====== Security Now! - 2007 ======

  * [[Security Now Episode 73|Episode 73]] - In preparation for next week's look at how and why Windows Vista has incorporated the most pervasive and invasive system for digital rights management ever created, AACS, Steve and Leo first take a step back to survey the history and evolution of media property rights and the technologies used to enforce them.
  * [[Security Now Episode 74|Episode 74]] - Peter Gutmann, author of the highly controversial white paper detailing the significant cost of Windows Vista's deeply entrenched digital rights management (DRM) technology, joins Leo and Steve this week to discuss his paper and his findings.
  * [[Security Now Episode 75|Episode 75]] - Following last week's guest appearance by Peter Gutmann, Steve and Leo wrap up the topic of Vista's new, deep, and pervasive Digital Rights Management (DRM) system. Steve also announces the completion and availability of his latest freeware, "SecurAble."
  * [[Security Now Episode 76|Episode 76]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 77|Episode 77]] - In episode #74 Peter Gutmann shared his concerns and fears about the system-wide consequences and impact of the digital rights management (DRM) Microsoft has built deeply into Vista. Microsoft's Vista Team responded with a comprehensive blog posting, which Steve and Leo read and examine this week.
  * [[Security Now Episode 78|Episode 78]] - With Steve's new SecurAble freeware now launched, he and Leo discuss the full impact and importance of hardware DEP (Data Execution Prevention) technology. Steve explains why he believes that hardware DEP is the single most important Internet-related security technology developed so far.
  * [[Security Now Episode 79|Episode 79]] - Leo's "TWiT.tv" and Steve's "GRC.com" domains are being used by spambots, which spoof those domains as the source of bogus email. This week they discuss the details of email "Received:" headers and explain how examining those headers can see through any spoofing to reveal the true originating IP of a spoofed spam email.
  * [[Security Now Episode 80|Episode 80]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 81|Episode 81]] - Leo and Steve discuss the distressing results and implications of two recent very large population studies (more than 100,000 drives each) of hard drive field failures. Google and Carnegie Mellon University (CMU) each conducted a study and presented it at the recent 5th USENIX Conference on File and Storage Technologies (FAST).
  * [[Security Now Episode 82|Episode 82]] - Steve and Leo discuss the interesting topic of state-sponsored cyber warfare. While born in the imagination of science fiction writers, international, nation-against-nation cyber combat is fiction no longer.
  * [[Security Now Episode 83|Episode 83]] - Steve and Leo wrap up their quest to get Windows Wi-Fi to "maintain full radio silence" by adding one additional important tweak to Windows settings. Then they discuss the detailed security implications, now and in the future, of Vista's new and powerful User Account Control (UAC) system.
  * [[Security Now Episode 84|Episode 84]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 85|Episode 85]] - Steve and Leo begin a three-episode series discussing and examining web-based remote code injection exploits. Commonly known as "Cross-Site Scripting" and "SQL Injection," these exploits are growing in popularity and strength as attackers discover increasingly clever ways to exploit subtle defects in next-generation web-based applications.
  * [[Security Now Episode 86|Episode 86]] - In this second installment of their three-part coverage of web-based remote code injection, Steve and Leo discuss cross-site scripting vulnerabilities and exploits. Steve quickly reads through the 28 vulnerabilities discovered in popular software during the previous month alone and discusses the nature of the threat and the challenge facing authors of modern "dynamic" web sites and services.
  * [[Security Now Episode 87|Episode 87]] - Steve and Leo wrap up their three-part series on web-based code injection vulnerabilities and exploitation with a discussion of web-based Structured Query Language (SQL) database attacks. They explain why and how SQL injection vulnerabilities are creating an ongoing plague of vulnerabilities besetting modern "Web 2.0" applications.
  * [[Security Now Episode 88|Episode 88]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
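The Received:-header technique from Episode 79, as an added worked example (this is not code from the episode or from GRC; the message, the host names and the trusted network are constructed for the demonstration and use documentation address ranges). Each mail server prepends its own Received: line, so the headers read newest-first. Only the lines written by servers the recipient controls are trustworthy; walking down from the top, the first "from" address that lies outside the recipient's own networks is the address that actually handed the message to that infrastructure, whatever the HELO name, the From: line, or any lower Received: lines claim.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample message (not a real spam). The From: line and the lowest
# Received: line both claim grc.com, but the first hop our own server saw
# arrived from 198.51.100.77 (TEST-NET-2), which is the true origin.
SAMPLE_MESSAGE = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby mailstore.example.net with ESMTP id abc123\n"
    "\tfor <user@example.net>; Mon, 5 Feb 2007 10:00:02 -0800\n"
    "Received: from grc.com (unknown [198.51.100.77])\n"
    "\tby mx1.example.net with SMTP id def456; Mon, 5 Feb 2007 10:00:01 -0800\n"
    "Received: from relay.grc.com (relay.grc.com [203.0.113.5])\n"
    "\tby grc.com with ESMTP; Mon, 5 Feb 2007 09:59:00 -0800\n"
    "From: \"GRC Support\" <support@grc.com>\n"
    "To: user@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Networks run by the receiving organization (an assumption for this example).
TRUSTED_NETS = ["192.0.2.0/24"]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s;(]+)"        # name the sender announced in HELO/EHLO
    r"(?:\s*\((?P<comment>[^)]*)\))?"   # receiver's own note: reverse DNS and [IP]
    r".*?\bby\s+(?P<by>[^\s;]+)",       # the server that wrote this header
    re.DOTALL,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, joining RFC 5322
    continuation lines (those starting with whitespace) onto their header."""
    head = raw.split("\n\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract the claimed HELO name, the connecting IP the receiver recorded,
    and the receiving server from one unfolded Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("comment") or "")
    return {"helo": m.group("helo"),
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by")}


def find_origin(raw: str, trusted_nets: List[str]) -> Optional[Dict[str, object]]:
    """Walk Received: headers newest-first and stop at the first hop whose
    source address is outside our own networks. Headers above that point were
    written by servers we control and are believable; everything below it was
    already inside the message when it arrived and may have been forged."""
    nets = [ip_network(n) for n in trusted_nets]
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n == "received"]
    for index, hop in enumerate(hops):
        if hop is None or hop["ip"] is None:
            return None  # chain of custody broken: report nothing rather than guess
        if not any(ip_address(hop["ip"]) in net for net in nets):
            return {
                "origin_ip": hop["ip"],
                "claimed_helo": hop["helo"],
                "recorded_by": hop["by"],
                "unverifiable_hops_below": len(hops) - index - 1,
            }
    return None  # every hop was internal: the message originated inside our networks


if __name__ == "__main__":
    print(find_origin(SAMPLE_MESSAGE, TRUSTED_NETS))
```

The one input the analyst has to supply is the list of networks they actually control; a Received: line written by anyone else is just more text the spammer could have typed.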
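The SQL injection defect Episode 87 discusses, shown as an added example beside its fix (this is not code from the episode; it uses Python's built-in sqlite3 module and a constructed two-row users table as a stand-in for a web application's login query). The vulnerable version splices the submitted username and password into the SQL text, so a quote character in either field changes the structure of the statement; the parameterized version keeps the statement fixed and sends the values separately, where they can only ever be data.

```python
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed demo table; the credentials are placeholders, not real ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> List[str]:
    # The defect: user-controlled text becomes part of the SQL statement itself.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> List[str]:
    # The fix: the statement is constant; values are bound as parameters and
    # are never parsed as SQL, whatever characters they contain.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo() -> Dict[str, List[str]]:
    """Run two classic payloads against both versions and return who got in."""
    conn = make_db()
    tautology = "' OR '1'='1"   # in the password field: ... AND password = '' OR '1'='1'
    comment_out = "alice'--"    # in the user field: closes the string, comments out the rest
    return {
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_tautology": login_parameterized(conn, "nobody", tautology),
        "safe_comment": login_parameterized(conn, comment_out, "wrong"),
        "safe_real": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case:16s} -> {names}")
```

Note that the tautology payload works because AND binds tighter than OR, so `'1'='1'` is OR-ed against the whole name-and-password test and every row matches; the comment payload needs no password at all. Neither does anything against the parameterized query.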
  * [[Security Now Episode 89|Episode 89]] - Steve and Leo review the operation of wireless network security and discuss in detail the latest attack on the increasingly insecure WEP encryption system. This new technique allows any WEP-protected Wi-Fi network's secret cryptographic key to be recovered in less than 60 seconds.
  * [[Security Now Episode 90|Episode 90]] - Steve and Leo discuss the theory and practice of multifactor authentication, which combines "something you know," "something you have," and "something you are" to provide stronger remote authentication than traditional, unreliable single-factor username and password authentication.
  * [[Security Now Episode 91|Episode 91]] - Steve and Leo talk with Marc Maiffret, founder of eEye Digital Security of Aliso Viejo, California. eEye has perhaps done more forensic and vulnerability research to improve the remote security of Windows than any other group, including Microsoft, and continues to find and report an amazing number of Windows security vulnerabilities.
  * [[Security Now Episode 92|Episode 92]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 93|Episode 93]] - Steve and Leo tackle the past, present and future of software patents. Their discussion of this non-security topic was triggered by Microsoft's recent declaration that, since free and open source software (FOSS) was infringing at least 235 of its software patents, someone ought to be paying them.
  * [[Security Now Episode 94|Episode 94]] - Having discussed the first three "factors" in multifactor authentication (something you know, something you have, something you are), Steve and Leo explore the power and problems of the fourth factor, "someone you know."
  * [[Security Now Episode 95|Episode 95]] - Steve and Leo examine the open, platform-agnostic, license-free OpenID Internet identity authentication system, which is rapidly gaining traction within the Internet community. It may well be the "single sign-on" solution that simplifies and secures our use of the World Wide Web.
  * [[Security Now Episode 96|Episode 96]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 97|Episode 97]] - Steve and Leo discuss the recent news of the FBI's announced crackdown on and pursuit of "bot-herders," individuals who each control networks of remotely controlled DoS and spam zombies numbering in the many tens of thousands.
  * [[Security Now Episode 98|Episode 98]] - Steve and Leo discuss the user experience and operation of Microsoft's "CardSpace" technology, which hopes to completely change the way users identify themselves on the Internet by doing away with traditional usernames and passwords.
  * [[Security Now Episode 99|Episode 99]] - Steve and Leo explain the virtues, and the misbegotten negative reputation, of the entirely benign and extremely useful emerging crypto facility known as the "Trusted Platform Module" (TPM).
  * [[Security Now Episode 100|Episode 100]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 101|Episode 101]] - Steve and Leo explore the Internet's rapidly growing need to automatically differentiate human from non-human, automated clients. They discuss the advantages and limitations of many past and current approaches to this problem, paying close attention to the most commonly used visual "CAPTCHA" solutions.
  * [[Security Now Episode 102|Episode 102]] - Steve and Leo open the Security Now! mailbag to share and discuss the thoughts, comments, and observations of other Security Now! listeners.
  * [[Security Now Episode 103|Episode 103]] - Steve and Leo talk with Michael Vergara, PayPal's Director of Account Protections, to learn everything they can about the PayPal Security Key effort and its probable future.
  * [[Security Now Episode 104|Episode 104]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 105|Episode 105]] - Steve and Leo discuss the history, purpose, and value of personal firewall leak testing. They examine the myriad techniques clever developers have found for accessing the Internet and sending data out of PCs even when those PCs are protected by outbound-blocking personal firewalls.
  * [[Security Now Episode 106|Episode 106]] - Steve and Leo open the Security Now! mailbag to share and discuss the thoughts, comments, and observations of other Security Now! listeners.
  * [[Security Now Episode 107|Episode 107]] - Steve and Leo discuss two topics this week: the availability and operation of VeriSign Labs' OpenID PIP (Personal Identity Provider) beta, which offers many useful features for online identity authentication; and Steve's recent redesign of the algorithms behind his popular Perfect Passwords page.
  * [[Security Now Episode 108|Episode 108]] - Steve and Leo discuss questions and comments from listeners of previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 109|Episode 109]] - Steve and Leo delve into some of the non-obvious problems encountered in creating a robust and secure eCommerce system. Steve explains the hurdles he faced, the things that initially tripped him up, and the solutions he found while building GRC's custom eCommerce system.
  * [[Security Now Episode 110|Episode 110]] - Steve and Leo discuss questions and comments from listeners of previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 111|Episode 111]] - Having several times addressed the value and potential of the open-source, open-spec, and popular OpenID system, which is rapidly gaining traction as a convenient means of providing "single sign-on" identification on the Internet, this week Steve and Leo examine the problems and concerns both with OpenID specifically and inherent in any centralized identity management solution.
  * [[Security Now Episode 112|Episode 112]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 113|Episode 113]] - In the first of a two-part series, Steve and Leo discuss Steve's recent design of a secure roaming authentication solution for GRC's employees. Steve begins to describe the lightweight, highly secure system he designed, in which even an attacker with "perfect knowledge" of an employee's logon is unable to gain access to protected resources.
  * [[Security Now Episode 114|Episode 114]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 115|Episode 115]] - Steve reveals and fully describes the unique, simple, clean, and highly secure one-time password solution he came up with to provide roaming authentication for GRC's employees. He also describes his own freely available software implementation of the "PPP" (Perfect Paper Passwords) system, as well as several other recently created open source implementations.
  * [[Security Now Episode 116|Episode 116]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 117|Episode 117]] - Steve and Leo discuss the updated second version of Steve's Perfect Paper Passwords (PPP) system and examine a number of interesting, subtle questions, such as whether it is better to have fully random, equally probable passwords or true one-time-only passwords, and how, whether, and why attack strategies affect that decision.
  * [[Security Now Episode 118|Episode 118]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.
  * [[Security Now Episode 119|Episode 119]] - Steve and Leo dissect the "Links" on PayPal's site with an eye toward reverse engineering why many of them route PayPal's users through servers owned by DoubleClick. They carefully explain the nature of the significant privacy concerns raised by this practice.
  * [[Security Now Episode 120|Episode 120]] - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world "application notes" for the security technologies and issues they have previously discussed.