A bunch of researchers, among them the famous Bruce Schneier, have discovered that features like Recent Documents list may reveal information about files on an encrypted partition even when used in conjunction with the so called deniability feature which hides data in an encrypted partition.

I’m a bit puzzled that it took them so long to figure out that every kind of application that is logging or saving temporary data might reveal information about such hidden data. Maybe I got it wrong and missed something but if that is not the case I might call this finding rather obvious.

If I have a Word document on an encrypted partition and open it with Word it gets added to the recently accessed files list in Word as far as I know. The research paper has already been published and can be downloaded freely. The name of the document is “Defeating Encrypted and Deniable File Systems:
TrueCrypt v5.1a and the Case of the Tattling OS and Applications”.

continue reading "Data Can Leak From Partially Encrypted Systems"

You might have already read it elsewhere that it is possible to reveal the real name of any Gmail user by sharing a calendar in Google Calendar with him. Let me explain how this is done. Google Calendar can be loaded in the header area of Gmail after logging in. A click on settings will load the settings where users can change all sorts of information like the date format and time zone.

A click on the Calendars tab loads the calendars that are currently active. A click on the Calendar loads the details of that calendar with information about the calendar timezone and addresses. There is also another tab in that view that lets the user share the calender with other users.

A click on the Share This Calendar tab displays a list of all users who have access to this calendar with the option to add new users by pasting their email address into the form field.

continue reading "Gmail Has a Privacy Problem"

I noticed in the beginning of July that someone else transferred most of the money that had been in my PayPal account to an online hoster to buy six month access to an virtual server. That was quite shocking and you can read up on theUnauthorized Payment Done With My PayPal Account story. I got the money back the same day because the merchant was nice enough to post a full refund of the money after I submitted a dispute on the PayPal website.

The analysis of my computer did not turn up anything that could have been used to grab my PayPal credentials and make the transfer and I did scan it with a multitude of scanners.

The support line at PayPal was not helpful at all and could not even tell me if I was the only one that has logged into my own PayPal account recently claiming that it was against their privacy policy to disclose such data. That was very unfortunate because it would have helped me tremendously to know if someone logged into my account to make the payment.

continue reading "Update on my PayPal Story"

DRM (Digital Rights Management) is slowly getting out of company executive heads and several stores are successfully selling music that is DRM free. That’s a good thing for the customer who can transfer the songs that he bought to other devices and even burn them on CD if he likes. We are however not at the point where most users would like to be.

A current trend seems to be to include identifying tags into the downloaded music. While that is not a huge problem if you keep a close eye on your music collection you could run into troubles if someone would steal your computer, notebook or mp3 player. Besides that every single song is available on those networks anyway.

It’s a gray area legally in my opinion and I would suggest to everyone to remove the identifying information from those songs.

continue reading "Remove Identifying Information from Rhapsody MP3s"

The award for the longest title ever could go to this one. But it’s good news actually. Both Email services are “supporting email authentication standards including DomainKeys and DomainKeys Identified Mail (DKIM) to verify senders and help identify forged messages” for a few years now but could not eliminate all phishing emails because of companies signing their mails only partly. The filter was therefor not perfect which still meant that users were seeing phishing emails in their inboxes and spam folders.

PayPal and eBay finally made the decision to sign all emails originating from their servers including the international versions which means that it is possible to eliminate PayPal and eBay phishing emails before they even reach the inbox or spam folder. The system was tested for a few weeks silently and only a few users did notice according to the official Gmail blog.

continue reading "Gmail And Yahoo Mail Users Now Protected Against eBay And PayPal Phishing Mails"