Even when the HDCP (High bandwidth Digital Content Protection) master key, which is a core element of the encrytion, was leaked last year the standard has still not been cracked because using it to build an decryption chip is very difficult and costly.

Any technology saying something is uncrackable however is just an invitation for most people to try, and not professor Tim Güneysu and Benno Lomb, a PhD student from the Ruhr University in Germany have used a “man in the middle” approach to crack the encryption for just $350.

Instead of designing and creating an HDCP-capable chip, the two men built a standalone hardware solution that is based on an inexpensive FPGA (Field Programmable Gate Array) board that contains an HDMI port and an RS232 Serial port.  These boards are programmable and designed to be configured by the user.

The purpose of the research was not to crack the HDCP encryption they said.

“Our intention was rather to investigate the fundamental security of HDCP systems and to measure the actual financial outlay for a complete knockout. The fact that we were able to achieve this in the context of a PhD thesis and using materials costing just €200 is not a ringing endorsement of the security of the current HDCP system”

The board modifies all the communications between the Blu-Ray player and a flat screen TV without the interruption being detected.  This is something that some set-top-boxes are already able to do and some boxes that can remove HDCP data from HD video have been available since shortly after the HDMI standard was introduced.  These boxes allow otherwise encrypted high-definition content that is broadcast to be compressed and recorded to disc or a hard drive.

At the moment pirates are using these boxes to copy high-definition content, admittedly in a compressed form.  But there is currently no way for them to intercept the uncompressed raw data from a Blu-Ray disc.

This solution then isn’t much use for pirates at the moment then as what would really be required is a software solution, much in the way DVD John did in 1999 when he and two friends released the DeCSS software that decrypted DVDs.  This hardware solution doesn’t offer anything that’s really useful for pirates, especially as the researchers aren’t saying how they did it.

It does prove though that with some know how and determination anything is crackable, and with a software emulated version of the hardware board a possibility in the future, encrypted Blu-Ray discs could still come under attack from pirates, not to mention the threat this poses to encrypted high-definition digital video downloads in the future.

Where this is of interest is the ease with which the researchers were able to do this and the affordability of the overall parts involved.  To claim something is uncrackable unless significant volumes of money are spent designing a new silicon chip overlooks the fact that much existing technology can emulate this process, providing anybody with full and unfettered access to unencrypted video.

The news first emerged on Friday when they said that the email addresses and dates of birth of customers on its Sega Pass database had been accessed by hackers.  Now the larger admission will be hugely embarrassing to the company.

Sega remain committed to a statement though saying that the credit card details of customers remained safe.  This will come as little comfort though to over a million people who can change their credit card details but not their date of birth or mother’s maiden name.

A spokesperson for the company said “We are deeply sorry for causing trouble to our customers.  We want to work on strengthening security.”

Sega informed customers over the weekend with an email confirming an “unauthorised entry” to their computer systems and announcing that they were conducting an investigation into the breach.

The company said it had automatically reset the passwords of every Sega Pass customer and they urged them to change their log-in details for other websites where they used the same username and password combination.

This data was accessed because, the same as Sony which has also had millions of customer details stolen, the basic information about their customers was not encrypted.  Thus when hackers gained access to the information it was all in plain text and easily steal able.

Nintendo, which has also been the subject of a hacking attack reassured customers afterwards that the hackers had failed to penetrate their systems.

Their will be continued calls now from all sectors and from governments to make sure that all the personal details of every individual, whether they reside on a company or a government server, must be encrypted.  People such as you and I share our personal information with these companies in good faith and expect them to treat it as personal and secure.  We wouldn’t, for instance, pass the information over an insecure website that does not display a padlock and have a current security certificate.  Why then should we assume that the information won’t be encrypted when it arrives at the server at the far end?

This is an appalling mess all round and many people will now be thinking very carefully about what information they share and with which companies they share it.  A debate should also be reiased as to how much of this information companies actually need.  For instance, while it can be argued that games companies need dates of birth to ensure that under-age gamers do not get access to titles that have an age rating that is inappropriate for them, does a credit card with a matching name on the account also provide the same age verification?

The hacking group Lulz Security which has been involved in a number of high-profile attacks, including on Nintendo, denied any responsibility for the Sega hack.  They instead expressed sympathy saying on their Twitter stream “We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”

The breach has not exposed the names, dates of birth and card security codes and all of this information remains safe.

The breach reportedly occurred in May and Citibank have been criticised for not alerting customers earlier.  Around 200,000 customers have been affected but the bank has said it could affect up to 1% of it’s 21 million customers.

In a statement to the news organisation Reuters, a spokesperson said “We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event.”  The bank has not yet detailed how the hack occurred.

Citybank is the latest company to be hit by hackers.  The most high profile was electronics and gaming giant Sony, where the details of millions of customers were stolen.  A similiar attack recently on Nintendo was unsuccessful.

