Security Now! - Episode 208
SERIES: Security Now!
DATE: August 6, 2009
TITLE: Listener Feedback 72
SPEAKERS: Steve Gibson & Leo Laporte
SOURCE FILE: http://media.GRC.com/sn/SN-208.mp3
FILE ARCHIVE: http://www.GRC.com/securitynow.htm
DESCRIPTION: Steve and Leo discuss the week's major security events and discuss questions and comments from listeners of previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues we have previously discussed.
INTRO: Netcasts you love, from people you trust. This is TWiT.
LEO LAPORTE: Bandwidth for Security Now! is provided by AOL Music and Spinner.com, where you can get free MP3s, exclusive interviews, and more.
This is Security Now! with Steve Gibson, Episode 208 for August 6, 2009: Your questions, Steve's answers. This show is brought to you by listeners like you and your contributions. We couldn't do it without you. Thanks so much.
It's time for Security Now!, the show that covers all things secure - securing your operating system, securing your 'Net connection, fighting off bad guys and spyware, protecting your privacy. And here he is, the czar of security, Mr. Steve Gibson. I think I did, in fact, in my cabinet, make you the czar of security.
STEVE GIBSON: I'm the security czar. Well, I'll tell you, from all of the nonsense I hear about Washington, D.C.'s attempt to find a security czar, no one is applying. They're, like, the gal that's been temporary is stepping down very politely because she wants to put pressure on the administration to find somebody to be the security czar. But the people who are good enough to do that are also smart enough not to, you know, they're smart enough to know better. Because apparently they've got no control over anything, not budget or management or staffing or anything. They're just - and they're split between two different organizations. I mean, it just sounds like a disastrous job, and probably more frustrating than anything. And, like, why would anyone want to hurt themselves and who have, like, the ability to do that?
LEO: A job with all the responsibility and none of the power.
LEO: This doesn't sound good.
STEVE: This is just a lose, lose, lose.
LEO: Yeah. It's like being governor of California, another fine job you do not want.
STEVE: Although I'm sure you know, you heard, that Clinton, Bill, went over to North Korea and brought back our two prisoners.
LEO: I am so happy about that.
STEVE: It was just so cool. It caught me by surprise this morning. First thing I saw is like, hey, very neat.
LEO: We talked about it last night because they worked for Current. Euna Lee was one of the reporters who worked at TechTV. And…
STEVE: Oh, you knew her?
LEO: Yeah, well, I don't remember her, but I think I did know her. But I, you know, there were a lot of people at TechTV. I think she was an intern at the time. But, yeah, and she worked at Current with Sarah Lane. And Sarah was on [email protected] last night, and she said there's reporters on the street, but we don't want to celebrate until we see them get off the plane. Well, they got off the plane. And you know what kind of bugs…
STEVE: They were flying into Burbank Airport for some reason, probably just to…
LEO: Kind of odd, yeah.
STEVE: Yeah. Well, it was apparently a chartered plane. So maybe that was the right place for it to land.
LEO: Thank goodness, because these two women were convicted of spying and sentenced to hard labor.
STEVE: Young women.
LEO: Yeah. Not a good outcome. And so it's a great relief that - and, you know, kudos to President Clinton. I think that's got to be a little scary to fly to North Korea. You don't know what Kim Jong-il is going to do. And so to fly into the lion's den and save those women, I think it's…
STEVE: Yeah. Well, apparently he - Madeleine Albright, his Secretary of State, did visit North Korea during his presidency. So there was some sort of a sense of an olive branch. And the presumption was that Kim Jong-il wanted some attention. And so this gave him…
STEVE: He couldn't - to have any of our current administration go over would have been too much.
LEO: Can't do that.
STEVE: And so, I don't know, I think it was brilliant, in retrospect. And thank goodness that's resolved.
LEO: Whew. Relief. So today is a Q&A day. That means…
STEVE: We have - yes. Because we had to change things around, two weeks ago we did the mega security update. That pushed a Q&A out. I wanted to - there was so much stuff backlogged in the GRC.com/feedback page, our mailbag, that I wanted to spend a couple of those. And this is a big episode for us. Actually this one is, and next one will be. This is 208, which is four times 52. Given that a year has 52 weeks, this is the end, this is the last episode of our fourth year.
STEVE: So, yeah.
LEO: And, you know, kudos to you because we know that because you can do the math. There's no other show I think in the world that has done four years' worth of shows, 208 episodes, without break. I mean, that's unheard of. Not one rerun.
STEVE: I found one message when I was going through the mail yesterday to prepare and select questions for today. Someone asked me, I think it was a woman, said hey, you know, when Leo's on vacation, you're apparently not. Do you ever take a vacation? And first of all, when you're on vacation, I am, too, technically, because I'm not doing podcasts without you. We do extra ones ahead of time so that we have podcasts to straddle any outage. But I just - I truly love what I do so much that, if I were on vacation, I'm just annoyed about all the work I'm not getting done. I just - I love computers and technology and, you know, life. And so I'm on vacation all the time. I'm on vacation right now, doing this with you.
LEO: You know, they say that. They say the only difference between a hobby and work is whether you like to do it. There are people, I think Malcolm Gladwell talks about this in his book “Outliers,” there are people who pay money to drive trucks and trains, even though that's a job for some people.
LEO: For others, it's something they love so much that they'll pay to do it. So I'm not saying I would pay to do this. But I sure, even if I didn't have to, I think we'd be talking once a week one way or the other. Hey, well, let's - so do you have security news and updates?
STEVE: We've got news, we've got a little bit of errata, and we've got our Q&A.
LEO: Steve Gibson, what is the latest security news?
STEVE: Well, we have a bunch of follow-ups, interestingly enough, from last week. We know, for example, that the iPhone was patched, exactly as we predicted, the day after the formal SMS hack of v3 and prior versions was made public. So Apple finally got off the stick, I mean, I guess they were frantic for, you have to imagine, for a few weeks beforehand, since we knew about this problem a few weeks beforehand. It was patched. So if anybody has not been to iTunes recently, you definitely want to do that in order to update yourself to 3.0.1.
LEO: Yes, and I did it immediately. One point to make is, so far no reports, despite the fact that there was kind of a 24-hour, zero-day opportunity, no reports of exploits at this point. That's good news.
