FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 13, column 86: Self reference doesn't match document location [help]

... rel="self" type="application/rss+xml" />
                                             ^

line 42, column 0: style attribute contains potentially dangerous content: max-height (5 occurrences) [help]
```
If you haven&#8217;t yet, please consider jumpin ...
```
line 204, column 0: content:encoded should not contain sizes attribute (3 occurrences) [help]
```
<a href="http://agilesynapse.files.wordpress.c ...
```
line 350, column 0: content:encoded should not contain data-shortcode attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain aria-describedby attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-attachment-id attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-permalink attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-orig-file attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-orig-size attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-comments-opened attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-image-meta attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-image-title attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-image-description attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-medium-file attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```
line 350, column 0: content:encoded should not contain data-large-file attribute [help]
```
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class ...
```

Source: http://feeds.feedburner.com/SteveGibsonsBlog

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
>
<channel>
<title>Steve (GRC) Gibson's Blog</title>
<atom:link href="http://steve.grc.com/feed/" rel="self" type="application/rss+xml" />
<link>http://steve.grc.com</link>
<description>Steve's Public Brain Dumping Ground (watch where you step!)</description>
<lastBuildDate>Tue, 03 Jun 2014 00:34:44 +0000</lastBuildDate>
<language>en</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>http://wordpress.com/</generator>
<cloud domain='steve.grc.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
<url>http://s0.wp.com/i/buttonw-com.png</url>
<title>Steve (GRC) Gibson's Blog</title>
<link>http://steve.grc.com</link>
</image>
<atom:link rel="search" type="application/opensearchdescription+xml" href="http://steve.grc.com/osd.xml" title="Steve (GRC) Gibson's Blog" />
<atom:link rel='hub' href='http://steve.grc.com/?pushpress=hub'/>
<item>
<title>This BLOG disappears tomorrow!</title>
<link>http://steve.grc.com/2019/05/13/this-blog-disappears-tomorrow/</link>
<comments>http://steve.grc.com/2019/05/13/this-blog-disappears-tomorrow/#comments</comments>
<pubDate>Mon, 13 May 2019 17:51:15 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=740</guid>
<description><![CDATA[WordPress has just notified me that my annual contract for “domain forwarding” with them will be expiring tomorrow. So this is my final — before it disappears — reminder that I have a NEW self-hosted blog over at https://blog.grc.com where … <a href="http://steve.grc.com/2019/05/13/this-blog-disappears-tomorrow/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[WordPress has just notified me that my annual contract for “domain forwarding” with them will be expiring tomorrow. So this is my final — before it disappears — reminder that I have a NEW self-hosted blog over at <a href="https://blog.grc.com">https://blog.grc.com</a> where I’ll be posting anything of interest in the future.
If you haven’t yet, please consider jumping over there and subscribing to that one so that you’ll be notified if anything I post. My next planned posting there is an explanation of my plans for SpinRite’s future development. <img src="https://s0.wp.com/wp-content/mu-plugins/wpcom-smileys/twemoji/2/72x72/1f642.png" alt="🙂" class="wp-smiley" style="height: 1em; max-height: 1em;" />
And… thanks very much for your interest!
/Steve.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2019/05/13/this-blog-disappears-tomorrow/feed/</wfw:commentRss>
<slash:comments>1</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
</item>
<item>
<title>We’re Moving! Come on over and check-out the new place!</title>
<link>http://steve.grc.com/2019/04/18/were-moving-come-on-over-and-check-out-the-new-place/</link>
<comments>http://steve.grc.com/2019/04/18/were-moving-come-on-over-and-check-out-the-new-place/#comments</comments>
<pubDate>Fri, 19 Apr 2019 02:19:42 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Gibson]]></category>
<category><![CDATA[GRC]]></category>
<category><![CDATA[SpinRite]]></category>
<category><![CDATA[SQRL]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=737</guid>
<description><![CDATA[Yo!! After a long time without generating headlines, things are about to start hopping at GRC My 5+ year project to address the website login nightmare by eliminating usernames and passwords has its own web forum with more than 1,014 … <a href="http://steve.grc.com/2019/04/18/were-moving-come-on-over-and-check-out-the-new-place/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[Yo!!
<h2 style="text-align:center;">After a long time without generating headlines, 
things are about to start hopping at GRC</h2>
My 5+ year project to address the website login nightmare by eliminating usernames and passwords has its own web forum with more than 1,014 participants at last count. They’re all using their SQRL identities to login with SQRL clients for Windows, iOS, Android and a web extension for Firefox, Chrome and the new Chromium version of Edge. (And you can too!)
