the issue."

Original Post From Earlier Today:

Security researcher HD Moore today released computer code showing how attackers can exploit an unpatched flaw present in the wireless drivers in some Apple Macintosh computers.

"With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD'ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers," said LMH (the alias of the hacker who runs the Kernelfun blog) -- referring to an Apple wireless driver issue covered by Security Fix earlier this year (the links in the quote are his).

Moore said he tested the exploit on a 1.0Ghz PowerBook running Mac OS X 10.4.8 with the latest updates (Halloween, 2006). "The fastest way to trigger this bug is to place the card into active scanning mode. This can be accomplished by launching Kismac [a wireless network scanning program] with the active scanning driver, or by using the 'airport' utility provided with OS X."

While Apple released updates in September to fix at least three problems in its wireless drivers, there is currently no fix available from Apple for the flaw detailed by Moore.

I exchanged a series of e-mails with Moore today to ask about some of this exploit's more technical details, which can be viewed here for anyone interested. In a nutshell, he says the exploit is somewhat unreliable as written, but that it could be made more so if someone spent a bit more time finessing it. He also said "it may be possible to make this exploit reliable by hammering the Airport driver with requests while triggering the bug."

Moore has since folded the exploit into Metasploit 3.0, a free software tool built to help users exploit security flaws against a variety of operating systems and third-party software applications.

The vulnerability is the first in a series of daily bug details to be released over the next 29 days as part of the "Month of Kernel Bugs" project. LMH said we can expect at least five more Apple kernel bugs to be detailed in the coming days, as well as kernel flaws in Linux, BSD, and Solaris 10 systems.

The "kernel" is probably the most vital and fundamental area of any computer system, as it handles the transfer of information between hardware and software on a machine, among other things. Kernel flaws are serious vulnerabilities, but kernel flaws that are exploitable remotely are extremely dangerous, because an attacker can use them to completely subvert the security of the target machine, usually regardless of the presence of security software or the system privileges of the user account the victim happens to be running at the time.

I put a call in to Apple spokeswoman Lynn Fox and will update this post if I hear back from the company. I also pinged David Maynor from SecureWorks to determine if this was related to the exploit I saw at the BlackHat security conference in Las Vegas this summer, but I've not yet received a response from him either.

I did catch up with Maynor's co-presenter, Johnny "Cache" Ellch, who said the bug Moore released today is unrelated to the flaw detailed at Black Hat.

[Security Fix]

Apple Says Some iPods Shipped With Virus.

Wed, 25 Oct 2006 03:50:21 GMT

Apple Says Some iPods Shipped With Virus.

Apple Computer this week warned customers that some Video iPods sold over the past five weeks were shipped with a computer virus capable of infecting computers running Microsoft Windows and exposing them to attacks by hackers.

Apple said the virus was embedded in less than 1 percent of the Video iPods available for purchase after September 12, 2006. Greg Joswiak, vice president of iPod product marketing at Apple, said the company traced the virus back to a Windows machine used to test iPod software in the manufacturing process.

Joswiak declined to say how many devices were affected, citing the potential impact on investors closely watching the company's earnings reports today. But he said Apple has corrected the problem and that all video iPods the company is currently shipping are virus-free.

The virus (more accurately, a computer worm) variously dubbed "RavMonE.exe" and "W32/Rjump.worm" by different anti-virus vendors, first surfaced in June and attempts to spread to all memory storage devices attached to an infected computer. It also opens a "back door" on infected PCs that criminals can use to gain access to the machines.

Joswiak said affected Windows users should be able to clean up the problem with up-to-date anti-virus software. Because the virus spreads to all removable media attached to an infected machine, any media inserted into the PC after the acquisition of the Video iPod should also be scanned for infection.

From Apple's advisory: "After installing an anti-virus application, you should attach your Video iPod to your Windows computer and run the anti-virus program. If your Windows system is infected with this virus, an alert will be triggered and inform you that the virus has been detected and either quarantined or removed. You should then use iTunes 7 to easily restore the software on your newly purchased Video iPod."

Apple said it has received fewer than 25 reports about the problem. But Ed Felten, director of the Center for Information Technology Policy at Princeton University, said many Windows users who have this virus on their machines may not have noticed, as it silently installs itself when the users merely plugs the device into their computer.

"This type of thing is a risk that follows from fact that these are storage devices, but also that Windows is designed to accept programs from storage devices very easily," Felten said. "Twenty-five complaints translates into who knows how many people infected."

Eric Gaertner, 19, of East Brunswick, N.J., said he noticed his Video iPod was infected on Oct. 6 when his anti-virus program threw up a warning after he plugged the week-old device into his Windows XP computer.

Gaertner said he was able to delete the virus and the three infected files it installed, but that he remains bitter about the whole ordeal.

"I paid $250 for this thing, and it's pretty ridiculous that Apple's quality control is not better than that, because a lot of people who might get an iPod probably don't have up to date anti-virus [software] installed," he said.

The iPod news comes just days after McDonald's Japan recalled MP3 players it gave away as prizes to customers after learning that the devices shipped with spyware designed to steal sensitive data that users entered at financial and e-commerce Web sites. Last year, multimedia giant Creative acknowledged that roughly 4,000 of the company's Zen Neeon MP3 players shipped with a Windows computer worm embedded inside.

