Updates in 2013
Health Burdock Gean! |
I've been incredibly busy for the last 14 months (I guess that's what happens when you go into information security as a career), but here are a few updates:
There will be more sooner or later. |
Posted by Ben Lincoln, 2013-05-05 @ 23:00 |
RMR ("Armour") Codes |
A small update to mention a side-project I worked on earlier this year: Robust Machine Readable Codes - a 2D marking system with high levels of redundancy which is suitable for being stencil-painted (among other things). |
Posted by Ben Lincoln, 2013-05-19 @ 18:00 |
Motorola Is Listening |
The first security-related research I've done outside of work, and can therefore discuss publicly :). Motorola Is Listening, and the Python-based man-in-the-middle exploit (XMPPPeek) I developed as part of doing that research. |
Posted by Ben Lincoln, 2013-06-30 @ 23:00 |
Wow |
Motorola Is Listening certainly got a lot more attention than I expected. I've added a minor note near the top because a lot of the discussion I've seen is around the "MotoBlur" user interface, which the phone I used (the Droid X2) does not include.
I've also added a link to the UVIR Optics eBay store on the Filters page. They have some really nice filters available made out of hard-to-find (at least in the US) glass, and the prices are quite low. |
Posted by Ben Lincoln, 2013-07-02 @ 06:00 |
Uh oh |
I realized something while I was in the shower this morning - there may be a more serious security issue exposed by the mechanisms described in the Motorola Is Listening article. I've added a note near the top to this effect. It's entirely theoretical at this point, but I wanted to throw it out there in case anyone has more time to actively research this. |
Posted by Ben Lincoln, 2013-07-02 @ 08:30 |
The hits keep coming |
Another update to the Motorola Is Listening article - looks like I failed to notice an authentication-related problem until now. |
Posted by Ben Lincoln, 2013-07-03 @ 08:30 |
A few more updates to the Motorola article |
Added a bit more information and a table-of-contents to the Motorola Is Listening article. |
Posted by Ben Lincoln, 2013-07-04 @ 16:00 |
DIY traffic-intercepting Linux VM build guide |
As promised in the Motorola Is Listening and XMPPPeek articles, I've created a guide to building the type of Linux VM that I used for my testing: Multipurpose Man-in-the-Middle VM. Some corrections and minor updates have been made to the XMPPPeek and Motorola Is Listening articles as well. |
Posted by Ben Lincoln, 2013-07-09 @ 21:00 |
MitM VM build guide updates/corrections |
I've made a few corrections and additions to the Multipurpose Man-in-the-Middle VM writeup. I'd forgotten to include the steps for manually chaining SSL certificates together when performing a custom MitM (e.g. for XMPP communication and socat), and I've updated the troubleshooting steps I had to use to get the network configuration to "stick" on one of my VMs. I've also updated the traffic-forwarding scripts that are included with XMPPPeek. |
Posted by Ben Lincoln, 2013-07-12 @ 18:30 |
Further updates to the Motorola article |
I managed to track down the location-data-collecting component of Motorola's software on my phone - but before you get too excited, it was not enabled at the time. It's called "Little Sister", and I've added a section on it and a few other updates to the Motorola Is Listening article. I've also added a description of the hack/workaround I've used on my own device to prevent it from communicating with Motorola.
In the process of testing that hack/workaround, I learned something about HTTP proxies. Maybe it's common knowledge in some circles, but I sure hadn't run across it before. The details are in the HTTP Proxies and Loopback Addresses article.
I've made some minor corrections to the Multipurpose Man-in-the-Middle VM article as well, so if you've been giving that a shot and have run into trouble, those updates may help.
Looks like I forgot to actually upload the updated version of the XMPPPeek HTML file that included a link to the package with updated traffic-forwarding scripts. Sorry about that. It's been corrected. |
Posted by Ben Lincoln, 2013-07-28 @ 23:30 |