Security Now 220

From The Official TWiT Wiki
Security Now 220: Listener Feedback 78

News & Errata

01:10 - 04:54

  • Steve created the first sampling synthesizer when he was at UC

09:20 - 11:55

  • New versions of Firefox are out (3.0.15 and 3.5.4)
  • They fix:
    • Crashes with evidence of memory corruption
    • Memory safety bugs
    • Heap buffer overflow in string to number conversion
    • Privilege escalation bugs
    • A heap buffer overflow in the GIF color map parser
    • Form history was vulnerable to stealing

11:56 - 16:30

  • A consultant found a problem with Time Warner's SMC8014 Wi-Fi router: the admin login page can be bypassed simply by disabling JavaScript in the browser
  • The router was also exposing port 80, and with it the router's web interface, to the Internet
  • Time Warner is scrambling to publish a fix
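The bypass described above is the classic pattern of a login check enforced only in the client. The following Python snippet is an added illustration, not code from the episode or from the router's firmware, and it assumes (hypothetically) that the router served the full admin page and relied on a script to redirect unauthenticated browsers; the page contents, cookie name and session value are constructed for the example.

```python
"""Client-side login gate vs. server-side session check (added illustration).

The 'vulnerable' handler models an admin page whose only access control is a
JavaScript redirect. A client with JavaScript disabled (or curl) gets the whole
admin page. The 'hardened' handler makes the decision on the server instead.
"""
from http.cookies import SimpleCookie

# Constructed sample content; none of this is taken from the real device.
ADMIN_PAGE = "<h1>Router admin</h1><form action='/reboot'><button>Reboot</button></form>"
LOGIN_PAGE = "<h1>Please log in</h1>"
VALID_SESSIONS = {"deadbeef"}          # hypothetical server-side session store

# The only "protection" in the vulnerable version: a redirect the browser may not run.
CLIENT_GATE = ("<script>if(!document.cookie.includes('session=')){"
               "location='/login'}</script>")


def parse_cookies(header):
    """Return the Cookie header as a dict; empty/missing header -> {}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_admin(request):
    """Always returns 200 with the admin markup; auth is left to the client."""
    return 200, CLIENT_GATE + ADMIN_PAGE


def hardened_admin(request):
    """Checks the session on the server; unauthenticated clients never see ADMIN_PAGE."""
    session = parse_cookies(request.get("Cookie")).get("session")
    if session not in VALID_SESSIONS:
        return 302, LOGIN_PAGE          # Location: /login would accompany this
    return 200, ADMIN_PAGE


def leaks_admin_without_auth(handler):
    """Simulate a no-JavaScript client with no cookie: does admin markup reach it?"""
    status, body = handler({"Cookie": ""})
    return status == 200 and ADMIN_PAGE in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_admin), ("hardened", hardened_admin)):
        print(name, "leaks admin page:", leaks_admin_without_auth(handler))
```

The check to take away: a quick way to audit any device for this class of bug is to request the post-login pages with scripting disabled or with a plain HTTP client and see whether the privileged markup, not just a redirect, comes back.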

16:31 - 20:06

  • The FCC has published a 107-page document discussing its proposals for net neutrality rules

20:07 - 21:25

  • Internet access is becoming recognized as a basic human right

21:26 - 23:02

  • Amazon has said that Kindle owners purchase 3.1 times as many books as they did before they owned the device

SpinRite Story

23:03 - 26:35 Kelly Stowell (Windsor, Ontario)

  • Steve has not seen a massive increase in performance after installing an SSD
  • Leo has seen a massive performance increase and says that you must ensure your hardware supports the SATA II spec

The listener's Raptor drive began to fail, so they ran SpinRite on it and it repaired the drive within 2 hours

Questions & Answers

29:35 - 01:19:43

Comment: [ 01 ]

29:35 - 33:24 Marv Schwartz (Case Western Reserve)
Listener Comment: To get Mozilla's Plugin Check to work when using NoScript you must allow mozilla.com and mozilla.org

Steve's Comment: This is correct, and Firefox 3.6 will automatically check whether your plugins are out of date. John Cumming will be on next week to talk about JavaScript

Question: [ 02 ]

33:25 - 39:29 Paul (London, Ontario, Canada)
Question: My bank (President's Choice Financial in Canada) is offering Rapport by Trusteer. Do you know anything about it, and do I need to use it? Also, could you create your own operating system called SOS (Steve's Operating System)?

Answer: Steve will be creating his own operating system for the PDP-8 but doesn't have enough time to write one for modern computers. Rapport hardens the web browser by doing things such as enabling private browsing and preventing DNS spoofing, and Steve recommends using it. The bank offers it because it has no control over its customers' computers, so it tries to protect the session even if the user's machine is infected with malware.

Question: [ 03 ]

39:40 - 43:39 Abhi Beckert (Cairns, Australia)
Question: Have you heard of the ClickToFlash plug-in for Safari on the Mac, or the similar plugin for Firefox?

Answer: This is a great plugin; the Firefox equivalent is called Flashblock

Question: [ 04 ]

43:40 - 47:54 Paul (Lancaster, PA)
Question: Is it better to write your own e-commerce application or purchase an off-the-shelf application?

Answer: Most people should use a commercial application and make sure it stays up to date. If you are both a programmer and a security expert, you could write your own system.

Question: [ 05 ]

52:51 - 58:22 John (Baltimore, Maryland) [Read after question 6 as Leo missed it]
Question: Is a 1024-bit SSL certificate key still secure, or is it time to move to 2048 bits like the root certificate authorities use?

Answer: The 1024-bit keys that are issued to sites expire within a couple of years, so for their lifetime 1024 bits is safe. Root certificate authorities have much longer expiration dates on their keys, so those keys need to be longer in case something happens before they are renewed.

Comment: [ 06 ]

47:55 - 52:50 Lex Thomas (Research Triangle Park, North Carolina)
Listener Comment: A maxim they like is: "The activity of debugging, or removing bugs from a program, ends when people get tired of doing it, not when the bugs are removed." (Datamation, January 15, 1984.) For those who are waiting for Microsoft to quit having Patch Tuesday, I'd say they are waiting for Godot.

Steve's Comment: Steve loves this quote (at 52:25 the ending music begins playing)

Comment: [ 07 ]

58:23 - 01:01:36 Tim Lemmon (Atlanta, Georgia)
Listener Comment: I tried to use my knuckle at the Disney theme park entrance instead of my fingerprint and it didn't work. This may be because they still have my fingerprint on record from 3 years ago, or the system is smart enough to recognise that it wasn't a finger on the reader.

Steve's Comment: Your fingerprint is probably being stored in an insecure database somewhere, so Steve recommends using a different finger from the one they ask for.

Question: [ 08 ]

01:01:37 - 01:10:54 Eric (Unknown)
Question: Someone got into my computer via SSH, so could you please do a round-up of SSH best practices?

Answer: Move SSH off the default port 22 to something different, and use a high-strength username and password. You could also use port knocking, whereby a client must send packets to certain ports in a certain order before the port you actually want will accept a connection.
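To make the port-knocking idea concrete, here is an added Python model of the server-side logic, not code from the episode or from any particular knocking daemon. It tracks each source address's progress through an ordered knock sequence, resets on an out-of-order or unexpected port (which is what defeats a plain sequential port scan), times out half-finished sequences, and opens the protected port for a limited window. The knock ports, the relocated SSH port 2222, the time limits and the sample packet list are all assumptions constructed for the example.

```python
"""Port-knocking decision logic (added illustration, not from the episode).

Feed it inbound connection attempts as (source_ip, dest_port, timestamp) and it
answers whether a connection to the protected port should be accepted.
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical knock ports, in required order
PROTECTED_PORT = 2222                # hypothetical relocated SSH port
KNOCK_WINDOW = 10.0                  # seconds allowed to complete the whole sequence
OPEN_DURATION = 30.0                 # seconds the protected port stays open after a good knock


class PortKnockGuard:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.progress = {}   # src_ip -> (index of next expected knock, time of first knock)
        self.opened = {}     # src_ip -> time at which the opening expires

    def observe(self, src_ip, dst_port, now):
        """Record one inbound SYN. Returns True only for an allowed hit on PROTECTED_PORT."""
        # Drop an expired opening before deciding anything for this source.
        if src_ip in self.opened and now >= self.opened[src_ip]:
            del self.opened[src_ip]

        if dst_port == PROTECTED_PORT:
            return src_ip in self.opened

        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now        # took too long: start the sequence over

        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened[src_ip] = now + self.open_for
                self.progress.pop(src_ip, None)
            else:
                self.progress[src_ip] = (idx, started)
        elif dst_port == self.sequence[0]:
            self.progress[src_ip] = (1, now)   # wrong port, but it restarts the sequence
        else:
            self.progress.pop(src_ip, None)    # any other port resets progress entirely
        return False


# Constructed sample traffic: a legitimate client, a scanner walking ports in order,
# and the legitimate client coming back after its opening has expired.
SAMPLE_EVENTS = [
    ("10.0.0.5", 7000, 0.0), ("10.0.0.5", 8000, 1.0), ("10.0.0.5", 9000, 2.0),
    ("10.0.0.5", 2222, 3.0),                       # correct knock, then SSH: allowed
    ("198.51.100.9", 2222, 0.5),                   # no knock at all: refused
    ("198.51.100.9", 7000, 4.0), ("198.51.100.9", 7001, 4.1),
    ("198.51.100.9", 8000, 4.2), ("198.51.100.9", 9000, 4.3),
    ("198.51.100.9", 2222, 4.4),                   # 7001 broke the sequence: refused
    ("10.0.0.5", 2222, 40.0),                      # opening expired at t=32: refused
]


def replay(events, guard=None):
    """Run events through a guard in time order; returns (ip, port, time, accepted) tuples."""
    guard = guard or PortKnockGuard()
    return [(ip, port, t, guard.observe(ip, port, t))
            for ip, port, t in sorted(events, key=lambda e: e[2])]


if __name__ == "__main__":
    for ip, port, t, accepted in replay(SAMPLE_EVENTS):
        if port == PROTECTED_PORT:
            print(f"t={t:5.1f} {ip:>13} -> {port}: {'ACCEPT' if accepted else 'DROP'}")
```

In a real deployment this decision sits in front of the firewall rule for the SSH port (a knock daemon watching the packet log and inserting a temporary allow rule for the source address); the knock itself is only obscurity, so the strong credentials the answer also calls for still do the real work once the port is open.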

Question: [ 09 ]

01:10:55 - 01:15:45 Joe Dorward (Berkshire, England)
Question: How do you use open Wi-Fi securely?

Answer: Make sure you use SSL when connecting to websites that require you to log in. Consider using a VPN.

Security Disaster of the Week: [ 10 ]

01:15:46 - 01:19:43 Eric Nichols (Odessa, Delaware)
Disaster: The default WEP key of a Verizon FiOS access point is the MAC address of its network interface. You can calculate the WEP key of a FiOS router using this website

Steve's Response: This means they are broadcasting the WEP key via the SSID

Sponsors

Carbonite

  • Carbonite
  • Offer Code: TWIT
  • Ad Time: 05:12 - 08:12

GoToAssist
