Tag Archives: security

Securely erase Drives on Synology NAS

I had to erase an external hard drive, a WD My Book, because I had to return it due to defects. So I searched on the web how to do that on a Synology DS916+ NAS, but I could not easily find the solution. Therefore I did a more generic search how to do it under Linux, and came across the tool “shred” which I had used years ago for the last time.

I checked on my NAS, and the tool was readily available. So I ran the following command to securely erase the (external) hard drive:

 shred /dev/sdq1

Hope this helps people who need to accomplish the same.

PayPal phasing out Symantec VIP Access

I tried to add a new virtual security key, provided by Symantec’s “VIP Access” smartphone app, to my PayPal account. However, it didn’t work as it used to work, by visiting this link. I only got an error message saying:

“We’re sorry. There’s been an intermittent communication problem. Please try again later.”

To me that sounds like PayPal’s portal needs to communicate with Symantec’s back-end for VIP Access, and there is something wrong.

So I wrote a message to PayPal support, and this is what I got:

“Since last year you only can use a mobilephone number for security keys. Old Keys produced by the VIP Access App still can be used but no new one can be registered. Sadly I have no timeframe how long you can use the registered app keys before they were invalid too.”

It is really very disappointing that they migrate away from this very secure and privacy-concious solution to an inferior one, because it is

  • privacy-intrusive (they require your mobile phone number to send you the one-time code) and
  • definitely less secure (mobile-phone based one-time codes have been demonstrated to be easily interceptable for skilled hackers!)

If you oppose this change, please approach PayPal and voice your concerns.


Gestern wollte ich während eines Bestellvorgangs mit PayPal bezahlen als ich feststellte, dass mein PayPay-Sicherheitsschlüssel nicht mehr funktionierte. Egal wie oft ich den Knopf zur Anzeige eines Sicherheitscodes drückte, das Display blieb ohne Funktion, das Gerät war wie “tot”.

Es handelt sich bei meinem Modell noch um den ursprünglichen Schlüssel (und nicht den neuen im Kreditkartenformat), der eine gewisse Ähnlichkeit mit den ersten RSA SecurID-Tokens hat:

Das Teil war jetzt über sechs Jahre alt, daher ging ich davon aus, dass schlicht und einfach die Batterie leer war. Da ich nicht riskieren wollte dass mein Bestellvorgang wegen Inaktivität abgebrochen wurde, wollte ich den Schlüssel möglichst schnell “reparieren”. Continue reading PayPal-Sicherheitsschlüssel

ARDAgent exploitable locally

I was pointed by a colleague that ARDAgent can be exploited locally to gain “root” privileges under MacOS 10.4 and 10.5. A quick search on Google turned up this post on Macworld that gives some details about this issue.

To check whether you’re vulnerable type the following in a Terminal window:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

And if it says root you are vulnerable. To quickly protect you type the following:

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

TrueCrypt for Mac

I was very happy to see that there’s TrueCrypt for the Mac, a disk encryption tool I really like and use since a long time on my Windoze PC.

Quickly I installed it. The installation went smoothly, and a quick test was successful. However, when I played some more with it, I found a strange oddity which I couldn’t clarify myself. I doubt that it’s because I’m a new Mac user, but I rather think it’s a quirk in TrueCrypt. Let’s see whether anyone can reproduce the issue, and whether it will be fixed (shortly). :)

Anyway, this is a tool that you should definitely use when you have confidential data on your laptop.

GPG with IDEA on the Mac

One of the first things I did when I got my new Mac was install Mozilla Thunderbird, the invaluable EnigMail extension, which is a very easy-to-use frontend to GNU Privacy Guard (GPG), and of course GPG itself.

All went very smoothly, and to check whether the installation was fine I tried to opened an encrypted message which I had received some days ago. Unfortunetly GPG couldn’t decrypt the message. A quick look at EnigMail’s console window told me that the message was encrypted using IDEA, and that the version of GPG I had installed was lacking support of that encryption algorithm.

Continue reading GPG with IDEA on the Mac