Yesterday Sony revealed additional information, and boy does it look back. Information about the situation are provided to all customers of the service in an email.

The email speaks of an “illegal and unauthorized intrusion” in which certain “service user account information” were stolen by the attackers.

The important part follows with a list of information that have been stolen. This includes:

name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID.

Please note that the email address, login and passwords have been stolen. This is likely going to turn ugly considering that many users on the web use the same email and password combination on a lot of sites.

If you are a customer of PSN or Qriocity you need to immediately change your passwords on site where you may have used the same password, and on your email account.

Sony furthermore says that it is possible that profile data may have also been obtained by the attackers, which would include purchase history and billing address. Even worse, they cannot eliminate the possibility that created card data was taken as well.

That’s the worst case scenario, and there is not lot that users of the network can do at this time, but to actively monitor their credit card bills to check for unauthorized payments.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.

The data stolen could also be used in custom attacks as the attackers could use the user’s name and other information to make requests look legit.

Sony asks all users to change their PSN passwords as soon as the service goes online again.

A frequently asked questions section has been uploaded to the Playstation website which contains further information and support phone numbers.

To paraphrase: PSN users need to change their web account passwords immediately, especially if they are identical to their PSN password. They also need to change the password of their email accounts if identical, and need to monitor their credit card statements and account statements to make sure that no unauthorized payments are made from the accounts.

Since the hack has been first noticed on April 17, it is advised to look at your account statements for April to see if you find any unauthorized payments.

Sony is still investigating the issue at this point in time. The hack is a marketing fiasco for Sony, and more than a nuisance for customers of the service who now have to fear that their data gets abused by the hacker.

With 70 million users, the data alone could be worth a fortune on the black market. Spammers would love to get their hands on email addresses, names and countries for instance to send out personalized spam to those users.

Then there is the issue of who you host your email and other services with such as online document editing. The argument here is exactly the same however this is less about clutter and more about interoperability. It’s great when things just work well together, and bringing all these things together with a single service provider can often achieve that.

So it might come as no surprise to hear that I also believe in sticking with a single cloud-services backup provider if at all possible. More so, I’d recommend that this cloud backup provider should be the very same company that you host your email, documents and everything else online with.

So why you might ask am I being so stupid? Only this week Amazon became the latest company to experience huge issues with its cloud services. Also if you wanted everything hosted with Google what about the privacy concerns over services such as Streetview and Buzz, and the repeated hacking of GMail by the Chinese government. After all, if the Chinese can hack Google’s email service, surely so can any other determined group.

It stands to reason, quite logically then, that if you store everything with a single provider that if something were to go wrong the potential impact could be astonomical, and I agree that under a worst case scenario (the worst case obviously being a very, very worst thing that could ever happen, ever) this would indeed be the case.

However… Online backups are supposed to be just that, backups. I am hearing from an increasing number of people who are looking for a good service online to store their digital photographs. Be this Flickr, Google, Facebook or another service this is a terrible approach. We should not be looking to move our lives wholesale into the cloud, rather we should just be looking at the cloud as a way to back it all up with the added convenience of then being able to access those files from anywhere we like.

This is where services such as Dropbox and Mozy win out. They’ll automatically and invisibly synchronise the files on your PC with those in the cloud. The only problem with these services, and others such as Amazon’s S3 cloud backup, is that the companies that offer these don’t also offer all the other cloud services that we need and use on a day to day basis.

In truth, nobody else does either with the possible exception of Microsoft, and even there it’s complete online storage solution of 25Gb is not yet available to Windows users due to the technical limitations of having to merge two different online storage solutions, Live Mesh and Live Sync, into a single entity. It’ll happen and will no doubt be in place by the time Windows 8 comes around, but it’s far from available yet.

Google is even worse, not offering any kind of online backup at all (unless you count the Picasa online photo albums) and neither does Yahoo! and yet here we’re talking about three of the world’s largest email, online document and life management cloud providers. These are the companies we need to be storing everything with, surely.

Okay, I talked a little while ago about how disastrous things could turn out if your put all your eggs in one basket, so by this point you should be heaving a huge sigh of relief that you can’t actually do this yet. I would argue the opposite. Let’s set aside for a moment that simple fact that it is much easier to be able to actually do things with your files and data in the cloud when its all stored in the same place, that’s obvious. There are also important security and privacy pros to consider.

This being that it is very unlikely that anything more complex than username and password stealing will ever happen. There might be the odd occasional piece of annoying data loss, I myself lost some emails when Hotmail crashed recently, but there’s none of the annoying interconnectedness that you get when you have multiple services.

The upshot of this is that should there be a security breach you only have to go into a single service and change a single password. But! I hear you cry, this is exactly what I’d do if one of my many services were compromised! I’d beg to differ, for the simple reason that the more services we use in our lives, the more likely it will be that we’ll use the same usernames and passwords across them.

If you find that one of the cloud service providers you use has been compromised then you could have to change your Facebook, Twitter, Amazon, eBay and other password because they’re all the same.