The instant I no longer need to be working to get SQRL finished, a day which is fast approaching, I will immediately be back to work on the long-awaited upgrade to SpinRite 6.
This blog has always been hosted at WordPress.org on their servers. But I’ll be hosting this blog’s successor and replacing this one. Our contract here ends next month, and I’m ready with the replacement site… so THIS will be the final notice from this blog.
Since you are subscribed here, I hope you will come over to our new location and re-subscribe there. (One of the many annoyances of not hosting our own blog is that I have no access to the list of this blog’s subscribers… so it’s up to you to re-join over there.)
If you’re curious to learn more about SQRL, you will find links to the SQRL forums there. You can check them out, grab a SQRL client, create your SQRL identity (it’s all free, of course) and see what I’ve been working on for the past five and a half years. I think you’ll find that the time was not wasted.
The replacement blog is at: <a href="https://blog.grc.com">https://blog.grc.com</a>
I hope to see you there! Come on over and say HI!
/Steve.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2019/04/18/were-moving-come-on-over-and-check-out-the-new-place/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
</item>
<item>
<title>The “Encryption” Debate</title>
<link>http://steve.grc.com/2016/03/12/the-encryption-debate/</link>
<comments>http://steve.grc.com/2016/03/12/the-encryption-debate/#comments</comments>
<pubDate>Sun, 13 Mar 2016 02:49:35 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=475</guid>
<description><![CDATA[“Encryption” is quoted in the title of this essay because encryption is NOT what any of this is actually about. The debate is not about encryption, it’s about access. It should be called “The Device Access Debate” and encryption should … <a href="http://steve.grc.com/2016/03/12/the-encryption-debate/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[“Encryption” is quoted in the title of this essay because encryption is NOT what any of this is actually about. The debate is not about encryption, it’s about access. It should be called “The Device Access Debate” and encryption should have never been brought into it.
Modern smartphones have batteries, screens, memory, radios, encryption, and a bunch of other stuff. Collectively, they all make the phone go, they are all good, and we want as much of each them as the device’s manufacturer can squeeze in. We do not want smaller batteries, lower resolution screens, less memory, less capable radios, or weaker encryption. And it is entirely proper for Apple to boast about the battery life, screen resolution, memory, radio, and encryption strength of their products. The FBI is entirely correct when it says that Apple is actively marketing the newly increased encryption strength of their latest phones and operating systems. That’s as is should be, in the same way that Apple is marketing their device’s battery life and screen resolution. Those are all features of modern smartphones, and Apple knows what their users want. We all want those things.
The fourth amendment to the US Constitution states: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The 4th amendment is about managing access. It does not provide that under no circumstances, ever, can duly authorized law enforcement officials enter someone’s home. It provides a managed and monitored mechanism―a compromise―between the privacy rights of the individual and the needs of the citizenry who surround that person. And it is under this 4th amendment that US citizens have enjoyed the balanced guarantee that their home is their castle and that only a lawfully issued search warrant, meeting the test of probable cause, would allow law enforcement authorities a legal right to enter.
Mapping the 4th amendment onto encrypted devices: 
Without weakening their devices’ encryption, Apple could arrange to be able to respond to court orders in the United States. If Apple wished to be able to respond to lawful search warrants to unlock their devices, they could embed a single, randomly derived, high-entropy (256-bit) unique per-device key in the hardware secure enclave of every device. This key would not be derived from any formula or algorithm, so there would be no master secret that might somehow escape or become known to a malicious agency. It would be truly random and far too lengthy for any possible brute force guessing attack to be feasible. Upon embedding each individual random per-device key, Apple would securely store a copy of that key in their own master key vault. In this way, without sacrificing anyone’s security, only Apple, on a device by device basis, could unlock any one of their own devices.
This might appear to place an undue burden upon Apple. But this, too, seems balanced. Apple is, as the FBI correctly observed, obtaining great marketing value from the strength of their security technology. It is understandable that Apple would rather not be able to respond to court orders to unlock their devices. But this attitude is not in keeping with constitutional precedent.
Users of Apple’s products would know that our devices sport the latest and greatest strongest encryption, making them utterly impervious to any attacker, hacker, border official, local or foreign government. And that as with the interiors of our homes, only in accordance with due legal process, and Apple’s continuing assistance, could our device be unlocked in compliance with a search warrant. And if, at any time in the future, Apple decided this was the wrong decision, they could destroy their vault of per-device unlocking keys and we would be no worse off than we are today.