One final note: I took a look this morning at the Internet servers (located in China) that the virus is designed to connect back to, but at the moment they do not appear to be online or accepting any connections.

Update, 4:11 p.m. ET: The above post was edited to include comments from an individual whose PC was infected after plugging in a brand new Video iPod.

[Security Fix]

Apple Patches 15 Security Flaws.

Wed, 11 Oct 2006 04:08:38 GMT

Apple Patches 15 Security Flaws.

Apple Computer on Friday issued a bundle of updates to fix at least 15 different security holes in its Mac OS X software applications.

Mac OS X v10.4.8 and Security Update 2006-006 corrects flaws in OS X Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, and Mac OS X Server v10.4 through Mac OS X Server v10.4.7.

Apple says the Software Update utility "will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.4.8 or Security Update 2006-006," available from Apple Downloads.

The updates include fixes for several remotely-exploitable flaws, including four bugs in the Mac version of Adobe's Flash player, as well as some that could be exploited just by viewing a maliciously crafted image file or visiting a nasty Web site.

[Security Fix]

Safe Storage, Mac Style.

Thu, 21 Sep 2006 17:11:52 GMT

Safe Storage, Mac Style. Disk-level encryption provides a safety net without a hassle

[CSO Online Data Security Briefing]

Apple, Microsoft Release Software Patches.

Thu, 14 Sep 2006 18:35:44 GMT

Apple, Microsoft Release Software Patches.

Apple and Microsoft today released updates to fix security problems in their software, including a patch bundle for the popular QuickTime media player, as well as fixes for computers running Windows and Microsoft Office.

The QuickTime update, available for both Mac and Windows systems, mends seven security holes that Apple said could let attackers install malicious programs if a user opened specially crafted media files. The newest version is QuickTime 7.1.3, and it is available at this link.

Microsoft issued two patches to fix flaws in Windows, one of which the company said could let bad guys hijack vulnerable PCs. The more serious of the two affects Windows XP systems. Another patch corrects a critical flaw in Microsoft Publisher. If you use a Windows system and do not have your machine set to fetch Windows updates on its own via Automatic Updates, point Internet Explorer over to Microsoft Update to download and install these updates.

Microsoft also re-released two patches that it issued in August, including the Internet Explorer update that caused problems for some people running IE on Windows 2000 and Windows XP systems that do not have Service Pack 2 installed. In addition, it re-issued another patch that was creating glitches for some users of Windows Server 2003 and Windows XP Professional 64-Bit systems.

Microsoft pushed out an advisory on an important update for Adobe's Flash Player program, which is installed by default on millions of PCs running Windows. In May, Microsoft pushed out a Flash update to fix a couple of serious security holes in prior versions of Flash, a version of which ships with all Windows XP systems. Today, Redmond called attention to an Adobe update that mends three newly disclosed flaws in Flash Player version 8.0.24.0. The newest version -- v. 9.0.16.0 -- fixes those problems and is available from Adobe's site.

To see which version of Flash you have installed, go to this link on Macromedia's site. If you run Flash on your machine, try not to put off updating: Vulnerability watcher Secunia rated the Flash flaws "highly critical," as they could be exploited just by convincing a user to visit a malicious Web site.

Finally, I mentioned last week that Microsoft was going to issue a couple of high-priority, non-security related updates for Windows. When I scanned my Windows XP machine at Microsoft Update, it presented me with two non-security updates, including one to fix what Microsoft says is an audio problem that could cause stability issues for Windows XP users. The other one addresses errors that some Windows users have been seeing when trying to download updates via Microsoft Update, Windows Update, and Automatic Updates.

[Security Fix]

Slashdot | iTunes v6 FairPlay DRM Cracked

Thu, 31 Aug 2006 19:39:05 GMT

luaine writes with an Engadget article claiming the cracking of iTunes v6 FairPlay DRM. From the article: "[A] new app called QTFairUse6 looks like it can now be used (with some amount of difficulty) to dump iTunes version 6.0.4 - 6.0.5 files of their chastely protection." At present this is a Windows-only tool for those who are "not afraid to get [their] hands dirty with a little python." Engadget does not provide a link to QTFairUse6, and neither will we. We've run several DRM stories recently, but it's been 19 months since Cracking iTunes' DRM with JHymn.

The Black Hat Wireless Exploit Interview, Verbatim.

Wed, 16 Aug 2006 18:38:59 GMT

The Black Hat Wireless Exploit Interview, Verbatim.

I've received an overwhelming amount of hate mail from Mac enthusiasts over two previous posts on a wireless-device-driver presentation at the Black Hat hacker conference, with people accusing me of all kinds of nasty things. Rather than respond to every wild accusation under the sun, I thought it best to give readers all of the information that I have on this. I am posting here a word-for-word transcription of a taped interview I had with David Maynor of SecureWorks in his hotel room on Tuesday, Aug. 1 -- the eve of his presentation at Black Hat.