If you have your main online life in a single place then this, arguably most important, part of your life can be kept separate because it would be much easier to remember a different username and password if you only have to remember one for this and another for everything else.

Let’s not forget that if eBay, PayPal, Amazon or the like are hacked, much in the way Ashampoo was only this week, you only have to worry about how long it will take your bank to refund any fraudulent payments that are made. If your life in the clouds is hacked things will get far messier.

But! And you’re starting to get angry now I can feel, “if my Amazon password is exposed I will also have to change the password on eBay, PayPal etc you doofus!” This is exactly the point I wanted to make. While you will most likely have to change your password for these sites, firstly the impact will almost immediately be greatly minimised as you’ll most likely be using only one or two bank cards across all of them, and secondly your personal files and email will still be secure.

In creating your life in the clouds by putting all of the important things in a single place you are effectively minimising the damage that can be done elsewhere because that single place can have a seperate, very secure password. There can be no sending of spam from your email address (we all get spoofed from time to time), there can be no searching your online documents for sensitive financial information and you can rest much more pleasantly at night.

I firmly believe therefore that there’s a very strong case to be made for Google, Microsoft, Apple and the like to pull their finger out and provide a holistic cloud-based service for us all. We can then rely on Facebook to get us logging into shopping websites (which again helps minimise any damage as there’s less surface area for a hacker to attack) and the ultimate upshot is that we’re not only happier and more secure, but we’ll suddenly find that we have a better online life with it too.

Microsoft are also taking Apple to court over the name “App Store” claiming that it’s a generic term and they should be able to use it for the Windows Store should they want to.

These are two examples of the madness that’s been going on in the last couple of days with tech companies and litigation.  Sony are effectively saying, “our product isn’t secure enough and you’re to blame for that, not us” and Microsoft, frankly, are perfectly correct in their assumption of generality.

Let’s take the Microsoft / Apple case first.  There are a great many terms in the world that fall into this generalisation category.  UK technology firm Psion famously sued over the term “Netbook” a couple of years ago because they had released a computer previously with that name back in 1999.  They lost, and rightly so.  A netbook is a net enabled book-sized thing.

The fact that Apple have popularised the App Store concept means, as they can expect, that every other technology company will jump onto the bandwagon.  The company couldn’t possibly claim to hold onto exclusive use of such a ‘foggy’ trademark name in such a broad market.  Not in the way they can with a specific product name such as iPod.

Apple on the other hand have sued other companies for using the letter i at the beginning of their product names.  This has even included products that were around for years before the first iPod appeared.  Is this right and should it be allowed?

This brings me back to Sony who are using their corporate size and money to push responsibility for their security problem onto a party of hackers, because hackers can be seen as an easy target.  The group responsible for the hack, fail0verflow, have said that ”We have never condoned, supported, approved of or encouraged videogame piracy.  We have not published any encryption or signing keys. We have not published any Sony code, or code derived from Sony’s code.”

They also claim they only broke the code so that people could run their own legitimate code on the console if they wanted to.  But what is a crime?  Surely it would be a crime if they took Sony’s code and used it in their own products.  Is simply finding out what Sony’s code is a crime?  Many people would think not.

Now I’m not going to get into any guessing game over who is right or wrong as  fail0verflow will have to prove their claims but it still boils down to the fact that Sony’s security simply wasn’t good enough.  There is security in other products that’s never been cracked and other companies have means of patching security holes as and when they appear.  Who’s fault is this?  Is this the fault of a group of hackers?

The litigation situation with large technology companies is getting out of hand, especially when there are so many thousands of products on the market that are all so similiar to one another and that all do the same thing.  Xerox, if it wanted to, could probably take Microsoft, Apple and Linux to court for copying their first windowing GUI way back in the 1980′s.  They’d definitely lose though because GUIs are now generic and everywhere, even on your phone.  Microsoft couldn’t sue Apple or the Linux community either for using windows on their desktops because windows on a computer have now become a generic thing.  Such lawsuits would be laughable.

So come on guys, put your hands up and admit to your own problems and don’t try to cling onto pointless patents anymore.

There’s no confirmation on whether this was intentional or not, but it comes at a time of increased sensitivity over cyber-terrorism.

Among websites who had traffic diverted were the US Senate, The Office of the Secretary of Defence, NASA and the US Commerce Department.

A draft report by the US-China Economic and Security Review Commission says “Evidence related to this incident does not clearly indicate whether it was perpetrated intentionally and, if so, to what ends.  However, computer security researchers have noted that the capability could enable severe malicious activities.”

The Internet, such as it is, is at some risk of attacks that could threaten national infrastructure and so countries around the world have been working on methods of defending their Internet servers from such threats.  A recent attack was, allegedly, made on Iran and saw plants in the country experiencing significant disruption.  There is no evidence of who was responsible for the attack though it is widely considered that only a major power would have the resources to instigate such a project.