Although the perfect math of encryption does provide for absolute privacy, we all know that privacy can be horribly abused and used against the greater public welfare. The founders of the United States, whom many revere, understood this well. Apple should too.
<div style="background:#f8f8f8;font-size:smaller;line-height:130%;border:#888 solid 1px;padding:.5em 1em;">People who intend to comment: Please recognize that I understand there are many additional subtleties, such as handling the demands of foreign authorities. It is probably the case that the applicable laws of each country should be honored. This essay intended only to clarify the confusion between encryption and access, and the scheme I have proposed is sufficiently flexible to accommodate any specific access policy Apple might choose and/or change as needed.</div>
 
Follow-up, 20 hours later: 
I wrote this post to separate the issue of encryption strength from access policy. Much ink and angst has been expended over phrases involving “backdoors” and “weakened encryption.” All such concerns are red herrings because unbreakable encryption simply gives Apple unbreakable access control. Apple could design a completely secure facility to manage unlocking individual devices. Whether Apple should do so is deservedly one of the most critical questions of our time, and is worthy of truly engaging debate. If we decide that we want to leave things as they are, that’s fine. But we should not conflate whatever policy Apple implements with their user’s security. We can have both.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2016/03/12/the-encryption-debate/feed/</wfw:commentRss>
<slash:comments>111</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
</item>
<item>
<title>Yes… TrueCrypt is still safe to use.</title>
<link>http://steve.grc.com/2014/05/30/yes-virginia-truecrypt-is-still-safe-to-use/</link>
<comments>http://steve.grc.com/2014/05/30/yes-virginia-truecrypt-is-still-safe-to-use/#comments</comments>
<pubDate>Fri, 30 May 2014 22:05:23 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[GRC]]></category>
<category><![CDATA[TrueCrypt]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=457</guid>
<description><![CDATA[So opens the short editorial I wrote this morning and placed at the top of GRC’s new TrueCrypt Final Version Repository page. The impetus for the editorial was the continual influx of questions from people asking whether TrueCrypt was still … <a href="http://steve.grc.com/2014/05/30/yes-virginia-truecrypt-is-still-safe-to-use/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[So opens the short editorial I wrote this morning and placed at the top of <a href="https://www.grc.com/misc/truecrypt/truecrypt.htm">GRC’s new TrueCrypt Final Version Repository page</a>.
<img class="aligncenter" src="https://www.GRC.com/misc/truecrypt/tc-logo.png" alt="tc-logo" width="100" height="99" />
The impetus for the editorial was the continual influx of questions from people asking whether TrueCrypt was still safe to use, and if not, what they should switch to, and so on. By this time, one of the TrueCrypt developers, identified as David, had been heard from, and his interchange confirmed the essential points of my conjectured theory of the events surrounding the self-takedown of TrueCrypt.org, etc.
Rather than repeating that entire editorial here, I’m posting this as <a href="https://www.grc.com/misc/truecrypt/truecrypt.htm">a pointer to it</a> since folks here have thanked me for maintaining a blog and not relying solely upon Twitter. And also, this venue supports feedback and interaction which GRC’s current read-only format can not.
Peace.
/Steve.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2014/05/30/yes-virginia-truecrypt-is-still-safe-to-use/feed/</wfw:commentRss>
<slash:comments>169</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
<media:content url="https://www.GRC.com/misc/truecrypt/tc-logo.png" medium="image">
<media:title type="html">tc-logo</media:title>
</media:content>
</item>
<item>
<title>An Imagined Letter from the TrueCrypt Developer(s)</title>
<link>http://steve.grc.com/2014/05/29/an-imagined-letter-from-the-truecrypt-developers/</link>
<comments>http://steve.grc.com/2014/05/29/an-imagined-letter-from-the-truecrypt-developers/#comments</comments>
<pubDate>Thu, 29 May 2014 14:51:16 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=446</guid>
<description><![CDATA[As I wrote yesterday, we know virtually nothing about the developer(s) behind TrueCrypt. So any speculation we entertain about their feelings, motives, or thought processes can only be a reflection of our own. With that acknowledgement, I’ll share the letter … <a href="http://steve.grc.com/2014/05/29/an-imagined-letter-from-the-truecrypt-developers/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[<a href="http://steve.grc.com/2014/05/28/whither-truecrypt/">As I wrote yesterday</a>, we know virtually nothing about the developer(s) behind TrueCrypt. So any speculation we entertain about their feelings, motives, or thought processes can only be a reflection of our own. With that acknowledgement, I’ll share the letter I think they might have written:
<div style="border:#000 1px solid;padding:1em 1em 0;margin:1em;border-radius:10px;box-shadow:3px 3px 5px 2px #ccc;">
TrueCrypt is software. Frankly, it’s incredibly great software. It’s large, complex and multi-platform. It has been painstakingly designed and implemented to provide the best security available anywhere. And it does. It is the best and most secure software modern computer science has been able to create. It is a miracle, and a gift, and it has been a labor of love we have toiled away, thanklessly for a decade, to provide to the world… for free.
