Author Archives: J. ΞPSTΞÏN

[MultiPlatform] TrueCrypt 6.0 released

TrueCrypt is the leading open-source software to encrypt drive volumes. It supports Windows, MacOS X, and Linux. Version 5.1 has been released just 3.5 months ago in march. Now the Truecrypt team has released version 6.0 with the following features:

  • Parallelized encryption/decryption on multi-core/multi-cpu systems – thus demanding less time for the en- and decryption operations
  • Windows Vista, XP, 2003, 2008: run encrypted operating systems from hidden volumes (!)
  • Windows Vista, 2008: encrypt whole drives (incl. extended/logical partitions)
  • MacOS X: Create hidden volumes

Anyway: Permanent decryption has been removed from TrueCrypt’s bootloader, in order to support hidden operating system volumes. Permanent decryption now has to be done using the boot disk.

Enjoy a major step in to more privacy and download TrueCrypt 6.0 here.

[Anonymity] How To Protect Email Addresses against Spam

The Novel

Since the very beginning of the internet in its occurence as the world wide web (www) in the mid of the 1990s there were bad guys.Those bad guys rapidly realized how to make a quick buck out of the technological inexperience of the new inhabitants of the www. It was the days when people had their first contact with HTML. First projects were showing the people’s dogs and the family and looked kinda ugly – from nowadays view.

So people began to show parts of their privacy to the masses almost without fully realizing that their website from now on was visible all over the world. And they added a contact @ character, hoping that other cool people would send them emails and telling them how cool the website about their dog is. But the people didn’t anticipate the guys who knew how to make money from pulling a fast one on others.

One of the first things the bad guys noticed was the fact that the principle of bulk mails could be easily transferred to the internet. So the bad guys began to manually collect email addresses from the websites of the dogowners and all the others. But what to advertise via email? We nowadays know how this question was answered. Those bad guys began to setup porn websites. They often used illegally copied photos of naked women or sex scenes from magazines.

They sent the dogsowners and all the others invitations for porn- or erotics-sites and appealed to their sexual drives. Many of the early days’ porn site operators were email address collectors themselves. They knew porn would sell till the end of mankind.

It didn’t take long and someone improved the way of collecting email addresses. He coded a robot (spam spider) who was able to scan the websites and search for those two HTML tags:

  • <a href="http://www.linktonextsite.org">Link To Next Site</a>
  • <a href="mailto:mymailaddress@mywebsite.org">Send me a Mail</a>

I bet you can already smell how the story went on. The email addresses were written automatically into databases. And while the internet was growing and the amount of websites escalated virtually thru the roof the amount of people who understood to make a living from sending porn, erotic and viagra mails to the people also increased.

Although the novel above may not be 100% historical accurate, the problem of spam nowadays has become even worse.

Today it is estimated that 90% of the emails sent around the globe are spam.

What can we do about it?

Fight Spam Technically

As we’ve seen how the system works. Bad guys use automated robots to search the www for exploitable email addresses and write them back into their databases. So as a website operator the one and only question to take into consideration is: how to hide the email addresses?

Some time ago we’ve found a very nice way, that we are using for quite some years. We don’t know where we found it – otherwise we would credit the guy who wrote it.

Instead of using

  • <a href="mailto:mymailaddress@mywebsite.org">Send me a Mail</a>

we slightly obfuscate the email address by using Javascript. Every webbrowser nowadays perfectly understands Javascript, Ajax and even more. See here what we do:

  • <a href="#" onclick="mp='@';mp='mymailaddress'+mp;mp+='mywebsite.org';this.href=mp;">Send me a Mail</a>

So what’s happening here?

This integrated javascript reacts after you clicked on the “Send me a Mail” link. It then uses the temporary variable mp to reassemble your email address. By not putting the email address as a string into your HTML source of your website this scripts prevents (almost) any spam robot to recognize your email address. As a matter of course we recommend to use this technique from the first day a website is on the internet.

You can easily modify this javascript by changing the variable to another name or by changing the order.

We hope you had some fun in this lesson and appreciate your feedback.

[MacOS] HowTo Update to MacOS X 10.5.4

Abstract

Just four weeks ago Apple released update 10.5.3. It seems it didn’t hold too long, since 10.5.4 has been released two days ago. Features of 10.5.4 include Apple’s recent security updates, RAW image support for many cameras, Airport bugfixes, iCal bugfixes, Safari bugfixes, Spaces and Exposé bugfixes (read all details here). To sum things up: Apple recommends to apply this update as soon as possible.

So the most unanswered question for us white-box OS X users: how to update my Hackintosh? There are two different ways, depending which revision you’re running currently. If you are on 10.5.3 update is fairly easy. If you are on a revision below 10.5.3 you need to apply some more steps when using the combo update. Follow our short instructions and your are finished virtually before you even started ;-)

Update from 10.5.3

You can simply use the auto-updater from within MacOS X’ Software Update (see picture).

Apple Software Update


Update from 10.5.2, 10.5.1 or even earlier

Get yourself the comboupdate from here: Download,
then apply the instructions we already described here. Because the instructions for updating to 10.5.2, 10.5.3 or using the 10.5.4 combo update are the same.

Enjoy and tell us about your experiences.

[iPhone] Swisscom to Offer iPhone 3G as Prepaid Mobile Phone

For all the people around the world, who desperately wanna get that new gadget called iPhone 3G, this is good news. Swisscom – (attention pleonasm) the swiss carrier – announced to offer the iPhone 3G with a prepaid contract. Using a prepaid tariff, prices for the iPhone 3G will vary from 519 CHF (=510 US$, =325€) for the 8GB version to 619 CHF (=610US$, =385€) for the 16GB version.

