Security Now 234
Topic: Your Questions, Steve's Answers 85
Recorded: February 3, 2010
Published: February 4, 2010
- 1 Security Now 234: Your Questions, Steve's Answers 85
- 2 Sponsors
- 3 Production Information
Security Now 234: Your Questions, Steve's Answers 85
Internet Explorer as a file system, using Live CDs for security, and Steve takes on the iPad...
News & Errata
02:45 - 5:30
- Steve has a section about the PDP 8 on his website
5:31 - 11:03
- A mum in Minnesota was fined 1.92 million dollars after being accused of illegal file sharing by the RIAA
- The judge then reduced the fine to $54,000
- The RIAA then offered her a deal to reduce the fine to $25,000 if she told the judge to vacate his decision to reduce the penalty
- She refused this offer
11:04 - 14:11
- There was a presentation at black hat by Jorge Luis Alvarez Medina called "Internet Explorer Turns Your Personal Computer Into a Public File Server."
- It uses features of internet explorer to do this. But this was never an intended use and Microsoft it working to fix it
- It can give a remote site full access to your file system
14:11 - 15:38
- There is a security update out for Real Player
- If you don't need it Steve recommends uninstalling it
15:39 - 17:27
- Steve's analysis of Lock Note is coming up next week
20:44 - 38:12
- Steve thinks the iPad is great value at $499
- Steve likes the idea of having a portable web browser
- Steve also thinks there is no camera to save money but there will be a USB camera attachment you can buy
38:12 - 40:17 Mark Jones (Unknown)
The geek squad said the hard drive was defective but Spinrite fixed it
Questions & Answers
43:47 - 01:27:15
Question: [ 01 ]
43:47 - 47:35 Steve, Van A. Eash (Laredo, Texas)
Question: Can you run .Net applications in Firefox ?
Answer: There used to be a .NET framework assistant for Firefox but Steve can't find it for Firefox 3.5. He recommends using internet explorer for any websites that require .Net and Firefox for all other browsing
Question: [ 02 ]
47:36 - 51:50 Hans in Uppsala (Sweden)
Question: I suggest people use a virtual machine for online banking as it is more convenient than using a live CD or a separate computer. Is this a secure solution ?
Answer: No as the PC you are using the virtual machine on could have malware on it monitoring all network activity
Comment: [ 03 ]
51:51 - 54:00 Francois Pominville (Montreal)
Listener Comment: Before using a Linux live CD for online banking I recommend turning the computer off for 30 seconds to ensure any viruses in memory are removed
Steve's Comment: Steve can not see the benefit of this
Comment: [ 04 ]
54:01 - 01:01:20 Anonymous (Michigan)
Listener Comment: I heard you and Leo discuss what happens when one side of the connection has SSL renegotiation disabled, as in the case of Apple's recent update to its broken SSL/TLS. In the discussion that followed, you described the unlikely instance of SSL sessions that last a month or more, which is correct.
However, where this issue also arises in more practical terms is with client certificate authentication, which is a use case which you touched on when you previously discussed session renegotiation. You might have forgotten to mention it this time.
At least with Apache, the behavior of client certificate authentication depends on whether you apply the directive on a per-server or per-directory context. In the per-server context you have to supply a valid client certificate to establish the SSL connection to the server. In a per-directory context, you establish a non-client certificate authenticated connection first. Once you request a directory requiring certification, Apache forces a session renegotiation before giving the client the data. So you start with an insecure connection, try to go to that directory. Apache says, no, wait a minute, it's secure, let's renegotiate so that we can have a secure connection. He gives a link to the Apache docs for this.
In the case where Apache is compiled with OpenSSL 0.9.81, thus breaking session renegotiation, client certificate authentication in a per-directory context no longer works. Clients are unable to access the directory protected by client certificate authentication.
Steve's Comment: This is correct,
Question: [ 05 ]
01:01:21 - 01:05:09 Joshua (Perth, Australia)
Question: Make sure you put your banking Live CD into a CD-ROM drive or use a USB key with a physical hardware switch lock on it. If you can't find one of those, SD cards usually have the switch and should boot from USB card readers. And for the ultra-paranoid, add a physical switch to your computer which disconnects the hard drive. What do you think about that? Is this necessary to prevent a possible attack where a virus modifies the live CD?
Answer: Many live CD's are finalised so they can not be modified but it is good to think about all the possible attacks
Question: [ 06 ]
01:05:10 - 01:08:12 Ben (Brea, California)
Question: How do you know that the Firefox master password pop up window was generated by Firefox and not a malicious website ?
Answer: Steve would like a addon for Firefox that pops up the password prompt when Firefox starts but does not answer how you can tell currently
Question: [ 07 ]
01:08:13 - 01:13:52 Bill (Washington, DC)
Question: How can I force my lawyer and accountant to be more secure when handling my data on there computers ?
Answer: Tell them how much damage it would cause to their reputation if the data they store was stolen
Comment: [ 08 ]
01:13:53 - 01:19:03 Greg Christopher
Listener Comment: Self signed certificates are not secure as anyone can create a certificate for any website you need a certificate authority to verify the site is who they say they are
Steve's Comment: This is correct
Question: [ 09 ]
01:19:04 - 01:25:17 Rob McLean (Saskatoon)
Question: If you took an AC signal from an antenna and ran it through a transformer, you could then turn a few millivolts into several volts. If you then step it through another transformer, you could ramp up the amperage. I haven't had the chance to test this out, but from what I read it seems to work. In the podcast you mentioned the math wouldn't work out. In the spirit of the current series on the podcast, could you explore why or why not this system works?
Answer: Power is the constant, and power equals voltage times current. So by definition, for example, a watt of power is a certain amount of voltage at a certain amount of current. So if you step up the voltage, then you're going to get more voltage, but at less current, because the power minus the losses of conversion will be the same.
Comment: [ 10 ]
01:25:18 - 01:27:15 Kenneth Musante (New York City)
Listener Comment: "I'm so excited about the 'How Computers Work' series." This is what we started last week. I've always been curious about how computers work, but since I've only been around for about 30 years, the modern machines I've always known seem so far removed from the computers of yesteryear like your PDP-8s. To me they've always just been black or beige boxes. I have been using computers since I was a kid in the early '80s. My first machine, a Coleco Adam.
I also know a lot about computer history - Babbage, Colossus, ENIAC, and so on. And I know most of the basic principles of electronics. However, the conceptual gap between those historical machines and the iMac sitting on my desktop seems insurmountable. I would love to really know what's going on inside there. Even in college, no one was able to explain it to me in a way I could understand. I loved your talk about how the Internet works, and I'm certain if anyone can explain what appears to be such a complex topic, you're the guy. Looking forward to learning. Thanks so much to you and Leo for doing this for all of us.
Steve's Comment: I got a lot of really great feedback about last week's episode
- Ad Times: 0:43-1:00 and 18:24-20:44
- Ad Times: 1:01-1:10 and 40:24-43:42
| The Last Train from Hiroshima: The Survivors Look Back by Charles Pellegrino (UNABRIDGED)|
Narrated by Arthur Morey
- Edited by: Tony
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|