Security Now 332

From The Official TWiT Wiki

Security Now 332: Your Questions, Steve's Answers #133

News & Errata

Adobe Watch has us keeping our eye on the two zero-day Flash vulnerabilities which surfaced last week. No further news on this.

Adobe updated Reader 9 to fix another zero-day problem. In Reader 10 the problem is contained by the sandbox, and that version will be updated at a later time.

Microsoft will be adding automatic background updating to Internet Explorer in 2012.

Mozilla is planning to add automatic background updating to Firefox 12 on April 24th of 2012.

SOPA Amended to respond to criticism

Mobile Carriers Claim Consumer Consent to Carrier IQ Spying

GRC's sales briefly stalled after GRC switched SSL providers. The problem was fixed after a day or two; it was most likely caused by the provider switch triggering alerts in monitoring companies and browser security extensions.

SpinRite Story - Richard Shepherd

Subject: YAST (Yet Another SpinRite Testimonial)
"I remotely connected to a client's domain today to take control of a PC there and burn our site-licensed ISO of SpinRite at the client's office that is 72 miles away from me. I walked the client through rebooting to the SpinRite CD and starting SpinRite at Level 2. And, well, this email exchange is all you need to know. I get all the credit for your great work. I hope your EV Cert/SpinRite sales issue has been resolved. Big Fan, Rick Shepherd."

Questions & Answers

Question: [ 01 ] - Bruno Miranda

Hello, Steve and Tom. I have just won one of those battles against those little things that we wouldn't normally suspect of, and almost out of despair call it broken logic. Suddenly one day I discovered that I couldn't log into my router, a cheap but interesting Vodafone Sharing Dock. It wasn't recognizing my password. I was surfing the web, everything else was okay, but I just couldn't log into the router. I rebooted, restarted, reset, powered the router off and back on again, cursed at it, yelled at it, all to no avail. Had I been hacked and my router stolen from me? I even upgraded, then downgraded the firmware. Still nothing. After a full factory reset, it wasn't even accepting its default password. Then I tried my tablet, and it was working fine. But the laptop wasn't. And I knew the password. I knew that I knew the password. Was the router broken? So I took a last deep breath, multi-booted my Linux machine into Windows, and it was working. It wasn't the laptop's hardware. I returned to Linux Mint, installed another web browser, and it was working! Only two chances left: Broken router or something in Firefox. I went around Firefox's configurations, and yes, I had changed something some time ago: I had activated the Do Not Track (DNT) header. After unchecking the box, I typed in my password, and Shazaam. That was it. Of course there's no need for or worry about my own router tracking me. This seems to be one of those little broken compatibilities that test our nerves. I wanted to share my interesting adventures with your listeners. Thank you so much for the great show and all the energy both of you put into it! Security Now! is listened to on this side of the Atlantic.

Now, that's really odd. The only thing that the Do Not Track header does is add a "DNT: 1" for Do Not Track. Basically it's just making - your browser adds that one line to what's called the "query headers," the list of things that are being sent out when your browser is asking for a page. And normally, essentially, the router looks like a web server, so your browser is querying the web server in your router for a page. And it's just - it's bizarre to me that the addition of a header, which it almost certainly wouldn't know about, would cause a login failure. I mean, the only behavior of turning Firefox's Do Not Track header on should be to add that to the query. It shouldn't prevent, for example, cookies. Now, the only thing I could think is that there's some interaction or maybe something else in his browser was seeing the Do Not Track header and was, for example, doing something with cookies because I could imagine that, if you were blocking cookies, that could cause a login problem. But I just can't see that the Do Not Track header by itself could. But I thought I would share this just in case anybody else had a router that was acting in the same way. Turning on Do Not Track is something that we would be promoting for people. So if it's causing a side effect in some bizarre cases, that's certainly worth knowing.

Question: [ 02 ] - Notre Poubelle

I've seen an app called "Battery Boost Magic" in the iOS App Store. Could an application actually help battery life? Wouldn't this be managed by the OS? I can see how an application that uses heavy resources could kill battery life, but to improve it? I've seen lots of reviews on the web, and they're generally extremely positive, but I can't see how this thing would work. Assuming it does work, are there any possible negative long-term effects to using something like this?

So I took a look at what the app was because I completely agreed with his assumptions about what limitations an app running in iOS would have. And looking carefully at what their claims were, I'd have to come to the conclusion that their claims were a little overblown. They were hyping what this thing was able to do more than their technology would warrant. What it appears that it does have to offer, which iOS doesn't, is very sensitive measuring of the amount of current that is being drawn, or the high-resolution look at the current charge state of the phone. And so over time, by looking at that, the app would be able to see the rate at which the phone was draining because the features which seemed strongest that this thing was offering was a projection of how much time you had left on the battery when you were doing different things. So this app was running, is passively looking at the rate at which the battery is discharging based on a much higher resolution readout of the amount of charge in the battery, and then it's able to do probably a straight-line prediction of when the battery will hit zero, essentially, and tell you, oh, you've got seven hours using this app and two hours using this app and so forth. So it does look to me like it's stretching what it's able to do. Essentially, it's a sophisticated battery meter and really doesn't look like it's anything more than that. And they've been clever with what they're doing with it. But they are sort of overselling it.

Question: [ 03 ] - Ranget

I like your podcast a lot, and I'm a weekly listener for almost a year. Damn, I wish I knew of your podcast earlier. Anyway, thanks for the amazing podcast. As for my question, let's say a hacker got a hold of your IP address, and your home network is behind a hardware firewall, a router. What can he do in order to hack the network? Are we safe behind our routers? Or are hackers able to gain access remotely to our network by probing the firewall with some of their gadgets? And what can we do in order to protect against such attacks?

Yeah. When I encountered this, I thought, well, this is sort of a basic question, but basic is also good because some things have been changing in our computers in the last few years that are worth noting. The other day I was setting up a new machine and was curious what exceptions had been made through the Windows - I was setting up a Windows machine and was curious what exceptions had been made through the Windows firewall. And I was disturbed to see how many different apps and services had registered themselves to receive incoming traffic through the firewall. Meaning they were opening ports through the software firewall in Windows to make themselves available for incoming traffic. Now, that's different than opening ports out in the hardware firewall, the router, as he mentions. Except that Universal Plug and Play, UPnP, explicitly allows this. That is, it is designed, the reason it was created was that consumers were installing routers for their security and for the features that they afforded. But that was blocking software features from being able to receive incoming traffic. So Universal Plug and Play was created as a means to allow machines inside the network to talk to the router, which would be advertising its UPnP services and selectively open ports through the router, essentially violating its security. Leo and I have often, through the years, suggested to people that, if you do not need, you don't know you need Universal Plug and Play, then you really want to disable that in the router. A place, for example, where you do need it is by default Xbox wants to open a bunch of ports. Now, what you can do is disable Universal Plug and Play and then manually open those ports yourself so that you retain control over what your router's doing and have those ports sent only to the Xbox. If you have Universal Plug and Play enabled, any machine in your network can open ports through your router.
And when I look at the number of openings in the typical Windows firewall now, it's a lot less secure than we wish it was.

Question: [ 04 ] - Jamie Hunt

Hey, Steve. I might be missing something here, and I'd love to know it if I am; but aren't all of your tools, which you write in assembly language, inherently open source, since they can be relatively easily disassembled? Take, for example, your DNS Benchmarking tool: If I download a copy of this, I can open this with my favorite disassembler (PE Explorer), and within seconds I am looking at all of your source code just as you wrote it! If you wrote these tools in C, then I wouldn't have your C source code, I would have the compiled assembly language produced from the source code so they remain relatively closed source. But since your tools are written in assembly language, the code is the same; right? I have a feeling that I am missing something, but I can't see where.

Well, it's funny because there's been - I sort of smiled and chuckled when I saw this because a topic that comes up every so often in GRC's newsgroups is people saying, hey, why don't you release the source of these freeware that you create because, after all, it's free. So why not let us see your mojo and magic and how you're doing this? And then, if I don't respond immediately to that posting, if I don't get around to it, somebody will weigh in and say, well, you know, Steve writes everything in assembly language, so just disassemble the executable if you want the source code. Now, the fact is, if anyone has seen my source code, they'll know, and sometimes I'll settle the argument by posting a screenshot from my editor showing what mine looks like because mine is heavily indented, heavily commented, beautiful variable names that are long and descriptive, I mean, it almost reads like English. I also use all of the Microsoft MASM conditional flow tools - if, then, else, while, do. All of those map down into single instructions. So I'm really writing, I'm writing assembly language, but it's really pretty and much easier to read than the stuff you often see posted on, like, random hacker sites, where it's just a string of opcodes running down the left-hand margin of the page. That is what you get if you disassemble my code, is a string of opcodes running down the left-hand margin of the page. And you don't get nice variable names which are multiword and descriptive when I create them. All you get is an address of something. And of course you get no comments. Those are all stripped out as part of the assembly process, as well. So there's a big difference between what I produce and what you get if you disassemble the post-assembly code.
But to answer the question which actually Jamie didn't ask, but I'll answer because it's the one that is posed so often in the newsgroups, the reason I don't offer my source is it would make it extremely easy for someone to clone my apps and then post them on the Internet and have them masquerading as mine. And it's not that I would mind if they identically cloned them because, you know, that's the same as just rehosting my EXEs. But they could also make them evil. They could have the DNS Benchmark doing something behind your back that you don't know. It would look like a really tasty tool, even if they didn't say it was from me. If it was a really nice benchmarking tool, lots of people would want to use it. But if they made it also evil at the same time, then they would be suckering people into using something that they didn't know was being bad for them. And of course there's lots of other things that do that already. I just don't want to contribute to it. And I don't see any benefit to me in releasing it as open source. I like the fact that my stuff is sort of uniquely small and special. And you come to if you want to get it.

Question: [ 05 ] - Sami Lehtinen

I wanted to warn people about potential problems with regular home routers such as the more expensive and fancy firewall routers that are very configurable. That configurability can backfire nastily. While the router is booting - it's quite a long process - parts of the system start with default configuration, like the switch portion. This causes all LAN, WAN and DMZ ports to be completely bridged for about one minute. After that, normal NAT/SPI, DHCP, et cetera, function returns. As far as I can tell, that's a very serious security issue. 60 seconds is more than enough for automated attacks to get through, even if somebody would claim it's just a short moment. And this is not just one case. I have noticed similar functionality in other products like this earlier from the same manufacturer. I assume the basic system they're using is flawed. It shouldn't start networking before everything else is ready. It's very easy to notice this functionality when configuring the firewall because, if you run ipconfig /renew after reboot, it's trivial to get a public IP from the ISP's DHCP pool and use the Internet for about one minute. After that one minute the network stops working until you again renew the lease, and then you'll get the IP address from the local LAN DHCP pool, as expected.

Well, this is a fantastic observation, and I'm not at all surprised this is going on. But it's something that had never occurred to me before. Many of the fancier, higher end routers are based on Linux, and they've got a fundamental networking architecture which is supported at the low-level OS level. But then they layer on many more features which run as independent processes and, for example, hook into the network in order to add filtering and NAT routing functionality and so forth. But without those things running, that is, before they hook into the network layer, you have a generic bridging router with none of the security features enabled. So this is a very real problem. What, I mean, the takeaway from this actually is to - what I would do is, and I'm probably going to do it from now on, I don't reboot my router very often, but I would disconnect my LAN side connection for a couple minutes until the router comes up and it settles down, and then bring my local network up inside. What he was saying, just to clarify, and this is one way to test this, he was saying that shortly after rebooting the router, if he then - he was using the Windows command, "ipconfig /renew," which tells Windows to go send out a query for its auto configuration, the DHCP, Dynamic Host Configuration Protocol, send out a query to get an IP. What he discovered was that, if you do this shortly after the router comes up, you are actually connected directly out to the public Internet. And traffic is flowing both ways. You have a simple, non-NATed bridge to your network. So you send out a DHCP query, it goes to your ISP, not to your router. Which means you will get back a public routable IP, the one that would normally be acquired by your own router. You would obtain that. And your system would be on the Internet during that time. Eventually, the router's own DHCP server comes up, and its interception technology, NAT and so forth, comes up, the stateful packet inspection and all that. 
Then you get normal routing functions. But what he observed, and this doesn't surprise me, but it's certainly something to be aware of, is that with a router which is actually probably Linux-based OS, it's going to take a while to get itself going. We know that these are not fast processors. They're little, cheesy, I mean, they're slow, barely enough to handle the normal traffic that you have through the router, and they're cutting costs every way they can. So minimizing the complexity and the speed of the processors is one of the things that they do. So what that means is that it's fine once it gets going, but it really takes it a while to come up and get going. And during that time, you could actually have zero protection. I think that's really interesting.
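The check described in this answer can be scripted. The following is an added example, not part of the episode or the show notes: it parses `ipconfig` output captured after a router reboot and flags any adapter whose IPv4 address falls outside the RFC 1918 private ranges, which is what a lease handed out by the ISP instead of the router's own DHCP server looks like. Both sample captures are constructed, and 203.0.113.25 is a documentation address standing in for a public one.

```python
import ipaddress
import re

# Private LAN ranges a home router's DHCP server normally hands out (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Windows self-assigns from this range when no DHCP server answers at all.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# "Ethernet adapter Local Area Connection:" starts a new adapter section.
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "   IPv4 Address. . . . . : 192.168.1.23" (older Windows prints "IP Address").
FIELD_RE = re.compile(
    r"^\s+(IPv4 Address|IP Address|Default Gateway)[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")


def parse_ipconfig(text):
    """Return {adapter name: {"address": IPv4Address|None, "gateway": ...}}."""
    adapters = {}
    current = None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(
                header.group(1), {"address": None, "gateway": None})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key = "gateway" if field.group(1) == "Default Gateway" else "address"
            current[key] = ipaddress.ip_address(field.group(2))
    return adapters


def classify(addr):
    """Say where a lease most likely came from, based on the address range."""
    if addr is None:
        return "none"          # adapter disconnected or no IPv4 address
    if any(addr in net for net in RFC1918):
        return "lan"           # expected: lease from the router's DHCP pool
    if addr in APIPA:
        return "no-dhcp"       # nothing answered the DHCP request
    return "upstream"          # not a private range: lease came from beyond the router


def exposed_adapters(text):
    """Names of adapters holding an address from outside the private ranges."""
    return sorted(name for name, info in parse_ipconfig(text).items()
                  if classify(info["address"]) == "upstream")


# Constructed capture: lease renewed while the router was still booting.
DURING_BOOT = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : isp.example
   IPv4 Address. . . . . . . . . . . : 203.0.113.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
"""

# Constructed capture: lease renewed after the router finished starting up.
AFTER_BOOT = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

if __name__ == "__main__":
    for label, capture in (("during boot", DURING_BOOT), ("after boot", AFTER_BOOT)):
        flagged = exposed_adapters(capture)
        print(label, "->", flagged if flagged else "all adapters on private addresses")
```

An address in a carrier-grade NAT range would also be flagged, since it too comes from upstream of the router rather than from the local pool.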

Question: [ 06 ] - David

My kid gets around the Windows parenting filter that I put in place by booting into safe mode. Do you know a way to disable that? This goes to what we were talking about earlier. Whenever you make a blacklist, people find a way around it. Is there a way to turn off safe mode, though?

First of all, I got a big kick out of the question. And it's probably, behind the scenes at his kid's school, they're all talking to each other, and they have figured out this is the way you get around what Mom and Dad have done to the computer is you boot into Windows Safe Mode. So I poked around to see whether there was a way around it. Some crazy guy is suggesting that you can hex edit the ntldr.sys file, which is a core component of Windows. Do not do that. You really don't - it's version dependent, and it's search for a certain pattern, and it's like, oh, goodness. I mean, now all these components are signed. That would break the signature for the signed driver files, so you don't want to do that. I did find somebody who is selling something. If you Google, just the phrase with no spaces, "nosafemode," you Google that, the first hit that Google brings up is a page ending in that dot html. And that appears to be a respectable piece of software which you could install which will, specifically for this purpose, disable Windows safe boot mode. It is available, I think it was a 30-day trial. So you could try it, see if it does what you want, and then buy it if it works. So I did find that. But I just got a kick out of the question and wanted to share it with our listeners and offer that little, although I can't vouch for the app at all because I have not tried it, it looks like it's reputable and would do the trick.

Question: [ 07 ] - Jim Hyslop

I have an analogy to share and a question to ask: Listening to the most recent Q&A, it occurred to me that a better analogy for bandwidth is a conveyor belt. You put your packets on the conveyor belt, and they get whisked off to their destination. The conveyor belt moves at a constant speed, so the limitation is not how fast the data moves, but rather how much data you can put on the conveyor belt at any given moment. If you have a lot of people trying to put data on the conveyor belt at the same time, some of it has to wait until there is room. The classic "I Love Lucy" chocolate factory sketch is a perfect illustration of, not only bandwidth, but also how routers can drop packets when they get too busy..." because she drops the chocolate all over the floor. Secondly, I want to cover an extension of one listener's question about how to get people to understand security. Your virtual-to-physical security analogy is great, but I sometimes run into people whose attitude is "Why would anybody want to break into MY computer/website/whatever?" Do you have any suggestions on what to say to those people?

His analogy is great. I love the analogy of a conveyor belt because we all like to have visual aids. And for our listeners who are trying to explain stuff to other people, this is perfect because the idea being that packets are like blocks, essentially, and this conveyor belt is moving along, this imaginary conveyor belt, at a certain rate. And so the idea is that that is the shared broadband that all of the subscribers on a leg of the ISP's network share. And so the idea being that you're given a percentage of the conveyor belt's capacity, and you put packets on, along with everybody else putting their packets on. Some people get a bigger percentage; some people get a lesser percentage. But the actual rate at which the individual packet moves is shared by all users and the same. What differs is how often you're able to put your packet onto the conveyor belt, sharing the space with everybody else. So I love the analogy a lot. Anyway, great analogy. And Part 2 was ... And that is a great question. And it is the defense that people who want to be lazy about their own security use, is nobody cares about me. The question is, I would - I think, again, trying to relate this to people who are resistant, ask them if they think viruses care who they are. Viruses don't. Viruses are agnostic to who you are. They just want to infect everybody they can. Email spam carrying infected links don't care who you are. These bad guys want to get their malware into everybody's machine. They don't care who you are. They would like to set up a bot trojan in your machine and use it to attack others. They would like to install Zeus into your machine, Zeus being the very successful, distressingly successful banking trojan, in which case they don't care who you are as long as you've got money in your bank account, which they would be happy to help you drain. So you get Zeus installed in your machine, you're anonymous to them. 
But this thing watches you log into your Bank of America website, present you with a fake page showing the balance you expect, while behind the scenes it sends your money off to Russia. So absolutely, just in the same way that viruses don't care, none of this stuff cares who you are. It's just happy to have your money.

Question: [ 08 ] - Mark Wonsil

I hadn't seen this before, but maybe you had, an animated CAPTCHA. I wonder if this defeats some of the image recognition software like Google Goggles - for now. And there's an example at So essentially it's a normal-looking CAPTCHA, but it ripples. It's like an animated GIF.

It's very clever. And I wanted to share this with our listeners. We've talked about CAPTCHAs at length. So it's the contact form, as you said, Tom, And I commend it to our listeners to take a look at it. Essentially, it uses the fact that our brain is able to integrate an image over time, so that, if we watch this thing rippling, we can read it. But it's because we're seeing it stretched out over time. There's a numeral - actually, I guess it's going to be different for everybody, so the one that I saw will not be what everybody sees, obviously. But in the one I saw there was a numeric digit on the end that happened to be a digit "5." And it was actually sort of sliding under a fold in this ripple-y fabric sort of animation, so that you could see that it was a five. But the point is that it would take some extreme intelligence on the part of software, first of all, to realize this is a multi-image, probably a GIF, an animated GIF image, and then to look at every separate frame. No single frame contains the CAPTCHA. It's only over time that your brain reassembles this into what this waving flag, sort of a printed waving flag is. Anyway, that's very clever, and something I had never seen before that I wanted to share with our listeners. So thank you, Mark, for pointing it out to us. Yeah, and it's not just like sort of revealing something static over time. Because that would be easy to sort of programmatically fix. These things are sliding under ripples and under folds. And I think it's very clever. I don't know where it came from. But I'm sure looking at the page source you could probably figure out where they were getting their CAPTCHA technology because to me this looks like it would slow things down, probably for quite a while.

Question: [ 09 ] - Rob

I manage a help desk where we see our share of failed hard drives. Most data is backed up, so I'm not usually too concerned with bringing a dead hard drive back to life. But the other day a user came to us because her laptop would no longer boot. We didn't have a spare laptop drive on hand, so I had my tech run SpinRite so that, hopefully, she could keep working until we could get another drive and re-stage her laptop. SpinRite worked like a charm, and she was able to work the rest of the day without a problem. SpinRite, as it always does, came through in a pinch. But I have a question: We received a replacement drive and took out her bad drive, which SpinRite had been keeping alive, and reinstalled her operating system, programs, et cetera. But would it be okay to use a program like Clonezilla to clone the dying hard drive? That would save time, and the end user would still have their customizations that take the user so much time to reset. Would this work, or do we run the risk of copying errors into the cloned image?

Interesting question. And I get people from time to time asking questions that are sort of SpinRite-related, and I say I sort of don't want to, like, turn this whole thing into a big commercial for SpinRite. Certainly our listeners are well aware of SpinRite. But I've seen questions like this before. We got a burst of SpinRite sales back when Microsoft was offering the converter from the FAT16 to the FAT32 file system. I don't even remember what that thing was called now. But it was when they were moving people to Win98, I think, from Win95. And drives were getting bigger, so they needed to expand the file system size. But people were wanting to convert, in place, their file system from 16 to 32 bits. And the point was that any single error anywhere on the drive failed that process. And so what people realized was running SpinRite first would fix the FAT16 file system, and then the converter, which would previously have failed, was then able to succeed. Well, the same is true with drive cloning because typically the cloning software, I mean, it's not SpinRite. It's just doing a simple sector copy from one drive to another. Anything that causes it to glitch will cause it to fail. So one of the reasons people today still purchase SpinRite is they're trying to back up a drive that won't back up because the image software will say there's an error on your drive. SpinRite will fix that, and then you're able to perform your copy. So the answer to Rob is, yes, running something like SpinRite, well, or SpinRite - actually there is nothing else like SpinRite, so running SpinRite first to fix the drive's errors will then allow a drive cloning or copying system which was previously failing to succeed.

Question: [ 10 ] - Steve Fintel

Hi Steve. I've been an avid listener of Security Now! since Episode 1, and followed your Tech Talk column before that. I recently attended a security conference where one of the speakers talked about methods to attack HTML5. Many of the conference attendees started getting upset at the obvious step backwards HTML5 represented from a security perspective. I would love to hear you dedicate a Security Now! episode to this topic.

We certainly will be talking about it, at least in piecemeal. It would be hard to do an episode, like, preemptively because what I can tell you is we're going to have problems. We've already had problems with HTML5. For example, there's something in HTML5 called Offline Web Applications, which is an explicit caching technology that allows sites to cache their web pages statically in your machine. The problem with that, which has already been exploited, is that if you briefly go to an insecure location, like Starbucks's Open WiFi, and get some malicious JavaScript in your machine, whereas it would only have been able to live in a transient form on the web pages previously, by leveraging this explicit application caching, there is already malicious JavaScript which is able to set up shop in your computer, thanks to HTML5. So there's an instance where it's a feature of HTML5 being repurposed. And I know that we're going to see, as we always do, clever hackers come up with ways of abusing things which are extensions of our browsers' capability a la HTML5, creating problems that we didn't have before. The second class of problems will be your classic coding errors, and they already exist. For example, HTML5 brings a much-advanced rendering to us. There's a canvas metaphor into which you're able to draw with vectors or pixels in order to perform sort of on-the-fly local graphics rendering, which we have never had before. Now we have it, and there's mistakes in the code. So there have already been exploits, for example, taking advantage of buffer overflow mistakes in the screen canvas rendering technology in some browsers in order to run code that was - run code rather than graphics in your browser. So generically I can say HTML5 is going to keep our podcast busy. I would say that browsers are rapidly moving towards it. But we're not rapidly using it. It'll have a slow uptake because of course websites can't use it robustly until all the browsers support it uniformly.
And we're still - the browsers are rapidly moving in that direction. And there are some cool things. I mean, there are also some disturbing things, like there is persistent data storage which is explicitly available in HTML5, or a la HTML5, that we've never had before. It's like mega cookies. It's another place for identification stuff to be stored in your browser, so we're going to have to have some control over that.

Question: [ 11 ] - Craig

I don't want to beat a dead-horse topic, but something's been bugging me about the recommendations for lithium-ion battery management. Everything you've said on Security Now! about the topic makes perfect sense, and it even helps to explain why my laptop occasionally seems to be charging my battery even though I never use it with A/C power. My confusion, however, comes from my cell phone. I have a Samsung Continuum which was made within the last year or so, and the manual for the phone quite specifically mentions unplugging the charger when the battery reaches 100 percent. The phone itself even beeps and pops up a message saying "Battery fully charged. Unplug charger." If all that you have taught us about lithium-ion battery management is correct, then why do some manufacturers still lead us, the consumers, to believe that these batteries can be overcharged or that we should be draining them all the time?

It's a great question. And I loved it because it highlights a distinction that I have made before, but I clearly need to make more clear. And that is, there is an absolute separation or difference between the chemistry and the technology of lithium-ion battery function and the management of that chemistry. And I'm aware of it, and I'm careful when I'm talking on the podcast to make sure I use the right words. But it would be very easy for someone who didn't recognize the importance of the distinction to miss it. And so the idea, for example, is that we've talked about lithium-ion batteries not being trickle-charged. That is, some battery technologies like, famously, good old lead acid batteries, you're able to trickle-charge. You're able to, after they come up to a full charge, you drop the current to them and just feed it in at a very slow trickle, which has the effect of keeping lead acid, old, like, car batteries, full topped off. That kills lithium-ion batteries. They do not - the chemistry, the actual electrochemistry does not behave well if it's trickle-charged. You will damage it. So the proper way to charge a lithium-ion battery is to charge it to a terminal voltage and then stop all charging. Now, there's no reason that Samsung hasn't done that except that they chose not to. Their manual says unplug it when it's fully charged. The phone says, "Unplug me, unplug me." Now, here's Apple and all other laptop makers, they don't have any problem with stopping charging when their battery's full. I don't know why Samsung has a problem. But they've chosen to. So it's not that their lithium-ion batteries are different from anybody else's. It's that, for whatever reason, they've chosen to manage the same electrochemistry differently than others. Maybe there's some advantage to them doing this that isn't apparent. I can't really see what it would be. 
But they've sort of - they've transferred some of the responsibility of proper battery management from their own hardware and firmware over to their users. So anyway, so the distinction is, I've tried to be careful about assigning the responsibility in the proper place. But I would say that, Craig, the upshot of this is absolutely definitely do what the manual tells you. But the management aspects are different from the electrochemical aspects, which are pretty much absolute.

Question: [ 12 ] - Paul Brogger

Have you heard that HP has released the HP-15C in a limited edition model? The original batch sold out instantly. It's out of stock right now, but more to come.

I tweeted this, and I wanted to thank Paul for bringing it to my attention. I've often talked about those. They're a family of calculators which are 30 years old, I think. Well, maybe not 30, maybe 20. But long since discontinued, except for the 12C. For some reason the financial version has stayed in continuous availability over time. But my favorite one was the 11C, which was iterated to the 15C. It's a landscape-orientation calculator rather than sort of the more traditional portrait orientation. I just love my 11C. And, I mean, it's sitting right next to me. I've got various of them in various places in the house so that I always have one near me, depending upon where I'm working. And so I tweeted the news and wanted to let our listeners know, for anyone who's interested, if you just put in "HP 15C" into Google, you can find HP's website. It's $99 for this limited-edition HP-15C. It is, in my opinion, the best calculator ever made. It is just, I mean, and it's RPN, and RPN only. So you've got to be a Reverse Polish Notation person. But I'm dyed-in-the-wool that way. Ever since I was in high school, I spent the $400 that I saved up from a summer job to buy myself the HP-41 was the very first scientific calculator that Hewlett-Packard produced. So, love those machines.