The FBI worked with police and security agencies right around the world.  The UK police confirmed that more people had been detained the Ukraine.  Other countries involved included the Netherlands.

The US Attorney General said that those arrested in the US had been charged with conspiracy to commit bank-fraud and money laundering.  They acted as go-betweens providing bank accounts for the criminals to deposit stolen money in.

The FBI added that the crime ring had attempted to steal $220m by obtaining usernames and passwords for bank account details.

The arrests are the culmination of an investigation that began in May 2009 when FBI agents noticed a string of suspicious bank transactions.

In the UK, 19 suspected members of the ring were arrested and Ukranian police arrested 5 people suspected of directing the scheme.

Engadget reported the news shortly after it first appeared in Twitter.  HDCP is configured in such a way that should any particular key be cracked it can be wiped and replaced.  What’s now been discovered apparently is a master key that can permanently unlock the content.

The key is described as being a  ”a forty times forty element matrix of fifty-six bit hexadecimal numbers” and so far, and quite understandably, nobody knows who has created the crack or how effective it will be, even if it works at all.

No doubt this will generate enormous interest over the next few weeks and caus great concern for the movie companies, who were banking on the enhanced security of Blu-Ray after the encryption of HD-DVD was cracked.

The upshot is that if the key is made public, and works, there will be little to stop people copying high definition content to play anywhere, and little to stop them except another costly format change the public might not accept so recently after Blu-Ray’s introduction.

That said there can be no doubt that with higher capacity Blu-Ray discs already on the way, the movie studios and technology companies behind the format will already be looking at ways of beefing up the security, and will no doubt have anticipated this news.

The race is now on as to who succeeds first.

The malware takes the form of a game that spies on the smartphone’s owner and was built using the standard software toolkits that are available  to everyone.  In a report on the experiment today, Experts says that this makes the malware much harder to spot.

There is evidence that criminals are now beginning to target smartphones with their complete lack of virus protection, in order to gain personal details that can be used for identity theft and other crimes.

Chris Wysopal, the co-founder and head of technology at security firm Veracode, who helped the BBC develop its malware, said that smartphones are not at the point PCs were at in 1999, at the birth of the popular internet.

“At that time malicious programs were a nuisance. A decade on and they are big business, he said, with gangs of criminals churning out malware that tries to steal saleable information.”  He said.  “Mobiles offered a potentially more tempting target to those criminals.”

Simeon Coney, of mobile security form Adaptive mobile said…

“In a mobile network the device is intrinsically linked to a payment plan, to a user’s credit,” he said. Nothing happens on a mobile network, no call is made or text is sent, without money changing hands.  Criminals have tapped into that revenue stream by getting phone owners to dial or contact premium rate numbers. Now they are turning their attention to applications and the lucrative information they scoop up.”

The Java application from the BBC was put together in only a few weeks and  gathered contacts, text messages and also gathered the phones’ location.  IT then sent this information to a specially set-up email address.

The malware was only 250 lines of code, with the entire program only 1500 lines of code.  The BBC say in their report that there can be benefits to the way some phone OS manufacturers vet programs.  Apple vets every program for the iPhone and iPad and Blackberry maker RIM and Google can easily switch off malicious applications through use of a code-signing system.  Microsoft’s Windows Phone 7 operating system will also see all programs vetted.

The last time the BBC conducted an experiment like this they took control of a botnet, but when the experiment was over left a message on the screens of the infected PCs worldwide and instructed the botnet to self-destruct.

The latest threat is another with Adobe’s name on it.  The company has already come under heavy criticism this year for major flaws in it’s Acrobat and Flash platforms, this new threat is more of the same with the Acrobat reader for the iPhone.

The BBC is reporting that experts are saying the threat has yet to be exploited and are urging Apple and Adobe to find a fix before it is.

The threat would affect all devices running Apple’s iOS operating system, the iPhone, ipod and iPad, none of which run anti-virus software.

Graham Cluley, a computer security expert with Sophos, told BBC News that the exploit used the same principle as Jailbreakme – a utility that lets iPhone 4 owners run non-Apple approved applications – although it uses the exploit in a benign way.

“It uses the same tricks as you do when jailbreaking,” said Mr Cluley.  “We always thought that Apple’s Mobile Safari would be the main vulnerability.  “At present, we have yet to see any of these exploits out in the wild, but it is only a matter of time,” he warned.

The method exploits a weakness in the Safari web browser to automatically open an infected PDF.  The irony of this being that so far the only way to secure yourself against it is to unlock your device and install unapproved software on it.

Neither Apple for Adobe have so far commented on the threat or said when a patch might be available.

The attack was dreamt up by security expert Sam Kamkar who demonstrated at the Black Hat hackers conference a website exploiting common shortcomings in a router to reveal it’s real-world location.