STEVE: Yeah. Who knows whether…
LEO: It could have happened because you may not know; right?
STEVE: Correct. If you didn't know, if you didn't update your phone - it seems to me that the intersection of reality needed to make this happen is relatively small. Somebody would have to know your phone number, I mean, probably targeting you specifically, who also had the skill or ability to get this thing from the 'Net and perpetrate the hack. So…
LEO: I think going forward we and Microsoft and Apple and everybody should make the distinction between a completely theoretical attack, an attack that we know how to do but hasn't been in the wild, and then one that is actually out there in the wild. Do they make that distinction?
STEVE: Oh, yeah. Normally there will be specifically, well, for example, one of the things we're going to talk about is that BIND has been fixed. We talked about the master server update problem which could crash and potentially take over BIND servers, but it was only known to cause a crash, and that a fix is available. But at the same time, that vulnerability is now being actively exploited on the 'Net to crash BIND servers. So normally there is, certainly in the Microsoft case, they will say that exploits are in the wild and that this is something you really need to patch for that reason.
LEO: Yeah. And Apple doesn't do that. In fact, Apple is very notoriously kind of tight-lipped about what their updates do. I don't think, I don't remember anyway, when the 3.0.1 alerted me, it didn't say you must get this right now, there's a big SMS hack. They just said here's an update.
STEVE: Oh, by the way, yeah.
LEO: I think they might - in their tech note I think they said this patch is the SMS vulnerability. The irony is you still have to download the full firmware. It's almost 300MB, even for this one little fix, which could have been a few bytes, I mean, who knows. I wish they would reveal a little bit more about what they fixed.
STEVE: Yeah. Of course then the flipside is the more they, I mean, here we are worrying about after-the-patch attacks on people who have not been patched. Even though Apple has said, hey, we fixed it, they're still not disclosing a lot. So clearly they're wanting to keep a lid on this, recognizing that there is still an attack surface among those people who do not update for whatever reason, or until they update, until they next check in with iTunes or the word gets to them somehow. So I guess I can understand that. But it's this double-edged sword we have with security and vulnerability. On one hand we want these companies to be open. But to be open means unless there's a system like Microsoft has that is pushing these patches out, and Microsoft can be, oh, you know, fairly certain that the bulk of their customers are going to be updated because lord knows they don't make it easy not to get updated any longer. It is certainly a tradeoff you have to make.
STEVE: Firefox, my version 3 - I'm not at 3.5 yet, I'm still back at 3.0 - I was at 3.0.12. It updated to 13.
LEO: I noticed that, yeah. Or mine up- oh, I'm sorry, go ahead. Because 3.5 updated, too.
STEVE: Well, 3.5 has gone to .1 a couple weeks ago.
LEO: And now it's .2.
LEO: So you were right to hold off.
STEVE: Yeah, well, there's an interesting hack which was revealed at the Black Hat conference, which is - I think it's the first question that we've got in our Q&A. So I will cover it more then. But I'm very pleased that Firefox instantly responded. IE hasn't yet and is vulnerable. But Mozilla immediately responded to that. We'll discuss what that is in our first Q&A. They also fixed a heap buffer overflow in their security certificate handling. Firefox 3 had been bringing along sort of a flexible, regular expression-parsing approach to certificates that 3.5 never had. 3.5 used a more traditional sort of standard approach to parsing certificates. It turns out there was a vulnerability in that older, longstanding, sort of inherited from the Netscape days parsing, which they've now fixed.
LEO: Ooh, ooh.
STEVE: So the good news is, that's gone. That's fixed in 3.0.13. And these things were also fixed in 3.5.2 that you mentioned. So Firefox is updated. Anybody using Firefox probably already knows. I found out this morning when I fired things up and logged in and got going. It says, oh, we've got an update for you. It's funny, too, because I depend upon my Firefox session manager remembering all the tabs I have open. It just has sort of become a big database repository for me. But I had two Firefox windows open at that moment. And so I wasn't sure that it would remember them both. So I had to, like, work through the tabs on one, although I could have dragged them all over to the other because you can drag tabs across windows now.
LEO: You still use that sidebar tab extension.
STEVE: I'm liking it a lot, yes. But now unfortunately my sidebar is scrolling because I've got so many tabs.
STEVE: It's like, okay, I'll get around to this one of these days.
LEO: You know, we had Kevin Rose on TWiT a few weeks ago. And he said, okay, quick, tell us how many tabs you've got open. And everybody on the show had, like, 20 tabs open. So this sidebar tab thing is great. But if you've got that scrolling, there's no help for you at all. That must be, like, 60 or 70 tabs open.
STEVE: Like I'll get around, I'll get back to that one of these days.
LEO: The name of that, by the way, for people who want to know, is Tree Style Tab.
STEVE: Yep, exactly.
LEO: Steve recommended that a few weeks ago.
STEVE: So we talked about BIND, which fixes are now available. So anyone who is an admin responsible for their corporate DNS server, it's likely a master. It probably didn't need to receive update messages, but there was a problem that was found, we talked about it last week. I just wanted to let everyone know that patches are available. So you're going to want to update your BIND to the current release and solve this problem. And again, this is being actively exploited by creeps on the Internet. All it really lets them do is crash people's DNS servers. It's like, okay, well, oh, boy. It's annoying, but people are doing it all over the place.
STEVE: So, yes. You want to get yourself updated to prevent that from happening. And in the Adobe Flash Player news, we talked about their problems last week, which were not fixed, but they had said they would be fixing them soon. I chuckled a little bit because I'm sure our listeners will remember me rolling my eyes, figuratively for those who don't see video, but I was rolling my eyes…
STEVE: Yes, when Adobe announced that they were going to be doing their - they were increasing their patching protocol or patching formality, going to be more responsive, and so they were going to do quarterly patches, whereas Microsoft does them monthly. And I remember at the time saying, what? I mean, that makes no sense at all. We'll see how long this lasts. Well, it didn't last even a quarter because they had some bad problems in 9.1, and they needed to update themselves immediately to 9.1.3, I think that's where they are, and v10. Anyway, I wanted to make sure people knew that Flash Player updates for 9 and 10 are now available. So you'll want to check and make sure you get updated. And I did turn a machine on the other day that said, oh, we got an update for Flash. It's like, okay, good. It's time. And I'd noted, you know, we've been talking about Adobe, like people will probably notice, every week, which is not what you want to be talking about.
