SERIES: Security Now!
DATE: March 27, 2013
TITLE: Listener Feedback 164
SPEAKERS: Steve Gibson & Leo Laporte
SOURCE FILE: http://media.GRC.com/sn/SN-397.mp3
FILE ARCHIVE: http://www.GRC.com/securitynow.htm
DESCRIPTION: Steve and Leo discuss the week's major security events and answer questions and comments from listeners of previous episodes. They tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real-world 'application notes' for any of the security technologies and issues we have previously discussed.
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. Oh, get ready for this. We've got a Q&A episode. We're going to talk about security. We're going to talk about DDoS attacks. We're going to talk about telnet exploits. But we're also going to talk about coffee and Bitcoin and science fiction. Stay tuned. Security Now! is next.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 397, recorded March 27th, 2013: Your questions, Steve's answers, 164.
It's time for Security Now!, the show that's designed, carefully cultivated, and in fact proven, four out of five doctors recommend it, for protecting you online - your privacy, your security. And we thank this guy right here, the Explainer in Chief, Steve Gibson, for making it possible for six-plus years now. Hi, Steve. Happy Birthday.
STEVE GIBSON: Hey, Leo. Thank you. Yesterday was the big day for me, 58.
LEO: When you started this show you were just a young man of 52.
STEVE: That's right. Actually, I feel better today than I did then. I don't really know why, but…
LEO: I know why, and you know why. You just don't want to say it.
LEO: Because of your regimen, your Vitamin D and your…
STEVE: Before I turned 50 I started, I decided I was going to get serious about looking into nutrition and supplements and physical condition. And it's like, okay, I have the time now, I'm going to do it. And I've…
LEO: You're never going to die now, Steve. Never.
STEVE: I've learned a lot, yeah.
LEO: You're going to live forever.
STEVE: So a bunch of nice stuff this week. We've got a Q&A episode, our 164th Q&A. At the top of the news we've got both good news and bad news regarding Apple and authentication.
LEO: Oh, what a mess that was.
STEVE: Oh, my goodness. Well, the bad news is a really great case study for us and our listeners because it was such a mess.
LEO: It was a cross-site forgery exploit, as I understand it.
STEVE: No, not at all, actually.
STEVE: It was just a mistake. So it had nothing to do with cross-site anything. It was just a very simple web app programming mistake. Okay, so this involved an “I forgot my password” problem. So this was so-called “password recovery” at Apple. And until this came to light - and to Apple's credit they shut it down quickly, that is, within a day it was fixed. But it was so easy to fix because it was such a glaring, obvious mistake. So, I mean, this is What Not to Do 101 on Internet security. You'd go to iforgot.apple.com. And you went through a series of steps. You give them your email address for your registered account, and then they want your date of birth. So you put that in. Then you answer two security questions which you had previously provided, obviously, the answers to before. Then you enter the new password you want to use for your account.
Well, the mistake they made, first of all - let's back up a little bit and remember how we've sort of forced the web, which was originally designed to deliver content, how we forced it to accept content, that is to say, like the answers to these questions, the email address, the password and so forth. The Internet never was designed for this, really. It was designed as a read-only medium with links, hyperlinks - oh, what a concept - that you click on, that take you to other read-only pages that may have their own hyperlinks that you click on, and they take you to others. So that was the original concept.
And then someone said, what if we want to, like, log in to, like, we want to protect some of these pages so just not everybody can click on the links and get to them. And then the gurus of old said, “Hmm. Really? We hadn't really planned for that.” And the people said, “Yeah, but wouldn't that be cool?”