He tricked the router into believing the request for it’s ID information was coming from the connected PC, not from the Internet.  He then used the revealed MAC address with a geo-location feature in Firefox to interrogate the database Google gathered when it made its Street View photographs.

The data, which was controversially gathered, linked the MAC addresses of routers to GPS co-ordinates.  “This is geo-location gone terrible,” said Mr Kamkar during his presentation. “Privacy is dead people. I’m sorry.”

Mikko Hyponnen, senior researcher at F Secure called the demonstration “very interesting” adding that such a technique could be used for “stalking or targeted attacks against an individual”.

“The fact that databases like Google Streetview’s Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly.” said Mr Hypponen

In 2005, Mr Kamkar created a work that helped him gain more than 1 million MySpace friends in a single day.

Recent changes in Google’s SOAP-API rendered many security tools using Google useless. The aim of the Diggity project is to provide security researchers and network admins with a toolset to utilize Google Search and Bing again to uncover security vulnerabilities.

The two command line programs for Windows, Google Diggity and Bing Diggity, are offered as a free download on the project website.

Google Diggity:

The command line tool comes with a dataset of more than 1500 different vulnerability signatures, including insecure admin interfaces, SQL-injections, Cross-Site-Scripting vulnerabilities or documents that contain sensible information like passwords or financial data.

The commands define the nature of the search. It is possible to run the full set of known signatures against a website, server or IP, or perform a Google custom search which is limited to the first 64 results.

google diggity

With the retirement of Google’s SOAP Search API on September 7, 2009, most of the security utilities available for Google Hacking cease to function, leaving the security industry with a need for new and innovative tools. GoogleDiggity is a new MS Windows command line utility designed to help fill that need. GoogleDiggity leverages the Google AJAX API, so it will not get you blocked by Google bot detection while scanning. Also, unlike other Google Hacking tools available, GoogleDiggity actually allows you to specify a Google Custom Search Engine (CSE) id to run Google Hacking vulnerability checks against a customized version of Google that will only return results tailored to your organization.

BingDiggity

Bing Diggity has not been released yet, but will be available for download shorty.

BingDiggity is a new command line utility that leverages the new Bing 2.0 API and Stach & Liu’s newly developed Bing Hacking Database (BHDB) to find vulnerabilities and sensitive information disclosures related to your organization that are exposed via Microsoft’s Bing search engine. This utility also provides footprinting functionality that allows you to enumerate URLS, hosts, domains, IP-to-virtual host mappings, etc. for target companies

Google Hacking Alerts and Bing Hacking Alerts

Google Alerts and Bing Alerts have been created for every vulnerability signature to assist network administrators, security researchers and webmasters with the monitoring of security vulnerabilities.

Currently, only Google Hacking Alerts are offered, with Bing Hacking Alerts released in the near future. Google Hacking Alerts make use of Google Alerts to provide realtime information about new websites appearing in Google Search that are vulnerable to one of the 1623 signatures. A Google Reader compatible RSS feed is provided on the project homepage. The RSS feed alerts are grouped into categories.

google alerts

This, in conjunction with filters makes it a solid defense strategy. The RSS feed is compatible not only with Google Reader but also other feed readers. Downloads and additional information are provided at the project website.

Defending all of our interests in cyberspace is a relatively small cadre of talented and highly skilled public sector and private sector cyber security professionals,” said Baroness Neville-Jones, Minister of Security.

Lady Neville-Jones said the pool of available professionals had to grow and the Cyber Security Challenge was an “innovative” way to attract people to take up the profession.

The UK has fallen behind in recent years in computing expertise which has angered many who remembered the country as the birthplace of the modern computing revolution where programmers were sat in every front room and bedroom on their Sinclair Spectrum, BBC Micros or Commodore 64 only thirty years ago.  Since then, other countries have stolen the lead in expertise because they have put much greater emphasis on the appropriate skills during schooling than British governments have done.

A virtual competition takes the form of a treasure hunt that will involve looking for flaws on a dummy website and answering questions about what was found. The challenge will take about two hours to complete with will be run on several dates between September and December.

The face-to-face challenge will see teams taking over a simulated network and defending it against a series of attacks carried out by security professionals.

The winners of these initial competitions will go forward to the UK Masterclass at which they will work with others to defend a different simulated network.

If you fancy yourself as a computer security specialist and would like to enter the competition you can do so here.

The group, calling themselves Goatse Security harvested the data using nothing more than a PHP script and are now in possession of some very high profile people’s contact details which include celebrities, white house officials and high ranking military officers.

So who is responsible for this, Apple or AT&T?  To be honest it’s going to be a bit of both and questions need to be asked why the hashing technique, common for exchanging passwords online, hasn’t been implemented here.

Hashing runs your password through a cipher that scrambles it.  It’s a one-way cipher so that the password can never be unscrambled.  A similar cipher scrambles the password on the authenticating computer and then both of these ‘hash codes’ are compared.  The reason for doing this is so that no password is ever put in the open where it can be intercepted.