LEO: No kidding.
STEVE: If you're the target of this conversation on a security podcast. There's an editor of the SANS newsletter - which is an excellent, excellent SANS security newsletter - Stephen Northcutt, who's also the president of SANS Technology Institute; and they sometimes add little - their editors' comments to the bottom of their reports or problems. And I got a kick out of his comment in this most recent newsletter this week. He said, quote, “I think organizations should avoid Adobe if possible. Adobe” - and this is not who you want to have saying this.
LEO: No, SANS is highly respected.
STEVE: Yes. It says Adobe - he goes on, saying “Adobe security appears to be out of control.”
LEO: Oh, dear.
STEVE: “And using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can.” And it's like, ouch.
LEO: Wow. Wow.
STEVE: Yeah, yeah. Carnegie Mellon did a study which hit the news, which basically stated that in their relatively small survey, it was only about a hundred people, but apparently 55, meaning more than half, of the people that they watched encounter expired security certificates, ignored the expiration…
LEO: I'm surprised it wasn't higher.
STEVE: …and went on anyway.
LEO: Most people would just go, I don't know what this is. Okay, I just want to surf.
STEVE: That's exactly the problem is that people were confused by the notices, didn't really read them, just sort of said, uh, okay, whatever, and said what button do I push so that I can continue? And it's funny, too, because, I mean, I saw that, I witnessed it myself firsthand. You'll remember that GRC's own security certificate expired, to my extreme embarrassment, a few months ago, and I scrambled around. I was set up at Starbucks in the morning when it came to my attention. So I zipped home and had to go through, jump through hoops to get VeriSign to issue me an update, a renewal, as quickly as I could. However, SpinRite sales continued even in the face of that security certificate being expired. Now…
LEO: Now, they're giving you credit card information, too. I mean, it's not just a visit.
STEVE: Yes, exactly. It's not just go to Perfect Paper Passwords or Perfect Passwords and pick up a password. It's I want to buy SpinRite, and I'm going to put in my credit card information into this site. We might assume, however, that visitors to GRC are more sophisticated, and they were able to see, oh, look, it says here that Gibson's certificate expired yesterday, so I imagine he's scrambling around right now, as indeed I was, to get it caught up to date. But people did push past that. And there's now discussion about whether it should be possible in a browser to push past that because it's up to the browser's discretion to allow you to either disallow any SSL that has a certificate that is deemed invalid for any reason. You know, certainly mismatching domain names, you never want to get past that.
But, I mean, I've encountered other people with certificates that expired just recently, and I've forgiven them because it's like, okay, I can see how that could happen. I'm sure they're scrambling just as I was. So it was interesting, though, that more than half of people, when they see an expired cert, will say okay, fine, I still want to do what I want to do. So make an exception and move on.
LEO: Never mind, yeah.
STEVE: And then my very favorite story of the week comes to us from the Black Hat and DEFCON conferences in Las Vegas.
LEO: Boy, it's been an adventure this week, hasn't it?
STEVE: Oh, there was a ton of stuff.
LEO: Oh, man. Not just the iPhone thing.
STEVE: What I loved was the fake ATM machine.
STEVE: Which was found during the DEFCON conference.
STEVE: People were putting their credit cards, were like swiping their ATM card, putting in their PIN, and nothing was happening. It wasn't giving them cash. And then they thought…
LEO: That's kind of a red flag.
STEVE: Exactly. And then the way it was discovered was that some, I mean, here we've got security-aware conference attendees. Someone noticed that the black hole above the screen where normally the video camera would be didn't seem to have any lens reflection coming off of it.
LEO: There's nothing in there.
STEVE: So they shined a flashlight in and saw a PC sitting behind, literally sitting behind the screen, pretending to be an ATM. And that was their clue that maybe this was a bogus ATM. And the Secret Service came and took it away.
LEO: Wow. Wow.
STEVE: So I got a kick out of that happening…
LEO: How long was it there before they figured it out? Do we know?
STEVE: We don't know. We don't know at what point it appeared. It was placed near the security entrance - which, interestingly enough, had no security. It's an area where there was a camera blackout. For whatever reason, there weren't monitoring cameras that covered its location. So someone snuck it in, and it sort of sat there, and no one really noticed it until it began not giving people money back.
STEVE: So I have a couple little bits of errata.
LEO: Can I give you one story that just broke?
STEVE: Oh, yeah, yeah.
LEO: Critical Windows 7 bug.
STEVE: Oh, haven't heard of it.
LEO: It's not a security issue exactly. But it is what they call a “showstopper.”
STEVE: Uh-oh. Oh, and so RTM is no longer RTM?
LEO: Apparently not. This affects the RTM build, 7600.16385. Enterprise Desktop column. Randall C. Kennedy at InfoWorld says a massive memory leak involving chkdsk, when you run chkdsk against a secondary drive, not the C drive but a secondary drive, using “/r,” which means read and verify, in both 32-bit and 64-bit versions of Windows 7, Blue Screen of Death, out of physical memory.
STEVE: Well, and you can't do a “/r” on the primary drive because it'll tell you that it's in use.
LEO: Right, right.
STEVE: And it'll ask you if you want to defer the chkdsk for the next time you reboot the machine so that it's able to briefly get exclusive use of the drive before Windows starts opening files and doing everything it does.
LEO: So no idea if, you know, maybe if you do do that reboot and then do a “/r,” if it does it on the main drive. But it does do it on the secondary drives.
LEO: So I don't know what Microsoft's response is going to be. But this is - a number of people are reporting this right now.
STEVE: You know, I wouldn't be surprised if 7, and I don't know this at all for a fact, you and Paul probably do know because I've - it's going to be a long time before I'm messing with Windows 7 except as a curiosity. But I noted that IE8 now, when you install it, it asks you, may I bring myself current with all security updates before we go any further? And I wouldn't be at all surprised if that's Microsoft's new policy for when you install something, before it even starts it says, okay, hold on a second, I'm going to - who knows how long it's been since this particular code you've just used to set me up, how old that is. I'm going to go ping Microsoft and see if there's anything I need to do right now before we even start. So it could be that even though this is a problem with the RTM, that they can fix this in patch 00001 of Windows 7, and so no one will see it. It will, immediately upon installing, it'll say, wait a second, we're going to update ourselves. Oh, look, we found something. It's like, okay.