I've been asked this many times, so let me make this crystal clear: I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook -- but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in. As far as I'm aware, only one other person at the conference saw the demo the way I saw it (a Black Hat staff member whom I'm not at liberty to name); the discrepancy over the wireless card is probably the biggest reason why the Mac community was so confused and upset by my original post. I tried to clarify that in a follow-up, and am posting the contents of that interview -- verbatim -- to give the public all of the information I have about this particular exploit.

As I turned the tape on, Maynor was just beginning to demonstrate the exploit for me.

Maynor: OK, so the first step in this is we want to turn this [Windows laptop] into a wireless access point.

BK: Oh, so you do have to have it connected?

Maynor: No, this is just for the demo. This is the way we've developed the demo. If I explained it any other way, you wouldn't see anything. It would just say, "Exploit done." This way you can see the results of it.

[Maynor runs the connect-back script that leverages the flaw in the Macbook's wireless device drivers to connect back to the Windows laptop to which it was already associated.]

Maynor: So, I'm going to place a file on the desktop here on the Macbook using this machine here. What should I call it?

BK: I dunno. How about "owned"? [A text file named "owned" shows up on the Macbook desktop.] Wait, OK. Explain to me exactly what you're exploiting in here. Is it a flaw in the Macbook itself?

Maynor: Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]

BK: Oh. OK, well, then aside from this Macbook example, how many other machines have you been able to find this kind of --

[Security Fix]

Apple Mac Pro Users Urged to Apply Security Updates.

Thu, 10 Aug 2006 18:48:08 GMT

Apple Mac Pro Users Urged to Apply Security Updates.

Apple today issued two additional security patches for users who recently bought a new Mac Pro. On Aug. 1, Apple pushed out fixes to plug 26 security holes in different versions of the Mac OS X operating system. Turns out the new Mac Pro product ships with all but two of the patches included in last week's patch bundle, and Apple is re-releasing those updates for Mac Pro users to download and install.

From the Apple advisory: "The new Mac Pro product ships with Mac OS X v10.4.7 Build 8K1079. Also, the existing Xserve hardware is now shipping with ... Build 8K1079. The fixes provided in Security Update 2006-004 (August 1 release) are contained in Build 8K1079, with the exception of the ones listed below for ImageIO and OpenSSH. The fixes for these issues were not fully tested in time for the manufacturing of the Mac Pro, and are being provided via this security update. This update is a proper subset of the full Security Update 2006-004 released on August 1. Existing systems that have already applied Security Update 2006-004 (Aug 1 release) do not need to install this update."

Affected users can apply this update either using the Software Update feature or manually by visiting Apple Downloads.

[Security Fix]

Hijacking a Macbook in 60 Seconds or Less.

Wed, 02 Aug 2006 17:21:31 GMT

Hijacking a Macbook in 60 Seconds or Less.

If you want to grab the attention of a roomful of hackers, one sure fire way to do it is to show them a new method for remotely circumventing the security of an Apple Macbook computer to seize total control over the machine. That's exactly what hackers Jon "Johnny Cache" Ellch and David Maynor plan to show today in their Black Hat presentation on hacking the low-level computer code that powers many internal and external wireless cards on the market today.

The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook -- and presently not publicly disclosed -- Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market."

Maynor said he and his colleague opted in favor of a videotaped demonstration versus a live one because of the possibility that someone in the audience could intercept the traffic sent to a potentially live target and deconstruct the attack -- possibly to use the exploit in the wild against other Macbook users.

One of the dangers of this type of attack is that a machine running a vulnerable wireless device driver could be subverted just by being turned on. The wireless devices in most laptops -- and indeed the Macbook targeted in this example -- are by default constantly broadcasting their presence to any network within range, and most are configured to automatically connect to any available wireless network.

But according to Maynor and Ellch, this attack can be carried out whether or not a vulnerable targeted laptop connects with a local wireless network. It is, they said, enough for a vulnerable machine to have its wireless card active for such an attack to be successful. That's a trivial demand, given that most wireless devices embedded in laptops these days are switched on by default and are configured to continuously seek out available wireless networks.

Because the software that powers these wireless devices operates at such a fundamentally low level of the operating system, traditional system safeguards like firewalls and anti-virus software most likely will not stop the operating system from accepting a maliciously crafted network probe from an attacker seeking to exploit device driver-specific flaws. The result, said Maynor, is that a system using poorly designed device drivers is vulnerable to compromise just by doing what it was programmed to do.

But that explanation eclipses the larger point that Maynor and Ellch said they are trying to get across: Namely, that wireless device drivers are largely developed and written by an odd mix of hardware and software developers in an environment where time-to-market often trumps any thorough code review for potential security flaws.

Apple -- like many computer manufacturers -- outsources the development of its wireless device drivers to third parties. In Apple's case, the developer in question is Atheros, a company that devises drivers for a number of different wireless cards, each designed with drivers specific to the operating systems on which they will be used.

Maynor and Ellch also found two different device driver flaws for wireless products aimed at Windows systems. This is notable because it points out a security loophole in the way that Microsoft has traditionally processed device drivers. Any time a Windows XP user tries to install a device driver, the system checks whether that driver has been "signed" or approved by Microsoft so as not to cause system stability problems. Many third-party wireless cards designed for Windows systems are not signed by Microsoft, and the system will throw up a warning to that effect any time a user tries to install an unsigned device driver.