This is clearly what happened with the iPad hack and it will come as a blow to Apple’s reputation for developing secure operating systems, the iPad OS is based on the same Unix code as their OS X desktop and server operating systems after all.

It remains to be seen if and how quickly a firmware update will be rolled out by Apple to encrypt sensitive data as it’s broadcast over 3G and other wireless networks to authenticate users.  AT&T also have questions to answer on whether this technique can be used to gather sensitive data from any other devices on their network.

Fortunately the hackers notified AT&T of the breach so they could close the hole and came clean about the hack.  The next group of hackers might not feel so benevolent.

Of course {zip/rar}ing everything is a no-go; nobody wants to have to open an archive before being able to launch an application. So what?
Enter UPX, the reference packer for executable files. UPX compresses executable files (mostly .exe and .dll under Windows), but contrarily to zip/rar/whatever, it keeps them executable, also preserving  their properties (icon, version…). All this at the cost of a completely unnoticeable performance hit when starting the application. Sounds good? Let’s compress everything executable in this Dropbox that is dangerously close to reaching its 2GB limit.

1. Download UPX from SourceForge and extract it to <upxFolder>.
2. Open a command prompt and browse to <upxFolder> (you can find the command prompt in Start > Accessories or run it via Windows+R, then “cmd”. Use “cd FolderName” to navigate the filesystem).
3. Run upx.exe to have a look at the options available. I’ll use -9 but you can adjust this (for example if you feel a performance hit on an old machine –I don’t–), and -v to have verbose output. Now, navigate to the folder of a program you want to compress and run your freshly-baked command:
   "<upxFolder>\upx.exe" -9 -v *.exe *.dll
   (replace <upxFolder> adequately, and keep the quotes around the path, or spaces will cause problems)
4. You’ll see the files being compressed, the compression ratio, as well as the occasional “AlreadyPackedException: already packed by UPX“, or “CantPackException: .NET files (win32/net) are not yet supported“, or “IOException: read error: Invalid argument“. These errors are all OK, UPX just notifies you that it left the file untouched.

Woot, you already gained 50MB by just compressing big ol’Inkscape.

Of course you now want to do this on ALL the executables in a folder. But you’re lazy, and the perspective of running this line inside hundreds of subfolders leaves you bleak. Lucky you, I’m lazy too, so I dug Stack Overflow to assemble a script that will do the operation recursively.

1. Paste this in a text file (of course adjusting the main line like we did before) you will rename to something like upxRecursive.bat
   for /r /d %%x in (*) do (
pushd "%%x"
"<upxFolder>\upx.exe" -9 -v *.exe *.dll
popd
)
pause
2. Move this batch file inside your Dropbox folder, launch it and see the magic. This will take a long time on a big folder filled with executable files, but will seriously slim it down. In my case, I saved 400MB (from 1.7GB to 1.3GB), leaving me with plenty of space for more crap.

Final notes:

• UPX has been in development for a long time and is praised for its extreme stability and reliability, but could possibly leave you with some exotic executable files that won’t run after compression. I personally never occurred to me, but accidents happen. In this case, use "<upxFolder>\upx.exe" -d problematicFile.exe to get an uncompressed version. Note it won’t be byte-identical, if you want to be able to get back to byte-identical versions, you should add the --exact switch at compression time.
  By the way, the folks at PortableApps.com pack all the software they release with UPX. Reassured about its reliability?
• People familiar with the win32/pe format will know that .exe and .dll are not its only valid extensions. The full list is “.exe .dll .cpl .ocx .sys .scr .drv”. However, I don’t recommend compressing sensitive files like control panel extensions or driver files, and this is why the line I suggest targets only dll and exe files. Compressing VLC is OK because you can reinstall it if UPX butchers it. Compressing critical software is not.
• I’m just repeating my previous point, but don’t want to see angry comments from people doing crazy things with this. Again, don’t do this on all C: , it -will- wreck your system. Compress executables when you really need it, and inside folders containing only reinstallable applications if things go wrong.
• UPX is multi-platform. My article focuses heavily on Windows because this is the platform where my use case comes from, but you can of course adjust this idea/script for Linux (plus you will probably have access to a saner scripting language than batch).
• EDIT: as pointed by John T. Haller in the comments, PortableApps offers AppCompactor, a graphical frontend that relies among others on UPX.

Ronan is a geek and musician living in Montreal. He likes scaring wary sysadmins with 2GB folders full of false positives and writes about software, music and life at flying molehill.

When someone puts a file up on a server for download, how does the host or the end-user know, for sure, the file they are about to download (or are serving up) is the valid file? What if someone hacked into the server and replaced the file with a bogus file that contained malicious code? It’s happened before and it will happen again. Fortunately there is a way to avoid downloading invalid files – checking the md5 hash. The only problem is that this method only works if the host and user knows how to use md5 tools. In this tutorial you will learn how to add an md5 checksum to a file and how to run a check on a file you have downloaded.

