TrueCrypt 7.1a and VeraCrypt 1.14 CVE Assignments Followed by a Kick in VeraCrypt's Bottom for Inproper Disclosure

28 September, 2015 07:54 CST6CDT

The two recently discovered TrueCrypt and VeraCrypt vulnerabilities:


I would like to request two CVE identifiers for the two security issues described below affecting TrueCrypt 7.1a (latest version) and its fork VeraCrypt 1.14 (latest version) running on all versions of Windows.

These issues were reported by James Forshaw (Google).

Issue 1: Local Elevation of Privilege on Windows by abusing drive letter handling.

Issue 2: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.

Issue 1 is critical.

A fix has already been developed. Version 1.15 of VeraCrypt will be released soon to address those issues.

For your information, I have sent a similar CVE request to


From:    VeraCrypt Team <>

And the OSS mailing list response:

> I would like to request two CVE identifiers for the two security issues
> described below affecting TrueCrypt 7.1a (latest version) and its fork
> VeraCrypt 1.14 (latest version) running on all versions of Windows.
> These issues were reported by James Forshaw (Google).

> Issue 1: Local Elevation of Privilege on Windows by abusing
>               drive letter handling.

Use CVE-2015-7358.

> Issue 2: Local Elevation of Privilege on Windows caused by incorrect
>               Impersonation Token Handling.

Use CVE-2015-7359.

> For your information, I have sent a similar CVE request to

That request was about 40 minutes earlier.

Sending the same CVE request to multiple addresses is typically not what MITRE wants, although you're certainly welcome to change your mind and decide that you had actually preferred that a CVE request be publicly archived from the beginning. (It's rare for a vendor to use oss-security for CVE requests related to "critical" vulnerabilities that don't yet have a fixed release. The issue descriptions here, in combination with vendor confirmation, probably make the vulnerabilities sufficiently public that they are within the scope of the oss-security list charter. We think the implication is that readers should look at

at a future time, if interested in other details.)

CVE assignment team, MITRE CVE Numbering Authority


A year ago I was writing...

The Morning I Turned On World News Now And This Happened

Article & Comments Tags: Software

Turn Your Old AV Receiver into a Modern HDMI AV Receiver and Switch

10 August, 2015 22:41 CST6CDT

I wrote about the Skeptre TV I purchased a few months back and it came with a few limitations. I currently have an old Sony analog audio/video receiver that I refuse to replace. Luckily I have two digital inputs, an optical port and a coax digital input that I can use to receive audio for a couple of devices but not all of them, the Raspberry Pi namely, has no digital output besides the HDMI link. The Skeptre TV refuses to pass through DTS audio of any kind most probably because of licensing issues. It did not matter whether the TV was passing through with the PCM or 5.1 settings. In addition to the Pi, I have a Western Digital HD Streaming device and a computer with a long HDMI cable to the entertainment center area. This is where an HDMI switch can turn a loving but aging AV receiver into a modern AV receiver and switch.

I decided on the Monoprice 4 port HDMI switch model 5557. This unit has one HDMI out for the display and four HDMI inputs for audio and video. The switch outputs audio simultaneously to three connections, a fiber and coax SPDIF outputs and a 3.5mm stereo jack. All three of my media sources may be controlled remotely with UPnP and/or DLNA and I did not want to have the TV screen on when doing so. Unfortunately my TV is an entry level large screen LED so the otherwise simple option of turning off the display while keeping the juices flowing is not available to me. With the 5557 you simply select one of the four HDMI inputs with the included remote or on the switch itself to parse the audio out of an otherwise multiplexed audio and video HDMI source link. No TV needed for digital audio from my desktop computer, Raspberry Pi (OpenELEC), or the WD HD Streaming device.

Monoprice Model 5557 HDMI Switch

The switch has two audio modes, 2 channel or 5.1 channel output. With either option all three audio out links are encoded, decoded, or rendered appropriately. You can safely keep this on the 5.1 setting since the unit will auto detect the audio input and handle it accordingly. The 2 channel mode will give you the ability to take a 5.1 speaker arrangement and convert it to two channels.

My HDMI devices were able to detect compatibility for most audio profiles old and new such as DTS Digital with DTS-HD support, and Dolby Digital including True HD. You are not stuck with just a 5.1 speaker arrangement. Uncompressed audio such as LPCM is fully supported. This is my use case at the moment: a desktop computer with an output of 48KHz s32le 24-bit (32-bit little-endian), a Raspberry Pi with an output of 48KHz s16le 16-bit, and a WD media device with an output of 44.1 and 48KHz at 16-bits. I have tested the switch using 96KHz 24-bit audio with no problems as to be expected since the unit will handle up to 192KHz audio.

This Monoprice model has one input on the front of the device for plug and play situations therefor if you have more than three HDMI sources, you will need to route a fourth one to the front, and the front is where the Monoprice 5557 makes itself known. The status lights are very bright, overly bright, to the point of hurting my eyes. It took two layers of colored sticky post it note paper to dim the visual modes to a level I could use in a darkened environment. The overly bright lights is my only complaint of the switch.

The switch does 192KHz audio but you may be wondering how the video is handled and switched into the output channel. The HDMI output and all four HDMI inputs are specification 1.3b and supports HDCP protected content at up to 1080p video resolution. The switch handles 12-bit color which I tested on a Western Digital HD Streaming with no problems (36bits on all channels). The Skeptre has a static color gamut but I still notice a big difference on supported 1080/24p playback. Each channel runs at 225MHz/2.25Gbps for a total of 6.75Gbps bandwidth.

How much power you may ask? For electric costs less than my 8 watt LED lights perhaps. The switch includes an AC to DC power source and uses 2 amps and 5 watts at 5 volts. This was a good buy for my needs so if you have the same needs or a similar situation and can easily handle masking tape for the overly bright lights, this is a no brain complete solution.