LEO: So, and by the way, I should point out that if you've got a memory leak that can cause that to happen, that often is a - isn't that often a first step in an exploit? Maybe not. It's not a good exploit.
STEVE: Well, it's not even clear that that would actually - that doesn't sound to me like a memory leak. That sounds like some allocation error maybe that's been misreported, for example. If you used to try to run Windows 98 on a system with more than a gigabyte of memory - 98 was quite happy with 512MB, you'll remember. And if you actually tried to run it on a system with more memory, it would say that you didn't have enough memory. It would report “out of memory” error rather than “I don't know what to do with all this.” So it could just be a fluke of whatever's gone wrong is resulting in this particular problem. It may well not be an out-of-memory error. It just might be saying that it is. So without really looking at it, it's hard to say.
LEO: And I imagine that's an easy thing to fix. I mean, it's not a kernel problem, probably. Although Microsoft's saying it might be a driver issue.
STEVE: I'm sure it's easy. In fact, there was news about the - remember we talked last week about the big Microsoft glitch in the ATL, the Active Template Library, that had been part of Visual Studio for a long time, which meant that all of the ActiveX controls which were made with Visual Studio and this ATL, all had a problem. It turns out it was a single ampersand bug. There was an ampersand that was there that shouldn't have been that caused the whole problem. They called it a typo. It's like, okay, well, I guess a lot of bugs are typos. But this Blue Screen of Death from running chkdsk might be something similar. Who knows. Whatever it is, it's obviously wrong.
LEO: Yeah. If you dereference a pointer, that could be a typo, but it also could be a programming error.
STEVE: Yeah, exactly. And that's what I'm thinking is going on with an ampersand. So it's like, okay, well, they didn't know what they were - someone isn't happy about the ampersand, but that doesn't mean it's a typo.
LEO: A typo, yeah. So…
STEVE: Well, one of our listeners was kind enough to point me to the scifi-az website, where…
LEO: Our good friend…
STEVE: …Michael McCollum publishes his science fiction. He posted a progress report last week, Monday before last, on the status of the third and final book in the Gibraltar series. I love the series. “Gibraltar Earth” was the first one; “Gibraltar Sun” is the second one; “Gibraltar Stars” will be the third one. And he just posted an update to sort of let people know where things stand. He just finished the first draft. The book is…
LEO: See, I'm holding off. I started “Gibraltar Earth,” and I thought, I'm going to wait till he finishes the trilogy.
STEVE: I don't blame you. I read “Earth.” Then when “Sun” came out I reread “Earth” and read “Sun.” And I've offered, and he has accepted, to edit the final book for him because when I have read through them, I have found typos. And since I'm reading it, in this case, in a Palm, it's easy for me to mark the section and make a note. So I've sent him, like, little corrections for his eBooks in the past.
LEO: Can you get those on the Kindle? Weren't you trying to help him do that?
STEVE: Absolutely. He's got it now in an amazing variety of formats. I mean, you can get it on your back molar format.
LEO: I don't want to read it on my back molar.
STEVE: Anything you've got, his stuff will read on.
LEO: Oh, good. Oh, good.
STEVE: And so he's at 130,000 words. And he's going to go through it now, he's going to reread it. And what he's - the way he phrased it on his site, he said, 15 percent will be removed to, quote, “maintain dynamic tension” or, as he says, “to take out the boring parts.” And so he, too, he's going to reread “Earth” and “Sun” to, like, remind himself what they were. Because this has been going on, this series straddles about 10 years. So as he puts it on his site, he wants to remove any small discrepancies that creep in over the better part of a decade of writing a series. So he's just going to make sure everything is consistent. Because of course you know us geeks, we'll read it and go, hey, wait a minute, you said that the Plurion race drank this rather than - it's like, okay, fine.
LEO: I can't imagine doing what he's doing. I mean, and keeping track of all that.
STEVE: Well, they're very complex plots. I love his plots because they're - he is a nuclear engineer, literally. And his - I find his books really fun. I mean, they're not literature. They're space opera. But they're really engaging. And he has created, he has set up a problem for the human race which I've never seen before in all the sci-fi that I've read, which is really interesting. I mentioned before that there's a race called the Broa. And they haven't stumbled on us yet, but they are a huge supremacy. They just absorb any other cultures and alien races that they encounter, getting bigger in the process. And we would immediately be enslaved if they knew about us. And so this is a problem because it's by the merest coincidence of positioning that our radio hasn't - our expanding radiosphere hasn't yet touched them. But and they've got listening posts scattered around because they're looking to acquire new species to take over. So, oh, it's just - it's a spectacular space opera.
LEO: Yeah, yeah. And, well, I will go back to it. I'm glad to know he's working on the third edition, or third volume.
STEVE: Yup. I will let you know…
LEO: How do you like - have you been reading “Red Mars”? What do you think of it?
STEVE: I've got them all on my Kindle. I just haven't had a chance to start. I've been massively engaged in research elsewhere, which will be the topic for next week's podcast. I also wanted to mention Sony is coming out with a pocket eBook reader at a sub-$200 price. It's got a five-inch screen. It's not very sub-$200, it's one dollar sub-200. It's $199. Supposed to be end of August. And their store is up to about 100,000 books, whereas Amazon is at 330,000 books. So Amazon still has a big lead. Of course, Sony has access to all, to a million public domain books through Google and is also an open eBook format, whereas the Kindle is closed. And finally, Apple is reportedly working on an eBook reader.
LEO: Well, it's tablet. We don't, you know, it's going to be more than an eBook reader.
LEO: It's really like a big iPhone, I guess.
STEVE: Well, and wouldn't that be…
LEO: We don't know what it is.
STEVE: I mean, can you imagine anything better than exactly being an iPhone, but really big format, and being a tablet running the Mac OS? It's like, ooh.
LEO: We may know soon. I mean, there's debate over when it'll be announced. But some say as soon as next month.
STEVE: Oh, no kidding.
STEVE: Oh, good good good good. Okay. And one last thing, just this is - this came out of nowhere. This was actually again from - oh, no, it was from Steve Bass. And you know Steve.
LEO: I know Steve, yeah.