But according to Maynor and others, Microsoft only recently began testing whether its approved or "signed" device drivers introduced unforeseen security weaknesses into the system. Microsoft is trying to rectify that problem with Windows Vista -- the next version of its operating system by only allowing the installation of device drivers that have met the company's security testing procedures.

After the demo, Ellch (who is currently pursuing his master's degree in computer security at the Naval postgraduate school in Monterey, Calif.) will talk about a new tool he's developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.

"I'm getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that 'x' number are running them on a Windows box with a specific version of the driver," Ellch said. "The userful thing for that information is that if you have a device driver exploit and it's version-specific, you could tweak [the exploit] before you launch it."

Maynor said he and Ellch have been in contact with Apple, Microsoft and other companies responsible for vetting the device drivers that power the embedded or third-party wireless card devices meant for those systems, and that both companies are working with wireless card vendors and original equipment manufacturers (OEMs) to remedy the problems. Assuming the wireless device driver makers affected by these flaws fix the problems, it may be an uphill battle for those vendors to find an easy way for users to upgrade that software.

I should note here that while the bad guys may or may not have known about these security weaknesses for some time, there is not a single shred of evidence that these flaws have been exploited "in the wild" (as security companies like to say). That said, it might not be terrible idea to take advantage of the button your laptop that allows you to turn off the machine's constant search for wireless networks when you're not actively trying to go online.

[Security Fix]

Apple Issues Bundle of Security Updates.

Wed, 02 Aug 2006 17:06:52 GMT

Apple Issues Bundle of Security Updates.

Apple today released a bundle of software updates to fix more than two-dozen security weaknesses in computers powered by its Mac OS X operating system.

Apple issued updates to address 26 distinct security issues, by my count anyway. The patches fix problems in a slew of OS X programs, including several flaws that could be exploited by attackers just by getting the user to load a specially crafted image file in their Web browser or on the operating system.

Updates are available for Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.7 and Mac OS X Server 10.4.7. Users can update via the Apple Software Updates feature or by visiting Apple Downloads.

[Security Fix]

Apple widget checks raise eyebrows | CNET News.com

Mon, 10 Jul 2006 14:15:54 GMT

Apple's Dashboard Advisory verification software was designed as a security feature, a company representative said. "Apple takes protecting user privacy very seriously. The Dashboard Advisory feature is a security tool that ensures that the correct version of a widget has been downloaded from a third-party site and no personal information is transmitted back to Apple," the company said in a statement.

Dashboard Advisory looks at just widgets, not the rest of the operating system. Widgets available on Apple's Downloads page are actually hosted by the companies that developed the widgets, not Apple. The verification feature is designed to ensure that the widget advertised on Apple's Download page is the same widget that gets installed on a Mac, or to prevent someone from spoofing a link to trick a user into downloading a different program.

Red Sweater Blog - Apple Phones Home, Too

Sat, 08 Jul 2006 16:16:15 GMT

Lately I've heard a lot on technical podcasts about the public outrage over "Microsoft Genuine Advantage" and the fact that it "phones home" every day.

Apple released Mac OS X 10.4.7 last week, and ever since I installed it, I've been noticing Apple's own modest home phoning behavior. In this case it's ostensibly to provide users with the opportunity to check whether the Dashboard Widgets you download are identical to ones featured on Apple's site. Sort of a security debriefing, I guess. From the 10.4.7 release notes:

You can now verify whether or not a Dashboard widget you downloaded is the same version as a widget featured on (www.apple.com) before installing it.

The problem is this feature popped up without my permission, and there's no obvious way for me to turn it off. This is how companies, even fairly trustable ones (IMHO) like Apple, make users paranoid and suspicious of them. This phoning home is done by a new process called "dashboardadvisoryd." I don't know the exact schedule, but it appears to be very frequent: twice today in a seven hour period. If I didn't run Little Snitch I wouldn't have any idea this was going on, because Apple made no point of informing me of the new feature and what it would entail.

New Mac OS Feature Raises Privacy Concerns

Sat, 08 Jul 2006 16:10:04 GMT

Is your Mac "phoning home"?

That's the question some Apple users are asking after installing an updated version of the company's Mac OS Xâo[per thou]Version 10.4.7âo[per thou]that aims to help authenticate desktop widgets. According to at least one blog, Apple's efforts to help identify and validate end users' desktop widgets may have also introduced a new privacy-related issue.

The Fourth of July, 2006 is Privacy Digest's 7th Anniversary

Mon, 03 Jul 2006 17:14:11 GMT

Tomorrow, The Fourth of July 2006, Privacy Digest will have been publishing as this domain for seven years. We were actually around a bit longer as part of another blog. But on July 4, 1999, I decided that the issue was important enough to warrant it's own dedicated domain.

If you would like to help out my Amazon wishlist has a few things I need. More ideas on ways to support us can be found here.

Exploit Out for Newly-Patched Mac OS X Flaw.

Sun, 02 Jul 2006 13:58:03 GMT

Exploit Out for Newly-Patched Mac OS X Flaw.

Symantec is warning that it has detected a new piece of malware that tries to exploit a flaw in Mac OS X systems that Apple released a patch to fix just two days ago.

