Recently in MK&C Category

Knox 1.6 beta is now available

We’ve just pushed out a beta of Knox 1.6. The major feature is support for Mac OS X 10.5 Leopard’s "sparse bundle" vault format. This format improves reliability and is much faster to compact. Please try it out and report any issues you encounter!

Pyro 1.7 is out

After only eleven-or-so months in the making, Pyro 1.7 is finally out. This long-overdue update to our Mac-native Campfire group chat client makes Pyro more compatible with Leopard and Safari 3. It's still not perfect, but it's a big step forward from 1.6. Pyro is free, so go try it out now!

Share your flights with flightagenda.com

We just opened the doors to flightagenda.com, a small but useful site we've been working on for a while now. With flightagenda.com, you can enter in your upcoming flights and get back an iCal calendar with all the flight details. The focus has been on making the site as small and as quick to use as possible, and I'm pretty happy with the results: you can go from sign up to having a shared flights calendar in less than a minute (yes, we've timed it).

We're calling the site an alpha for the time being, but there are no known issues. Sign up and let us know what you think!

Reboot

I’ve moved this blog to a new address to make way for a brand new MK&C web site. Some long-overdue updates to the blog are coming as well. My apologies for the fact that you are likely to see all my old posts again in your feed reader due to the source change.

Scary SSL certificate bug in Mac OS X is now fixed

Back in May, we discovered and reported to Apple a serious vulnerability in Mac OS X. The issue was silently fixed in Leopard, but yesterday Apple made fixes available for 10.3 and 10.4 as well. Here’s how Apple describes the issue:

An issue exists in the validation of certificates. A man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected. This update addresses the issue through improved validation of certificates. Credit to Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C for reporting this issue.

This generic language often used in vulnerability descriptions doesn’t really drive home the impact of the issue. To start, I’d change “may be able” to “is able” and “could allow” to “allows”. This vulnerability is exploitable every time. Here’s a real world example:

  • You connect your MacBook to a Wi-Fi access point, such as a T-Mobile HotSpot. But the access point isn’t really what it seems — someone’s just announcing a rogue network with the “tmobile” SSID. This could happen anywhere.
  • When you start surfing, the access point redirects you to the login page as normal. Before the SSL-encrypted login page is downloaded, however, a non-encrypted redirection page appears for a fraction of a second. Again, this is normal. But this time, the page includes a 1x1 pixel image from a server the attacker has a real SSL certificate for. Let’s call it www.validcertificate.example. Real SSL certificates that are trusted by Mac OS X are available from a number of vendors without any verification of the site’s identity.
  • Loading that single image from www.validcertificate.example has now “seeded” that certificate as being trusted by the system. From this point on, the affected Mac OS X systems will trust this certificate no matter which domain name it is being served from.
  • Since the owner of the rogue hotspot controls your DNS as well, he can now direct all your traffic through his own servers. The T-Mobile login page, PayPal.com, your web email — all will appear in their correct addresses, with SSL enabled, and with the SSL lock icon on the corner of your Safari window. Everything seems to be just fine, but behind the scenes, all of those sites are using the www.validcertificate.example certificate and the owner of the hotspot is recording all of your seemingly-encrypted traffic.

Scary? Yeah. If you’re still on Tiger or Panther, install the software update immediately. If you can’t, at least click the SSL icon on all sites you navigate to — the certificate details will not be right if you are being spoofed. For more info, keep checking the DHS’s National Vulnerability Database for their take on the issue (not online yet).
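A simplified model of the flaw described above, added here as an illustration and not taken from Apple's code or from MK&C. It assumes the "seeding" behaves like a trust verdict remembered per certificate, and contrasts that with a verdict bound to the host name; the `Cert` type, both cache classes and the sample values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    fingerprint: str       # stands in for a hash of the encoded certificate
    dns_names: tuple       # names the certificate was issued for
    chain_ok: bool = True  # stands in for a completed chain-of-trust check

def name_matches(pattern, host):
    """Match a host against a certificate name; '*' covers one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def evaluate(cert, host):
    """Full evaluation: the chain must validate AND the name must match."""
    return cert.chain_ok and any(name_matches(n, host) for n in cert.dns_names)

class FlawedTrustCache:
    """Assumed model of the bug: verdict remembered per certificate only."""
    def __init__(self):
        self._trusted = set()
    def is_trusted(self, cert, host):
        if cert.fingerprint in self._trusted:
            return True                      # host name never re-checked
        ok = evaluate(cert, host)
        if ok:
            self._trusted.add(cert.fingerprint)
        return ok

class HostBoundTrustCache:
    """Corrected model: verdict remembered per (certificate, host) pair."""
    def __init__(self):
        self._trusted = set()
    def is_trusted(self, cert, host):
        key = (cert.fingerprint, host.lower())
        if key not in self._trusted and evaluate(cert, host):
            self._trusted.add(key)
        return key in self._trusted

def replay(cache, cert, hosts):
    """Present the same certificate for each host in order; return the verdicts."""
    return [(h, cache.is_trusted(cert, h)) for h in hosts]

# Constructed sample data: one certificate, then the same certificate on another name.
SAMPLE_CERT = Cert("fp-0001-constructed", ("www.validcertificate.example",))
SAMPLE_HOSTS = ["www.validcertificate.example", "webmail.example"]
```

Replaying `SAMPLE_HOSTS` through `FlawedTrustCache` accepts both names, while `HostBoundTrustCache` rejects the second; this is the mismatch that inspecting the certificate details by hand would reveal.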

Knox 1.5.3 for Leopard is coming, but…

Here’s a quote from Apple’s ADC Membership Agreement, the contract that governs the use of pre-release seeds of Leopard:

Further, you certify that you will not transfer or export any product, process or service that is the direct product of any Apple pre-release software and that final testing will be done with any finished product that will be released to the mass market. [emphasis ours]

So, yes, a couple more days before the free Leopard update for Knox. We’re very far in its development, but only got the final Leopard DVDs today. Please bear with us as we work to bring this update to you.

Open Directory Project messes with Knox

The Open Directory Project is a co-operatively edited directory of the web, launched in the nineties by Netscape to counter the Yahoo! directory behemoth, and since adopted by hundreds of portal sites as the basis for their content.

The highest profile ODP user is Google. If a site is listed in the ODP, Google uses the ODP description of the site in search results. Here’s how Knox appears in Google:

Too bad the description is completely wrong. Knox isn’t a compression utility and Knox doesn’t sync. If I encountered that link when looking for an encryption utility, I’d just skip to the next one. I’m afraid people do just that.

In theory, help is near: just visit the directory page for the offending entry, hit “Update listing”, and plead your case. Right after I did just that, the volunteer editor of the Mac OS Security category quit. I can just assume that my update request was the straw that broke the camel’s back.

So to fix Google’s glaringly wrong description of our flagship product, we’d now need a volunteer to take up the job of managing the Mac OS Security category, hope that this person agrees to change the description of the Knox site, and then wait something like a month or two (or three) for the change to propagate to the users of the data, including Google. Sigh.

Would anyone here like to volunteer for step one?

New MK&C Forum

The new MK&C Forum is now open at forum.karppinen.fi. It’s based on Beast, and as such is the first Ruby on Rails application we have deployed here at MK&C. We’ll see how it goes.

The old forum, living in our FogBugz installation, never really got off the ground, and I think part of the reason was the lack of common forum features such as sticky topics. I’ll be making good use of those in the new forum, putting together Frequently Asked Questions lists and other help resources.

As a side note, we’re in the middle of a pretty convoluted server migration process, so the new forum is temporarily running on a Mac mini, next to the television at my home. Performance seems to be just fine so far — watching EyeTV doesn’t seem to affect the forum experience :)

Knox 1.5 is out!

Go get yours. Knox 1.5 is a big update – our first in almost 14 months – and it adds an awesome new feature: full disk encryption of non-boot disks.

In short, you can reformat a USB stick or any other external drive as a Knox vault. When you hook up the drive, a password prompt appears and the vault is opened; when you close the vault, the drive is ejected and you can disconnect it safely. I made a screencast demonstrating this a few months ago; it’s not good enough to post on the main Knox site, but it illustrates the whole-disk vault feature adequately.

What you don’t see in the screencast is what happens if you don’t have Knox installed and hook up a disk encrypted by Knox. Each Knox-encrypted disk comes with two things: a copy of Knox, and an encrypted disk image for the content. You can just double-click the Knox copy on the disk and be off to the races.

We also changed the Knox licensing a bit to support the new full disk encryption. An unlicensed Knox copy can now be used indefinitely as a vault opener/manager — meaning that you can have a Knox-encrypted USB drive and share it among as many users and machines as you like. It’s an amazingly convenient way to share files securely.

There’s only one downside to this release, and it’s the fact that Mac OS X Tiger is now required. Supporting Panther just wasn’t feasible for us anymore — my apologies if you’re affected by this. If you are a Panther user, I suggest you continue to use Knox 1.1.1 until Leopard is released. I’ve rigged the automatic update check to not report the new version for Panther users, so that you won’t be bothered by the notifications.

Pyro 1.6 is out!

Thanks to everyone who reported that the new Safari 3 Beta broke Pyro. Pyro 1.6, fresh off the compilers, seems to fix this issue. Visit the Pyro site for the download and list of changes.

Update: It seems there are still problems with running Pyro (and Campfire) with the Safari 3 beta, and the reasons are not obvious at this point. (We’re all at WWDC, which means debugging this is hard at the moment.) Our current recommendation is to stay with Safari 2 (or downgrade to it). Sorry about that.

About this Archive

MK&C is an eight-person software development studio in Helsinki, Finland. We specialize in designing and developing human-friendly software for the Mac, iPhone and iPod touch platforms.

» www.karppinen.fi
» www.knoxformac.com
» flightagenda.com
» basetenframework.org