A year ago I was writing...

Zenphoto Lighttpd Rewrite Rules
XBMC now Kodi on the Raspberry Pi B+ First Impressions

Article & Comments Tags: Technology

Webalizer Search Engine List

26 July, 2015 05:30 CST6CDT

updated 2015-07-26

The Webalizer is an HTTP server log file analyzer that generates visual output statistics and graphs for your Internet website(s) and visitors.  One of the features of The Webalizer is the search engine search strings (keywords, search text) logging.  Each search engine uses a URL parameter that contains a query or a search string from the referring site that may direct traffic to your website(s).  Webalizer uses the search query parameter to generate a list of 'Search Strings' that may be viewed and referenced by rank, hits, and percentage of hits.

SearchEngine name variable

Allows the specification of search engines and their query strings. The name is the name to match against the referrer string for a given search engine. The variable is the cgi variable that the search engine uses for queries. See the sample.conf file for example usage with common search engines.

The following is a list of search provider names and their corresponding query variable for generating Webalizer search strings statistics.  I will update these periodically.  Some search strings require Webalizer or later.

SearchEngine    facebook.       q=
SearchEngine q=
SearchEngine        q=
SearchEngine       q=
SearchEngine      q=
SearchEngine      MT=
SearchEngine    qt=
SearchEngine       query=
SearchEngine   find=
SearchEngine    q=
SearchEngine q=
SearchEngine        q=
SearchEngine       q=
SearchEngine  q=
SearchEngine     q=
SearchEngine     as_q=All Words
SearchEngine     as_epq=Exact Phrase
SearchEngine     as_oq=Any Word
SearchEngine     as_eq=Without Words
SearchEngine     as_filetype=File Type
SearchEngine   p=
SearchEngine   va=All Words
SearchEngine   vp=Exact Phrase
SearchEngine   vo=Any Word
SearchEngine   ve=Without Words
SearchEngine   vf=File Type
SearchEngine    bingj.  q=
SearchEngine    bing.   q=
SearchEngine         q=
SearchEngine       terms=
SearchEngine   q=
SearchEngine   q=
SearchEngine         query=
SearchEngine         q=
SearchEngine   qt=
SearchEngine       query=
SearchEngine    query=
SearchEngine      q=
SearchEngine    search.alot.    q=
SearchEngine      q=
SearchEngine    search.conduit. q=
SearchEngine      q=

Article & Comments Tags: Software, Projects

How-to Rate Limit SMTP with milter-greylist

13 July, 2015 13:02 CST6CDT

If you have a small cloud instance or a server with little resources you will often need to adjust a handful of SMTP settings appropriate for the scope of your server's capabilities.  In conjunction with MTA tweaks, an MTA milter, milter-greylist, allows you to defer incoming mail (rate-limit) based on several possible rate conditions, rate matching, and index keys.

Lets have a look at these two milter-greylist rate-limit examples:

ratelimit "defaultlimit" rcpt 60 / 1m key "%r"
racl greylist rcpt /^.*$/ ratelimit "defaultlimit" delay 31m autowhite 0m msg "Message rate exceeded"

ratelimit "globallimit" rcpt 120 / 1m key "globallimit"
racl greylist rcpt /^.*$/ ratelimit "globallimit" delay 31m autowhite 0m msg "Message rate exceeded"

We first need to set a rate-limit variable with the limit of hits per a period of time and include a key to store the current MTA load on your system.  The key "%r" is the recipient e-mail address and "globallimit" is a generic non formatted string.

The racl declaration in these two examples match all recipient e-mail addresses.  The first example will keep record of the rate-limit in a variable of the recipient e-mail address "%r" and defer the sender by 31 minutes if the ratelimit parameter is exceeded for that recipient address.  After the 31 minute defer time the message will be accepted regardless of any other milter-greylist declaration.  The second example is a global rate-limit using the generic key "globallimit" that applies the same recipient matching as the first example.  This second example however will only allow the MTA to accept e-mail at a rate of 120 messages or lower per minute globally.  Order of operation is key here and you generally want to place these access control lists after blacklists and before whitelists.

You are not limited to just recipient matching or a specific format string key.  In addition you could match an ACL based on message data (dacl) containing a URL or a block of text inside a message.  See 'format strings' in the greylist.conf man page for possible key variables.

A year ago I was writing... - Godless is Godless Synonym
Microsoft's Canadian Legal Fears
HOWTO Force Spamassassin to Mark Mail As SPAM

Article & Comments Tags: Software

How-to Support Equality With Pride On-line Globally

19 June, 2015 18:02 CST6CDT

The ability to support diversity on-line with a massive number of your peers for Pride, a global festivity happening in one place on an otherwise random corner of the Internet, is now possible.  Prepare to celebrate LGBTQ and diversity by creating an Android Droid representation of yourself for the event occurring on the weekend of June 27th and 28th.  Android is the name of Google's smartphone operating system.  A Droid (robot) often represents Google's Android.

Global Pride AndroidGoogle is putting on a global virtual Pride parade named #AndProud where your self-designed Droid will march.  You may use Androidify to create a Droid with several choices of hair and color, shirt and pants, with a persona of your own.  Optionally you may identify your Pride march Droid with a name and (or) location.

Along with the virtual global pride event happening on-line, your Droid may be chosen to be displayed on a large screen on a parade float during Google's physical support of diversity in the San Francisco, London, and New York parade locations.

A year ago I was writing...

A Look at the Aspire ET-S BDC Glassomizer
SpamAssassin Updates Not Available - Version 1588424 is the last sa-update version available for the near future

Article & Comments Tags: Day to Day

1 2 3 ... 124 125 126  Next»
Land where drunk cows swim and home to my daily hand