"OSX.Exploit.Launchd," exploits a security hole in the "launchD" service, which controls which programs should boot up whenever a user restarts a Mac. According to Symantec, this exploit provides the attacker root access -- or total control -- over any Mac system running OS X version 10.4.6 or earlier. Read Symantec's alert here.

Security vulnerabilities can be difficult to exploit on Mac systems because of the way the operating system was designed: Namely, the default account that the average person uses to browse the Web and use the system does not have full privileges to change system settings. In most cases, even if a Mac user were to accidentally download a piece of malware that tries to take advantage of a flaw in OS X, it would still not have permission to delete files or change system settings, unless the user first provided their password (which in theory should alert that user that something is goign on.)

An attack that leveraged this flaw in launchD, however, would give the attacker full system rights just by convincing the recipient to execute the malicious code (no password needed).

Eric Sites, with Web security firm Sunbelt Software, said the trojan was likely to end up in a mass mailed e-mail worm at some point.

"Once you have root access you can do anything you want to Mac OS or the user's data files," Sites said. That would include the ability to wipe all data from the hard drive, completely reconfigure the system, install a rootkit to maintain control over the system indefinitely, he sadded.

Symantec's write-up is fairly limited at the moment, but the company says it should have more information shortly. The company said it its automated Web crawlers spotted the malware, but I wonder if it didn't just pull down a copy of exploit code for this vulnerability that was posted to a popular hacker site just two days ago. At any rate, I will update this post as more information becomes available.

Update: 3:05 p.m. ET: As I suspected, Symantec didn't find anything actually wielding this exploit in the wild, even though called the thing "a Trojan horse." In an interview just now, the company acknowledged that its sensors were in fact triggered by the exploit code published earlier this week online.

"What this will allow is for malicious code to embed itself deeper into the operating system than may have been possible previously," said Oliver Friedrichs, director of emerging technologies at Symantec Security Response. "But I don't see this turning into the next big Internet worm or anything."

[Security Fix]

Apple Updates Fix Five Flaws for Mac OS X.

Wed, 28 Jun 2006 03:05:58 GMT

Apple Updates Fix Five Flaws for Mac OS X.

Apple today released five software updates to mend security holes in its various programs for certain computers powered by the Mac OS X operating system. This update affects systems running OS X and OS X Server versions 10.4 through 10.4.6.

OS X 10.4.7 includes fixes for at least three flaws that Apple said could let attackers execute malicious programs on a vulnerable machine. The three most serious updates apply to ClamAV anti-virus for Mac, a potenitally dangerous image viewing application flaw, as well as a glitch in "launchd" a program that manages the startup and shutdown of certain system services on OS X.

As always, Mac users can update by fetching the patches from Apple Downloads or by using the Software Update pane in "System Preferences."

[Security Fix]

Secure Voice over IP: Zfone by Phil Zimmerman

Mon, 22 May 2006 22:05:03 GMT

21 May 2006 - I've just released a new public beta for Zfone, a new product that takes a new approach to make a secure telephone for the Internet. Zfone lets you whisper in someone's ear, even if their ear is a thousand miles away.

Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another ZRTP client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

How to get the Zfone Public Beta (Yes, we've got Windows!)

Yes, we finally have a Windows XP version , as well as a new Mac OS X and Linux version. To get your hands on the Zfone public beta software, click here:
Get Started with Zfone Now!

In keeping with the long-standing PGP tradition, the source code is also available to download for peer review.

Mac Security: The Evil DRM Chip Is Bolted Inside The New Intel Macs? - Robin Good's Latest News

Wed, 05 Apr 2006 15:40:52 GMT

The basic idea of Trusted Computing is that security on a computer is obtained via hardware, through a specific chip dedicated exclusively to this task and called Trusted Platform Module (TPM). It's a very controversial project, as I wrote four years ago. Originally sold as a beneficial security system for users (which is partially true), trusted Computing and Palladium risks to open the doors to inviolable copy-protection systems and to censorship and surveillance issues to unprecedented levels.

The analysis by Electronic Frontier Foundation is inexorable and rigorous; although also the IBM refutation is worth reading.

Adobe Fixes Critical Flash Vulnerabilities.

Fri, 17 Mar 2006 22:39:21 GMT

Adobe Fixes Critical Flash Vulnerabilities. Both Windows and Mac systems are affected. [PCWorld.com - Latest News Stories]

Mac Skeptic: More on Mac Security.

Mon, 13 Mar 2006 15:12:29 GMT

Mac Skeptic: More on Mac Security. Some advice after a handful of mostly harmless worms shows that Macs are vulnerable to attack. [PCWorld.com - Latest News Stories]

Editor: The author(like many in the press) seems a bit confused on the difference between a worm and a Trojan, but the article does contain some useful info.

U of Wisconsin's Mac OS X Security Challenge.

Tue, 07 Mar 2006 16:47:57 GMT

U of Wisconsin's Mac OS X Security Challenge. digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." --- Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet [Slashdot]

Apple Fixes Critical Safari Bug, 16 Other Flaws (TechWeb).