Anyway it has been confirmed that Swisscom’s iPhone will definitely be SIM-locked to the Swisscom network. Since nobody actually knows how to circumvent the new bootloader (only a few people just got their hands on a new iPhone) – we recommend not to buy an iPhone 3G early after release.

[iPhone] Debitel to Sell 3G iPhone in Germany

The german resell provider Debitel will sell the new iPhone 3G. Contracts have been closed between T-Com and Debitel. Debitel is now allowed to distribute iPhone thru their own Dug stores and thru the Metro-Group’s electronic markets Media Markt and Saturn. Karstadt and Galeria-Kaufhof stores may follow soon. Though it is rumored that Debitel’s iPhones tariffs won’t differ from the original T-Mobile tariffs. Anyway we can now expect it to become a gadget really for everyone here in germany. Good buy then, snobbish avantgarde…

[e-Biz] Sony to offer Copy Protected DivX Movies online

Sony – one of the leading companies in nowadays media world – announced to offer movies for direct download. Sony Pictures and Television International (SPTI) will use the DivX codec in combination with a copy protected container. Currently it is not known in which countries this service will be established.

Wait a sec… can this really be true?

It is 2008 and movies are getting (illegally) copied thru the internet using p2p technology for the last 10 years. No copy protection, no laywer and no law suit ever stopped the majority of people from copying content.

It seems like the movie companies did not really learn their lessons by heart. We really like Sony (Pictures) a lot. Sony is the leading company behind the Bluray disc and the Playstation 3 is a console of its own kind.

But using copy protections on movies in this situation may be very risky. Consumers are willing to pay for content but we would not expect the mass of consumers to be tolerant of copy protected content that cannot be played on home DVD players but on PC only.

iTunes for example is only tolerated by the masses because it has the well known loophole that allows to create unprotected audio CDs. These audio CDs can then be re-ripped hassle free and converted to any unprotected format.

The guys behind the music portal Bleep (http://www.bleep.com) for example got that imponderability in their heads from the very beginning and therefore they are offering music as unprotected mp3’s and in lossless FLAC. There is no other music portal that we are aware of that got such a huge catalogue and offers lossless compressed music.

Concepts containing DRM (Digital Rights Management) are the past, wake up ol’ boys, kick the lawyers and invest into your company’s future.

[MacOS] Trojan horse uses MacOS X ARD vulnerability

Last week we reported about the vulnerability of the Apple Remote Desktop (read here). Now Brian Krebs of the Washington Post (read here) found out that readymade scripts are available yet on the net.

The scripts are compiled into an exploit tool called “Applescript Trojan Horse Template”. The scripts allow any user to run programs without having legitimate privileges. The template is designed to be bundled with any software. This means by downloading software from dark places on the net you may be in danger of being attacked stealthy.

After installation a keystroke logger (keylogger) is installed and and a VNC (virtual network computing) server is installed, that allows attackers to remotely access a victim’s computer. Moreover a PHP shell gets installed that allows tracking the victim’s computer using dynamic DNS services.

Our recommendation: get yourself a Mac virus scanner as soon as possible. The virus free time is almost over. Apple gains market shares and hackers become more and more interested in Mac based machines…

[MacOS] Rumors about EFI-X Prices and Shipping date

The EFI-X thing turns into quite a never ending story (see our recent reports here and here). So although june, 23rd – originally announced EFI-X release date – has passed by without any astonishing news on the EFI-X website, there have been some rumors in forums.

Forums tell EFI-X will be priced at 80€ (~125USD). EFI-X will not sell to consumers. See a privisional list of countries selling EFI-X here – though yet no retail stores have been named either. They want to start shipping in about 4 weeks (end of july).

Moreover it seems like only Gigabyte motherboards are fully supported by that device. We hope to receive an NFR copy of EFI-X soon to keep you updated with details.

[Berlin] Big Brother is Watching us Berlin People

In Germany the Berlin Police admits having wiretapped 1,100 telephone mainlines in 2007, thus they listened to 1million phone calls. In 2006 only 540 mainlines have been tapped. The main entertained suspicion for eavesdropping was drug related crime.

The police explains that a large number like 1,100 mainlines was necessary, because the 500 assumed suspects are  using more than one phone. One question remains: can police decide what reasonable suspicion is – or who does?

[e-Biz] Nokia strikes back

Nokia – the market leader in cell phone industry – is about to challenge Google. Wait a sec? Google? Yes, Google. The keyword is “mobile internet”. It is expected that in the near future more people will go online using their mobile devices than using a computer at home. Google therefore heavily pushes their cell phone operating system Android. With Google entering the cell phone market another new competitor emerges for Nokia. Last year it’s been the iPhone and now it is Google’s Android.

The only way out of this attack is to strike back. In mid 2007 Nokia announced to restructure Nokia into an internet company. Since then Nokia bought companies in the field of online advertisments, music downloads, games, digital mapping and eventually they presented Ovi (Ovi translates in english to “door”). Ovi is a portal that integrates all Nokia’s efforts to metamorphose.

But one problem still remained: the open source operating system Android. Nokia now announced to take over Symbian. Together with Sony-Ericsson, Motorola, LG, Vodafone, AT&T, NTT Docomo, ST Microsystems and Texas Instruments Nokia will set up a foundation to further improve Symbian OS – as license fee free open source operating system for mobile devices.

The german Handelsblatt today reports that the Symbian foundation in the meantime announced to release their open platform during the next two years. Well, two years is quite a long time for striking back forceful against Apple and Google…