STEVE: Yes. He's the ex-president of PIBMUG, the Pasadena IBM PC User Group. He has a newsletter that he sends out from time to time. And he often has a section of time wasters. Well, this thing is a piece of - it runs in Flash. And do not put this URL into your browser now, Leo, or I will lose you for the rest of the podcast.
STEVE: It is just spectacular. It's a toy, puzzle, beautiful thing: www.playauditorium.com.
LEO: This has been around for a while, actually.
STEVE: Oh, has it. I hadn't seen it before. Just, oh, just spectacular.
LEO: Yeah. I've wasted a lot of time with it.
STEVE: Yeah. I will be, too, because it's exactly the kind of puzzle and toy that intrigues me because you're not in a hurry. There's no time limit. There's no clock counting down. It seemed like there's multiple ways to solve these puzzles. As you stumble on and experiment with ways to solve them, you learn more about this. It's just wonderful. So I wanted to turn our listeners onto it: www.playauditorium.com.
LEO: It's kind of amazing what you can do with Flash; you know?
STEVE: I'm very impressed with it.
LEO: And it makes beautiful music. I should play, well, you have to do it, you have to solve the problem before it'll make the music. But once you do, it makes great music.
LEO: Yeah. It's really, really neat.
STEVE: And so lastly, a fun SpinRite story provided to us by Juan Guevara Torres. He says, “Hi, Steve. I'm a Mac user, so I do not own a copy of SpinRite. However, the other day I went to a computer store in Houston to get a new device for my network, following the Trust No One policy I've learned from Security Now!. A poor fellow, a PC user and his wife, visibly worried about their data, was in the tech support department. Since this person was ahead of me in line, I was able to overhear the following conversation.” He calls it “'The store's pseudotechnician' says, 'I'm sorry, sir, your hard drive has been damaged. You will need to pay $299 for a technician to attempt to recover as much data as possible. This is not a guarantee, but we can try. And that does not include the new drive you will probably need, as well.'”
So the “poor fellow” is quoted as saying, “'But for that price, I can get a new drive, and what about my data? So you're saying I might not recover all of it?' The store's pseudotechnician replies, 'We will try. But once again, it's not a guarantee. Should I start filling out this work order for you?' The wife of the poor fellow says, '$299? I told you not to take your laptop on our trip. Now your pictures are lost, and we'll be out 300 bucks for nothing.' So losing data” - I guess this is now Juan editorializing. “Losing data is bad; losing data and paying $299 is very bad; but there is nothing worse than having an upset wife about losing your data and paying $299. That poor fellow was doomed to hear this story for the rest of his marriage, and maybe for life.”
So now Juan says, “Listening to all the praise SpinRite users have been sharing with all of us in the podcast, I approached the couple and the technician. I asked flat out, 'I would imagine the software you use for recovering data is SpinRite; correct?' The pseudotechnician gave me a dirty look. The couple looked at me with a little bit of WTF? The technician answered, 'Yes, we use that software. You know, it's a very complex process.'”
LEO: Oh, yes.
STEVE: Juan says, “'I'm sure it is,' I said. Then I turned to the couple - still with the WTF look on their face, I might add - and I said, 'I'm sorry to just cut into the conversation. However, the software the technician is talking about is available on the Internet for less than a hundred dollars. I understand it's a very easy-to-use piece of software, as well. So before paying $299, why don't you go to GRC.com and give it a try? In any case, that's what they are going to do anyway.' The poor fellow, with a slight smile on his face and a huge Texan accent, said, 'Thanks, Bud, I'll try it.'” And then Juan finishes, saying, “'Here is my email. Drop me a line and let me know how it worked,' I said.” So then he says, “Yesterday I got an email from the not-so-poor fellow anymore. 'Juan, thanks, Bud. SpinRite did the trick. Those 80-something dollars I paid saved my data, and I'm telling you, man, my marriage.'”
LEO: Now, you don't guarantee that data will be recovered, we should say.
STEVE: No. We do guarantee that, if you're not happy with your purchase, we'll refund your money.
LEO: Oh, I didn't know that. That's good.
STEVE: Absolutely, 100 percent, satisfaction guarantee. Anybody who tries it and they're not happy, just let us know, we'll put the money back on your card.
LEO: There are all sorts of reasons why your data might be lost that SpinRite - like if you erased it - that SpinRite's not going to find it.
STEVE: Well, yeah. Or if the platters have frozen, or the heads have fallen off, or it no longer spins at all. I mean, there are limits to what software can do to repair hardware. SpinRite pretty much pushes that all the way to the limit. And again, if it doesn't work, we'll give your money back.
LEO: And a large, a surprisingly large number, certainly the majority of problems can be fixed by SpinRite. That's kind of the sweet spot of where hard drives have problems.
STEVE: It really does work.
LEO: Yeah. All right. We've got questions; Steve's got answers. We're going to get to those questions and answers in just a second. Steve, if you want to take a sip of water?
STEVE: I'll sip my coffee.
LEO: Sip your coffee, your triple, what is it, a venti, quad venti you got today?
STEVE: It's two shots of espresso in a large - in a venti container.
LEO: Oh, you're a lightweight. You're a lightweight. Alex Lindsay has got me drinking triple talls now, which is the smallest.
STEVE: It's an Americano. It's not - it's just hot water.
LEO: Oh, you have an Americano, yeah. Although they say - oh, but they make it with espresso, though.
STEVE: They do.
LEO: Because they say that brewed coffee, and I bet we're going to start a whole debate on that, but that brewed coffee has more caffeine…
STEVE: Oh, it does. Much more caffeine…
LEO: …than espresso.
STEVE: …than espresso. The longer you roast the beans, that roasts the caffeine out. And so even though it's a much stronger taste, it's actually less espresso. I'm sorry, less caffeine is what I mean.
LEO: Less caffeine. Not that it doesn't get you going.
STEVE: I like it.
LEO: I had my triple tall today, and I'm feeling fine.
STEVE: I don't need any more caffeine.
LEO: No, I don't either. Now, Mr. Steve Gibson…
STEVE: Well, while you were reading that, Leo, I just bought a PDP-11.
STEVE: Yeah, I just won an auction on eBay.
LEO: [Laughing] I gave him a break, and what does he do? He buys an obsolete mini computer.
STEVE: Beautiful, for $225.94.