TrueCrypt is open source. Anyone could verify it, trust it, give back, contribute time, talent or money and help it to flourish. But no one has helped. Most just use it, question it and criticize it, while requiring it to be free, and complaining when it doesn’t work with this or that new system.
After ten years of this mostly thankless and anonymous work, we’re tired. We’ve done our part. We have what we want. And we feel good about what we have created and freely given. Do we use it?  Hell yes.  As far as we know, TrueCrypt is utterly uncrackable, and plenty of real world experience, and ruthlessly still-protected drives, back up that belief.
But hard drives have finally exceeded the traditional MBR partition table’s 32-bit sector count. 2.2 terabytes is not enough. So the world is moving to the GPT. But we’re not. We’re done. You’re on your own now. No more free lunch.
We’re not bitter. Mostly we’re just tired and done with TrueCrypt. Like we wrote above, as far as we know today, it is a flawless expression of cryptographic software art. And we’re very proud of it. But TrueCrypt, which we love, has been an obligation hanging over our heads for so long that we’ve decided to not only shut it down, but to shoot it in the head. If you believe we’re not shooting blanks you may want to switch to something else. Our point is, now, finally, it’s on you, not us.
Good luck with your NSA, CIA, and FBI.
</div>
<div style="text-align:center;">Please also see <a href="http://bradkovach.com/2014/05/the-death-of-truecrypt-a-symptom-of-a-greater-problem/">Brad Kovach’s blog posting</a> about this topic. Very useful.</div>
/Steve.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2014/05/29/an-imagined-letter-from-the-truecrypt-developers/feed/</wfw:commentRss>
<slash:comments>105</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
</item>
<item>
<title>Whither TrueCrypt?</title>
<link>http://steve.grc.com/2014/05/28/whither-truecrypt/</link>
<comments>http://steve.grc.com/2014/05/28/whither-truecrypt/#comments</comments>
<pubDate>Wed, 28 May 2014 23:15:41 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=407</guid>
<description><![CDATA[My guess is that the TrueCrypt self-takedown is going to turn out to be legitimate. We know NOTHING about the developers behind TrueCrypt. Research Professor Matthew Green, Johns Hopkins Cryptographer who recently helped to launch the TrueCrypt Audit, is currently … <a href="http://steve.grc.com/2014/05/28/whither-truecrypt/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[My guess is that the TrueCrypt self-takedown 
is going to turn out to be legitimate.
We know NOTHING about the developers behind TrueCrypt.
<a href="http://blog.cryptographyengineering.com/">Research Professor Matthew Green</a>, Johns Hopkins Cryptographer who recently helped to launch <a href="http://istruecryptauditedyet.com/">the TrueCrypt Audit</a>, is currently as clueless as anyone. But <a href="https://twitter.com/matthew_d_green">his recent tweets</a> indicate that he has come to the same conclusion that I have:
<div style="border:#000 1px solid;padding:1em 1em 0;margin:1em;border-radius:10px;box-shadow:3px 3px 5px 2px #ccc;">
<ul>
<li>I have no idea what’s up with the Truecrypt site, or what ‘security issues’ they’re talking about.</li>
<li>I sent an email to our contact at Truecrypt. I’m not holding my breath though.</li>
<li>The sad thing is that after all this time I was just starting to like Truecrypt. I hope someone forks it if this is for real.</li>
<li>The audit did not find anything — or rather, nothing that we haven’t already published.</li>
<li>The anonymous Truecrypt dev team, from their submarine hideout. I emailed. No response. Takes a while for email to reach the sub.</li>
<li>I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site.</li>
<li>Unlikely is not the same as impossible. So it’s *possible* that this whole thing is a hoax. I just doubt it.</li>
<li>But more to the point, if the Truecrypt signing key was stolen & and the TC devs can’t let us know — that’s reason enough to be cautious.</li>
<li>Last I heard from Truecrypt: “We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!”</li>
</ul>
</div>
I checked out the cryptographic (Authenticode) certificate used to sign the last known authentic version (v7.1a) of TrueCrypt, signed on Feb. 7th, 2012:
<a href="http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png"><img id="i-416" class="size-full wp-image" src="http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png?w=409" alt="Image" srcset="http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png?w=409 409w, http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png?w=129 129w, http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png?w=258 258w, http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png 419w" sizes="(max-width: 409px) 100vw, 409px" /></a>
You’ll notice that nine months after being used to sign the v7.1a Windows executable the signing certificate expired (on November 9th of 2012.)
