Security Now 330

From The Official TWiT Wiki

Security Now 330: Your Questions, Steve's Answers #132

News & Errata

Zero Day Flaw in Adobe Reader

  • Reader 10 has a new "protected mode" sandbox that mitigates the flaw in that version: an exploit cannot do the damage it can in earlier versions.
  • Reader 10 will be updated on Adobe's regular quarterly cycle.
  • An out-of-band emergency release for version 9 and all prior versions is due no later than the week of December 12th.
  • PCWorld News Article

OpenDNS "DNSCrypt" beta for Mac

  • A DNS encryption scheme for use with the OpenDNS service, for additional privacy on the path between you and the resolver (OpenDNS itself still sees the queries).
  • DNSCrypt Preview Release Article
  • Point-to-point encryption of DNS queries and responses between a Mac running the DNSCrypt client and the OpenDNS servers.

Zeus Banking Trojan

  • It has become the premier ACH (Automated Clearing House) banking trojan; victims typically install it on their own machines by mistake.
  • It lives on the system, watches the user perform banking transactions, and hijacks their banking credentials.
  • The latest variants perform a fraudulent transfer to take money from one or more victims.
  • They then launch a distributed denial of service attack against the bank's website to take it down.
  • This gives the attackers a larger window in which to move the funds somewhere the transfer cannot be reversed.
  • It also keeps legitimate users from reaching the site and seeing that their money is gone.
  • GCN News Article
  • The bad guys contact high-end luxury jewelry stores and commit to purchase precious stones or, for example, very expensive luxury watches. They arrange the purchase and say, okay, we're going to wire the money to you, and then one of our people will come and pick up the merchandise.
  • They then transfer money from one or more individuals infected with the Zeus trojan into a composite account, and from there to the jewelry store.
  • One of their so-called "mules" then comes in and picks up the physical merchandise, which has now been paid for from that composite money transfer wired into the store's bank; everything has been paid for.

Carrier IQ

  • What does Carrier IQ do?
  • Dan Rosenberg CarrierIQ: The Real Story
  • Executives at Carrier IQ have said that their monitoring software gathers information about web usage, as well as when, where, and to what numbers calls are made and text messages are sent, but not the content of text messages.
  • Data has always been collected, but the use of the devices has evolved to become more personal.


Jakob Nielsen has weighed in on the Kindle Fire and other seven-inch tablets

Tablet Usability Review

  • Regarded as a major UI guru.
  • Determined that seven-inch tablets were too small for convenient use of non-mobile websites.
  • However the iPad or a larger screen, a 10.something-inch screen, was large enough for non-mobile websites.
Review of current eInk readers

Spinrite Story - Paul Smith

"SpinRite Saves Movie Night"

"Hi, Steve and the support team. Sunday night is movie night for us. However, the disk drive in our NAS, our network attached storage box, started going AWOL. So I took it out and connected it to a PC and ran my copy of SpinRite - first use since I ordered and purchased it back in 2010. Anyway, at about 16 percent I got a divide overflow error and a red screen. This being Sunday, I thought that was it. But no, an email to GRC Support was returned in minutes, and changing a setting in the BIOS as recommended by Greg completely cured the problem. Within the hour, SpinRite had completed its magic, and movie night was back on. Of course, the drive then worked perfectly. Thanks, Steve, for the great software. And you can pass my thanks to Greg McIntyre from your support team. And also thanks for the Security Now! show."

Questions & Answers

Question: [ 01 ] - @Jason_JW

Question: Steve, any recommendations for PC performance diagnostic software? My boss complains the PC I recently built is slowing down. Thanks.

So I thought about Jason's question, saying that a recently built machine was slowing down. And he was asking me, like as you read, recommendations for PC performance diagnostic software. And I thought, okay. I'm aware of a number of different things that have been around. For example, there was something I ran maybe six months ago that did an audit of my machine's startup, so that I was able to see what was going on as the system was starting. But I sort of pushed myself back a little bit. And I said, you know, one thing that almost anything you install does is make a mention of itself right in the control panel under Add/Remove Programs.

And so what I normally do when I first encounter a system which is running sluggishly, is rather than installing any other kind of third-party stuff, I just jump over to the Control Panel and look at Add/Remove Programs. And it's very revealing to see how much crap, frankly, a machine can acquire, in someone else's hands, in a couple of months. There are some people who just seem unable to resist installing things. And very often these are things that are installed once.

So many programs now that you install want some time from your system when they're starting up. They want to run in the background. They want to run a chunk of themselves in the background. I'll see that, like, for example, things I rarely use, like for example Microsoft Office Suite, will have a quick startup thing that it's running whenever it starts up. And it's like, okay, do I really need all of that? So I would recommend, before you do anything else, just go to the Control Panel, look at Add/Remove Programs, and scroll through, maybe sit down with the person whose machine this is and say, okay, when was the last time you used that? Do you really need that? And what about that one? Very often these are things they installed once and then forgot about, haven't even used since. And just getting rid of all that junk can really make a difference. So I think that's what I would recommend is just use - just go through and look at, sort of challenge them for the things that are installed, do they really need those things.

Question: [ 02 ] - CyberAdminDude

I am a catchall server/programmer guy for a small company that runs a website. I was wondering what the easiest way to stress the importance of good practices to people less in the know is. When I talk about them, I get blank stares or NyQuil-like reactions to my rants. The person who is my commander isn't really tech savvy, either, but knows the buzzwords, LOL. So I don't have the influence/power to make changes myself. We have passwords like "apples" for our phpadmin page and FTP passwords like "Workus3r." Is there a website with a collection of testimonials or horror stories I can send to my coworkers to help them understand the threats?

The best advice that I have for people is try to connect the notion of cybersecurity to aspects of security that people do understand, and that's real-world security, physical security. Would you deliberately leave your front door unlocked? Would you deliberately walk away from your car with the windows rolled down while there's stuff in your car that would be valuable to somebody else, that might be available for stealing? I think that the problem that people have with cybersecurity, not understanding what's really going on, is that it's too virtual. They just don't think of it in the same way they think of physical security. We've talked about how no security is perfect. Yes, locking your front door doesn't prevent people from breaking your windows. But locking your front door is better than not locking your front door. And closing your windows is better than leaving them wide open.

So I've sort of thought about this a lot, and I think that the best advice is to try to relate this to security that people do understand. And everybody understands physical security, real-world security, security that you grow up gradually acquiring an awareness and an appreciation and an understanding of the importance of, over time. And try to explain that the same issues in the real world do affect the virtual world. And so it's important to take these precautions. Just leaving your windows down doesn't mean someone's going to steal from you, it just means they can much more easily. Similarly, using a password like "apples" doesn't mean somebody is going to crack into your phpadmin pages, but it means they can much more easily. It's exactly analogous.

Question: [ 03 ] - John Palmer

Steve, on December 1st you tweeted "Carrier IQ not a rootkit. It's commonly installed carrier feedback firmware for monitoring handsets. Comes with the territory." But, he says, it clearly is a rootkit, isn't it? So is it a rootkit or it's not a rootkit? Why isn't it a rootkit?

So it was interesting how much controversy this stirred up because I was seeing people using the term "rootkit." Actually, people were sending me in my Twitter feed all of this commentary about Carrier IQ being a rootkit. And so I tweeted, "It's not a rootkit." And that generated still more controversy. So I thought I would just take this moment to say to our listeners, to remind people, a rootkit is not software that you don't like. I mean, okay, a rootkit is software that you don't like, but it's not defined as software that you don't like. A rootkit is something that a malicious third party installs in your machine through a vulnerability, and it's not something that your OS vendor approves of, not something that you approve of. It was maliciously installed. So we now understand that, even though people may not like the idea that there is this monitoring technology which was offered by a third party, it's not a rootkit because it was there when you got the phone. I mean, it is - somewhere in the license agreement it says it's going to be there. And it may have been hidden from you deliberately. In some cases that's so that it's not mixed in with the applications that you see and you're able to run and install and remove and stop running and so forth. But it's also - it's part of the firmware. So I just wanted to draw that distinction. Rootkit, again, rootkit isn't defined as stuff you wish wasn't there. Rootkit is malware which was installed and hides itself. So, yes, Carrier IQ is preinstalled and hiding itself, but that's not a rootkit.

Question: [ 04 ] - Aaron

Hi, Steve. I'm confused by bandwidth. Everywhere you look, the only measure you find is Mb/s. Is it really that simple? Does that mean that my office of 30 people with a 1.5 Mbps connection is truly the same as my home DSL connection of 1.5 Mbps? Shouldn't there also be a capacity measurement? I'd like to think that the office connection is like a multilane freeway with a speed limit of 65, and my home is like a rural two-lane road with a speed limit of 65. Both have the same speed, but different capacities. Could you clarify?

Well, it's an interesting analogy which is a little bit confused. But we'll have some fun here with some visuals. We recently on the podcast talked about the way bandwidth is throttled, that is, I think it was a Q&A maybe either two weeks or four weeks ago. Somebody said, how is it that bandwidth is differing for different users, if all the packets on the Internet are moving between routers at the same speed? Which is the case. The routers out on the main Internet backbone are treating everybody the same. It is the so-called "last mile," which is the term used for the ISP to you connection, where the ISP is hooked into the main backbone of the Internet, pulling, able to transact traffic with all of the other major providers on the Internet. But then your ISP is sort of your portal, your connection out onto that super high-capacity highway. So what your ISP does is limit sort of the average speed that you're able to move traffic to and from the Internet.

Now, the reason that this wide-lane, multilane freeway analogy, where all the cars are moving at 65 miles an hour, versus a rural two-lane road with the same speed limit, the reason that's sort of confusing is that the way to think of bandwidth would be in cars per second, for example. So if all the cars are moving at 65 miles an hour, but you've only got one lane in each direction on a rural road, then that's going to limit the number of cars per second that are able to travel. But if you had a multilane freeway, where each lane was moving at 65 miles an hour, because now you've got parallel lanes, the number of cars per second is much higher on a freeway, which actually is why freeways work.

We have the notion of packet rate, where an ISP limits you to a certain packet rate, that is, the number of packets per second you're able to move. The packets themselves may move very quickly. In fact, the actual packet, the actual rate at which the bits move would be the same for a low-bandwidth cable modem user and a high-bandwidth cable modem user. It's just that the high-bandwidth cable modem user gets more packets per second, where the actual packet rate is the same.

And now, finally, stepping back and looking exactly at what Aaron was talking about with his office connection at 1.5Mb and his home connection, what really happens is, if you were to monitor a single user's 1.5Mb connection, it would be very burst-y. That is, he clicks a link, and that sends the link off. And then the page comes back. And then he sits there and looks at the page, scrolls a bit, clicks a link. Again, that happens. So he may have a 1.5Mb connection, but he's not using it, that is, his utilization of it, because he's just one person, is probably relatively low. But if you put his 30-person office behind that same 1Mb connection, you're going to see it is saturated by those 30 people.

So now you've got 30 people, all clicking links and probably waiting a little bit longer, that is, their traffic is, like, lined up one behind each other, really packing that 1.5Mb connection much more densely than Aaron sitting by himself at home. So even though both situations, a 30-person office and one-person home, may have a 1.5Mb connection - and this is what he talked about when he's talking about capacity. It's actually the utilization level of that link at that speed is probably much higher when you've got 30 people all fighting each other for access to the Internet over that same relatively low-bandwidth channel, compared to 30 people. Essentially, if they were all trying to use it all the time, they would be 1.5Mb divided by 30 would be their shared level of access.

The good news is it can function pretty well because most users who are not just downloading monster files, but interactive users, are inherently burst-y in their access. They click a link, get a page, look at it, click a link, get a page, look at it. And that's the kind of access that 30 people could share just by sort of interleaving their access.

Question: [ 05 ] - Kevin Odell

How can you test guest networking is properly segmenting the networks? I know you mentioned the Airport Extreme does it properly. I recently purchased a D-Link DIR-655 router and have had a lot of problems using AirPlay between my iPhone and my Apple TV 2. Recently a friend was at my house and said, "Cool, I can see your Apple TV." I knew immediately there was something wrong with the router since he was on the guest network, and the Apple TV should not be visible. I did a firmware upgrade, and still the same thing. I turned off the guest networking, and AirPlay works perfectly. I went through three levels of tech support, and they finally passed it on to the engineers at D-Link, and they still can't explain it. I just wanted to make your listeners aware, don't trust guest networking unless you know for a fact that it's working properly.

So that's a great piece of wisdom. One of the things that I hear frequently as the person who offers ShieldsUP, which has been used for untold number of years by people to check their security, what I'm hearing all the time is they'll believe they're secure, that they'll believe their ports are closed or that they know the way their system is configured, they'll check it with ShieldsUP, and ShieldsUP will find a port which is open that they were unaware of. And so it's really the case that testing is the only way to know for sure what's going on.

Now, I did a little bit of research on D-Link in particular, since that's what Kevin was referring to. And there is a setting on the guest network configuration, which you have to explicitly disable, which allows routing between the guest network and the main home network. So you absolutely want to make sure that's turned off. If not, then the router will allow traffic to cross between guest and main network. And even so, you want to test. The way to test is as simple as just trying to ping the router. I mean, I'm sorry, try to ping the machine on either side that are in these networks which are supposed to be isolated.

Take a look at the IP, for example, that a machine has been assigned over on your home network. And then, from a machine on the guest network, just use the ping command. Open up a command window and type p-i-n-g, space, and the IP address of the other machine. See whether you get a response. You hope not to, if that machine is not accessible, and you want your networks to be isolated. And I would just say, if you're using a guest network, regardless of what router you have, look carefully at those settings and make sure that the router has been instructed to isolate those networks. Because it makes sense that there would be the option because in some cases you might want your guest, for example, to have access to your Apple TV device. In other cases, you definitely don't.
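The ping test Steve describes, written out as an added example (not code from the show or from D-Link). Run it from a machine on the guest network against the address you looked up on the main network. Because some devices drop ICMP echo while still answering on service ports, it also attempts TCP connects on a handful of ports; the port list and its labels are assumptions, not from the page, and demo_local_probe only exercises the probe logic against loopback so the script can be checked without two networks.

```python
"""Probe whether a host on the main LAN is reachable from the guest network.

Usage: python probe_isolation.py 192.168.1.20   (IP of a device on the main LAN)
A fully isolated guest network should show no ICMP reply and no open TCP port.
"""
import socket
import subprocess
import sys
from typing import Dict, Iterable, Tuple

# Assumed list of ports worth checking on a home LAN (not from the page).
DEFAULT_PORTS = {
    22: "ssh",
    80: "http",
    445: "smb",
    3689: "daap (iTunes / Apple TV sharing)",
    5000: "airplay audio (raop)",
    7000: "airplay (Apple TV)",
    62078: "ios lockdownd",
}


def icmp_ping(host: str, timeout_s: int = 1) -> bool:
    """Return True if the host answers a single ICMP echo request (uses the OS ping)."""
    win = sys.platform.startswith("win")
    count_flag, wait_flag = ("-n", "-w") if win else ("-c", "-W")
    wait_val = str(timeout_s * 1000) if win else str(timeout_s)  # Windows wants ms
    try:
        result = subprocess.run(["ping", count_flag, "1", wait_flag, wait_val, host],
                                capture_output=True, timeout=timeout_s + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def tcp_probe(host: str, ports: Iterable[int], timeout_s: float = 0.5) -> Dict[int, bool]:
    """Try a TCP connect to each port; True means the host accepted the connection."""
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout_s)
            results[port] = s.connect_ex((host, port)) == 0
    return results


def is_isolated(host: str, ports: Iterable[int] = DEFAULT_PORTS, timeout_s: float = 0.5) -> bool:
    """True only if neither ICMP nor any probed TCP port reached the host."""
    if icmp_ping(host, int(max(1, timeout_s))):
        return False
    return not any(tcp_probe(host, ports, timeout_s).values())


def demo_local_probe() -> Tuple[bool, bool]:
    """Self-check on loopback: one port with a listener (open), one without (closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on closed_port now
    try:
        res = tcp_probe("127.0.0.1", [open_port, closed_port])
        return res[open_port], res[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("icmp reply:", icmp_ping(target))
    for port, reachable in tcp_probe(target, DEFAULT_PORTS).items():
        print(f"tcp/{port:<5} {DEFAULT_PORTS[port]:<32} {'OPEN' if reachable else 'closed'}")
    print("isolated:", is_isolated(target))
```

A "closed" result can still mean a firewall silently dropped the probe, so treat any reply at all as proof the networks are not isolated, and treat silence as evidence only for the ports you actually tried.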

Question: [ 06 ] - Luis

Hello, Steve. About the TTL or hop count, I want just to inform that, when a packet goes through a MPLS VPN for a customer, the provider doesn't touch the TTL. So a lot of times there is not a TTL change. Most packets have more hops than we can see on the traceroute. Just to inform you of that. Kind regards, Luis.

It's something that we had never talked about before in our - you were talking about the How the Internet Works series.

And one of the things we covered carefully was this notion of the TTL, the so-called Time To Live, which as Luis mentioned has been renamed "hop count" in the IPv6 spec. They wanted to make it clear that it wasn't a time measured in seconds or any temporal sense. It was actually decremented per router hop, and so simply called "hop count."

But the point he makes, and it's a really good one, is when you are in a virtual private network tunnel, then your traffic, as it moves from router to router, the external tunnel packets will have their TTLs decremented. But the packets moving through the tunnel don't see router hops at all. So there will be no TTL decrementation for tunneled packets, that is, packets that are being carried by the VPN tunnel, which is something I had never mentioned before. And I thought that was a neat observation. So if you were, for example, to do a traceroute from a point to another point, not through a VPN, you would see every hop count shown by traceroute that the packets made.

By comparison, if you did the same traceroute, but some portion of the transit was carried by VPN, then you would see none of the TTL decrementation or the IPs of the routers which a traceroute would normally show you, thus tracing your route, until your packet emerged from the other end of the tunnel, then made any additional hops it needed to, to get to its destination. So you are in fact blinded by the tunnel. They don't get seen. I thought that was just a very cool observation.
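A small model of what Steve and Luis are describing, as an added example (not from the show): it builds real IPv4 headers, decrements the TTL with a recomputed checksum at each router that forwards on the inner IP header, and leaves the TTL alone at devices that only switch on an outer label or tunnel header. The path, names and addresses are assumptions; in practice whether an MPLS core hides its hops depends on whether the provider propagates the IP TTL into the label (RFC 3443), and the model assumes the tunnel ingress and egress each decrement once like ordinary routers.

```python
"""Traceroute through a tunnel: which hops send ICMP Time Exceeded?"""
import socket
import struct
from typing import List, Tuple

# Assumed path (not from the page): True = forwards on the inner IP header and
# decrements its TTL; False = core device that only touches an outer label/tunnel header.
EXAMPLE_PATH: List[Tuple[str, bool]] = [
    ("cpe", True),
    ("pe-ingress", True),
    ("p1", False),
    ("p2", False),
    ("p3", False),
    ("pe-egress", True),
    ("dst-gw", True),
]


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int = 17, payload_len: int = 0) -> bytes:
    """20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ttl_of(hdr: bytes) -> int:
    return hdr[8]


def header_is_valid(hdr: bytes) -> bool:
    return ipv4_checksum(hdr) == 0


def decrement_ttl(hdr: bytes) -> bytes:
    """What every IP router does: TTL - 1 and a fresh header checksum."""
    ttl = ttl_of(hdr)
    if ttl == 0:
        raise ValueError("packet already expired")
    new = hdr[:8] + bytes([ttl - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


def simulate_traceroute(src: str, dst: str, path: List[Tuple[str, bool]]) -> List[Tuple[int, str]]:
    """Send probes with TTL 1, 2, 3, ... and record who answers each one."""
    seen: List[Tuple[int, str]] = []
    for ttl in range(1, 64):
        pkt = build_ipv4(src, dst, ttl)
        expired_at = None
        for name, touches_inner_ttl in path:
            if not touches_inner_ttl:
                continue  # only the outer header is decremented here; inner TTL unchanged
            pkt = decrement_ttl(pkt)
            if ttl_of(pkt) == 0:
                expired_at = name  # this router sends ICMP Time Exceeded
                break
        if expired_at is None:
            seen.append((ttl, dst))  # probe reached the destination: trace ends
            return seen
        seen.append((ttl, expired_at))
    return seen


def hidden_hops(path: List[Tuple[str, bool]]) -> int:
    """Devices the packet crossed that a traceroute will never print."""
    return sum(1 for _, touches in path if not touches)


if __name__ == "__main__":
    for hop, who in simulate_traceroute("10.0.0.1", "10.9.9.9", EXAMPLE_PATH):
        print(f"{hop:>2}  {who}")
    print(f"{hidden_hops(EXAMPLE_PATH)} hop(s) traversed but invisible")
```

With the assumed path the trace prints five lines while the packet actually crossed eight devices: p1, p2 and p3 never decrement the inner TTL, so no probe expires there and they are simply absent from the output.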

Question: [ 07 ] - Christopher S. Bates

I've been catching up on your podcasts here in the last few weeks and remember you mentioning a problem with some sites disallowing special characters in usernames and passwords. That's one of my bugaboos, too. I completely agree with you that this is horrible practice. I have noticed, though, and tried to get changed, that my bank follows this practice for logging into their customer web portal. I have reported this as being an issue many times to their online suggestion box/email system, but it has never been corrected. I left this in case you don't want to read it over the air. I'm talking about Chase banking. I just wanted to make it clear to you this is a large institution, not a small credit union.

So we've talked about this before. And since we last did, I verified some of the rumors I had heard. The reason this seems to afflict banks, annoyingly, is that the way the web evolved was that, unfortunately, web-based front ends were put in front of existing old-school mainframe banking back ends.

And so, I mean, it is slipshod, and it is sloppy, and there's no excuse for it. But there is an explanation for it. So I don't mean to be excusing this behavior at all, merely understanding and explaining it. And so it is because once upon a time the login technology for mainframes wasn't very secure, and it only allowed alphanumeric passwords. And so what happened was that exactly that technology was just sort of pushed out onto the Internet so that users are logging in, in the same way over the Internet that they once logged in directly at a mainframe terminal.

Now, there's nothing that would have prevented a much more sophisticated and secure front end to provide essentially separate web accounts which would then have an identity to the mainframe, so that users could log in with all kinds of extra security, multifactor authentication technology that the back end didn't ever need or think to support. And then, if all that succeeded, that would then log them in using old-school and private alpha-only login, so that they had to authenticate with a much more secure front end.

That's not what happened. And that's why we keep seeing banking institutions having among the worst web-facing login security of any. It's because of the legacy of mainframe login that just got surfaced out onto the web page. So the bad news is I don't think, no matter how many times Christopher and any of our other listeners complain, we're going to see any change. It will end up being a legislative requirement imposed by law. At some point they will say minimum password length and large character set must be supported, and they must be case sensitive, and so forth. It will be that kind of legislation which finally enforces banking institutions to say, well, we're going to have to spend some more money. They just don't want to spend the money.

Question: [ 08 ]

Every so often I hear you talking about how the apps in the Apple App Store are somehow more secure because they've been vetted by Apple. On first glance, this appears to be true. Apple does some vetting for each app. However, the truth is a little different. It's trivial to get undesirable code past the vetters.

As an active iOS app developer, I thought I'd share some insider information: For example, in my apps I allow four weeks to pass from the time of submission before doing anything that might be regarded as nefarious. I even check the date at to be sure I'm picking up the real date. I host a website with a simple text file on it. This contains instructions for the app, allowing me to adjust the app's activity. In my case, I use this to turn user logging off once I have enough data, but it doesn't take a genius to work out how this could be used to activate a malicious payload.

In my case I use this data to improve the apps and see which features are being used. I've got six apps in the App Store, every one of which sends data back to me behind Apple's back, without Apple or my apps' users knowing a thing about it. It's trivial to do, and there's almost zero chance of being caught. Great show, been a listener since the start.

So there's a perfect example of what we've talked about often, which is there is no way for Apple to know exactly what an app is doing. I mean, they'd have to have the source code, and then have to go through and inspect the source code in detail to see what's going on. So this anonymous listener, who is a developer, obviously came up with a slick way around it. He has his apps look for the date and change their behavior after a certain date. So it gets past Apple, who checks the app to see what it's doing at time of submission; and then simply, since the app knows it's going to have network connectivity, every so often it checks the date. And if it's been long enough, it suddenly awakens an aspect of the app that was lying dormant before. And in this case the app pings this guy's website to obtain updated instructions about how it should behave, whether or not it should still log and where it should send the logs and so forth.

So, I mean, I wanted to share this because this is actually happening. And it's very clear there's just no way to prevent this kind of behavior. And as he says, his use is not malicious, but it's certainly the case that it could be. And so the point that I made last week with Leo, when we were talking about what's more secure, Apple or Android, exactly, is none of the above. Maybe Apple is putting a little more oversight on - we made the point that Android developers pay $25, and it's easy to be anonymous, and then they were able to dump apps day and night into the Android store. Leo countered with the fact that, yeah, sure, but those apps can also be removed retroactively. So both Apple and, for example, Google in the case of Android Marketplace, have the ability of pulling things that are later found to be a problem.

And my point is, install as few things as possible. Or look carefully at the reputation of the companies whose apps you're installing. Now, this guy, who's a multi-iOS app developer, he's doing something that Apple doesn't officially approve of because he feels Apple's policies don't give him the flexibility he needs to deliver the best app to the users. I wouldn't disagree with that. And there is no way, I mean, this is a perfect example of there is no way for Apple to guarantee the performance of their apps, no matter what they do. So any malware could do this. And it's not like we're letting any secrets out of the bag. I mean, this is clearly obvious to any developer who wants their app to work, who wants this kind of flexibility and freedom. There isn't any way to prevent it.
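The developer's trick leaves one observable a defender can look for: an app that, weeks after install, starts talking to a host it never contacted during the period a reviewer would have watched it. This heuristic is an added example, not code from the show or from the anonymous developer; the log format (timestamp, app, destination, as an egress proxy or device management agent might record it), the 21-day threshold and the sample lines are all constructed assumptions.

```python
"""Flag apps whose outbound traffic first reaches a new host only after a long quiet period."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample data (not from the show): two apps installed on the same day.
INSTALLS: Dict[str, str] = {
    "notes-app": "2011-11-01",
    "weather-app": "2011-11-01",
}

EVENT_LOG = """\
# timestamp            app          destination
2011-11-01T10:00:00 notes-app   api.example-notes.net
2011-11-01T10:05:00 weather-app wx.example.org
2011-11-15T09:00:00 notes-app   api.example-notes.net
2011-11-30T08:30:00 notes-app   ctl.example-notes.net
2011-12-01T08:00:00 notes-app   api.example-notes.net
2011-12-06T07:00:00 weather-app wx.example.org
"""

Event = Tuple[datetime, str, str]


def parse_events(log: str) -> List[Event]:
    """Parse 'timestamp app destination' lines; blank lines and # comments are skipped."""
    events: List[Event] = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, app, dest = line.split()
        events.append((datetime.fromisoformat(ts), app, dest))
    return events


def first_contact(events: List[Event]) -> Dict[str, Dict[str, datetime]]:
    """Earliest time each app was seen talking to each destination."""
    first: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for ts, app, dest in sorted(events):
        first[app].setdefault(dest, ts)
    return first


def late_bloomers(installs: Dict[str, str], events: List[Event],
                  quiet_days: int = 21) -> List[Tuple[str, str, int]]:
    """Return (app, destination, days_after_install) for destinations that first
    appear at least quiet_days after install, i.e. hosts that were absent for the
    whole window in which a reviewer would have exercised the app."""
    flagged: List[Tuple[str, str, int]] = []
    for app, dests in first_contact(events).items():
        if app not in installs:
            continue  # unknown install date: cannot judge the delay
        installed = datetime.fromisoformat(installs[app])
        for dest, ts in dests.items():
            delay = (ts - installed).days
            if delay >= quiet_days:
                flagged.append((app, dest, delay))
    return sorted(flagged)


if __name__ == "__main__":
    for app, dest, delay in late_bloomers(INSTALLS, parse_events(EVENT_LOG)):
        print(f"{app}: first contact with {dest} came {delay} days after install")
```

On the sample log only notes-app is flagged, for ctl.example-notes.net at day 29; its ordinary API host and the weather app's single host were both seen on day one. The check is a heuristic, not proof: a legitimate app can add a host after an update, so the output is a list of things to look at, and the threshold should be at least as long as the review delay you expect an author to wait out.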

Question: [ 09 ] - Chad

Dear Steve, I wanted to share with you and fellow Security Now! listeners an issue I have come across. I recently placed an order through Roku. I ordered at my local open WiFi cafe while my connection was protected by VPN. But Roku cancelled my order and refunded the money. When I called to ask why, they explained that because the IP address of the computer I ordered from did not match the area of my credit card billing address, they flagged the order as fraud.

I explained at great length that the order was legitimate and that I was willing to reorder from my home computer so they could see that the billing ZIP code matched my home IP address location. But after a week of relentless calls, Roku still refuses to let me place my order again. Perhaps my situation could be an eye-opener to another Security Now! listener. Love listening to all the TWiT shows. However, without a doubt, Security Now! is top of my list. Thank you, Chad.

I thought that was really interesting. First of all, I am heartened from a fraud prevention standpoint to see that we're beginning to match up IP addresses with physical addresses. I mean, there's always been sort of an IP location technology, never worked very well. But over time, especially with things like Google roaming around, pulling the locations and mapping the locations of all of these WiFi nodes, we're beginning to get much more IP location granularity. And of course smartphones with GPS that also have IPs, that's helping to create a map of where, physically where, given IPs are located. And so the idea that that's now being used as fraud prevention I think is very nice because it means that people in Russia are going to have a much greater difficulty using credit cards from Omaha, Nebraska.

But there is an unintended consequence that a VPN provides. Because if you use a VPN, and this is related to that tracerouting example from a couple questions ago, your physical IP will not be where you're located. It will be where you're terminated. It'll be the other end of your VPN tunnel. And if you were using some third-party service like HotSpotVPN, for example, you're going to be connected somewhere probably remote from where you are, some distance away. And so if anyone tries to geolocate your IP address, they're going to see the other end of the VPN, not you. So on one hand I say, hey, Chad, nice going that you were in an open WiFi environment, smart about using a VPN to protect yourself. But, whoops, there was a side effect of that, which is you came out on the Internet with an IP of your VPN provider, not located near where you went into the VPN tunnel. It's a very cool problem.

Question: [ 10 ] - Marcin Ceglarek

For some time I've been a happy smartphone user, and your advice about battery management has been really helpful. I feel much more confident about proper battery management now. Previously, I was discharging the battery all the way down, and then charging it to full again to avoid the memory effect from NiCad batteries, which I now know lithium ion batteries don't have and, in fact, is BAD for lithium ion.

But there is one more issue: Is it safe to leave the phone plugged in overnight? From experience, I know it will get fully charged in about three hours. Since I'm plugging it in around 8:00 p.m., it is fully charged by the time I go to sleep. But if I then unplug it, overnight it loses about 5 to 10 percent of its battery life, so in the morning I only have about 90 percent remaining. On the other hand, if I leave it plugged in all night, I have full 100 percent in the morning. What's the best approach?

Okay. So assuming that the phone or laptop is properly managing its lithium ion batteries - and we have to make that assumption. I mean, if you've got an older device which is causing batteries to catch fire, or doesn't have - I mean, as some have or isn't properly managing batteries, then we're turning you into the battery manager. And that's just a bad idea. What lithium ion, the way lithium ion batteries behave is different from the way NiCads behave. The way NiCad batteries are charged is a NiCad battery voltage will increase to whatever level it's going to and then begin to decrease. And so in fact there were, like, rapid NiCad chargers that the RC modelers used for a long time which could recharge a NiCad incredibly fast by watching for that dip, watching for the point where the voltage began to drop. And the second it was detected to be dropping, the NiCad battery charger would stop and say your battery is now fully charged.

Lithium ion doesn't work that way. Lithium ion has to be stopped charging per cell, that is, every individual cell in a series connected chain - remember that "battery" itself, the word means a multiple. You have a battery of guns. That's a bunch of guns. Or a battery of cells is what we refer to as a battery. So that's a set of cells, individual cells connected in series. Each cell has to be monitored separately, which is why, if you look at the connectors on our laptop batteries, you'll see sort of like a comb of connections. And when you put your battery in your laptop, that comb is mating to a comb on the underside of the laptop, and those individual connections give your laptop's battery management access to, that is, visibility into each connection between the cells in that battery module which you plugged in. Lithium ion has to be charged to a cutoff voltage and then stopped.

So what is happening in Marcin's case, he's asking, if it takes three hours to charge, do I need to unplug it at the end of that time, in which case it will then switch to battery operation and discharge 10 percent by morning, or can I leave it plugged in? The answer is we have to assume the battery management technology is going to do its job. That is, it's going to work correctly. It's the battery manager; you're not. So leave it plugged in. What'll happen is it will charge the battery, the individual cells in the battery, to their cutoff voltages and then stop at the proper point. And then those three hours or eight hours, rather, while he's sleeping, it will be running off of the AC, not off the battery. So it will charge it and then not drain it. It'll be running off AC so that in the morning he disconnects it, and it's fully charged because the battery was charged but has then been floating overnight, not been discharged by not being plugged into the wall overnight.

And so that's the right strategy. Trust the management technology. If the device is within the last five years, everyone has figured out how to do this right, and they are doing it right. So leaving them plugged in over the long term is fine, as long as you're going to be using it. And remember, do not discharge lithium ion any further than you need to. Try to plug it in as much as possible.

Question: [ 11 ] - Brendan

He wanted to know if you recommend the keyboardless Kindle or the Generation 3 keyboard version. Sounds like you like the keyboardless one. I want to buy one and don't know what to get.

My feeling is it is impossible to recommend. It'd be like someone saying what's the best movie? It is too personal. I have all of the Kindles. I've shown them to various friends. Everyone likes a different one. Some people love the idea of touching the screen to change the page, even though the reviewers think it sort of sucks to do that. And other people want a physical button. They just like the idea of resting their hand on the button. I feel like, hey, I mean, since I've got them all, if I'm going to go down and walk on the beach, I'll put one in my pocket, I want it to be the small one. But if I want to, like, sit at Starbucks, I want something that's easier to hold, so I like having more margin at the bottom.

My point is, I really think they're all good. And so the one you choose is personal choice. It's what, you know, how sensitive are you to price because the smallest one is the cheapest one. If you get the ad-supported, it's only $79. The larger, older ones are more expensive. Maybe you care about touch, or maybe you don't. If you're going to be typing things in a lot, then having either the physical keyboard or the touch keyboard would make sense over having no keyboard and having to use the up-down left-right arrows to navigate around.

So at this point I think they're all good, and it's just a question of who are you? How sensitive are you to price? How sensitive are you to size? How sensitive are you to ease of handling? Do you want to have a physical button? I like physical buttons. Other people think it's cool to be able to touch the screen.

I would say go to the store. Go to Best Buy. Hold them. Feel them. And that's the way to make your decision. Try not to do it online, if you don't have to.

Question: [ 12 ] - John Morton

I've been listening to you and Leo since day one of Security Now!, Steve. I had a quick recommendation for you regarding battery life since you've mentioned it several times in the past few episodes.

It's a Mac program - sorry, Windows users - called Watts from The program basically keeps track of your battery usage and prompts you through various stages of cycling your battery when the conditions it's watching for have occurred. It will replace your battery indicator in the top menu bar with a much more robust dropdown menu that reports the condition of your battery and other bits of info.

The feature that might interest you the most is on its "Notifications" screen. There are two very handy options under the "Long Term Storage" heading. The first is "Notify me when reaching 50% of battery charge" and the second is "Shut down MacBook when reaching 50% of charge." I know of no other way of getting your MacBook shut down at its optimal level of battery usage. I hope you find this little program useful. I have. And thanks for all the education you've given me since Episode 1.

So I took a look at it, and it looks very nice. It is not free. It's free, full function, for 30 days. And then the developer and author wants $6.95.

I don't know whether it is or not. I went to, and this is the program that the developer is selling. And I looked at it. It looks very nice. And for someone who's, like, more interested in active participation with the status of his battery, it looks like it really does provide lots of information. It'll tell you the last time you recalibrated your battery and give you a popup when it's time to do a full-depth discharge and recharge in order to recalibrate it. As you read and he mentions, it'll help you store your battery, if you're not going to be using your battery and your MacBook for a long time. It's best to store lithium ions half charged rather than fully charged. It's best to use them in a full charge and recharge as quickly as possible. But if you're going to, like, stick it on a shelf for a few months, take it down halfway, and then that's better for long-term storage. So this was - I thought it was a great tip. And I have downloaded it and am using it on my laptop.

Significant Products
  • Carbonite
  • Use bonus code securitynow for 2 free months with purchase.
  • Ad Times: 1:37-1:52 and 1:01:50-1:03:20

Production Information

  • Edited by:
  • Notes: