PaulSpoerry.com

The Evil Maid Attack is an attack type against whole system disk encryption in a form of a small bootable USB stick image that allows to perform the attack in an easy “plug-and-play” way. The whole infection process takes about 1 minute, and it’s well suited to be used by hotel maids.

The Invisible Things blog goes into great detail on how most whole disk encryption is vulnerable in a relatively simple way. The scenario we consider is when somebody left an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption like e.g. this provided by TrueCrypt or PGP Whole Disk Encryption. Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or ”Coldboot” attacks.  So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop’s gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).

Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.

Read the rest of this entry »

The advertisement wars are really heating up, with Microsoft going on the full assault against Apple with several TV advertisements. I think the latest round of Microsoft ads are probably the only really affective ads we’ve seen since Windows 95. It’s about time too, because Apple has been mocking Microsoft with its “I’m a PC” campaign for a while now (and those ads are just genius). Now the Linux Foundation is getting into the game and announced the winner of the “We’re Linux” contest.

The “We’re Linux” contest was set up by the Linux Foundation to encourage Linux users to demonstrate in 1 minute videos why they used Linux, and why others should try it as well. There were 90 contest entries, and a combination of community voting and a panel of judges led to one winner, and two runner-ups. Here’s the winner:

Personally, I find that one to be… sucky.

The runner up video though is actually pretty damned slick:

However, these ads fail in a major way. The average user has no concept of “free softare” or “open source”. They have no concept of the principles that Linux is built on. So while when I watch the ad it makes sense and I think “wow that was a good ad” my mom would just scratch her head and have absolutely no idea what they’re talking about. The ads don’t describe how an open source application could benefit them. They call it “free” but don’t really hit the same nerve as the Microsoft ads… which paint out something easy to understand “this PC is cheaper than this Apple product”. They also fail to even describe what the heck *IS* Linux. Again, makes perfect sense to me but my mom or my sister would have no clue. Still, it’s good to see that the Linux folks are jumping on board… competition is a good thing.

VMware has finally decided to open-source its client for virtual desktops, releasing it under the LGPL. This was in response to intense pressure from the growing number of Linux distros that include virtualization by default. From the post:

The CEO replacement who entered VMware last year was Paul Maritz, a long-time Microsoft executive with intimate familiarity with how Windows swallowed up entire categories of utility software as it grew up by simply wrapping free utilities into the operating system. Paul knows about that, and he had to have seen last year the dual threats to VMware of open source virtualization offerings and virtualization on board in operating systems. The VMware View Open Client allows businesses to host virtualized desktops in the data center, and users can access their desktops from any device. Going with an open source solution like this was VMware’s only choice, especially as Microsoft includes Hyper-V virtualization in Windows Server. I’m sure Maritz was very focused on the Microsoft threat, because he used to be behind similar threats. VMware can grab market share with this move, stave off Microsoft’s dominance, and offer support and services around its open source offering.’

You can get VMware View Open Client here, licensed under the Lesser GPL. It’s essentially a bet that customized user desktops are hosted in data centers, and that businesses will take to the idea that they can save money by centralizing custom solutions in data centers for desktop users to take advantage of through virtualization.

Image via venturebeat.com

Everyone has been predicting a Google OS to compete with Windows for years, yet it never managed to show up. It turns out that a Google OS is ALREADY OUT. It’s called Android. In it’s current form Android is being rolled out as a mobile phone operating system, but it turns out that’s not it’s only intended application. Google intends to expand it to be a sort of universal operating system that will span set-top boxes for televisions, mp3 players and other communication and media devices and services. The image to the right is Android running on an Asus EEEPC 1000H netbook.

So what right? I’m sure that’s not what Microsoft is thinking at this point. The price point for a netbook is pretty low already. Without having to pay for Windows (yes yes I know there are other Linux variants out there… which are ALSO cheaper) they’d be even cheaper. Since Android is designed to run on mobile phones, the footprint must be small… implying that less hardware is required to make it run. Imagine a super cheap, ultra portable computer running the same familiar OS as your phone. Now think of Chrome, Google’s web browser, and the richness it allows developers to build into the browser’s relationship with the desktop — all of this could usher in a new wave of more sophisticated web applications, furthering the distance and reliance on the traditional desktop as we know it. Before we get to ahead of ourselves… don’t expect this puppy to run Photoshop, Windows and the desktop aren’t going to be dead by 2010. But Google is positioning itself to attack Microsoft head on with the combination of it’s already dominant search, applications like GMail, a designed-from-the-ground-up browser for the web 2.0 world called Chrome, and now Android.

You can read how Venturebeat got Android running on the Asus Venturebeat.com.

Wubi is an officially supported Ubuntu installer for Windows users that can bring you to the Linux world with a single click. Wubi allows you to install and uninstall Ubuntu as any other Windows application, in a simple and safe way. Are you curious about Linux and Ubuntu? Trying them out has never been easier! With Wubi you have a safe and easy way to give Linux a shot without damaging your Windows installation. No terminal commands, disk partitioning or disk formatting is needed. The best part is that the installation itself takes about one hour. So why try Wubi?

• No need to burn a CD. Just run the installer, enter a password for the new account, and click “Install”, go grab a coffee, and when you are back, Ubuntu will be ready for you.
• You keep Windows as it is, Wubi only adds an extra option to boot into Ubuntu. Wubi does not require you to modify the partitions of your PC, or to use a different bootloader, and does not install special drivers. It works just like any other application. Wubi is spyware and malware free, and being open source, anyone can verify that.
• Wubi keeps most of the files in one folder, and if you do not like it, you can simply uninstall it as any other application.
• Wubi and Ubuntu cost absolutely nothing (free as in beer), but yet provide a state of the art, fully functional, operating system that does not require any activation and does not impose any restriction on its use (free as in freedom).

Read the rest of this entry »