The just-created Windows executable version of TrueCrypt, v7.2, was signed on May 27th, 2014 with THIS certificate:
<a href="http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png"><img id="i-422" class="size-full wp-image" src="http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png?w=409" alt="Image" srcset="http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png?w=409 409w, http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png?w=129 129w, http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png?w=258 258w, http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png 419w" sizes="(max-width: 409px) 100vw, 409px" /></a>
You’ll notice that the certificate which signed it was minted on August 24th of 2012, a few months before the previous certificate was due to expire, just like we’d expect, and also by the same CA (GlobalSign), though having a longer public key (4096 bits). This all exactly passes the smell test.
In a comment below, Taylor Hornby of <a href="https://defuse.ca/">Defuse Security</a> noted that “The GPG signatures of the files also check out. The key used to sign them is the same as the one that was used to sign the 7.1a files I downloaded months ago.” So, again, this speaks of either a willful and deliberate act by the developers, or a rather stunning compromise of their own security. While, yes, the latter is possible, it seems much more likely, if also much less welcome, that TrueCrypt has been completely abandoned by its creators.
So, given the scant evidence, I think it’s much more likely that the TrueCrypt team – whomever they are – legitimately created this updated Windows executable and other files which would imply that they also took down their long-running TrueCrypt site.
Which, of course, leaves us asking why?  We don’t know because we don’t know anything about them or their motives. They might be in Russia or China where Windows XP is still a big deal (with a more than 50% share) and personally annoyed with Microsoft for cutting off support for Windows XP.  Or anything else.
What’s creepy is that we may never know.
/Steve.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2014/05/28/whither-truecrypt/feed/</wfw:commentRss>
<slash:comments>191</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
<media:content url="http://agilesynapse.files.wordpress.com/2014/05/tc-7-1a.png?w=409" medium="image">
<media:title type="html">Image</media:title>
</media:content>
<media:content url="http://agilesynapse.files.wordpress.com/2014/05/tc-7-2.png?w=409" medium="image">
<media:title type="html">Image</media:title>
</media:content>
</item>
<item>
<title>A quick mitigation for Internet Explorer’s new 0-day vulnerability</title>
<link>http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/</link>
<comments>http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/#comments</comments>
<pubDate>Mon, 28 Apr 2014 16:32:14 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=343</guid>
<description><![CDATA[The Internet industry press has been milking the news of the end of Windows XP support for much more than it’s worth. Now, over the weekend, we get news of another, in a continuing series of, (0-day) flaws in Internet … <a href="http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[The Internet industry press has been milking the news of the end of Windows XP support for much more than it’s worth. Now, over the weekend, we get news of another, in a continuing series of, (0-day) flaws in Internet Explorer. (Oh My God! It’s the XPocalypse!!)
Or maybe not quite yet.
May 1st, 2014: Microsoft has decided to patch everyone’s 
versions of Internet Explorer v6 through v11… even on XP. 
So nothing changes yet. Stay tuned. (And update your IE’s!)
Web browsers are growing incredibly complex. It’s pretty clear that they will be our next-generation operating platforms. And as the last annual “<a title="2014 Pwn2Own Recap" href="http://www.pwn2own.com/2014/03/pwn2own-2014-recap/">Pwn2Own</a>” contest showed, none of them can currently withstand the focused attention of skilled and determined attackers, especially when some prize money is dangled on the other side of the finish line.
With most recent exploits, the path to exploitation is convoluted and complex and this one is no exception. In this case it depends upon encountering malicious Web content with IE’s ActiveScripting and ActiveX enabled (which is the default in both cases). That will load an Adobe SWF (Shockwave FLASH) file which first prepares the machine for exploitation, then uses JavaScript against the vulnerable version of IE (presently all versions of IE) to exploit a subtle flaw in the age-old and long-ago deprecated VML (vector markup language) rendering library. (Which is, nonetheless, still hanging around “just in case.”)
To immediately protect any use of Internet Explorer – yes, even on creaky old WinXP (the XPocalypse has been delayed): You must first open a command prompt window with administrative privileges. This is done by right-clicking on the Command Prompt icon in the start menu and selecting “Run As Administrator.” Commands issued within this window will have the privilege required to make system level changes.