LEO: Not a simulator, not a - this is the original.
STEVE: It's a PDP-11, an 11/23, full height stand. The description says “One complete digital DEC micro PDP-11/23 system. Amazingly, this unit was still being used in an office environment and was fully operational when shut down. Everything inside the case is intact and untouched. Dual front floppy drives and hard drive. Maintenance log is included. Rare find.”
LEO: Aren't you amazing.
STEVE: $225.94. So I scored on that one.
LEO: How many do you have now?
STEVE: About 15.
LEO: What are you going to do? Are you making a cluster? What are you…
STEVE: No, I'm just, you know, they might die. I might, you know, you know how many Palm Pilots I have.
LEO: Do you have them in the freezer?
LEO: Well, it'd be kind of cool to line them up all on the wall, you know, and you could…
STEVE: Well, they're all various types, makes, and models. And someday I'm going to program them.
LEO: Great. I love it.
STEVE: In the meantime, we're actually going to do a Q&A.
LEO: A Q&A, yeah, now that you've scored. Brian Mooney - Question 1, Mr. G. - in Springdale, Arkansas, brings news of a new SSL problem: Steve, it looks like they've found another method to work around SSL. And here I am saying how secure SSL is. This isn't based on the faults in the encryption, but on faults in how browsers handle null characters. And he's quoting an article in Macworld magazine from July saying the only “safe” browser is Firefox 3.5.
“Frylock” also raises the issue, are SSL certs completely broken and useless? He says: Huge fan of the show since Episode 1, ran across this on Hackaday.com. Does this not render SSL certificates useless? Please, what's the story?
STEVE: Oh, this is so wonderful, Leo. This surfaced during the Black Hat conference in Las Vegas. It turns out that a null character, that is, a zero, is - to give a little bit of background about how computers process strings for our listeners, a string, like “Now is the time for all good men to come to the aid of their country,” a string in some languages, like you may remember Pascal, you had a byte for the length, it was the first character, that is, the first byte of the string was the length, and then you just had the characters that followed.
LEO: Does anybody still do it that way?
LEO: They're all zero-terminated now, null-terminated.
STEVE: Yes, because the problem with that was that you could not, in Pascal, the original UCSD Pascal, you could never have a string longer than 255 characters.
LEO: Oh, because you only had a byte length to represent it.
STEVE: Because you had a byte. And so, you know, those designers back then said, well, that's plenty.
LEO: No one will ever need more than that.
STEVE: Exactly. Now, what that allowed you to do was to have zeroes in the string because the zeroes didn't have any special meaning.
STEVE: Contemporary languages, like most notably C, there are so-called null-terminated strings, meaning that it's - a string is any collection of characters going on as long as it wants to until a zero byte, a so-called null character. So strings are null-terminated, meaning that you read them until, you know, you follow the string character by character until you hit a zero, telling you, ah, I just hit the end of the string. And in fact that characteristic is indirectly responsible for many of the security vulnerabilities we have because it turns out that it's one of the ways you're able to get exploits to, for example, copy code from one place to another and do your bidding is fancy uses of this null termination.
Well, it turns out that browsers, all browsers except at this point now Firefox 3 has been fixed, 3.5 was, and NSS, which is the Mozilla package that handles secure socket technology. They fixed that, too. But other browsers are stopping the parsing of the domain name in a security certificate at a null. It's not very surprising. That's sort of what you'd expect. The problem is that the security certificate issuers are not looking at nulls in the domains that you apply for.
So here's the scenario. This is wonderful. You apply for a certificate for www.paypal.com[null].mymalicioussite.com. So what that looks like to your certificate authority is you're asking for a subdomain certificate of mymalicioussite.com. Much like, for example, I might - I did get, like, a certificate www.grc.com. So it's GRC.com is the root domain; www is a subdomain, as we know, of GRC.com. But in this case the subdomain is www.paypal.com[null], then mymaliciousdomain.com. So since you control mymaliciousdomain.com, the certificate authority says, make sure that you want a certificate for this subdomain. You say, yes, I would like one very much, please. So they issue it to you. Now you have a valid certificate for this funky domain.
The problem is that browsers, not knowing any better, stop at the first null they encounter. Technically the second null in this case is the actual end of the domain name. But the browser really can't even be faulted for not knowing that. So now the one thing that you could normally not do with an SSL connection is a man-in-the-middle attack because there is no way for you, if you were able to use, for example, ARP spoofing or just splice yourself into a connection somehow, there's no way for you in the middle to pretend to have the valid certificate for PayPal.com because only PayPal has it, as long as certificate authorities do their job.
But now you can do a man-in-the-middle attack. So if you can arrange to intercept traffic, then as soon as you see somebody attempting to go to PayPal.com, you splice into that connection, and you return your certificate with the www.paypal.com[null] subdomain. Since it was a valid certificate issued by a certificate authority, your browser checks their certificate, sees that it's valid. Now it does a comparison of the domain you entered in the URL to the name on the certificate. It stops at the first null, www.paypal.com matches, and it says yes. You are connected to PayPal.com. So it is a functioning, valid, SSL certificate-spoofing technique that is currently unpatched on any but Firefox browsers.
STEVE: Really cool. I mean, this is just a beautiful hack.
STEVE: You know, hats off for the guys who discovered this one.
LEO: So how would you be bit? You would go - you'd have to go to a malicious site to begin with that was posing as PayPal; right?
STEVE: No. This requires traffic interception.
LEO: Oh, it's a man in the middle, yes, yes, yes.
STEVE: So I don't want to - now having talked about how cool this is, I want to back the terror level off from all of our listeners because this isn't going to a malicious site. This isn't - they're like, in order to do this, this is a man-in-the-middle attack. So it's only somebody who can be filtering your traffic, who can be - now, for example open WiFi. Open WiFi is prone to man in the middle because there's no encryption on your connection. So this is a perfect example of something that ARP spoofing, which for example in a hotel that uses hubs instead of routers that we've talked about years ago, or in an open WiFi situation, you can imagine a toolkit where that could be developed. I'm sure they're in the works right now. It may well already be that Metasploit supports this because it doesn't take them long to do, to update their Metasploit framework for these kinds of things.
