Security Now! - 2007

Episode 73 - In preparation for next week’s look at how and why Windows Vista has incorporated the most pervasive and invasive system for digital rights management ever created, AACS, Steve and Leo first take a step back to survey the history and evolution of media property rights and the technologies used to enforce them.

Episode 74 - Peter Gutmann, the author of the highly controversial white paper detailing the significant cost of Windows Vista’s deeply-entrenched digital rights management (DRM) technology, joins Leo and Steve this week to discuss his paper and his findings.

Episode 75 - Following last week’s guest appearance by Peter Gutmann, Steve and Leo wrap up the topic of Vista’s new, deep, and pervasive Digital Rights Management (DRM) system. Steve also announces the completion and availability of his latest freeware: “SecurAble.”

Episode 76 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 77 - In Episode 74 Peter Gutmann shared his concerns and fears about the system-wide consequences and impact of the digital rights management (DRM) Microsoft has built deeply into Vista. Microsoft’s Vista Team responded with a comprehensive blog posting which Steve and Leo read and examine this week.

Episode 78 - With Steve’s new SecurAble freeware now launched, he and Leo discuss the full impact and importance of hardware DEP technology. Steve explains why he believes that hardware DEP is the single most important Internet-related security technology developed so far.

Episode 79 - Leo's 'TWiT.tv' and Steve's 'GRC.com' domains are used by spambots which spoof their domains as the source of bogus eMail. This week they discuss the details of eMail “Received:” headers and explain how the examination of those headers can penetrate any spoofing to reveal the true originating IP of any spoofed spam eMail.

Episode 80 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues they have previously discussed.

Episode 81 - Leo and Steve discuss the distressing results and implications of two recent very large population studies (more than 100,000 drives each) of hard drive field failures. Google and Carnegie Mellon University (CMU) both conducted and submitted studies for the recent 5th USENIX conference on File and Storage Technologies.

Episode 82 - Steve and Leo discuss the interesting topic of state-sponsored Cyber Warfare. While born through the imagination of science fiction writers, the reality of international, inter-nation cyber combat is fiction no longer.

Episode 83 - Steve and Leo wrap up their quest to get Windows Wi-Fi to 'Maintain Full Radio Silence' by adding one additional important tweak to Windows settings. Then they discuss the detailed security implications, now and in the future, of Vista’s new and powerful user account control (UAC) system.

Episode 84 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 85 - Steve and Leo begin a three-episode series to discuss and examine web-based remote code injection exploits. Commonly known as 'Cross-Site Scripting' and 'SQL Injection,' these exploits are growing in popularity and strength as hackers discover increasingly clever ways to exploit subtle defects in next-generation web-based applications.

Episode 86 - In this second installment of their three-part coverage of web-based remote code injection, Steve and Leo discuss cross-site scripting vulnerabilities and exploits. Steve quickly reads through the 28 vulnerabilities discovered in popular software just during the previous month and discusses the nature of the threat and challenge facing authors of modern 'dynamic' web sites and services.

Episode 87 - Steve and Leo wrap up their three-part series on web-based code injection vulnerabilities and exploitation with a discussion on web-based structured query language (SQL) database attacks. They explain why and how SQL injection vulnerabilities are creating an ongoing plague of vulnerabilities besetting modern 'Web 2.0' applications.

Episode 88 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues they have previously discussed.

Episode 89 - Steve and Leo review the operation of wireless network security and discuss in detail the operation of the latest attack on the increasingly insecure WEP encryption system. This new technique allows any WEP-protected WiFi network’s secret cryptographic key to be discovered in less than 60 seconds.

Episode 90 - Steve and Leo discuss the theory and practice of multifactor authentication which uses combinations of “something you know,” “something you have,” and “something you are” to provide stronger remote authentication than traditional, unreliable single-factor username and password authentication.

Episode 91 - Steve and Leo talk with Marc Maiffret, founder of eEye Digital Security of Aliso Viejo, California. eEye has perhaps done more forensic and vulnerability testing research to increase the remote security of Windows than any other group, including Microsoft. They continue to find and report an amazing number of Windows security vulnerabilities.

Episode 92 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 93 - Steve and Leo tackle the past, present and future of software patents. Their discussion of this non-security topic was triggered by Microsoft’s recent declaration that since free and open source software (FOSS) was infringing at least 235 of their software patents, someone ought to be paying them.