32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:
<pre>regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"</pre>
These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt. Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.
You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: <a href="http://www.vmlmaker.com/gallery/visio/office_layout.htm">http://www.vmlmaker.com/gallery/visio/office_layout.htm</a>. The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the vmlmaker.com domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.
Note: An additional test can be performed by searching the Windows registry (search: Data with “Match whole strings only” disabled) for references to vgx.dll. If it is found showing its location as the “Default” data of an “InprocServer32” key, then it is still registered and available.
You can confidently leave things this way.. since you are never going to need VML and, as this circus shows, we’re all a lot better off without it!
(My most recent work: <a title="An Evaluation of the Effectiveness of Chrome's CRLSets" href="https://www.grc.com/revocation/crlsets.htm">An Evaluation of the Effectiveness of Chrome’s CRLSets</a>.)
/Steve.
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/feed/</wfw:commentRss>
<slash:comments>106</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
</item>
<item>
<title>The Lesson of Lavabit</title>
<link>http://steve.grc.com/2013/08/08/the-lesson-of-lavabit/</link>
<comments>http://steve.grc.com/2013/08/08/the-lesson-of-lavabit/#comments</comments>
<pubDate>Thu, 08 Aug 2013 20:49:40 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=281</guid>
<description><![CDATA[An implication of undeliverable security painted a bullseye…Post’s Permalink On Thursday, August 8th, Ladar Levison, the owner and operator of the semi-secure Lavabit.com eMail system, shut down his nearly ten year old service rather than be forced to continue to … <a href="http://steve.grc.com/2013/08/08/the-lesson-of-lavabit/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[An implication of undeliverable security painted a bullseye…<a href="http://wp.me/pV3mA-4x">Post’s Permalink</a>
On Thursday, August 8th, Ladar Levison, the owner and operator of the semi-secure Lavabit.com eMail system, shut down his nearly ten year old service rather than be forced to continue to comply with United States law enforcement demands for the disclosure of personal and private information belonging to his service’s clients. The <a title="Lavabit home page" href="http://lavabit.com/">Lavabit web site</a> now simply displays this notice:
<div style="background:#eee;padding:1em;margin:1em;">
My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Sincerely, 
Ladar Levison 
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7BCR4A5W9PNN4">here</a>.
</div>
What is the lesson of Lavabit?
When news first surfaced about Edward Snowden’s presumptive use of Lavabit’s eMail service for his eMail communication the assumption was that it was somehow “secure.” So I researched the nature of the service that was being offered, and I was not impressed. The trouble was, it was making a lot of noise about security, but as an eMail store-and-forward service it didn’t (and couldn’t) really do anything that was very useful from a security standpoint: Ladar had arranged to encrypt and store incoming eMail to a user’s inbox in such a fashion that his service could not then immediately decrypt the eMail. It would not be until the user logged in that the Lavabit servers would be able to derive the decryption key in order to forward the then decrypted eMail to the user.
As you can see, while this did offer somewhat useful encryption of data-at-rest, it didn’t actually offer his users any real protection because both incoming and outgoing eMail would necessarily be transmitted in the clear.
This architecture would, therefore, inherently expose the Lavabit service, its servers, its owners, and thus its users’ data to law enforcement demands. Which, it seems clear, is exactly what happened. Ladar made his service a target by offering “security” that wasn’t actually secure. (And how very wrong is it that he cannot even share the exact nature of the demands that were made upon him?!)
I am impressed that Ladar chose to shutdown his service rather than continue to promise something that he now unequivocally knew was no longer secure in the face of law enforcement’s quasi-legal incursions. It would have probably been better if he hadn’t attempted to offer security that was beyond his ability to provide.
During my weekly <a href="http://twit.tv/sn">Security Now! podcast with Leo Laporte</a>, we use the acronym “TNO” (Trust No One) to refer to any system where readily available cryptographic technology is properly employed in such a fashion that it is not necessary to trust the behavior of any third party. Unfortunately, without going to extraordinary lengths (e.g. S/MIME, PGP, GnuPG, etc.), today’s eMail technology is resistant to the TNO principle.
In coming weeks our Security Now! podcast will be delving deeply into the ways and means of producing true TNO eMail security.
