Archive for the ‘security’ Category


Because let’s face it: a game published by EA, which now expects players of offline games to be always connected to its servers for DLC and whatnot, which logs (for those titles) numerous online statistics about every abstract detail of user activity, AND which is distributed, amongst other things, by Steam, certainly doesn’t want to raise awareness of privacy concerns and the possible consequences of a serious lack of them. :P

In short: oh, the irony.

Define “Check for a solution”. What would an option with that name probably do, judging by the wording? I (once upon a time) actually believed it meant the software would go and check for a “solution” if I selected it. But what actually happens (as well) is that an error report is sent. Is this supposed to be some sort of newspeak? Since when does “checking” include “transferring data”? Someone give them a dictionary, so they can learn what actually is synonymous. This dialog appears on Windows 7 every time a program has crashed/stopped working correctly. The action taken can be configured in 4 degrees of varying intensity, ranging from complete automation (sending without a user prompt) and sending “everything” to doing absolutely nothing/skipping this dialog.

I got put on this track when I used the BitDefender Online Scanner and decided to get a second opinion. I remembered reading about “Microsoft Security Essentials”, which is supposed to be a “basic” virus scanner. Again, the title Security Essentials tells anyone it’s a virus scanner at first glance… Its first action was to re-enable Windows Update without telling me (there is a patch day once a month, so it doesn’t make much sense to have WU check for patches more often, let alone every day…), but what I really disliked was Microsoft SpyNet (Yes, I know! They really called it that! Awesome!). The difference between Microsoft SpyNet and the previously mentioned Windows 7 “solution checking” is that the program wasn’t intended to work without sending data back home. This time there are only 2 settings, allowing it to send “some” or “even more” information (the information will be collected and sent automatically).
Of course the text says that Microsoft will never use the collected information to identify or contact users, but when a program crashes while you are writing a letter (or something like that), your name might be sent anyway, along with the rest, and current (let alone future) storage capacities can only suggest it will never be deleted again, only archived.

The sole thing that’s getting transparent here is: MSE is free of charge* software, but it’s not free of charge the way, I don’t know, VirtualDub is, or other stuff like Password Safe, Replacer, InfraRecorder, Audacity, yadi and VLC. Stuff like this can just be downloaded, tested, used, discarded or whatever, without any further consequences. And to me, this is suddenly changing now (almost in a surge) for more and more products.
Look at Steam, how it collects data about players’ gaming times and hardware, or even offline/single-player games like Dragon Age: Origins, which now require the player to stay logged in for access to some of their (fully paid for) content.
The sheer number of products changing this way makes it appear to be more than just a few products altering their behavior (as they always do), but rather a general change of policy in the entire mass-market software world.

*FREE of charge – because you MIGHT end up paying by other means.


How much sense many “security” decisions make was demonstrated to me again by the half-open connections fix in MS operating systems. XP got it with SP2: slower virus spread and so on. Vista, beginning with SP2, dropped it again, just like that. Windows 7 never had it. Are we supposed to believe now that Vista SP2/7 is less secure than XP with SP2? Or that it was BS all along?


New Features for 3.18

* [2793283] Allow entry to override doubleclick setting.
* [2793280] Browse+Autotype added to configurable double click actions.
* Implement Virtual Keyboards for multilingual passphrase entry.
* DragBar now has ToolTips to inform user of its use.
* User can close the currently open database via the System Tray menu.
* Improved Merge reporting.

Changes to Existing Features in 3.18

* New toolbar icon set has been replaced with icons based on famfamfam’s silk set.
* Reworked Add and Edit dialogs into Property Pages.

Bugs fixed in 3.18

* [2795428] Browse+ on Toolbar now inactive if no URL present
* [2795427] Duplicate of “Display Subset of Password” removed from Context Menu (right-click on entry).
* [2789873] Status bar now updated properly after Browse to URL and other actions that copied data to the clipboard.
* [2782413] No longer crashes when loading 0302 formatted headers (from ~v3.08).
* [2779705] Reserved shortcuts (Ctrl+Q, Alt+F4 and F1) now work.
* Run Command now correctly copied via Drag & Drop.
* Allow all fields to be selected for Compare function.
* Fixed crash if renaming an entry to one that already exists.



TrueCrypt 6.2a


June 15, 2009

Improvements and bug fixes:

  • Improved file container creation speed on systems having issues with write block sizes greater than 64 KB. (Windows)
  • The ‘Device not ready’ error will no longer occur when the process of decryption of a system partition/drive is finished. (Windows)
  • Other minor improvements and bug fixes. (Windows, Mac OS X, and Linux)


TrueCrypt 6.2


May 11, 2009

New features:

  • The I/O pipeline now uses read-ahead buffering, which improves read performance especially on solid-state drives, typically by 30-50%. (Windows)

Improvements, bug fixes, and security enhancements:

  • The boot loader now supports motherboards with BIOSes that reserve large amounts of base memory (typically for onboard RAID controllers). Note: In order to be able to take advantage of this improvement under Windows Vista, you will have to install Service Pack 1 or higher first. Service Pack 1 for Windows Vista resolved an issue causing a shortage of free base memory during system boot. (Windows Vista/XP/2008/2003)
  • Mounting using the ‘Auto-Mount Devices’ feature may take significantly less time as partitions containing unencrypted filesystems are now skipped. (Windows)
  • When volumes that are mounted as read-only or removable are saved as favorite volumes, they are mounted as read-only and/or removable when ‘Mount Favorite Volumes’ is used.
  • When a multiple-pass wipe algorithm is selected when performing in-place encryption of a non-system volume, the header areas will be wiped before the encrypted headers are written to the disk. Note: On an existing volume, you can perform such an operation by changing its password and/or keyfiles. (Windows)
  • Many other minor improvements, bug fixes and security enhancements. (Windows, Mac OS X, and Linux)



Black Hat: new ways to attack SSL


12 February 2009 (Darwin’s 200th birthday)

Password Safe 3.16


Similar to TrueCrypt, this version of Spybot brings MC support.


TrueCrypt 6.0a

Every time after a major version change they do an “a”. :P However, the major change in this release is support for multi-core platforms. Even on my rather old machine AES now makes up to 200 MB/s, something my drives are far from reaching. So the bottleneck is now somewhere else. Good for me. On a rather fast machine it’s really attractive to use it now; the performance shouldn’t decline very noticeably any longer.


Enclosed, but not encrypted


Possible vulnerability in TrueCrypt 5.1