Sat, 04 Mar 2006 18:29:26 GMT

Apple Fixes Critical Safari Bug, 16 Other Flaws (TechWeb). TechWeb - Apple Computer releases its first security update of 2006 to patch 17 bugs, including a critical flaw in the Safari browser and a gaffe in iChat that was used by the first Mac OS X worm to infect Macintosh machines. [Yahoo! News: Apple/Macintosh News]

Mac OS X Worm Wiggles Into the Wild.

Wed, 22 Feb 2006 05:05:29 GMT

Mac OS X Worm Wiggles Into the Wild. Worm spreads via iChat IM client and causes applications to run improperly. [PCWorld.com - Latest News Stories]

The Mac Skeptic: Straight Talk on Mac Security Risks.

Wed, 08 Feb 2006 02:59:28 GMT

The Mac Skeptic: Straight Talk on Mac Security Risks. Macs have a reputation for being more secure than Windows boxes. Is that reputation deserved? [PCWorld.com - Latest News Stories]

CNN.com - Apple changes iTunes feature - Jan 23, 2006

Tue, 24 Jan 2006 16:37:30 GMT

SAN JOSE, California (AP) -- Apple Computer Inc. has altered its iTunes software after users raised privacy concerns over a new spy-like song-recommendation feature in the music jukebox program.

The Cupertino, California-based company last Tuesday switched the so-called "MiniStore" feature to give users the choice of turning it on, rather than having it automatically activate with its new version update of iTunes.

The company introduced the recommendation feature two weeks ago. The MiniStore window pane with music or video suggestions pops up as users play songs from their libraries.

iPod Owners Not Thieves.

Sun, 15 Jan 2006 20:50:39 GMT

iPod Owners Not Thieves. An anonymous reader writes "Remember last year when Microsoft head Steve Ballmer said iPod owners were music thieves and their iPods were full of stolen music? It turns out they're actually less likely to download music using filesharing software than owners of other MP3 players. A lot less likely." --- From the article: "A survey of US and UK music buyers reveals that although 25 per cent of people admit to downloading music from file-sharing services, only seven per cent of iPod owners do so. Proving that iPod users are either scrupulously honest or more paranoid they'll get sued by RIAA than owners of lesser music players." [Slashdot]

iTunes MiniStore "phone home" feature part of a dangerous trend in data collection.

Sat, 14 Jan 2006 00:17:20 GMT

iTunes MiniStore "phone home" feature part of a dangerous trend in data collection.

This week at MacWorld, Apple unveiled version 6.0.2 of iTunes, which it simply claimed "includes stability and performance improvements over iTunes 6.0.1." Among these so-called improvements is the Apple iTunes MiniStore -- a localized "recommendation" engine that would look at what you listen to and then suggest additional songs and artists you might like. The MiniStore arrives turned on by default without asking a user's permission first.

However, as news reports have revealed this week, it appears that the MiniStore also automatically transmits your listening information over the Internet back to the Apple Mothership. What Apple does with this information is unknown, although Apple has represented that they are not collecting data on its users -- yet. Nor has Apple disclosed the steps they take to prevent disclosure or leakage of the information to third parties.

Ironically, this news comes on the heels of the recent Sony BMG DRM fiasco, a part of which included an undisclosed "phone home" feature of its own. Is the Apple MiniStore a rootkit DRM? Not from what we can tell, but it is part of a dangerous trend EFF has been witnessing in the digital music space market. When companies like Apple and Sony BMG start adjusting or installing software to micro-monitor our personal and private actions, even under the rubric of convenience, it is just one short stop down the road toward attempting to condition and control our behavior. All it takes is an enforcement protocol to turn recommendations into restrictions overnight.

If companies like Apple are truly about user empowerment, they must watch this trend closely and remain on the right side of it. Allowing users to upload information voluntarily and expressly with adequate privacy protections is pro-user; surreptitiously siphoning it into a remote database without any privacy guarantees is not. It's time for Apple to pick a side of the line and walk it.

Note: You can turn off the Apple MiniStore by hitting Shift-Command-M, or choose Edit: Hide MiniStore. EFF recommends that iTunes users do so until Apple at least comes clean about its MiniStore data practices.

[EFF: Deep Links]

BetaNews | New iTunes Prompts Privacy Concerns

Thu, 12 Jan 2006 18:39:31 GMT

Web sites and Internet forums are abuzz with news that a new feature recently added in version 6.0.2 may be communicating information on the song you are listening to Apple, raising privacy concerns from some users.

A "Mini Store" pane has been added to the main iTunes window that provides more information on the song being played, as well as additional available tracks from the artist, and a list of other songs that users who own the track have bought.

Cory Doctorow of the Boing Boing Web log posted about the issue early Wednesday. "At the very least, Apple must deliver information about whether iTunes gathers and transmits your data when the Mini-Store is switched off, and about what it does with the data the Mini-Store transmits when it's loaded," he wrote.

At the current time, Apple provides no information as to how the information is gathered or used, which is sure to anger privacy advocates. An option is available to turn the new feature off, which stops iTunes from transmitting information, according to reports.

Happy New Year 2006 !!

Mon, 02 Jan 2006 04:27:02 GMT

Happy New Year 2006 !!

NORAD keeping an eye on Santa !!

Sat, 24 Dec 2005 18:51:55 GMT

Merry Christmas to all ... and to all a Good Night!!

