Security Now 252
Topic: RISCy Business
Recorded: June 10, 2010
Published: June 10, 2010
Security Now 252: RISCy Business
Adobe zero-day, overwrought iPad security news, the evolution of computing architectures, and more.
04:22 - 12:20
- All versions of Adobe Flash Player below v10.1 have a critical security vulnerability, Adobe Reader also has this vulnerability
- People need to go and update Flash Player
- The update for Adobe Reader will be coming on June 29th
- Steve also reminds people about Mozilla's Plugin Checker
- Steve has advice on how to protect yourself from the Adobe Reader vulnerability on his blog
12:21 - 13:12
- Microsoft Patch Tuesday News:
- 10 security bulletins (three critical) eliminating 34 known vulnerabilities in Windows desktop and server OSes, IE, and Office
12:13 - 14:30
- Adobe Photoshop CS, CS2, CS3, CS4 all have a known critical security vulnerability
News & Errata
17:45 - 30:01
- A group of researchers at Goatse Security discovered the protocol that AT&T was using to fill in the email address field for the login to their system from an iPad
- If an iPad user wanted to check their AT&T account status they could bring up the control panel on the iPad and the email address field was auto populated by sending the ICC-ID to AT&T and then they could look up what email address is associated with that number
- This was all done in the clear though and the security researchers realized that anyone could query AT&T's system
- The ICC-ID is 20 digits long but the last digit is a check digit
- The researchers then created a script to try every possible ICC-ID known to be in the range assigned to iPads and they collected 114,000 email addresses belonging to iPad owners
- AT&T has now fixed this vulnerability
- A CrunchGear Article
31:02 - 37:48
- Google hired a 3rd party to analyze what happened when they accidentally collected data from open Wi-Fi hotspots
- The code was found to have been set to save plain text data by default
- Canada joins Germany, Italy, France & US FTC in "investigations"
- In an unrelated case the California 9th circuit court just upheld a ruling by a lower court denying damages in a class-action suit brought by someone whose social security number was on a lost laptop
- Actual proven damages must have resulted, simply being annoyed is insufficient
37:49 - 38:28
- Windows 7 SP1 BETA is due out by the end of July, Final to be sometime in the fall (approximately 1 year from General Availability of Windows 7 - so Final due around October 2010)
38:29 - 39:22
- In Australia the word "Rooter" has a strong sexual connotation (Rooters love sex)
39:23 - 44:39
- Steve prefers the Kindle over the iPad for reading
44:40 - 48:08
- A physicist says that Steve Jobs is incorrect with his claims about the new iPhone screen
- Steve Jobs claims that the new screen has so many pixels it is greater than the eyes ability to distinguish between the pixels
- However this is incorrect, at 12" the eye's ability to resolve pixels is 50 cycles per degree so at 12" that's 477 pixels per inch not the iPhone's 320 pixels per inch
48:09 - 50:54 Darren Bessett (Thornton, Colorado)
Spinrite fixed a hard drive with wedding related data on
53:31 - 1:30:46
53:31 - 57:37
- As hardware became cheaper programmers told the hardware engineers they wanted more registers
- This meant the word had to be longer as they need more bits to specify the register
- So words got longer
57:38 - 1:00:00
- Simple instructions like "clear the register" didn't need a memory address so the instruction to do this got shorter
- An instruction was born that allowed you to add two numbers and store it in a third location
- This meant that you needed to specify 3 memory addresses in the instruction and it was longer than normal
- This gave birth to variable length instructions
1:00:01 - 1:12:00
- The programmers then asked for an instruction to do linked lists
- And then they asked for an instruction to call subroutines with bits in the instructions to specify which registers to preserve
- They also asked for an instruction to read memory until it finds a bit that is set
- The engineers then had the problem of figuring out how to implement these instructions
- The engineers then said that they couldn't design hardware to implement these features as it would require massive amounts of AND and OR gates
- So the engineers then dropped the idea of AND and OR gates and they said, wait a minute, computers have sort of flow paths.
- There's an adder that can get its data from different places, and there's a memory buffer that has the contents of memory, and there's maybe a multiplier that has its input.
- So imagine a very different kind of instruction word, probably long, many bits.
- But the bits in this so-called microcode, they just enable the flow of data along these different data paths at different times.
- And so just by sort of opening and closing these data paths in sequence, we can implement a complex instruction in multiple small steps so the outside world still sees it as a single instruction.
- Inside, the microcode has many small steps which it goes through to pull off this complex instruction.
- So the programmers don't see it on the outside, but the engineers who engineer the microcode, they came up with a whole new way of thinking about how to engineer a computer
1:12:01 - 1:30:46
- As technology moved forward we were no longer memory constrained
- Compilers were also born but they couldn't take advantage of these microcode based instructions
- When the computer architects of the past profiled the actual instructions that were being used, they discovered the familiar 90/10 rule. You know, 10 percent of the instructions were used 90 percent of the time.
- So they realised they were paying to make chips with instructions no one used
- The idea was that they realized they'd sort of gotten way off track with these incredibly expensive instruction sets because, they said, wait a minute, let's - hold on.
- Let's instead kind of go back to where we were.
- That is, let's have very simple instructions which, now that main memory was fast, had caught up in terms of the speed we needed, and it got cheap.
- Variable length instructions were scrapped
- The concept of caching came in
- Ad Times: 1:02-1:17 and 14:51-17:59
Go To Assist
- G2AX #3
- Ad Times: 0:42-1:01 and 50:55-53:30
- Edited by: Tony
- Notes: First time in the history of Security Now, a blooper.
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|