<img alt="Steve's Sig" src="http://www.grc.com/image/smg-sig2.gif" />
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2013/08/08/the-lesson-of-lavabit/feed/</wfw:commentRss>
<slash:comments>230</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
<media:content url="http://www.grc.com/image/smg-sig2.gif" medium="image">
<media:title type="html">Steve's Sig</media:title>
</media:content>
</item>
<item>
<title>IronMan 3 was “Unbelievable”… but not in a good way.</title>
<link>http://steve.grc.com/2013/05/04/ironman-3-was-unbelievable-but-not-in-a-good-way/</link>
<comments>http://steve.grc.com/2013/05/04/ironman-3-was-unbelievable-but-not-in-a-good-way/#comments</comments>
<pubDate>Sat, 04 May 2013 18:16:27 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[IronMan 3]]></category>
<category><![CDATA[Movie Review]]></category>
<category><![CDATA[Science Fiction]]></category>
<category><![CDATA[Summer 2013]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=276</guid>
<description><![CDATA[My two-cent take on IronMan 3: This was a Disney/Marvel collaboration. Perhaps one problem was that it was too much Disney and insufficient Marvel. The thing I was conscious of at many points throughout the movie, was that in ridiculously … <a href="http://steve.grc.com/2013/05/04/ironman-3-was-unbelievable-but-not-in-a-good-way/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[My two-cent take on IronMan 3:
This was a Disney/Marvel collaboration. Perhaps one problem was that it was too much Disney and insufficient Marvel.
The thing I was conscious of at many points throughout the movie, was that in ridiculously violent fights between unarmored and unprotected simple flesh and blood humans… no one gets hurt. In Road Runner cartoons, when the anvil flattens the Coyote, it’s quite funny due to its ludicrous overstatement. But the real parts of a movie involving humans — which are intended to be believable — really need to remain believable… or it’s asking too much from a mature audience.
As a Science Fiction lover, I am more than willing to suspend my disbelief for the sake of immersion into a new idea. I loved the first IronMan, and have watched it many times. So I will gleefully imbue a robotic suit with any levels of strength and power the story may require. That’s fine. Bring it on. Thrill me. But I know the limitations of an unaided human body. We all have one. And what I saw far too much of, against human flesh, was a level of coyote-flattening violence that was utter nonsense.
Despite the fact that I have no doubt IronMan 3 will break US domestic box office records, as it already has overseas, I think that “Oblivion” was the far better movie so far this summer.
/Steve. (@SGgrc and <a href="http://www.grc.com" rel="nofollow">http://www.grc.com</a>)
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2013/05/04/ironman-3-was-unbelievable-but-not-in-a-good-way/feed/</wfw:commentRss>
<slash:comments>52</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
</item>
<item>
<title>Reverse Engineering RSA’s “Statement”</title>
<link>http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/</link>
<comments>http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/#comments</comments>
<pubDate>Sat, 19 Mar 2011 20:11:03 +0000</pubDate>
<dc:creator><![CDATA[Steve Gibson]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">http://steve.grc.com/?p=245</guid>
<description><![CDATA[Responsible Disclosure?  Ummm, not so much…Sharable Shortlink On March 17th, 2011, Art Coviello, RSA Security‘s Executive Chairman, posted a disturbingly murky statement on their website disclosing their discovery of an “APT” (Advanced Persistent Threat). In other words, they discovered that … <a href="http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[Responsible Disclosure?  Ummm, not so much…<a href="http://wp.me/pV3mA-3X">Sharable Shortlink</a>
On March 17th, 2011, Art Coviello, <a href="http://www.rsa.com">RSA Security</a>‘s Executive Chairman, posted <a href="http://www.rsa.com/node.aspx?id=3872">a disturbingly murky statement</a> on their website disclosing their discovery of an “APT” (Advanced Persistent Threat). In other words, they discovered that bad guys had been rummaging around within their internal network for some time (persistent) and had managed to penetrate one of their most sensitive and secret databases.  Here is the most relevant piece of Art Coviello’s disclosure (<a href="http://www.rsa.com/node.aspx?id=3872">you can find the whole piece here</a>):
<div style="margin-bottom:1em;color:#006000;background-color:#f0fff0;border:2px solid #008000;padding:.5em;">[…] Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations. […]</div>
As you can see, it would have been difficult for any bureaucrat to be less clear about what they know. But science is science, and the simple realities of what must be going on doesn’t accommodate much bureaucratic wiggle-room:
RSA’s SecureID devices are known to be designed around a cipher keyed with a 64-bit secret. The 64-bit secret is used to encrypt a realtime counter which generates an effective 22-bit value. While this is not many bits of time, the clock is incremented slowly, only once every 30 or 60 seconds, so 22-bits (4,194,304 values) is sufficient to outlive the expected life of the device and the timer would never be expected to wrap around.