Don't forget The Annual NORAD Tracks Santa Claus Website .They also support :French,Spanish, Deutch,Italian and Japanese.NORAD tracks Santa every Christmas eve, following his trek around the world for children everywhere. Some portions of the site require RealPlayer to work. The free version is fine.

The server I use for Privacy Digest has been hacked/compromised.

Sat, 24 Dec 2005 06:20:32 GMT

Editor: Sorry about being gone for a bit. It seems that my server has been hacked, and used as part of a DOS attack. I have replaced the system OS and am in the process of reloading/recreating all the content in Privacy Digest and the other hosted domains. Since in my opinion my ISP has been on the slow side in responding to my trouble ticket. It looks like I will be putting things back together over the night when I should be sleeping. There have hundreds of brute force attacks fended off, but this time someone got in. I will put the most visible/critical data up first, and some may have to wait till I get some sleep.

Merry Christmas and Happy New Year !!

Apple Update Patches 13 Flaws.

Thu, 01 Dec 2005 19:01:01 GMT

Apple Update Patches 13 Flaws. Apple has issued a bundle of security fixes to mend 13 separate security flaws in several versions of its Mac OS X operating system, including quite a few holes that attackers could use to seize control over vulnerable machines. Nine of the 13 vulnerabilities reside in various Web-facing applications, including the Apache Web server. [Security Fix]

I wonder where the readers of Privacy Digest hang out?

Mon, 14 Nov 2005 23:14:49 GMT

Administrivia: If you don't mind admitting that you read Privacy Digest and making info publicly available (some of you won't want to do this I'm sure), there is a new service called Frapper that assigns users to locations on a map. If you want you can also attach a photo. Don't worry, the photo doesn't have to be of you. I'm doing this primarily to get a feel for where my readers are. Just click on the ICON if you are interested.

Administrvia - No updates for a bit.

Mon, 24 Oct 2005 07:25:14 GMT

Administrvia: Just wanted to let you know that there will probably not be any updates for a few days. It looks like I will be without net access for my CMS/Blog update software. If you see anything big send me an e-mail so I can put it up when I get back online.

Firefox and Mac security sanctuaries 'under attack' | The Register

Tue, 20 Sep 2005 14:49:12 GMT

Symantec has attacked the perceived security advantages of Firefox and Apple Macs by drawing unfavourable comparisons with Microsoft's software and describing Mac fans as living in a "false paradise". According to the latest edition of Symantec's Internet Security Threat Report, 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer in the first half of 2005.

Graham Pinkney, head of threat intelligence EMEA at Symantec, said that switching from IE to Firefox as a way of minimising security risks was no longer valid advice. "Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE," Pinkney told an IDC security conference last week ahead of the publication of Symantec's threat report today. John Cheney, chief executive of email filtering firm BlackSpider, replied that the release of Firefox had "helped Microsoft to raise its game" in terms of browser security.

As well as making comments that will doubtless irk Firefox fans, Symantec has renewed its assault of the perceived security advantages of Apple Macs. "Mac users may be operating under a false sense of security as a noteworthy number of vulnerabilities and attacks were detected against Apple Mac's operating system, OS X," Symantec said, reflecting comments in the previous edition of its threat report that OS X was an emerging target for attack.

Open Firmware Security for Mac Workstations.

Sun, 14 Aug 2005 16:28:46 GMT

Open Firmware Security for Mac Workstations. Securing a workstation means more than locking it down physically, says columnist Ryan Faas. In another in a series of columns on Macintosh security issues, he takes a look at Open Firmware security and how to make it work for you. [Computerworld Security Holes News]

No updates at Privacy Digest for a while

Tue, 19 Jul 2005 09:28:18 GMT

Editor: There will be no updates here at Privacy Digest for a bit, possibly till the end of the month. I am not going to have net access for my CMS (Content Management System) so I will have no way to update my site/feed. So if you find something very interesting please forward me a link to the material so I can include it when I get back. You can send it to editor(-at-)PrivacyDigest(-dot-)com

If you would like to help me pay for the creation/running of this site, you can either get something from the "Privacy Digest Wish List" or maybe Support Privacy Digest another way.

Today is the the Sixth anniversary for Privacy Digest - Happy Independence day America!!

Mon, 04 Jul 2005 15:44:40 GMT

Happy Independence day America!!

The Hypertext Declaration of Independence.

BTW Its the Sixth anniversary for "Privacy Digest" also Back on July 4,1999 I split the privacy news collection off from another weblog and gave it its own domain. Enjoy the holiday. Have a BBQ and enjoy the fireworks. If you would like to help me celebrate you can either get something from the "Privacy Digest Wish List" or maybe Support Privacy Digest another way.

JavaScript Flaw Leaves Every Browser Open to Attack.

Thu, 23 Jun 2005 15:49:31 GMT

JavaScript Flaw Leaves Every Browser Open to Attack. Don't assume you're safe. This bug puts even o Mac OS X users at risk. [PCWorld.com - Latest News Stories]

What Does Apple's Switch to Intel Mean for DRM?

Wed, 08 Jun 2005 14:41:00 GMT

What Does Apple's Switch to Intel Mean for DRM?