And this got everybody intrigued. But it means that you have to have your traffic intercepted. So absent that, there's no way that somebody could use this funky certificate. You can imagine all the certificate authorities who also know about this are going to get on the ball and be careful not to issue domain names with null characters in them, and that very quickly all the browsers will be updated in order to be smarter about this. So I think this will close fast. But it's open at the moment, except for Firefox.
LEO: And you probably don't have anything to worry about.
STEVE: And you probably don't have anything to worry about. I mean, it would really require someone have access to your traffic. I would say, in the habits that most people have, nonsecured WiFi is the really - is the only obvious place where this could happen. And frankly there it's trivial.
LEO: Sparky is saying, what about a blended threat using a DNS spoof, perhaps?
STEVE: That's a very good point. That's another way of somebody getting you to go to the wrong site. So if you - because normally the DNS spoof would take you to the wrong IP for what you thought you had entered. Oh, wait, no, that wouldn't work because you would - your browser would think it was going - let me think. Would that work or not? The certificate - oh, yeah, that would work, absolutely. Your browser thinks it's going to PayPal.com. It goes to the wrong IP.
LEO: But gets the certificate.
STEVE: Yes. The server there returns its valid certificate that's got PayPal.com on the front and mymaliciouswebsite.com on the back, and your browser would be completely happy with it. So, yes, that's another - DNS spoofing does allow and support a man-in-the-middle attack. But again, you know, that's still less common than anybody using open WiFi. Which, I mean, I'm, in Southern California I'm surrounded by it.
LEO: Oh, everybody, yeah.
STEVE: Exactly. People are annoyed that Starbucks makes you log on. Of course, once you do it's still unencrypted. So it might as well be open. So, yeah, anyway, this is just very cool. And I imagine we will see immediate updates for the SSL back-end components of all of the browsers just as quickly as they can deal with it. And of course we'll let our listeners know.
LEO: Question 2, Andrew H. in Texas says Microsoft Security Essentials not free for all: Hey guys, sorry to be the bearer of bad news. I think we said it was free. Microsoft's Security Essentials is not free for commercial use. According to the website, it says “for your home PC,” and it will not run on Windows Server. Also David Horwitz in Denver, Colorado says the same thing: I really learn and enjoy your weekly podcast, Steve. I'm using Microsoft Security Essentials beta, very happy with the usability of the product. What is your ability, I'm sorry, your opinion of the product, and when will it be available without the beta label? Thanks for all the good information. David. So, yeah. It's not for commercial use.
STEVE: Essentially what happens is Microsoft has taken their high-end corporate IT Microsoft Forefront product - that's where this came from. That's Microsoft's big iron sort of formal corporate level. They've been able to test it and round it out and make it work, develop all the signatures and patterns and really nail this thing down. Then what they're doing is they're peeling off a sort of like a junior version of it, which will be available for home PC users. They're deliberately crippling that, that is, the Security Essentials, so that it senses whether it's running on a - someone's attempting to run it on a server platform. And it will not run on their Server versions of Windows. Which Microsoft has done similar things like this before.
So I remain bullish on Security Essentials, to answer also David's question. I am so excited that Microsoft is going to get into this. The people, security researchers who have been looking at it, are very impressed…
STEVE: …with its zero false-positive track record so far.
LEO: Okay. That's good. But does it also - how accurate is it in finding viruses?
STEVE: It's deadly accurate.
LEO: Oh, that's excellent.
STEVE: I mean, I think this puts everybody else in real trouble. So, I mean, I'm not shedding a tear because I know, you know, I've got so many people who are just not that computer savvy. And they'll be much happier, I mean, these are the people I can't drag away kicking and screaming from IE. So it's like, okay, fine, stay there. But just tell Microsoft you want Security Essentials. And as far as I know it's going to be later this year. So later in '09 it's supposed to be happening, out of beta.
LEO: We've been talking about it on Windows Weekly. And I just don't remember off the top of my head what the official date is. But anyway, yeah, soon.
STEVE: Good news, and we'll certainly let everyone know. And it's the first AV I will use. I just, you know, I've gotten along without one being careful. But I'd like the idea of it being - the problem is, so many of these are just glommed onto Windows and cause more trouble than the virus, especially if you never get any.
LEO: Right. And, you know, I'm just saying - beta tests started June 23rd…
STEVE: And immediately shut down because they offered 75,000, and it just sold out in less than a day.
LEO: And all they say is by the end of calendar 2009, as you said.
LEO: Question 3, Phil in Los Angeles wonders about cellular broadband security. This is a good question: Steve, I've recently started tethering my G1 phone to my laptop to get Internet when I'm not near a wireless connection. I was wondering what are the security implications for doing this? By tethering, or using something like the MiFi, which is the $60 a month EVDO solution…
STEVE: I'll have one by the end of the day, Leo.
LEO: I love it. I love it. Is the connection as unsafe as hardwiring my laptop to the Internet without a router? If so, what should I be doing to keep my computer as safe as possible while tethering? In the event you answer this question, please keep the response as simple and pedestrian as possible. I'd like to understand the answer. Me, too, Phil.
STEVE: Okay, Phil. There's many different areas of broadband security. One is the idea of cracking the relatively - even more than relatively - the very weak encryption of the connection. There are cracking devices around. They're not common. They're expensive. But they exist, meaning that the “encryption,” unquote, that is being used for our digital cellular connections today is not near the grade of encryption that is available everywhere.
LEO: Really. Oh, I didn't know that.
STEVE: Yeah, they used - remember the problem is that these standards were put in place when phones had calculator watch chips in them, you know, really low power technology is when these standards were put in place. So now we're all carrying computers around in our pocket that decompress highly compressed MPEG-4 video at 30 frames per second. I mean, these things have computing power just falling out of themselves. But that wasn't the case back when these standards were built.
So, for example, there are multiple shift registers with prime numbers of bits which rotate in a circle, and the outputs are XORed in order to create a pseudorandom bit stream which is XORed with the digital data. We know that if that pseudorandom bit stream was really high quality, really random, and could not be guessed, that XORing your digital data with that makes virtually uncrackable encryption. I mean, it's very good encryption. The problem is, if you just use some shift registers that everyone knows about - I mean, this is in the spec, it's in the standard. They tried to keep it secret, which of course is the first bad sign. They didn't want anyone to know. But inevitably this information got loose.