What is md5 and checksum?

Before we continue with the actual steps, you might benefit from knowing exactly how the process of checksumming works. MD5 stands for Message Digest algorithm 5, which is a cryptographic 128 bit hash function and serves as a “fingerprint” for a digital file. A checksum is a fixed-size datum that is computed from a block of data. When it is crucial for a piece of data (such as a download) to be valid, the datum is compared to the original block the datum was computed from to check for a match. When an md5 checksum matches, the user/host can be certain the file is valid. When the md5 checksum does not match, a red flag should immediately go up and the original block of data should be discarded. If a file changes by so much as a byte, the checksum will fail.

For most users these tasks are handled from the command line. There are GUI tools available (such as GtkHASH) that can tackle the same tasks. But for the purposes of this tutorial we will stick with the command line tool.

Creating an md5 sum

For those who plan on hosting files for download, you will want to know how to create an md5 sum. This is very simple. Open up a terminal and change to the directory holding the file you want to work with. Say, for example, you want to create an md5 on the file /var/www/files/download.tgz. To do this you would change to the /var/www/files directory and issue the following command:

md5 download.tgz

The above command will output something like:

As for the iPhone of the present, we now have the first truly malicious iPhone malware going around while Apple continues to grow in the smartphone business, posting more profits that the Finnish giant Nokia.

iPhone Malicious Code Now A Reality

For those who paid no heed to the first ever iPhone worm, here’s a much scarier piece of a news. While the first worm never really did much other than change your wallpaper to rickroll you, there’s a new piece of code that has truly malicious intents for your iPhone.

It attacks the same way as the last one does but instead of making its presence known, it will silently steal all the personal data that it can find on the iPhone and inside the apps. Thankfully, just like the last worm, this malicious program can only infiltrate jailbroken iPhones that have open SSH sessions and have not changed their default root password. So to all those who are jailbreaking their iPhones, do take your time to understand exactly what you are doing and close this gaping security holes. [read]

New iPhone May Be Verizon Only

After the rumors of the next generation iPhone going worldmode surfaced, we now have rumors about the iPhone being made solely for Verizon. This is the result of a confusion regarding reports from chip-maker Qualcomm who have been making new CDMA chips for their parters, including Verizon. [read]

Famous iPhone Dev Quits, First Of The Many To Follow?

After enduring Apple’s shenanigans with the app store approval process, the famed developer Joe Hewitt (creator of the Facebook app)  has officially declared that he is quitting iPhone development. And he makes no bones about being vocal about why he quit, clearly stating that his decision “has had everything to do with Apple’s Policies”.

With so many other developers also complaining about Apple’s policies, Joe’s move may be taken as an example and followed. And if that does happen, Apple will be losing the most important part of what makes the iPhone tick — great apps from great developers. [read]

iPhone Now Has 17% World Smartphone Market Share

Apple is fast closing in on the others in the global mobile Handset Market. After being in the market for barely two and a half years, Apple now constitutes 17.1% of the total global smartphone market.

This is a 50% growth for Apple in recent times, showing exactly how fast a company can grow with the right steps and a brilliant product. The other reason why Nokia is so very important is because it is also one of the largest sellers of smartphones. Its smartphones are the reason why Symbian still holds such a large share of the market. Blackberries may have been very popular in different pockets (RIM is on the wane) but nothing beats Nokia’s worldwide reach. Nothing until now it seems. [read]

Want More Bang For Your Buck? Try The App Store

Analysts have shown that iPhone users have more than just the highest number of Apps to choose from. They also have more value for money when calculated on dollar for dollar. [read]

Apple Creates More Profit Than Nokia

In the last quarter (Q3), Apple made much more money than the world’s number one mobile handset maker – Nokia. And the difference is significant too. While Nokia made $1 billion, Apple made $1.6 billion. [read]

First iPhone Worm Rickrolls Jailbroken iPhones

This has been the main worry about everything Mac, They do not have viruses now, true but as they start to get more popular they will attract the attention of malware creators. So in that vein of paranoia, we have news of the first ever worm for the iPhone.

You can cut out the screaming and the deep breathing exercises because it is a) completely harmless and b) only effective on jailbroken iPhones. It does things like change the wallpaper and rickrolling users, so it is not exactly destroying your iPhone yet. A worm on a jailbroken phone is a worm on a device that has already been tampered with. So you can wait for the first ever worm on legit iPhones before you hit the panic button. [read]

Complete Car Control Via iPhone

Okay, this is certifiably crazy. In fact, we should probably start a ‘gHacks Certifiably Nuts’ award just for these fellas. But I must admit that what they are is doing is pretty cool. We know that the iPhone can already be used to start your car remotely but fully driving with the iPhone kinda takes the cake.

So what you do is you take some electronic control circuits, hook them up to control your steering, acceleration and brakes and then control them wirelessly. If you want a less vague and more accurate description, check out the videos. It is quite nicely done and I especially love the fact that they are using the accelerometer to control the steering.

