Security Now 234


Security Now 234: Your Questions, Steve's Answers 85

Internet Explorer as a file system, using Live CDs for security, and Steve takes on the iPad...

News & Errata

02:45 - 5:30

  • Steve has a section about the PDP 8 on his website

5:31 - 11:03

  • A mum in Minnesota was fined 1.92 million dollars after being accused of illegal file sharing by the RIAA
  • The judge then reduced the fine to $54,000
  • The RIAA then offered her a deal to reduce the fine to $25,000 if she told the judge to vacate his decision to reduce the penalty
  • She refused this offer

11:04 - 14:11

  • There was a presentation at Black Hat by Jorge Luis Alvarez Medina called "Internet Explorer Turns Your Personal Computer Into a Public File Server."
  • It uses features of Internet Explorer to do this. This was never an intended use, and Microsoft is working to fix it
  • It can give a remote site full access to your file system

14:11 - 15:38

  • There is a security update out for RealPlayer
  • If you don't need it, Steve recommends uninstalling it

15:39 - 17:27

  • Steve's analysis of Lock Note is coming up next week

20:44 - 38:12

  • Steve thinks the iPad is great value at $499
  • Steve likes the idea of having a portable web browser
  • Steve also thinks the camera was left out to save money, but there will be a USB camera attachment you can buy

Spinrite Story

38:12 - 40:17 Mark Jones (Unknown)

The Geek Squad said the hard drive was defective, but SpinRite fixed it

Questions & Answers

43:47 - 01:27:15

Question: [ 01 ]

43:47 - 47:35 Steve, Van A. Eash (Laredo, Texas)
Question: Can you run .NET applications in Firefox?

Answer: There used to be a .NET Framework Assistant for Firefox, but Steve can't find it for Firefox 3.5. He recommends using Internet Explorer for any websites that require .NET, and Firefox for all other browsing

Question: [ 02 ]

47:36 - 51:50 Hans in Uppsala (Sweden)
Question: I suggest people use a virtual machine for online banking as it is more convenient than using a live CD or a separate computer. Is this a secure solution?

Answer: No, as the PC you are running the virtual machine on could have malware on it monitoring all network activity

Comment: [ 03 ]

51:51 - 54:00 Francois Pominville (Montreal)
Listener Comment: Before using a Linux live CD for online banking I recommend turning the computer off for 30 seconds to ensure any viruses in memory are removed

Steve's Comment: Steve cannot see the benefit of this

Comment: [ 04 ]

54:01 - 01:01:20 Anonymous (Michigan)
Listener Comment: I heard you and Leo discuss what happens when one side of the connection has SSL renegotiation disabled, as in the case of Apple's recent update to its broken SSL/TLS. In the discussion that followed, you described the unlikely instance of SSL sessions that last a month or more, which is correct.

However, where this issue also arises in more practical terms is with client certificate authentication, which is a use case which you touched on when you previously discussed session renegotiation. You might have forgotten to mention it this time.

At least with Apache, the behavior of client certificate authentication depends on whether you apply the directive on a per-server or per-directory context. In the per-server context you have to supply a valid client certificate to establish the SSL connection to the server. In a per-directory context, you establish a non-client certificate authenticated connection first. Once you request a directory requiring certification, Apache forces a session renegotiation before giving the client the data. So you start with an insecure connection, try to go to that directory. Apache says, no, wait a minute, it's secure, let's renegotiate so that we can have a secure connection. He gives a link to the Apache docs for this.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient

In the case where Apache is compiled with OpenSSL 0.9.81, thus breaking session renegotiation, client certificate authentication in a per-directory context no longer works. Clients are unable to access the directory protected by client certificate authentication.

Steve's Comment: This is correct.
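An added example, not from the episode or the Apache documentation, showing the two SSLVerifyClient contexts the comment contrasts; the certificate paths and the /secure location are placeholders:

```apache
# Added illustration (not from the episode or the Apache docs).
# Certificate paths and the /secure location are placeholders.

# Per-server context: the client certificate is demanded during the initial
# handshake, so no renegotiation is ever needed. This keeps working when
# either side has SSL/TLS renegotiation disabled.
<VirtualHost *:443>
    ServerName            bank.example            # placeholder
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        1
    DocumentRoot          /var/www/bank
</VirtualHost>

# Per-directory context: the handshake completes with no client certificate.
# The first request under /secure makes Apache renegotiate to demand one.
# If renegotiation is disabled on either side, /secure becomes unreachable,
# which is the failure the listener describes.
<VirtualHost *:443>
    ServerName            portal.example          # placeholder
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient       none                    # default for the server
    DocumentRoot          /var/www/portal
    <Location /secure>
        SSLVerifyClient   require                 # triggers renegotiation
        SSLVerifyDepth    1
    </Location>
</VirtualHost>
```

Where renegotiation is unavailable, moving SSLVerifyClient up to the server context (the first block) is the usual workaround, at the cost of requiring a certificate for every request on that virtual host.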

Question: [ 05 ]

01:01:21 - 01:05:09 Joshua (Perth, Australia)
Question: Make sure you put your banking Live CD into a CD-ROM drive or use a USB key with a physical hardware switch lock on it. If you can't find one of those, SD cards usually have the switch and should boot from USB card readers. And for the ultra-paranoid, add a physical switch to your computer which disconnects the hard drive. What do you think about that? Is this necessary to prevent a possible attack where a virus modifies the live CD?

Answer: Many live CDs are finalised so they cannot be modified, but it is good to think about all the possible attacks

Question: [ 06 ]

01:05:10 - 01:08:12 Ben (Brea, California)
Question: How do you know that the Firefox master password pop-up window was generated by Firefox and not by a malicious website?

Answer: Steve would like an add-on for Firefox that pops up the password prompt when Firefox starts, but does not say how you can currently tell

Question: [ 07 ]

01:08:13 - 01:13:52 Bill (Washington, DC)
Question: How can I force my lawyer and accountant to be more secure when handling my data on their computers?

Answer: Tell them how much damage it would cause to their reputation if the data they store was stolen

Comment: [ 08 ]

01:13:53 - 01:19:03 Greg Christopher
Listener Comment: Self-signed certificates are not secure, as anyone can create a certificate for any website; you need a certificate authority to verify the site is who they say they are

Steve's Comment: This is correct

Question: [ 09 ]

01:19:04 - 01:25:17 Rob McLean (Saskatoon)
Question: If you took an AC signal from an antenna and ran it through a transformer, you could then turn a few millivolts into several volts. If you then step it through another transformer, you could ramp up the amperage. I haven't had the chance to test this out, but from what I read it seems to work. In the podcast you mentioned the math wouldn't work out. In the spirit of the current series on the podcast, could you explore why or why not this system works?

Answer: Power is the constant, and power equals voltage times current. So by definition, for example, a watt of power is a certain amount of voltage at a certain amount of current. So if you step up the voltage, then you're going to get more voltage, but at less current, because the power minus the losses of conversion will be the same.
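A worked version of that answer, added here and not part of the episode. An ideal transformer with turns ratio $n = N_2/N_1$ scales voltage up and current down by the same factor, so the product is unchanged:

\[
V_2 = n\,V_1, \qquad I_2 = \frac{I_1}{n}, \qquad P_2 = V_2 I_2 = V_1 I_1 = P_1 .
\]

Feeding that output into a second transformer with ratio $m$ (chosen to raise the current, so $m < 1$) only undoes the first step:

\[
V_3 = m\,V_2 = mn\,V_1, \qquad I_3 = \frac{I_2}{m} = \frac{I_1}{mn}, \qquad P_3 = V_3 I_3 = V_1 I_1 = P_1 .
\]

Real transformers have efficiencies $\eta_1, \eta_2 < 1$, so the chain can only lose power:

\[
P_3 = \eta_1 \eta_2 \, P_1 < P_1 .
\]

With constructed figures: an antenna delivering 5 mV at 1 µA supplies $P_1 = 5\ \text{nW}$. Stepping up to 5 V ($n = 1000$) leaves 1 nA of current; a second transformer that brings the current back to 1 µA ($m = 1/1000$) brings the voltage back to 5 mV, minus the losses of both stages.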

Comment: [ 10 ]

01:25:18 - 01:27:15 Kenneth Musante (New York City)
Listener Comment: "I'm so excited about the 'How Computers Work' series." This is what we started last week. I've always been curious about how computers work, but since I've only been around for about 30 years, the modern machines I've always known seem so far removed from the computers of yesteryear like your PDP-8s. To me they've always just been black or beige boxes. I have been using computers since I was a kid in the early '80s. My first machine, a Coleco Adam.

I also know a lot about computer history - Babbage, Colossus, ENIAC, and so on. And I know most of the basic principles of electronics. However, the conceptual gap between those historical machines and the iMac sitting on my desktop seems insurmountable. I would love to really know what's going on inside there. Even in college, no one was able to explain it to me in a way I could understand. I loved your talk about how the Internet works, and I'm certain if anyone can explain what appears to be such a complex topic, you're the guy. Looking forward to learning. Thanks so much to you and Leo for doing this for all of us.

Steve's Comment: I got a lot of really great feedback about last week's episode

Sponsors

GoToAssist Express

Audible

Picks

The Last Train from Hiroshima: The Survivors Look Back by Charles Pellegrino (UNABRIDGED)
Narrated by Arthur Morey

Production Information

  • Edited by: Tony
  • Notes: