Talk:Security Now 197

From The Official TWiT Wiki

Mac Java flaw -- "permission" vs. "permissions"

LEO: Even in the mega-patched Macs, the vulnerability could be used to perform something they call a "drive-by download," the ability to infect a computer by visiting a web page. The flaw allows malicious code to run commands with the permission of the current user. So you have to say yes, apparently.

Ummm, apparently ... not. It runs with the PERMISSIONS (plural) of the user, i.e., the user's privilege level, including full/admin if applicable. You don't need to "permit" this vuln to run for it to run.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

(emphasis mine) Source: [1] Stevenumbertwo 01:21, 23 May 2009 (PDT)

Fingerprint readers -- bad idea

STEVE: Now, one thing that's new that I talked about first was the so-called "biometric framework." They call it WBF, Windows Biometric Framework. It's in response to the fact that an increasing number of machines, probably primarily principally laptops, have built-in fingerprint readers. ... Oh, in fact, User Account Control can be tied to the fingerprint reader now. So, for example, in a home environment, the kids would be running as a limited user. And you can then put parental controls on things which are tied to the fingerprint reader. So that in order to do something, the box comes up, and the kids have to say, hey, Mom, can you come here for a second, I need permission to whatever it is, charge a micro payment on your credit card or something. Mom comes over, scans her finger, and bing, it works.

Or the kids lift Mom's fingerprint off of her drinking glass or coffee mug, tape it over their own, and swipe it. Gummy Bears have been used to fool a "foolproof" system.

STEVE: ...and we've talked about how, for example, that a problem with biometrics is that unlike, for example, a password, you can't change your fingerprint. The fact that you can't change it means you don't want it to get away from you.

You can't stop it from getting away from you. Fingerprints are unique, but not secret. *Any* authentication method must be in *both* Venn subsets. We leave fingerprints everywhere. Whoever steals your laptop can probably lift a good print off of it somewhere. The German Minister who advocated fingerprint-based ID had his fingerprint found via ordinary means, and published. (Both linked articles © Bruce Schneier.)

Schneier has debunked fingerprint ID in many other articles and places. Encrypt your sensitive data or entire HDD, and find another way to keep the kids on the right side of the Net - there are plenty. Stevenumbertwo 18:19, 25 May 2009 (PDT)