Security Now 269

From The Official TWiT Wiki
Security Now 269: Your Questions, Steve's Answers 102

Security Updates

3:15 - 5:15

  • The Combating Online Infringements and Counterfeits Act (COICA) was dropped
  • But Steve and Leo believe it will keep coming up

8:28 - 9:55

  • Adobe Acrobat & Reader v9.3.4 were patched Tuesday, Oct 5th
  • Fixes the 0-day vulnerability that's being actively exploited

9:56 - 12:55

  • Google Chrome updated to v6.0.472.63
  • Multiple remote code execution vulnerabilities are being fixed
  • One in the handling of scalable vector graphics (SVG) objects and another in the buffer mismanagement of the SPDY protocol (SPeeDY)

12:56 - 15:06

  • Steve is loving LastPass

Security News

15:07 - 17:58

  • RIM has given "manual" access to BlackBerry Messenger to India
  • Within four to five hours of a request, paper printouts of the Messenger dialog are provided
  • Fully "Automated" realtime access is coming by the start of 2011.

17:59 - 24:50

  • Comcast has been testing a Proactive Bot Notification and is now preparing to take it nationwide
  • They say "We may email a “Service Notice” to your Comcast email address if we believe a computer behind your cable modem may be infected with a type of virus called a Bot."

SpinRite Story

24:51 - 28:28 Bobby Irvin (Rogers, Arkansas)

SpinRite fixed a broken hard drive

Questions & Answers

30:45 - 01:17:09

Question [ 01 ] - Gary in Detroit, MI mourns the end of the PayPal plug-in...

30:45 - 34:24
Question: I am very disappointed that PayPal chose to discontinue the plugin. It was a great feeling to be able to pay for online purchases with their "secure card" without revealing my credit card, and have the funds come out of my PayPal account. Is there an alternative?


Answer: Steve asks listeners to suggest alternative services. The chatroom points out that Citibank offers this.

Comment [ 02 ] - Paul in Montreal, Quebec shares some troubling information about iPhone apps:

34:25 - 38:02
Listener Comment: Below is a link to a story that came out this week concerning Droid and iPhone apps and how a good chunk of these free apps are conducting data collection from the devices they are installed on. I've always been a little put off by its lack of security and Apple's carefree attitude when it comes to security in general. Reading this article just confirms every reason for me never to buy one.

http://www.h-online.com/security/news/item/Study-Many-free-iPhone-apps-pass-device-ID-to-the-app-vendor-1100828.html


Steve's Comment: Steve thinks this will become a bigger problem in the future.

Question [ 03 ] - Sean in Woodside, NY has given a lot of thought to the technical consequences of his death...

38:03 - 44:42
Question: I've been thinking about how to make sure people have access to my online accounts in the event that I'm either incapacitated or die. I'm a lastpass user and considered giving my lawyer a one time password but after thinking more about it I've decided that I want things to be a little more secure and am taking a lesson from Nuclear Missile Silos . Here's the plan I'm thinking of using:


1) Generate 3 One Time Passwords.


2) Select 3 trusted family members or friends who don't know each other well.


3) Divide and combine the passwords so any combination of 2 people have one complete password. For example:
a) Assume that the one time passwords are "0123", "4567", "89ab". (yes I know they are really 32 characters, but this is just for an example)
b) The first key is the first half of password 1 and the second half of password 2, "0167".
c) The second key is the first half of password 2 and the second half of password 3, "45ab".
d) The third key is the first half of password 3 and the second half of password 1, "8923".


4) Give each of the 3 trusted folks 1 of the new keys tell them to hold it until approached by my lawyer. These folks have no other information about the system.


5) Give my lawyer the URL and my account name for lastpass, the list of people who have keys and how to assemble them.


Of course, part of the appeal of this is to hand a friend a card with a 32 character key and say "in the event of my death, my lawyer will reach out to you, you will need this passcode". Most of my friends are already freaked out when I use additional authentication factors such as PPP or the grid on LastPass; giving them a secret code with instructions to wait until contacted will have them thinking I'm in the CIA.

So, is this too much? I'd love to hear what you think


Steve's Comment: He raises a good point about giving people access to your online world in the event you are no longer around. He also thinks that just giving a single password to someone you trust is probably OK.
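The split described in steps 1 to 5 above, modelled in Go as an added example (not code from the podcast or from LastPass; the four-character passwords are the listener's toy values, and the function names are chosen here). It checks that any two of the three cards yield one complete password, and it makes visible two properties the description does not spell out: a single card reveals half of two of the three passwords, and the construction is strictly 2-of-3, because with four or more trustees a non-adjacent pair holds no complete password.

```go
package main

import "fmt"

// SplitKeys implements the listener's construction: trustee i's card is the
// first half of password i followed by the second half of password i+1
// (wrapping around). All passwords must share the same even length.
func SplitKeys(passwords []string) ([]string, error) {
	n := len(passwords)
	if n < 2 {
		return nil, fmt.Errorf("need at least two passwords")
	}
	l := len(passwords[0])
	if l%2 != 0 {
		return nil, fmt.Errorf("password length must be even")
	}
	keys := make([]string, n)
	for i := 0; i < n; i++ {
		p, q := passwords[i], passwords[(i+1)%n]
		if len(p) != l || len(q) != l {
			return nil, fmt.Errorf("passwords must all have length %d", l)
		}
		keys[i] = p[:l/2] + q[l/2:]
	}
	return keys, nil
}

// Recover returns the one complete password trustees i and j hold between
// them. With three trustees every pair is cyclically adjacent, so every pair
// succeeds; with four or more, a non-adjacent pair holds no complete password.
func Recover(keys []string, i, j int) (string, bool) {
	n := len(keys)
	h := len(keys[0]) / 2
	switch {
	case (i+1)%n == j: // j holds the first half of password j, i holds its second half
		return keys[j][:h] + keys[i][h:], true
	case (j+1)%n == i: // symmetric case
		return keys[i][:h] + keys[j][h:], true
	}
	return "", false
}

// HalvesExposed counts how many of the passwords a single card reveals half
// of. For distinct halves it is always two: a card is not a threshold share,
// it is literally half of each of two passwords.
func HalvesExposed(passwords []string, key string) int {
	h := len(key) / 2
	count := 0
	for _, p := range passwords {
		if p[:h] == key[:h] || p[h:] == key[h:] {
			count++
		}
	}
	return count
}

func main() {
	// Toy values from the listener's example (constructed, not real OTPs).
	passwords := []string{"0123", "4567", "89ab"}
	keys, _ := SplitKeys(passwords)
	fmt.Println("cards:", keys)
	for _, pair := range [][2]int{{0, 1}, {1, 2}, {0, 2}} {
		p, ok := Recover(keys, pair[0], pair[1])
		fmt.Printf("trustees %d+%d -> %q (%v)\n", pair[0], pair[1], p, ok)
	}
	fmt.Println("halves exposed by card 0:", HalvesExposed(passwords, keys[0]))
}
```

With 32-character LastPass one-time passwords, a trustee holding 16 characters of two of them is still nowhere near guessing the rest, but the property is worth stating: each one-time password is only as secret as the two cards that carry its halves, and any one card already narrows two of them. The scheme also does not scale past three people; adding a fourth trustee would need a different split (for example a proper threshold secret-sharing scheme) rather than more cards of this shape.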

Question [ 04 ] - Edwin Rosales in Springfield, Oregon wonders about the security of Wireless Keyboards and Mice...

44:43 - 48:00
Question: I use a wireless keyboard/mouse with my Dell laptop, just wondering if doing so created a weakness and/or security hole?


Answer: Wireless keyboards generally do not use strong encryption, and you need to be aware of that.

Question [ 05 ] - Brian M in Edmonton, Alberta says that Steve doesn't have to stop writing CryptoLink!

48:01 - 52:20

Listener Comment: I am glad I am not the only one losing sleep over that recent proposed bill. But I don't think you need to stop writing CryptoLink because of it. In fact, you likely won't have to change much of CryptoLink in order to make it comply. Let me explain.


At some point, you are going to be using symmetric crypto with symmetric keys to encipher the data. You could just encrypt the symmetric key with a special, high security, "Steve Gibson" public key, then include that in the stream; you won't have to shunt the traffic off to yourself. That way, it requires both you and the FBI to actually grab anyone's data. That is to say, the FBI cannot decrypt it without a court order to you, and you cannot decrypt it as you won't have a copy of the data. You wouldn't have to protect that key either, as it is merely a public key, and cannot be used to attack others. My understanding is that is how PGP works already, so it should be safe.


Steve's Comment: Steve doesn't like people saying that adding a backdoor will weaken crypto. He says he would do it by encrypting the session key with a public key for which only Steve holds the matching private key.
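Brian's construction in working code, as an added example that is neither CryptoLink nor anything Steve has published: the per-session key is wrapped under an escrow public key with RSA-OAEP and carried in the record next to the AES-GCM ciphertext, so a captured stream plus the escrow private key decrypts, while either alone does not. The record layout, the OAEP label and the function names are assumptions made here; the cryptography is Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record layout on the wire (assumed for this example):
//   [2-byte length][RSA-OAEP wrapped session key][12-byte nonce][AES-GCM ciphertext+tag]
// The wrapped key is what a wiretap captures; only the escrow private key opens it.

var escrowLabel = []byte("escrow-v1") // OAEP label, constructed for this example

// Seal encrypts msg under a fresh random session key and wraps that key with
// the escrow public key, so the stream itself carries the escrow copy.
func Seal(escrowPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	sessionKey := make([]byte, 32) // AES-256 key, never leaves this function in the clear
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, escrowPub, sessionKey, escrowLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The wrapped key is GCM associated data: swapping it for a wrap under a
	// different public key makes the authentication tag fail.
	ct := gcm.Seal(nil, nonce, msg, wrapped)

	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// OpenWithEscrow is what the escrow-key holder can do with a captured record:
// unwrap the session key, then decrypt the data. The captured stream alone
// and the private key alone are each useless.
func OpenWithEscrow(escrowPriv *rsa.PrivateKey, record []byte) ([]byte, error) {
	if len(record) < 2 {
		return nil, errors.New("short record")
	}
	wlen := int(binary.BigEndian.Uint16(record[:2]))
	if len(record) < 2+wlen {
		return nil, errors.New("truncated wrapped key")
	}
	wrapped, rest := record[2:2+wlen], record[2+wlen:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, escrowPriv, wrapped, escrowLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated nonce")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, wrapped)
}

func main() {
	escrow, _ := rsa.GenerateKey(rand.Reader, 2048)
	rec, _ := Seal(&escrow.PublicKey, []byte("hello over CryptoLink"))
	pt, err := OpenWithEscrow(escrow, rec)
	fmt.Printf("escrow holder reads: %q (err=%v)\n", pt, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // some unrelated key pair
	_, err = OpenWithEscrow(other, rec)
	fmt.Println("unrelated private key fails:", err != nil)
}
```

Two things the example makes visible. Binding the wrapped key into the GCM associated data stops an intermediary from replacing it with a wrap under a key of their own choosing. And the escrow private key, unlike the public key Brian rightly says needs no protection, is exactly the thing that does need protecting: whoever holds it, or any copy of it that leaks, decrypts every record ever captured, which is the single point of failure the backdoor discussion turns on.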

Question [ 06 ] - Dennis Östergren in Karlskrona, Sweden notes "The World View according to US congress"...

52:21 - 57:55

Question: Off and on during the previous years, the likes of Pirate Bay have published letters from US authorities where the lawyers from the rights holders of media have stated that according to the DMCA and whatnot, they absolutely have to stop their business because they are in violation of US law.

Every time the same answer is given back: US law does not pertain to companies, or individuals outside of the US, thank you very much but go away and leave us be. One sometimes gets the notion that that catches the MPAA or their attorneys off guard and by surprise. I'm sure that's not the case, it's so obvious, and yet they try.

So in terms of your episode regarding encryption, and the demand for installing back doors, it's the same thing all over again. What's stopping any US company from merely selling their product via any other country, or registering their company elsewhere? I don't expect the big ones like Microsoft moving shop but still... I'm absolutely sure both you and Leo know this, but it could be worth mentioning on the air that US law pertains to US citizens and US companies alone; it's very easy to get the idea from listening that what you discussed has an impact on everyone. Did I miss something obvious? May I suggest you move to Sweden?


Answer: Steve isn't going to move to another country. He can simply develop a different product instead.

Comment [ 07 ] - Griff in Columbia, MO shares his take on "Encryption Backdoors"

57:56 - 01:03:15

Listener Comment: You mentioned the new proposed law might not allow point-to-point encrypted traffic. Forcing encrypted traffic through an encryption vendor's server is not necessary, I think, for the government to achieve real-time wire-tapping. I suspect the government intends to obtain the encrypted traffic as it goes through each ISP's servers or routers, or maybe somewhere on an internet backbone, and also require the encryption software vendor to provide some master key or other means to allow the government to decrypt the messages in real time. This wouldn't require, for example, Skype's or CryptoLink's point-to-point encryption to go through a central server somewhere. Even point-to-point messages already go through a relatively small number of internet backbones where the "wire tapping" could occur (maybe already occurs?).


Steve's Comment: Someone needs to tell the FBI that you can just flip a switch and do this.

Question [ 08 ] - Oliver Stengele in Heidelberg, Germany says: "Welcome to the rest of the world with COICA"...

01:08:07 - 01:12:00

Listener Comment: As is common for the listenership of your podcast, I am a computer science student in Germany and I am here to bring you bad news and more bad news: The idea behind COICA - that is, government controlled internet censorship via DNS blacklists - is not new. Not long ago, we had the exact same brain-dead proposition in our political organs. The "Zugangserschwerungsgesetz" (German for "access complication law") was headed by Ursula "Zensursula" von der Leyen and justified with the killer argument of fighting child pornography. Long story short: the whole thing went through and is currently in effect. Well, not quite - because a short time after the proposition became law, some politicians realized what they had done and, due to an incredibly huge public opposition, which peaked with an online petition to the German Bundestag with 134,015 supporters - the largest petition to this day - they delayed the censoring part of the law, but did not cancel the whole thing.


The details are mostly disturbing but one thing is clear: it is a huge mess. And guess what? Not long after "Zensursula", a member of the European parliament named Cecilia Malmström got hooked on the same idea, this time for the whole European Union. I do not need to repeat the reasons against Internet censorship - you and Leo named quite a few in your recent episode - but seeing that now even the US is no longer safe from this Pandora's box really bothers me. If COICA gets through, it will become a "shining example" for all those countries that want to implement internet censorship in the future - a very scary prospect in my opinion. I just hope the land of unlimited possibilities does not become the land of impossible limitations.


Steve's Comment: It will be sad if the internet becomes censored and secure communication becomes impossible.

Comment [ 09 ] - Kris Ackermans in Kortenberg, Belgium reminds us of Rijndael's 10 year birthday:

01:12:01 - 01:17:09

Listener Comment: On October 2, 2000 the Rijndael cipher was announced as the winner of the contest the NIST held in their search for the cipher for AES. At least, that's what I'm reading in the press today. No one has come close to cracking Rijndael in the 10 years that have passed, despite full publication of the algorithm. I thought it would be fitting to remember this occasion on SN in times when governments no longer seem to be in favor of true security.

Steve's Comment: We already have a full understanding of how to do secure cryptography, and Rijndael is a cipher that has withstood ten years of public analysis.

Comment [ 10 ] - Alec Thompson in British Columbia, Canada (16 y/o) is This Week's Up and Comer!

01:17:10 - 01:19:44

Listener Comment: I was listening to your recent podcast, episode #267, and I was really enjoying listening to the response from 17 year old JR Hallman. I'd like to make a sort of a shout out here that I hope you'll mention on your show. I'm 16 myself, and so far I've learned a variety of skills such as C, PHP, Python, XHTML, MySQL, and even assembler recently. My personal inspiration came from a site called http://www.hellboundhackers.org


Don't be thrown off by the name; the site is full of supporters of ethical hacking, and the majority of the site's users are younger than 25. Together, we have a pretty strong bank of knowledge, and I thought I would mention this in hopes of inspiring other kids my age to learn programming skills. The site teaches the ins and outs of how to break into sites, so you yourself can learn how to keep malicious hackers out. Writing secure code is, as you would certainly know, very important stuff and I figured that you might be interested in passing along the link to everybody. Whether you're under 25 or not, there's probably something for everyone to learn.


Steve's Comment: Steve wants to acknowledge Alec and thinks it's great that young people are listening.

Sponsors

Astaro

  • Astaro.com
  • Phone: 877-4-ASTARO
  • Ad Times: 1:00-1:15 and 5:14-8:15

Go To Meeting

  • Gotomeeting.com
  • Offer Code: now
  • GoToMeeting #2
  • Ad Times: 1:17-1:26 and 28:41-30:44

Mail Route

Production Information

  • Edited by: Tony
  • Notes: