Security Now 188
Topic: Listener Feedback 62
Recorded: March 18, 2009
Published: March 19, 2009
Security Now 188: Listener Feedback 62
News & Errata
- Only 10 questions this week, because there was so much news and errata.
6:38 - 10:20
- Multiple security vulnerabilities in Foxit have been patched.
10:21 - 15:45
- Spencer Kelly for the BBC purchased a 22,000-PC botnet, used it to send spam to themselves and to DDoS a website (with permission), then changed the desktop wallpaper of the machines to alert the owners to the fact that their PC was compromised, and finally shut the botnet down. Some people have questioned the ethics and legality of this.
15:46 - 33:34
- Steve announced the winners of the YubiKing award for the best use of the YubiKey. The top two entries in the wiki vote were from companies that had voted for themselves many times. There were three winners (http://wiki.yubico.com/wiki/index.php/YubiKing_Award):
- Maventa, who make a secure electronic invoice system (http://www.maventa.com/).
- Collective Software, who make a multi-factor authentication system for Windows called "AuthLite" (http://www.collectivesoftware.com/Products/AuthLite).
- "Keygenius", which uses a browser add-on to automatically fill in password fields on websites when you press the YubiKey button (http://key-genius.appspot.com/).
- A really fun entry was Yubihome, where they use a YubiKey as their door key (http://smartpirtti-yubikey.blogspot.com/).
- Next month an update to the YubiKey will allow a single YubiKey to operate in both one-time-password and static-password mode.
33:35 - 52:53
- Two MIT chemists have made a major battery breakthrough: a technique that changes the surface crystallisation of lithium ion batteries. You can take existing lithium ion technology, switch it to this new process, and charge and discharge the battery in seconds. Voltage is pressure and current is flow; the current is currently the limiting factor. To make this change they take a lithium iron phosphate electrode:
- which they heat to 600 degrees for some length of time,
- then raise it to 900 degrees,
- and do this and that.
This changes the crystalline surface structure at the nano level so that it is far more permeable to ions, and it is the ionic permeability of the electrodes which has traditionally limited the rate at which you can charge and discharge lithium ion cells.
SpinRite Amazingly Cool Tip
52:54 - 55:29
Dave Jones (Birmingham, AL) got SpinRite to boot via PXE (network boot). To do this he took the FDBOOT.img floppy image from FreeDOS and merged spinrite.exe into it. Then he placed a call to it in the FreeDOS autoexec file and put the .img file in the PXE menu.
- Information about the PXE topic that was not discussed in the show:
A post exists in GRC's Newsgroup server with a partial explanation on how to get SpinRite to boot from the LAN. It can be found here:
or located in the newsgroup by searching for PXE under grc.spinrite.
Nearband Tutorial: http://blog.nearband.com/2007/11/19/pxe-booting-spinrite/
Dave's Tutorial: http://www.southernbread.org/sysadmin/
Questions & Answers
1) 57:46 - 01:00:52, The horrifying PayPal revelation of the week, Francis (London)
Listener Comment: A listener needed to reset a PayPal password. He used the forgotten-password link at the login screen and received the email with a link. However, every time he clicked the link it said it had expired. So he rang up PayPal, and they asked what the last 4 digits of the account number were. He didn't know it, as it's a corporate account, so the PayPal support person told him to guess it, but there were 10,000 possibilities. So he told PayPal he couldn't guess it. So they told him to guess the first number. He guessed 5, to which PayPal responded "higher". He said 8, to which PayPal responded "lower". He guessed 7, to which PayPal responded "yes, it's 6". Repeating this, he guessed all 4 numbers and was able to change the password and security questions.
Steve's Comment: Not doing this would have been more hassle for the PayPal rep, but it also indicates that the PayPal rep could see the account number. Steve and Leo both laugh at how mad this is.
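To make concrete why a "higher"/"lower" reply is so much worse than a plain right/wrong answer, here is an added Python model of the phone check described above (not PayPal's code or anything from the show; the digit-guessing rules and sample values are constructed). It counts how many replies such an oracle needs before every digit is known.

```python
# Constructed model of the phone-support check described in the listener
# comment (not PayPal's code). A correct check answers only right/wrong, so
# a 4-digit value leaves 10,000 candidates; an oracle that answers
# "higher"/"lower" lets each reply halve the range of one digit.

def leaky_digit_check(secret_digit: int, guess: int) -> str:
    """The behaviour in the story: the rep says 'higher', 'lower' or 'yes'."""
    if guess < secret_digit:
        return "higher"
    if guess > secret_digit:
        return "lower"
    return "yes"


def guesses_needed(secret: str) -> int:
    """Number of replies needed to recover every digit of `secret` when each
    reply narrows the remaining range (a binary search over 0..9 per digit)."""
    total = 0
    for ch in secret:
        lo, hi = 0, 9
        while True:
            guess = (lo + hi) // 2        # always ask for the midpoint
            total += 1
            reply = leaky_digit_check(int(ch), guess)
            if reply == "yes":
                break
            if reply == "higher":
                lo = guess + 1
            else:
                hi = guess - 1
    return total


def worst_case_guesses(length: int = 4) -> int:
    """Upper bound on replies for any value of `length` digits: the slowest
    single digit, times the number of digits (4 per digit, so 16 for 4)."""
    return length * max(guesses_needed(str(d)) for d in range(10))


if __name__ == "__main__":
    # "6666" is a constructed sample value, not a real account number.
    print("replies to recover 6666:", guesses_needed("6666"))
    print("worst case for 4 digits:", worst_case_guesses(4),
          "versus 10,000 candidates with a right/wrong check")
```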
2) 01:00:52 - 01:03:38, Ian Cummings (Newbury, UK)
Listener Comment: To authenticate yourself when calling PayPal you now need to generate a code once you log in and give it to them when you ring. It is no longer the last 4 digits of your credit card.
Steve's Comment: This is more secure, as the last 4 credit card digits are easy to acquire.
3) 01:03:38 - 01:08:35, Mark McSweeny (Concord, New Hampshire)
Question: A listener SSHes to his Linux box when he's away, using public-key cryptography for authentication and a SOCKS proxy to browse the web through that machine.
Answer: Steve says this is just as secure as an SSL VPN, and that it is good not to run SSH on the default port.
4) 01:08:35 - 01:14:43, Jeff Harmon
Question: A listener can't get his 16-bit software to work after installing Windows XP Service Pack 3.
Answer: Steve cannot verify that 16-bit support was dropped in SP3. Leo thinks a file may have been corrupted when he installed SP3. We are seeing Microsoft starting to stop supporting 16-bit applications; Steve believes he heard that Windows 7 completely drops support for 16-bit applications.
5) 01:14:43 - 01:18:33, Larry (Minnesota, USA)
Question: A listener wants to know how SSL can protect you from man-in-the-middle attacks at unsecured WiFi hotspots but not in a corporate environment.
Answer: In a corporate environment you receive the SSL certificate from the content-filtering system, not from the website, so it can decrypt your traffic and read it before sending it on to the website.
6) 01:18:33 - 01:23:12, Paul Kucher (Ellicott City, Maryland)
Listener Comment: A simple example of hysteresis. When the temperature rises beyond the set temperature of the thermostat, the heater turns off. When the heat begins to escape your home and the temperature begins to fall, the heater does not come back on immediately after it reaches the set temperature; otherwise it would be constantly switching on and off. Instead, the temperature decreases to a lower threshold, whereby it then begins to increase until it shuts off again. Hysteresis allows the heater to turn off and on at a minimal interval without constantly switching off and on while it tries to converge on the target temperature.
Steve's Comment: He has seen this in many thermostats before.
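The thermostat described above, as an added simulation that is not from the show: the same heater is run under a plain comparator and under a two-threshold (hysteresis) controller, and the number of on/off switches is counted. Temperatures are in tenths of a degree so the arithmetic is exact; the setpoint, band and heating/cooling rates are constructed values.

```python
# Constructed thermostat simulation (not from the show). Temperatures are
# integers in tenths of a degree; start, heat and loss are made-up rates.

def simulate_thermostat(steps, setpoint, band, start=180, heat=3, loss=2):
    """Run a heater under a thermostat and return (switch_count, trace).

    band == 0 is a plain comparator: the heater goes on whenever the room
    is at or below the setpoint and off whenever it is at or above it.
    band > 0 adds hysteresis: it switches on only at setpoint - band and
    off only at setpoint + band, so small excursions around the setpoint
    do not toggle it.
    """
    on_below = setpoint - band
    off_above = setpoint + band
    temp = start
    heater_on = False
    switches = 0
    trace = []
    for _ in range(steps):
        if heater_on and temp >= off_above:
            heater_on = False
            switches += 1
        elif not heater_on and temp <= on_below:
            heater_on = True
            switches += 1
        # The room warms while the heater runs and cools while it is off.
        temp += heat if heater_on else -loss
        trace.append(temp)
    return switches, trace


if __name__ == "__main__":
    for band in (0, 5):
        switches, trace = simulate_thermostat(40, setpoint=200, band=band)
        print(f"band={band / 10:.1f} deg: {switches} switches in 40 steps, "
              f"settled range {min(trace[10:]) / 10:.1f}-{max(trace[10:]) / 10:.1f}")
```

With the constructed rates the comparator toggles 28 times in 40 steps while the 0.5-degree band toggles 8 times, at the cost of the room overshooting by about 0.7 degrees.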
7) 01:23:12 - 01:26:07, Glenn Edward (Nottingham, Maryland)
Question: A listener wants to know if AES and PGP are secure after reading www.mediafilter.org/caq/cryptogate.
Answer: The technology is secure, but the implementation in this case was not; the machines were deliberately made insecure.
8) 01:26:07 - 01:29:18, Taz (Nova Scotia)
Listener Comment: You can set how PayPal will ask you to identify yourself when you ring them in your PayPal preferences. To access it, log on to PayPal and go to My Account, then Edit Profile; at the bottom of the Account Information column there is an entry called Identification Preferences.
Steve's Comment: This is correct; go there and do it.
9) 01:29:18 - 01:35:28, Renee-Ann (Birmingham, Alabama)
Question: How do you image your hard drive?
Answer: Steve's favourite software is "Image for Windows". Before he uses it he deletes temporary files, runs system cleanup, and empties the trash.
10) 01:35:28 - 01:38:16, Rafael Mediavia (San Juan, Puerto Rico)
Question: Why aren't you on Twitter?
Answer: Steve is fundamentally incompatible with Twitter.
- Ad Time: and 03:22-06:12
Nerds On Site
- Ad Time: and 55:14-57:40
- Recorded Date: March 18, 2009
- Release Date: March 19, 2009
- Duration: 1:39:58
- Log line:
- Edited by: Tony
- Notes: Removed Steve disconnection @ 34:22