<div data-shortcode="caption" id="attachment_249" style="width: 510px" class="wp-caption aligncenter"><a href="http://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg"><img aria-describedby="caption-attachment-249" data-attachment-id="249" data-permalink="http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/rsasecureidtoken/" data-orig-file="https://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg" data-orig-size="500,225" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":""}" data-image-title="RSA SecureID Token" data-image-description="" data-medium-file="https://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg?w=300" data-large-file="https://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg?w=500" class="size-full wp-image-249" title="RSA SecureID Token" src="http://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg?w=640" alt="RSA SecureID Token" srcset="http://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg 500w, http://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg?w=150 150w, http://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg?w=300 300w" sizes="(max-width: 500px) 100vw, 500px" /></a>One of several forms of the RSA SecurID Token</div>
Each SecureID has an external serial number (printed on the back) that is used to identify and register it with an authentication service.  Hopefully, there is no “algorithm” of any sort for determining the internal secret key from the device’s serial number, since the discovery of such an algorithm would instantly kill the security of the entire system.
In the absence of a mapping algorithm, at the time of manufacture individual SecurID devices would be assigned a secret internal random or pseudo-random 64-bit key and a database would be maintained to forever map the device’s externally visible serial number to its internal secret 64-bit key.
This public-serial-number-to-secret-key mapping database then becomes “the keys to the kingdom”. It is RSA’s biggest secret to keep, since a full or partial disclosure of the database would potentially allow attackers to determine a device’s current and future display values and would therefore, of course, break any authentication protection.
To carry out a successful attack, an attacker would need to obtain its target device’s public serial number as well as one or more current output samples, at a known time, to determine the current state of the device’s 22-bit realtime clock. From that point on, an attacker could reliably determine the device’s output at any time in the future.
What can be deduced from what (little) RSA has disclosed?
<ul>
<li>If “the keys to the kingdom”—the public serial number to secret key mapping database—had NOT been compromised, there would be zero danger to users of RSA’s SecurIDs.  But we know at least that the danger is not zero.  Therefore, the most reasonable conclusion to reach is that RSA believes that at least some of  “the keys to the kingdom” have been compromised. (Because that’s their system’s only real vulnerability.)</li>
<li>Users of SecurID, and other multifactor authentication systems, typically do not provide the device’s public serial number when they are using it for authentication … though neither is that number intended to be kept secret (since it is printed on the back of every device.)  This means that an attacker would need to either have brief physical access to a device to obtain its serial number (which would also presumably allow them to obtain a few output samples to determine the clock counter’s current realtime position), or also have compromised RSA’s authentication account registration database which presumably maps user accounts to their device’s SecurID serial number.  Unless RSA discloses more, we won’t know how much more than the secret key mapping database may have been compromised.  Thus, it’s not possible to assemble a comprehensive threat model.</li>
<li>RSA may not want to do the responsible thing because it would be very expensive for them… but given the only deductions possible from what little RSA has said in light of the technology, any company using RSA SecurID tokens should consider them completely compromised and should insist upon their immediate replacement.</li>
</ul>
RSA is understandably embarrassed.  And mistakes do happen.  If employees of a security company are using today’s incredibly insecure desktop toy operating systems, bad guys are going to be able to find a way to penetrate even the most carefully guarded connected networks.
RSA therefore needs to step up to the plate and take responsibility for what has happened. That means recalling every single SecurID device and replacing them all.  No company can consider RSA’s existing deployed SecurID devices to be secure.
You may <a href="http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/">CLICK THIS LINK</a> to view this blog posting by itself so you can see replies and add your own.
<img src="http://www.grc.com/image/smg-sig2.gif" alt="Steve's Sig" />
]]></content:encoded>
<wfw:commentRss>http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/feed/</wfw:commentRss>
<slash:comments>126</slash:comments>
<media:content url="http://1.gravatar.com/avatar/a604d67a7804cad916465d435e73a55c?s=96&d=monsterid&r=G" medium="image">
<media:title type="html">agilesynapse</media:title>
</media:content>
<media:content url="http://agilesynapse.files.wordpress.com/2011/03/rsasecureidtoken.jpg" medium="image">
<media:title type="html">RSA SecureID Token</media:title>
</media:content>
<media:content url="http://www.grc.com/image/smg-sig2.gif" medium="image">
<media:title type="html">Steve's Sig</media:title>
</media:content>
</item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/SteveGibsonsBlog"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/SteveGibsonsBlog

Home · About · News · Docs · Terms