Episode 94 - Having discussed the first three “factors” in multifactor authentication (something you know, something you have, something you are), Steve and Leo explore aspects of the power and problems with the fourth factor, “someone you know.”

Episode 95 - Steve and Leo examine the open, platform agnostic, license free, OpenID secure Internet identity authentication system which is rapidly gaining traction within the Internet community. It may well be the “single sign-on” solution that will simplify and secure our use of the world wide web.

Episode 96 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 97 - Steve and Leo discuss the recent news of the FBI’s announced crackdown and pursuit of “bot-herders” who individually control networks of remote control DoS and Spam zombies numbering in the many tens of thousands.

Episode 98 - Steve and Leo discuss the user experience and operation of Microsoft’s “CardSpace” technology which hopes to completely change the way users identify themselves on the Internet by doing away with traditional usernames and passwords.

Episode 99 - Steve and Leo explain the virtues and misbegotten negative reputation of the entirely benign and extremely useful emergent crypto facility known as the “Trusted Platform Module.”

Episode 100 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 101 - Steve and Leo explore the Internet’s rapidly growing need to automatically differentiate human from non-human automated clients. They discuss the advantages and limitations of many past and current approaches to this problem while paying close attention to the most commonly used visual “CAPTCHA” solutions.

Episode 102 - Steve and Leo open the Security Now! mailbag to share and discuss the thoughts, comments, and observations of other Security Now! listeners.

Episode 103 - Steve and Leo talk with Michael Vergara, PayPal’s Director of Account Protections, to learn everything they can about the PayPal security key effort and its probable future.

Episode 104 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 105 - Steve and Leo discuss the history, purpose, and value of personal firewall leaktesting. They examine the myriad techniques clever developers have found for accessing the Internet and sending data out of PCs even when those PCs are being protected by outbound-blocking personal firewalls.

Episode 106 - Steve and Leo open the Security Now! mailbag to share and discuss the thoughts, comments, and observations of other Security Now! listeners.

Episode 107 - Steve and Leo discuss two topics this week: The availability and operation of VeriSign Labs' OpenID PIP (Personal Identity Provider) beta, offering many useful features for online identity authentication; and Steve’s recent redesign of the algorithms behind his popular Perfect Passwords page.

Episode 108 - Steve and Leo discuss questions and comments from listeners of previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues they have previously discussed.

Episode 109 - Steve and Leo delve into some of the non-obvious problems encountered during the creation of a robust and secure eCommerce system. Steve explains the hurdles he faced, the things that initially tripped him up, and the solutions he found when he was creating GRC's custom eCommerce system.

Episode 110 - Steve and Leo discuss questions and comments from listeners of previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues they have previously discussed.

Episode 111 - Having several times addressed the value and potential of the open source, open spec., and popular OpenID system, which is rapidly gaining traction as a convenient means for providing “single sign-on” identification on the Internet, this week Steve and Leo examine problems and concerns, both with OpenID and inherent in any centralized identity management solution.

Episode 112 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 113 - In this first of a two-part series, Steve and Leo discuss Steve's recent design of a secure roaming authentication solution for GRC's employees. Steve begins to describe the lightweight super-secure system he designed where even an attacker with “perfect knowledge” of an employee's logon will be unable to gain access to protected resources.

Episode 114 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 115 - Steve reveals and fully describes the unique, simple, clean and super-secure one-time password solution he came up with for providing roaming authentication for GRC's employees. He also describes his own freely available software implementation of the “PPP” system, as well as several other recently created open source implementations.

Episode 116 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 117 - Steve and Leo discuss the updated second version of Steve's Perfect Paper Passwords (PPP) system and examine a number of interesting subtle questions such as whether it's better to have fully random equally probable passwords or true one-time-only passwords; and how, whether, and why attack strategies affect that decision.

Episode 118 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

Episode 119 - Steve and Leo dissect the “Links” on PayPal's site with an eye toward reverse engineering the reason for many of them routing PayPal's users through servers owned by DoubleClick. They carefully explain the nature of the significant privacy concerns raised by this practice.

Episode 120 - Steve and Leo discuss questions asked by listeners of their previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world “application notes” for any of the security technologies and issues they have previously discussed.

security_now_2007.txt · Last modified: 2014/12/04 14:07 (external edit)