And so they also used frequency hopping so that it's not - you don't just put up an antenna and suck this stuff in. You need to be clever about tracking the frequency jumps that the digital signals make. But that's all been done, too. So there's that aspect of it. But when he specifically asks relative to hardwiring an external router on his computer, that makes me think that he's talking in terms of, like, the attack, external attacks within the channel, which is itself not as secure as we would like, as I was just saying. And I just realized I completely blew him out of the water because he wanted a simple and pedestrian answer, and I don't…
LEO: I wasn't going to - I was going to let you finish, and then I was going to say, okay, now tell me the answer [laughter].
LEO: No, keep going with the technical one. I think that that's important.
STEVE: Okay, so…
LEO: But then we'll get the bottom line after that.
STEVE: So there's the one problem of someone actually cracking the wirelessness of your connection. And that exists, but it's very, very slim. Then there's the problem of you being on the Internet. And so in that sense it doesn't matter how you're on the Internet. In this case he's on the Internet using broadband cellular.
Now, there's two possibilities. And we actually discussed these a little bit last week. Remember there was a - someone wrote in and asked why do I sometimes have this IP, and it was like 142.something or other, meaning a public IP, and why do I sometimes have 10.something, which is a private IP? So if you had a public IP, then it's very likely that any traffic out on the Internet can come to you.
If you are behind - if you have a private IP, like 10.something, then that means that someone somewhere, no doubt your ISP, your cellular broadband provider, has a NAT router, which is a NAT just like you might have. It's not quite the same as yours because it's possible that other people on the cellular network could have access to you. They also have a 10-dot IP. So do you. So there might be some visibility from one phone connection to the next, so it's not as private. But at least you're protected from the public Internet behind a NAT router that doesn't know how to send traffic to you unless you've got a connection established to that external location.
So again, the problem is this isn't a simple, easy answer to - or easy question to answer, if you're going to broadly look at the implications of cellular broadband security.
LEO: I guess the question is should I - are there any precautions I should take? Should I stay away from banking? What should I not do?
STEVE: Okay. If he talks about as unsafe as hardwiring his laptop to the Internet without a router…
LEO: It's not that unsafe.
STEVE: Then really the only thing a router is providing you is essentially a hardware firewall. So you've got a software firewall in any computer you're now using. The Macs have them, Windows has them, Linux machines have them. So if you're behind your software firewall, since you're not concerned about malware in your machine messing with it, you're concerned about external threats getting in, you're safe.
LEO: Okay. But don't assume that every transaction is encrypted. Or safely encrypted.
STEVE: That's very much the case. Well, you've got encryption on your broadband.
LEO: Just weak encryption.
STEVE: It's not state-of-the-art powerful. It's not AES, SSL-style, or triple DES even. I mean, it's weak encryption. But it's way good enough so that it's very unlikely that anyone is going to be able to hack in and track your spectrum frequency jumping cellular phone all around.
LEO: And they'd have to be going after you particularly?
STEVE: There's now equipment which is very good about cracking this kind of stuff. But it's very expensive. It's not stuff that hobbyists have.
LEO: Okay. So I guess the pedestrian answer is you probably don't need to worry about it. Theoretically it's a possibility. But it would have to - it's a pretty high-end thing to do.
STEVE: And wherever possible use SSL. If you've got an SSL connection, then irrespective of everything else, even if they could hack into your frequency spectrum-hopping, pseudorandom stream-encrypted connection, then they hit real industry-strength encryption, and they don't go any further.
LEO: I always, you know, of course your banking and all your purchases are probably SSL anyway. But I try to - the one thing that really is a vulnerability it seems to me is your email. If you're not sending that password encrypted, if you're not reading the email encrypted, you should. And most email providers will let you do that.
LEO: John Jones in Wirral, U.K. is seeing red in Firefox: Hi, Steve. After having problems with some sites that I need to visit responding very sluggishly, I finally complained to the admin of one of those sites. He said, “Well, you're using IE7. That could be the problem.” He says his site was not meant to be used by such an old browser. It's not that old.
LEO: Whilst I balked at the thought of IE7 being old, I thought, oh, well, what the heck. I got the latest version of Firefox and have been forcing myself to use it after hearing that you are now exclusively, except for updates, doing the same.
LEO: The good news is all my sites are indeed much snappier now. However, I have noticed something in Gmail that is bugging me. I have my account settings to always use HTTPS. This is exactly what we were just saying, which is he's using SSL when he logs in and reads his email in Gmail. And when I initially log into my account, it shows HTTPS and the rest of the URL in green text as one would expect. I'm safe. But after a few minutes of maintaining my emails, I've noticed the text in the URL has gone to red. It still says HTTPS, but now it's red. If I right-click and view the page info it says, “Connection Partially Encrypted.” This is - I get this message a lot from IE, as well. Well, this page is only partially encrypted. You want to continue? Doesn't tell you what part.
If I further click on Details it says, “Parts of the page you are viewing were not encrypted before being transmitted over the Internet. Information sent over the Internet without encryption can be seen by other people while it's in transit.” The URL text never goes back to green until the next time I log in, but never stays green. What's going on? Are my transmissions encrypted or not?
STEVE: Well, people who used to use IE may be familiar with the little popup that IE generates. It says, “This page contains mixed content.”
LEO: Mixed content, yeah.
STEVE: That's what they used to say. And I can't diagnose what's going on with Gmail, but I can explain what this means. It's probably not something to concern yourself with. But my guess is there's a little glitch in Gmail somewhere.
LEO: Well, I think I can answer. I mean, I think some of the text that's sent by Gmail, perhaps the Google ads, they're not encrypting. But I'm pretty certain your email is encrypted.
STEVE: And that's why I'm suggesting that it's really not something to worry about. Now, remember that the way a web page is built is that there's the main body of the page, which is the text typically that you get from the URL. It says HTTPS, which is your assurance that that portion that is the original sort of text content is encrypted. The problem is that when the browser receives that, it contains requests, other URLs to other stuff, for example, images and other components of the page. They all, if they don't specify any HTTP://, that is, if it's a so-called relative URL, where for example it'll just say the URL is /images.google.com and then the name of the image, what the browser does is, it just says, oh, this is relative to the current page, meaning that whatever encryption the current page is using, that fetch for that asset, that image will also use. So there you sort of automatically get all of the assets of the page fetched over the same encryption or not as the main page.