Anthony Vance

Assistant Professor—Information Systems—Brigham Young University

FileVault—A Cryptographic Analysis

6 Jan, 2007  No Comment


I recently read an excellent presentation (click here for the PDF) entitled “VileFault” on the cryptographic mechanics of Mac OS X’s FileVault, a disk encryption utility. This is the first independent assessment I have read of FileVault. Other blog entries about FileVault can be found here, here, and here.

FileVault is a Mac OS X disk encryption utility that encrypts a user’s entire home directory (which contains all of a user’s documents and files but not programs). The Enterprise and Ultimate editions of Windows Vista contain a similar program called BitLocker Drive Encryption. An excellent open source drive encryption program, TrueCrypt, also exists. I think all of these programs mark a favorable trend toward more secure mobile computing.

To summarize the presentation, FileVault can be considered secure if it is used properly. To use FileVault effectively, users must avoid three vulnerabilities. First, users should use encrypted swap files by checking the “use secure virtual memory” setting in the security system setting panel.

Second, users should disable the Safe Sleep feature in OS X. Safe Sleep, like the Windows Hibernate feature, saves whatever is in memory to disk when the laptop battery gets too low. Unfortunately, the Safe Sleep file is not encrypted, allowing others to search it for sensitive information using “strings” or another string-parsing tool.

Third, as with many encryption solutions, the weakest link is usually the user’s password. The best encryption in the world can’t secure against simple passwords that can be cracked by a computer program in a matter of minutes. If you use a weak password, don’t bother using FileVault or any other form of encryption.

Interestingly, developer builds of Mac OS X Leopard show that FileVault has been significantly updated. It would be interesting to see another cryptographic assessment of FileVault after Leopard is released.

Changing Wordpress Unix Permissions

20 Dec, 2006  No Comment

The following is an easy way to ensure that Wordpress file permissions are correctly set using the find and xargs commands. I learned this technique from Dan Miessler’s excellent Find command primer.

Ensure each directory has the correct permissions set:

find . -type d -print0 | xargs -0 chmod 755

Ensure that each file has the correct permissions set:

find . -type f -print0 | xargs -0 chmod 644
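An added example (not part of the original post): the two commands above wrapped in a function, paired with a check that lists anything still deviating from 755/644, so the result can be verified rather than assumed. The directory is whatever path you pass in; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the post's two
# chmod passes to a WordPress tree and then verifies the result.

# Apply the permissions exactly as the post does: 755 on directories,
# 644 on files. -print0 / -0 keep names with spaces or newlines intact.
wp_fix_perms() {
    dir="$1"
    find "$dir" -type d -print0 | xargs -0 chmod 755
    find "$dir" -type f -print0 | xargs -0 chmod 644
}

# List every directory not exactly 755 and every file not exactly 644.
# Returns 1 (and prints the offenders to stderr) if anything deviates,
# 0 if the tree matches the intended layout. Symlinks are not followed.
wp_check_perms() {
    dir="$1"
    bad=$( {
        find "$dir" -type d ! -perm 755 -print
        find "$dir" -type f ! -perm 644 -print
    } )
    if [ -n "$bad" ]; then
        printf 'Unexpected permissions:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

wp-config.php holds the database credentials and is commonly given a tighter mode than 644 after this pass; that is a hardening step beyond what the post covers.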

Anonymity on the Internet

17 Dec, 2006  No Comment

Internet Anonymity Cartoon

The above cartoon by Peter Steiner was published in the July 5, 1993 issue of The New Yorker, just as the World Wide Web and the Internet in general were gaining widespread popularity. The cartoon conveys the freedom of anonymity that communicating over the Internet provides: no one knows who you really are.

However, this is only true in a very superficial sense and only for casual purposes. For any serious person, institution, or government, identities of Internet users are relatively transparent given enough determination. This is because of the nature of the technology–the Internet was not designed with anonymity in mind. For instance, the TCP/IP protocol (the main protocol of the Internet) requires computers to use an IP address, which is by definition a unique identifier.

Fortunately, there are several open source tools that do make robust anonymity on the Internet possible. Steven Gibson on Security Now highlights two of these: TOR and Freenet. I’ve written about TOR before (which works great) but Freenet was new to me.

Freenet is an anonymous distributed database containing files scattered over users’ hard drives all over the world. Users of Freenet are required to make a portion of their hard drive available to store parts of other users’ files. However, these files are encrypted, so there is no way to tell what is being stored on your hard drive. Further, when downloading from Freenet, there is no way to tell who you are downloading from.

This technology is very powerful and allows fully anonymous communication, ostensibly encouraging free speech. Unfortunately, this same technology can be used to harbor and distribute criminal information of all kinds. As with other powerful technologies, the good is enabled as well as the bad.

Hack Your Router—DD-WRT Linux Firmware

4 Dec, 2006  No Comment

I’ve recently discovered DD-WRT, the free Linux firmware for many network routers. My wife just got an old iMac G4 without wireless capability and I was looking for a wireless solution for it. I already have a wireless router at home and thought that the best way to wirelessly connect the iMac would be by creating a wireless bridge.

I have had good experience with Linksys routers in the past, so I bought a WRT54GS assuming that it would have bridge mode capability. However, I was surprised to find out that the WRT54GS didn’t have this functionality and that I would have to spend much more for a Linksys model designed to be a bridge.

I remembered reading about DD-WRT, a third-party, open source Linux firmware for routers. With DD-WRT, an ordinary router suddenly gains the features of much more expensive routing equipment. I’ve been very impressed. The interface is very professional, and my little wireless router now has an amazing feature list.

DD-WRT doesn’t work on most Linksys routers on the market now, as Linksys has successively reduced their routers’ flash memory to the point that DD-WRT can no longer be installed. Fortunately, there are many other routers on the market that are DD-WRT-friendly. I returned the Linksys router for a Buffalo router that the DD-WRT wiki recommended. It works great. I don’t think I’ll buy networking gear again that can’t run third-party Linux firmware.

FLOSS Weekly—Open Source Podcast

23 Oct, 2006  No Comment

My favorite podcast currently is FLOSS Weekly, which stands for Free as in Libre Open Source Software. The hosts are Leo Laporte and Chris Dibona. Chris Dibona is the open source program manager at Google and is in charge of Google Code, the Summer of Code, and keeping up good relations with the OSS community.

The format of the show is an interview with a prominent member of the OSS community, and because of Dibona’s contacts, the interviewees are top notch. Recent podcasts have featured Guido Van Rossum (creator of Python), Rasmus Lerdorf (creator of PHP), Randal Schwartz & Chromatic (key Perl developers/gurus), and Miguel de Icaza (creator of GNOME, and the Mono project).

The latest podcast interviews Eben Moglen, General Counsel of the Free Software Foundation, who talks about the history and significance of the GPL, and the importance and potential world impact of GPL v3. Really fascinating stuff. If you have any interest in Linux or OSS in general, I highly recommend it.

Torpark—Anonymous Web Browsing Made Easy

22 Sep, 2006  No Comment

Torpark screenshot

Today I attended a lecture on privacy given by Les Seagraves, Chief Privacy Officer at Earthlink. During the Q&A, I asked him if he had noticed a rise in the usage of anonymization tools like TOR. He replied that he had noticed a rise in the use of tools like TOR, and attributed the growing popularity to customers’ increasing concerns for privacy.

I’ve written before about TOR–a means of accessing the Internet anonymously. Whereas typical web browsing can be easily tracked by Internet Service Providers or governments, TOR sends traffic through a random, encrypted mesh of routers so that data is very difficult to track. Until now, TOR has required some technical know-how to set up. However, a new web browser, Torpark, has made anonymous web browsing easy and transparent.

Torpark is a modified version of the excellent Firefox web browser. It has TOR technology built into it so all you have to do is use Torpark to browse the web and you will do so anonymously. Plus, Torpark doesn’t need to have components installed on a computer, so it can be stored and run from a USB key at public kiosks. Below is a screenshot of Torpark accessing the Hidden Wiki, a web page that can only be accessed through the TOR network. As of now, Torpark only runs on Windows.

[Screenshot: Torpark accessing the Hidden Wiki]

Parallels—the Killer App

21 Jul, 2006  1 Comment

Every once in a while a killer app debuts, a software application so useful that it alone justifies the purchase of the supporting hardware. Witness Parallels Desktop for Mac, a virtual machine software that allows multiple operating systems to be installed on a single machine. This means a Mac running OS X can now also run Windows at the same time.

This is a huge boon for people wanting to switch to Macintosh but who have been forced to stick with Windows because of one or two critically important programs that only run on Windows. Parallels makes use of virtualization technology in Intel’s new Core Duo processors so that Windows runs next to OS X at near-native speeds. Essentially a Mac with Parallels is equivalent to two laptops–one a Mac and the other a PC. This is what makes Parallels a killer app.

However, Parallels can run many more operating systems than Windows XP. Parallels can also run Linux, OS/2, Solaris, FreeBSD, NeXTStep, Windows 3.1: virtually anything that runs on x86 hardware.

On my laptop, I can run OS X side-by-side with Windows XP and Ubuntu Linux. Further, thanks to an open source program called VirtueDesktops, I can switch simultaneously between these three operating systems. To see how cool this is, check out this video.

Switching from Linux to Mac OS X

16 Jul, 2006  1 Comment

I recently moved from Ubuntu Linux on a Dell Inspiron to Mac OS X on a MacBook. Interestingly, the day before I made my purchase, Tim O’Reilly observed that a few long-time Mac-using programmers had recently moved from Mac OS X to Ubuntu Linux. Because I was about to make the switch the other way, I posted the following response on O’Reilly’s blog:


Tim, I think your radar sense is on to something again. However, I’d like to offer myself as a counter example in that I am moving from Ubuntu to OS X this weekend when I purchase a MacBook. Ubuntu has impressed me as the most polished and feature-rich Linux distro I’ve used so far (among SUSE, Fedora, Debian, and Mandriva). I love that it improves on the robust Debian distro, offering fast development releases and an emphasis on usability. Ubuntu has improved a great deal in just its first two years of existence, and I fully expect alpha geeks and savvy tech users to adopt Ubuntu in favor of Mac OS X in the future. However, there are still several limitations to Ubuntu and Linux in general that are prompting me to move to OS X.

First, I find that Linux still requires a large degree of administration to work properly. I use several applications that require a kernel recompile every time a new version of the Linux kernel is released. Although I like the freedom of compiling my own kernel, the necessity of compiling the kernel in order to use the applications I need can be very frustrating.

Second, Linux lags behind Mac OS X and Windows in multimedia. Great strides have been made in recent years, but managing multimedia content is still difficult. Video editing and DVD authoring are especially salient sore points. Aside from the newly released Picasa for Linux, even managing photo albums is not as simple as it should be. Further, although Linux is so far DRM-free, this also means that Linux is shut out from online media content vendors such as iTunes and other music download services, and Warner Bros, Vongo, and others’ new movie download services.

Third, although software integration has improved, the large majority of software for Linux continues to feel disjointed and fragmentary when taken as a whole. Most applications don’t interoperate well with others. Simple things like dragging an image from a web page to an office document don’t work. As a result, the Linux desktop is a patchwork of powerful individual applications that never quite coordinate well enough to provide a satisfying user experience.

Fourth, neither Gnome nor KDE is as usable or as graphically appealing as Mac OS X or even Windows. I recognize that UI aesthetics and usability are not important for everyone, but I along with others note that the Linux UI is in many ways inferior to that of Windows XP, much less Vista or Mac OS X. Yes, XGL is becoming widely available, but XGL strikes me as a 3D-rendering novelty without good underlying usability justification.

I could list more complaints and others could doubtlessly add their own Linux quibbles as well. In sum, although I expect Ubuntu in time to become the power user’s distro of choice, Mac OS X still remains an unparalleled combination of UNIX and polished user experience.


2006 Top 100 Security Tools

23 Jun, 2006  No Comment

This week Insecure.org released the 2006 results of the top 100 security tools survey. The survey was performed by polling 3,243 active NMAP users (one of the most popular network security programs) on their preferred security tools. Most of the tools are free and open source and many were designed for the Unix/Linux platform.

It is a curiosity that the list of top 100 security programs could easily be called the top 100 hacking programs: both security practitioners and hackers use nearly the same toolset. For this reason it is useful to peruse this list and become familiar with the more popular tools in order to understand available capabilities for ensuring/defeating system security.

Goodbye Ethereal—Hello WireShark

9 Jun, 2006  No Comment


This week Ethereal, one of the most popular security and network tools, has had its name changed to WireShark. As this article explains, Gerald Combs, the creator of Ethereal, has moved to a new company and the former employer holds the copyright for the name Ethereal. Because the two parties couldn’t come to an agreement, Combs changed the name to WireShark.

WireShark is a packet sniffing tool that allows people on a local area network (LAN) to “eavesdrop” on other users’ Internet activity. WireShark is a real eye-opener for those unfamiliar with the inherent insecurity of Ethernet-based LANs (by far the most dominant LAN technology). For example, a person using WireShark (or a score of similar tools) could easily “listen” to the network traffic in a hotel or wireless hotspot and capture people’s emails, passwords, or other sensitive information.

WireShark and others like it take advantage of the openness of the Ethernet protocol, which was designed for a friendlier computing era, as were so many other network technologies. Fortunately, packet sniffing can be protected against by using a VPN.


© 2005-2010 Anthony Vance | Theme modified by Anthony Vance, based on design by Wolfgang Bartelme, ported to Wordpress by LEMONed.