Security Now 180

From The Official TWiT Wiki
Security Now
Episode 180

This week is the 58th questions-and-answers episode of Security Now. Leo Laporte and Steve Gibson reach into the mail bag and answer your security questions.


Spinrite Story

This week's SpinRite story is titled "Spinrite Saved My Rear" and comes from an IT director for a small chain of retail cell phone stores. The chain uses a proprietary point-of-sale (POS) system. Every once in a while the stores host live radio personalities to increase traffic and sales. One day prior to one of these live events, one of the POS systems went down. The IT director wasn't too worried: he kept an external USB drive with an image of the disc for exactly these situations. When he tried to use it, however, he found that there was a problem with the external disc and it would not mount. He quickly grabbed his trusty SpinRite disc and ran it on the failing POS system, and within minutes he was able to boot it up; it was in working order minutes before they went live. Later he ran SpinRite on the dead external disc and was able to fix that too.

Listener Questions

  1. Mat Ludlam in Weybridge, London wants more of #177
    • Hey guys! ... I loved the show (as always), but particularly enjoyed the "off topic" conversations about PDP-8's, Ultra Capacitors etc. It made me wonder if you have enough material to do a different podcast, say monthly on a specific technology subject. Solar cells, wind energy, wave energy, your first PC, latest Sci-Fi releases etc. What do you think? Keep up the great work.
  2. Tom in Vancouver, Washington revealed something amazing
    • Hi Steve and Leo. I have been a listener since show one. I am also a SpinRite owner. I want to leave some feedback about Microsoft's Malicious Software Removal Tool (MSRT). You can run this program on demand without downloading anything particular from Microsoft's website. Just right click on the desktop and select "New" and "Shortcut." Type MRT into the edit field, then hit enter twice. This will create an icon for the MRT tool that you can run whenever you want with no hassles and no reboots. Keep up the good work with Security Now!
  3. Bill Everson in Green Bay, WI can't WAIT to be frightened!
    • Regarding the EEStor capacitor energy storage system: Given all the technical hurdles that must be overcome to make a "battery" like this work, it is unlikely that we will see it in a commercially available vehicle for a few years. There is one aspect of a capacitor this large that you haven't mentioned: What happens if the capacitor fails or is damaged in an accident? All that stored energy has to go somewhere! Since a capacitor doesn't have any internal resistance like a battery, the energy will be instantly converted to heat. What we are describing here is a large bomb. Before such a device would be allowed into the hands of the public it needs to be made safe. That will probably take the form of blast shielding that will greatly increase the size and weight of the unit. Also non-replaceable internal fuses will be required to limit the fault current leaving the enclosure. With that said, if this technology ever does make it into a car in a reasonably safe form, I will be among the first in line to buy one.
  4. Matt in Walla Walla wants to use Yubikey's static passwords
    • Steve- I really appreciate all your hard work with both the show and your software. Looking forward to CryptoLink. I'm very interested in using the YubiKey in the static password role as you've described. After the key is set up with the utility, is that the only password that key can ever provide? Or can you run the utility again to get another password? I'm hoping that losing that one password, though unlikely, doesn't render the YubiKey useless. -Thanks again, Matt
  5. Wes in Boise, ID wonders why so little eMail is secured
    • Hey guys - I hope you can explain this for me: Companies rely so heavily on email now, and the data is very often confidential and ideally would be encrypted. Many companies have workaround methods via a secure website with just a link transmitted by email. So my question is: why is it so difficult to move to a universal secure method to transmit between email servers? I am constantly amazed there is no massive movement to push toward secure email by the corporations of the world.
  6. Jim in Washington DC wants to use the Yubikey ... but
    • Hey Steve & Leo... I am a fairly new listener to the show, I am an IBM software engineer working out of Washington DC. I am currently making my way back through your back catalogue of Security Now. I love the show and I wanted to say that this show has certainly made me much more security aware. Thank you both for a very entertaining and informative podcast. I have come to love your Perfect Passwords application and I secure my router at home with it. I currently store the password in an encrypted txt file and I thought it would be very cool to have a physical token that would allow quicker authentication using the static password feature of Yubikey. My question has to do with the Yubikey password complexity. After looking at the Yubikey Static Password How-To PDF guide on the yubico website, I noticed that the password examples they were generating were only using an a-z alphabet in lower case. I was wondering if the Yubikey was capable of outputting the entire range of ASCII characters. After listening to the Security Now discussion about the Yubikey, I was very excited but hesitated from actually purchasing one when I made that observation since only having lower case a-z (even if it is a long string) decreases the complexity of the password tremendously. What are your thoughts on this? And also, kudos to your listener with the idea of using a concatenation of the static yubikey in addition to a memorized password. It would add an extra layer of protection in case you were to have your key lost or stolen. Thanks again for the great show!
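Jim's question is really about how alphabet size and password length trade off. The following Python is an added example for these show notes (not code from the podcast, Yubico, or the listener) that infers the alphabet a password was drawn from, computes the bits of entropy a uniformly random password of that length and alphabet carries, and reports how long a lowercase-only string must be to match a given strength. The lengths 38 and 20 used in the sample calls are assumed sample values, not YubiKey specifications.

```python
import math
import string

# Character classes a password generator might draw from.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def alphabet_size(password: str) -> int:
    """Infer the size of the alphabet a password was drawn from.

    Each character class that appears at least once contributes its whole
    class size; characters outside the four classes (space, non-ASCII)
    each add one symbol.
    """
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    extra = {c for c in password
             if not any(c in chars for chars in CLASSES.values())}
    return size + len(extra)


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    if length <= 0 or alphabet <= 1:
        return 0.0
    return length * math.log2(alphabet)


def length_for_bits(target_bits: float, alphabet: int) -> int:
    """Smallest length over the given alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))


def strength(password: str) -> float:
    """Entropy estimate for a password assumed to be uniformly random over
    the alphabet inferred from its character classes."""
    return entropy_bits(len(password), alphabet_size(password))


if __name__ == "__main__":
    # Assumed sample lengths: a 38-character lowercase string versus a
    # 20-character string over all 94 printable ASCII classes.
    print(f"38 lowercase chars : {entropy_bits(38, 26):.1f} bits")
    print(f"20 full-ASCII chars: {entropy_bits(20, 94):.1f} bits")
    print(f"lowercase length for 128 bits: {length_for_bits(128, 26)}")
    print(f"strength('xkcdpassword'): {strength('xkcdpassword'):.1f} bits")
```

The estimate assumes the token emits uniformly random characters; a shrinking alphabet costs about 1.4 bits per character when going from 94 symbols to 26, so every three or four extra lowercase characters buy back what one missing character class removed.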
  7. Jon in Duluth, GA wonders how secure the PayPal football really is
    • Hi Steve, I was thinking that the PayPal Football suffers from a similar vulnerability to that of captchas and Bank Of America's "Click the picture of your teddy bear" authentication. Someone could create a fake PayPal web site or a fake store front that sends people to the fake PayPal site. The fake PayPal site would prompt the user for his user name, password, and football token. Next, the website could turn around and take the user name, password, and football token and log into the real PayPal site. Once logged into the real PayPal the fake PayPal site could do whatever it would like. The football is supposed to be a one-time password; it doesn't seem to prevent a malicious program from using it that one time. It seems that this would need to be a malicious program instead of a malicious user in order to be able to log in before the token expires. Do you think this is a vulnerability? Do you think there is a way to protect against it? I love the show and have been listening since episode one. Keep up the good work.
  8. Angus Scott-Fleming in Tucson, Arizona brings up a good point about WPA laptop keys
    • Leo and Steve, I've been listening to SN since episode 1, good stuff. It's my first-choice podcast when I have time to listen, and I always go back and catch up when I get a few weeks behind. I've owned SpinRite since SpinRite II and use it often. With respect to your enthusiasm for the secrecy of wireless WPA passwords when you use your Yubikey to "type in" the WPA passwords in visitors' computers, you should be aware that NOTHING in a Windows computer is really secret. Nirsoft makes a freeware utility called WirelessKeyView that instantly shows the WEP/WPA keys stored by Windows' Wireless Zero Configuration service. I carry this around on my USB toolkit. The only time I haven't been able to recover a wireless key using this utility is when the laptop isn't using Windows to manage its WiFi keys (e.g. IBM/Lenovo laptops have a very good "wireless profile manager" that I always use on them). But
  9. Gustin Johnson in Calgary, Canada offers Firefox thoughts and plug-in suggestions
    • I am not sure why it only just occurred to me now, but isn't Leo *exactly* the sort of person who should be using NoScript? It seems to me that since he is viewing a large number of sites his attack surface is much larger. I know for me I do try not to add sites to the white-list since I know that even if they are safe today, they may not be tomorrow. On a related topic, I have a couple of Firefox plugin suggestions:
      • JSView: This plugin allows you to view the source of all JavaScript and CSS code sent to your browser. Really neat.
      • ShowIP: This plugin displays the IP address of the web server your browser downloaded the current page from. In addition there are two menus full of options (one accessed by a left click, the other a right click). Things like DNS and WHOIS info, Netcraft lookups and more.
      • Firebug: This plugin is a great way to explore how a site is put together. The Inspect option is quite handy for tracking down errors in your own site. It is additionally handy for inspecting suspicious elements of web sites or inspecting their login methods.
    • Keep up the great work guys.
  10. Kerry in Santa Cruz, CA wonders about needing to trust anyone
    • I recently obtained a Thawte personal email certificate. I am wondering how secure these really are? I realize that it is safe enough to protect me from a "man in the middle" attack, however is it as secure as a "trust no one" technology? In other words, does Thawte (or any certificate provider) keep a copy of the private key? I hope you can answer this, I can't seem to find any information about it on Google. I have tried using PGP but as you know it isn't free and it isn't easy for many users to set up. I also wanted to thank you for the show. When I discovered it last winter I downloaded every edition and listened to all of them within a couple of months. I now stay caught up every week.
  11. Scott Pritchett in Kidderminster, UK provides some additional PayPal info
    • Searching for "plug in" on gives: PayPal Plug-in - Shop securely online - We're sorry but the PayPal Plug-In is currently only available in the United States and is not offered in any other country at this time. More Information: Clicking the "More Information" link gives an out of date error. I think as this plug-in is US only, then by extension One Time Cards must be too.
  12. Dan in the USA (being necessarily vague) writes
    • Steve, On Security Now #179 you were mentioning better security questions that a user had submitted. One in particular piqued my attention as a very BAD security question. The suggestion was "What was your score on the civil service test?". As a civil servant myself I can tell you that this is very bad! Because in many states (mine for example) civil service results are posted online and fall under "public information". All someone would need is a name, address, or SSN # and they can get the results of not only that person's score, but all the scores from everyone who took the same test. Granted the question could be referencing a score from many years ago, but there could be a chance that the information is preserved. God only knows how far identity thieves will go, but odds are they already have some of this information on hand. Civil servants are subject to a bit of public scrutiny and therefore, the public can get a lot of info from the state (start dates, years of employment, salary, job title, etc). Basing any security question on any employment info is a bad idea. Anyway, just thought I should give you and the listeners a heads up. Love the show, and I love my SpinRite!


Audible Pick Of The Week

The 7 Habits of Highly Effective People by Stephen R. Covey (UNABRIDGED)
Narrated by Stephen R. Covey

Ad Time: 0:33-0:43 and 3:11-6:15

Please note this offer is not available in Australia.


GoToMyPC

GoToMyPC is the fast, easy and secure way to access your PC from any Web browser or wireless device in real time.

Ad Time: 0:44-1:00 and 15:56-17:51

Nerds On Site

Nerds On Site Provides computer services to homes and businesses, with representatives in many locations across North America.

Ad Time: 01:01-01:10 and 1:15:03-1:17:41

Production Information

  • Recorded Date: January 20, 2009
  • Release Date: January 21, 2009
  • Duration: 1:22:15
  • Log line:
  • Edited by: Tony
  • Notes: NA