Apple fans who don't like digital rights managment (DRM) have been fretting about Apple's announcement Monday that it will move from the "PowerPC" to the Intel architecture. The Intel hardware platform is seen as more DRM-laden because of Intel's high-profile involvement in various DRM initiatives (something it's quite proud of). Intel has also promoted "trusted computing" projects (TCG and the LaGrande Technology) that can be used to strengthen DRM alongside traditional computer security applications. Does Apple's move mean more, or stronger, DRM in the Macintosh of the future?

We don't know yet. Using Intel platform features for DRM requires software support; since Apple appears set to continue its strategy of close control over both Macintosh hardware and the MacOS operating system, it has a lot of choices to make. Apple's current position on DRM in iTunes doesn't offer a lot of encouragement. There has also been speculation that Apple may be interested in using DRM-like hardware authentication features to prevent the Intel MacOS port from running on non-Macintosh hardware. The ability to do that effectively would be the culmination of DRM engineers' ongoing research into breaking emulation, a trend that started in the video game console market and has begun to spread to the PC.

It would be the height of irony if some existing DRM-like Macintosh applications written for PowerPC fail to run under Apple's "Rosetta" translator -- because they successfully detect the fact that they aren't running in a genuine PowerPC Macintosh environment.

[EFF: Deep Links]

Minnesota court takes dim view of encryption | CNET News.com

Wed, 25 May 2005 15:31:45 GMT

"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.

Randall favorably cited testimony given by retired police officer Brooke Schaub, who prepared a computer forensics report--called an EnCase Report--for the prosecution. Schaub testified that PGP "can basically encrypt any file" and "other than the National Security Agency," nobody could break it.

The court didn't say that police had unearthed any encrypted files or how it would view the use of standard software like OS X's FileVault. Rather, Levie's conviction was based on the in-person testimony of the girl who said she was paid to pose nude, coupled with the history of searches for "Lolitas" in Levie's Web browser.

Dashboard Leaves Macs Vulnerable.

Wed, 11 May 2005 15:40:22 GMT

Dashboard Leaves Macs Vulnerable. A new feature in Mac OS X Tiger contains a potential security hole that's just crying out to be exploited. By Daniel Terdiman. [Wired News: Security Blanket]

Malicious Web Pages Can Install Dashboard Widgets.

Mon, 09 May 2005 15:18:22 GMT

Malicious Web Pages Can Install Dashboard Widgets. bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari. [Slashdot]

Editor: So just remember to update the settings to turn off automatic activation of downloaded widgets.

Apple mega-patch fixes 19 flaws.

Sat, 07 May 2005 06:37:17 GMT

Apple mega-patch fixes 19 flaws.

The fix is in

Apple this week posted security updates to fix 19 security vulnerabilities in its Mac OS X operating system. Both client and server versions of a widely used version of its software - Mac OS X v10.3.9 - need patching.

[The Register - Security]

Mac More Secure When It Comes To Malware.

Tue, 05 Apr 2005 17:55:32 GMT

Mac More Secure When It Comes To Malware. Compared to the Windows/Intel Win32 platform, Mac OS X looks like an attractive alternative, at least when malware is the deciding factor. [Security Pipeline]

Symantec: Mac OS X Becoming a Malware Target.

Tue, 22 Mar 2005 17:56:12 GMT

Symantec: Mac OS X Becoming a Malware Target. tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." --- Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products. [Slashdot]

Mac Users Getting USB Security Dongles.

Sun, 20 Mar 2005 06:04:18 GMT

Mac Users Getting USB Security Dongles. The Zenkey looks like a USB thumb drive. When it's plugged into the Mac, the computer operates normally, but when it's removed, the computer no longer accepts input from the keyboard or mouse. [Security Pipeline]

Security researchers at Immunity say they have discovered several vulnerabilities in Darwin, the Unix core of Mac OS X

Wed, 19 Jan 2005 23:18:13 GMT

Security Firm Uncovers Flaws in Mac OS X's Darwin. Security researchers at Immunity say they have discovered several vulnerabilities in Darwin, the Unix core of Mac OS X. [eWEEK Security]

Apple patches 'highly critical' iTunes bug.

Fri, 14 Jan 2005 19:37:40 GMT

Apple patches 'highly critical' iTunes bug.

Playlist peril

Apple updated its iTunes software this week following the discovery of a security bug that leaves open a way to compromise vulnerable systems.âo[oe]

[The Register - Security]

Thu, 09 Dec 2004 00:16:24 GMT

CryptoHeaven 2.4.4. Secure email, online filesharing/storage, and secure chat, HIPAA compliant. [freshmeat.net - Mac OS X]

Security bugs take a bite out of Apple | The Register

Tue, 07 Dec 2004 18:46:16 GMT

Apple has posted security updates to fix 16 security vulnerabilities in its Mac OS X operating system. Both client and server versions of the software need patching. The bugs stem from flaws Apache web server software, QuickTime Streaming Server and Apple's Safari web browser, for example. Security firm Secunia describes the patches as "highly critical".

Fri, 03 Dec 2004 20:06:01 GMT

Apple Patches 17 Bugs In Mac OS X. Apple Computer on Thursday posted security updates for client and server editions of its Mac OS X that fix 17 vulnerabilities, the second patch in the last five weeks. [Security Pipeline]