Archive for category security

TrueCrypt for Mac OS X just released

The TrueCrypt team just introduced version 5.0 of its disk encryption software. It now supports pre-boot authentication to get full disk encryption.

Mac OS X is supported for the first time, so you can have full disk encryption on your Mac as opposed to Apple’s FileVault implementation, which only encrypts the user partition.

I will test it and post a summary and test report as soon as the site is back online.


T-Online and the unusual way to get security

8(!) months ago a vulnerability was discovered in the ADSL-WiFi-Router “Speedport W700V” manufactured by Siemens, allowing remote users to access the router’s web interface. Funnily enough, the router shows the default password at the login screen. The router is given away for free with a contract with the German Internet Provider T-Online (German Telekom). A firmware update that fixes the hole already exists. Some days ago, users of T-Online discovered that they couldn’t make connections on TCP port 8085 anymore.

Here is the punchline: T-Online admitted that they are now blocking port 8085 for outgoing connections, which affects only T-Online users. :)


An auction site for vulnerabilities

What’s the security business about? Plenty of people sit in dark rooms and search software for vulnerabilities. When they discover one, they normally inform the software vendor about it and after that make it available to the public. The vendor releases a patch, the exploit gets published to the net. What does the security analyst get for it? Nothing but a bit of fame.

That’s supposed to change. On Tuesday, the first official* marketplace for security flaws opened. If you discover a vulnerability, you can register at WabiSabiLabi and sell it there in an auction or for a fixed price. The sellers and buyers must verify themselves, so no script kiddies or bad guys can buy an exploit there. Of course one may ask whether this is morally OK. I came to the conclusion that it is, because the software vendors then spend the money they saved by dropping quality and security checks of their software, so it should be zero in sum. And the guys sitting in their dark rooms get what they deserve.

* of course there has been a market for vulnerabilities in the underground for a long time


Phishing phishers and tracing their identities

Two fellow students of IT-Security at my university recently came up with an idea [paper] on catching phishers and tracing their identities. The idea is quite simple:

1.) collect some recent phishing sites, e.g. from Google or Microsoft
2.) create user credentials such as name, bank, account number, TANs etc. (e.g. from wordlists, dictionaries)
3.) send these special credentials (called ‘phoneytokens’) to the phishing sites

When a phisher now visits the bank site and enters a phoneytoken, the system detects it and redirects the phisher to a honeypot system (called ‘phoneypot’) instead of the real banking application. This phoneypot looks like the real banking application and can collect data about the phisher, revealing organizational structures of the phishing system and hopefully the phisher himself.
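A sketch of the bank-side detection step described above, added here as an illustration and not taken from the paper. The `PhoneytokenRegistry` class, the one-token-per-phishing-site scheme, the HMAC fingerprint and the routing labels are all assumptions; a real deployment would also have to make sure decoy account numbers never collide with real customers.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; a real system would draw on larger wordlists.
NAMES = ["Anna Beispiel", "Max Mustermann", "Erika Musterfrau"]


class PhoneytokenRegistry:
    """Issues decoy credentials and recognises them at the bank login."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued = {}    # token fingerprint -> phishing site it was fed to
        self.sightings = []  # (phishing_site, client_ip) observed at the bank

    def _fingerprint(self, account: str, pin: str) -> str:
        # Keyed hash, so submitted logins are compared without being stored.
        msg = f"{account}:{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, phishing_site: str) -> dict:
        """Step 2: create a unique decoy credential for one phishing site."""
        digits = "0123456789"
        token = {
            "name": secrets.choice(NAMES),
            "account": "".join(secrets.choice(digits) for _ in range(10)),
            "pin": "".join(secrets.choice(digits) for _ in range(5)),
        }
        fp = self._fingerprint(token["account"], token["pin"])
        self._issued[fp] = phishing_site
        return token  # step 3, submitting it to the site, is not shown here

    def route_login(self, account: str, pin: str, client_ip: str) -> str:
        """Bank-side check: decoy logins go to the phoneypot, others pass."""
        site = self._issued.get(self._fingerprint(account, pin))
        if site is None:
            return "banking-app"
        # The token is unique per site, so this links the login attempt
        # back to the phishing page that harvested it.
        self.sightings.append((site, client_ip))
        return "phoneypot"
```

Because each token is handed to exactly one phishing site, every sighting ties a login attempt at the bank to the page that collected the credential.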

Talks with German banks are currently in progress; let’s see how this will work in practice. I’ll keep you up to date.
If you have any input, you can write to the authors mentioned in the paper or to me, of course.

see you, cordney*


MOAB and Macworld Expo Keynote

I suppose most of you have already heard or read about MOAB – The Month of Apple Bugs, a project initiated by LMH and Kevin Finisterre (the guys that already held the Month of Browser/Kernel Bugs). They publish vulnerabilities in Mac OS X or other Apple software and other apps for Mac OS X (like VLC, OmniWeb) together with 0day demo exploits before informing Apple. There is some controversy about whether this is the right way to disclose serious security issues before Apple has a chance to react and provide bugfixes. I personally like it and think it’s a chance for Apple to strengthen security in Mac OS X and promote it as a feature. I can also understand LMH’s and Kevin Finisterre’s frustration about how Apple reacts to bug reports; I also submitted several bug reports and one of them is still open – for 1 1/2 years by now.

Some of the vulnerabilities are really serious, so some guys formed a group, moabfixes, to write patches for these exploits using the Application Enhancer utility, which gives the ability to manipulate applications running in Mac OS X. Funnily enough, today’s MOAB vulnerability MOAB-08-01-2007 was found in this very app (Application Enhancer), and the authors of MOAB strongly advise users to stay away from it. Obviously they dislike that the moabfixes team around Landon Fuller fixes the bugs and steals some attention. ;-)

To come back to the post title and the keynote in about 10 minutes: I am pretty sure Steve Jobs will mention the Month of Apple Bugs project as a side note (in the way he always mentions current news in the days before keynotes – making a joke about it), but I hope he will take it seriously this time and give a statement on Apple’s security measures and plans regarding software security and Mac OS X.

Let’s see. cordney*