The result is pretty 007-ish — that you can drive your car through your iPhone. Look M(a), no hands! [read]

HD Radio Comes To The iPhone Via Gigaware

Now that the Zune HD is out, your least favorite co-worker who loves to make fun of your liking for Apple has probably been going on and on about how his Zune HD does HD radio and your iPod Touch does not. Setting aside the all important the question of how many good HD radio stations are there near you, you can now get back at him saying “there’s an app for that!”

But that would be kinda half true because even though iBiquity has made an app that plays HD radio on your iPhone, you still have to get an additional hardware for accomplishing the feat. The device is called Gigaware Navigation Controller and is essentially an HD tuner with iPhone integration. It allows you to seek and auto tune as well. Plus there is Facebook tagging and iTunes tagging.

Works with the latest iPhone and the iPod Touch. Available on RadioShack. [read]

Sparkz Projector For Your iPhone

Do you want to spend a lot of money on a pico projector that will work with your iPhone/ iPod Touch/iPod Video? If you do, you can now have the Sparkz dock that lets you connect any of those devices and more to it so that you can project your favorites onto a nearby screen. It will support a/v and VGA inputs too.

Other than this extended support for inputs, it has a resolution of 640×480, stereo speakers and a 60-inch viewing area. It charges your docked device while it is projecting and it comes with its own tripod. The price so much goodness? A mere $495. Hey, I did say a lot of money. [read]

New iPhone Safari Bug Could Drive Your Bills Through The Roof

It has been a while since we have seen a major bug in Safari on the iPhone that users could themselves trip. So imagine our intrigue when we came across this bug. Apparently, if the user visits a site that uses Motion-JPEG (a format used mainly by security cameras) and then closes Safari – Safari continues to run in the background and continues to feed that stream into your iPhone.

The user is not notified of this in anyway and at the end of the day, you could end up with huge data bills or over usage charges. [read]

More Macs Online After The Windows 7 Launch

This might seem a bit hard to digest but it seems like the truth. We now have more Macs online  after Windows 7 has been released. In fact, Windows’ share of the Internet is on the decline. This could get interesting. [read]

Snow Leopard Update To Block Atom

Looks the latest build kernels of Mac OS 10.6.2 lacks support for Intel’s Atom. While the intention on Apple’s part is not entirely clear but we may be looking at yet another cat and mouse game here after the current Palm Pre sync thing.

If this build goes live, then netbook hackintosh makers will face a pretty challenging situation where there is no built in support for Atom. Since removing the support does not really contribute to the further streamlining of the Mac OS, blocking hackintosh makers seems like the logical intention here.

It would make sense too, with Apple trying to convert as many people has possible from the PC side of things. However, they won’t be able to keep at it for that long because you can bet that hackers on the case already and it won’t take them long.

Endless Racing Game For iPhone

I have not tried out the endless racing game but the video sure looks fun. If you are up for a simple racing that reminds of the old days, this one might be just the thing you are looking for. [read]

SquareSpace App Goes Live On The App Store

The popular hosted web-service called SquareSpace finally has its own iPhone. If you have an account over at SquareSpace, you will be able to access it securely over the app. The app does not take you through the website. It is a self-contained thing that is directly hooked up with the SquareSpace service and it lets you see everything about your website. You can see the stats, post on your blog, edit your blog, etc. [read]

Wadia’s High-End Dock For The iPod

Wadia has a high-end in audio and video solution for the the iPod, sort of. They have an iPod dock called the 170iTransport. Once you plug in your iPod, the device will act as a media server. It can stream your iPod digital output over an S/PDIF co-axial cable and it also has component video for all your movies. Going for $380, this might be a nice addition to your home theatre rig. Of  course, the quality will be as good as the original files, which will likely be compressed. [read]

Orange To Offer The iPhone In the UK From Nov 10, Bans Media Streaming Apps

Orange has declared that they will start selling the iPhone from November 10. But there is a problem here. [read]

It seems that Orange’s terms and conditions dictate that you cannot use your iPhone for other activities. These activities include making using the phone as a modem, using non-Orange Internet-based streaming services, VoIP and more. That means you will not be able to use apps like Spotify, YouTube, AudioBoo, etc. – all of which use Internet-based media streaming to deliver content on demand.

But Orange has clarified on BBC that iPhone users will be allowed to use these apps as long as they are within their monthly usage limits. I really hope they stick to that, because you will be signing the contract. [read]

iPhone OS 3.1.2 Unlock Coming On Nov 4^th, Unlock iPhone 3GS and More

It has been cracked folks!

Come November 4^th, i.e. tomorrow, you will be able to unlock your iPhone 3GS and other devices that are running iPhone OS 3.1.2. The hacker who made cracks of the previous iPhone OS versions has done it again. The crack is coming as blacksn0w  from Geohot. [read]