
Security Now! Transcript of Episode #478 Page 1 of 18

Transcript of Episode #478

Poodle Bites

Description: After catching up with a few interesting events from the past week, Steve and Leo take a deep dive into the details of the Internet's latest security "catastrophe" which has been named "Poodle." Steve first carefully explains the trouble, then debunks it completely, showing why the vulnerability should be fixed but will probably never be exploited.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-478.mp3

Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-478-lq.mp3

SHOW TEASE: It's time for Security Now!. Steve Gibson is here. You've probably heard about the "frufarah," the folderol, the fracas around this new exploit called Poodle. Steve says it's just a load of mutton. The latest on Poodle and all the security news, next on Security Now!.

Leo Laporte: This is Security Now! with Steve Gibson, Episode 478, recorded October 21st, 2014: Poodle Bites.

It's time for Security Now!, the show where we cover your security, your privacy online. We talk about hacks, exploits, attackers, the new word Steve's going to use for bad guys on the 'Net.

Steve Gibson: Yup.

Leo: Steve Gibson's here. That's the Steve I'm talking about, of GRC.com, the creator of SpinRite and also a father of spyware. Not that he made it, he discovered it and created the first antispyware tools. It's good to see you once again, Steve. Ten years we've been doing this show. Almost.

Steve: Feels like just the other day you were suggesting this. And I thought, what? I don't think we have enough to talk about. In fact...

Leo: Second show we did on the TWiT network.

Steve: We have so much to talk about we don't even get to our regularly scheduled stuff anymore. It's like, this week was supposed to be a Q&A to follow up on last week's discussion of the tokenizing purchasing system. And one of my little notes here is just to mention that, of course, Apple Pay went live yesterday. And in fact my phone, I went over, and it was saying, hey, you can update to 8.1 at any time. And I thought, well, okay, I'll do it now. So it's over there doing that.

But what happened was we talked - I mentioned sort of tangentially last week that there were rumors of something that was going to be disclosed, I think I said noon Pacific time on Wednesday, that was, like, synchronized with some particular time in Europe, I don't remember what or why. But it didn't last that long. It was just too big. And so it leaked out later in the day on Tuesday. And that's the so-called and annoyingly named "Poodle" exploit. You know, 2014, looking back on it, I hope we're able to look back on it...

–  –  –

Steve: It's been a rough year. Yeah, boy. Heartbleed, and what was the one we just had? I'm blanking on it. Shellshock. Heartbleed and Shellshock, and now we have Poodle.

–  –  –

Steve: I'm excited about this podcast because this is a really interesting problem which pulls a lot of the different things that we've discussed over the years together. People who have not managed to survive with us over the years or, that is, who haven't been here that long, will still be able to follow along. But what I realized when I was first researching it last week, was that it was nonsense. It's like, whoa, okay, wait a minute.

It turns out that there is a problem, but nobody would ever attack you that way. So, and by the end of the podcast, everyone will understand what I mean by that because it's really not that complicated. But it's got lots of interesting moving parts and details which is the kind of stuff we like to do here. So I think everyone is going to enjoy the next hour and a half or so. And there really wasn't, other than that, that much news. But we'll get to that and then dig into Poodle Puddles.

Leo: All right, Steve.

Steve: Okay. So, like I said, not a lot of news this week. We did have, I just sort of wanted to mention because a lot of people tweeted it, unfortunately we've got the FBI guy, James Comey, who is much in the news lately, now grumbling at his first official speaking engagement at the Brookings Institution in Washington. And this is like his first major policy speech, even though he's been at the FBI for 13 months. I guess someone said, "Come talk to us." And so he's complaining, not surprisingly, because we've been hearing grumbles of this for the last few weeks, about the encryption, the enhanced encryption in Apple and Google products and now, as expected, beginning to make noises about maybe it's time for a legislative "fix," in quotes.

Leo: Oh, oh, a backdoor.

Steve: Exactly. And of course our listeners will know that I felt this happening a couple years ago, which is why I stopped working on CryptoLink, was because it just felt to me like the way the country was going there was going to be some legislation, or if nothing else we were going to go through a painful period. And we're not in it yet. We're approaching it. The Huffington Post covered this, and I liked their reporting of it. They said that Comey said he understood the, quote - and I love this, this is like poll tested - "the 'justifiable surprise' many Americans felt after former National Security Agency contractor Edward Snowden's disclosures about mass government surveillance." Yes, we were justifiably surprised, Leo.

But he said, the Huffington Post said he contends "that recent shifts by companies like Apple and Google to make data stored on cell phones inaccessible to law enforcement" have gone too far. Comey said, quote: "Perhaps it's time to suggest that the post-Snowden pendulum has swung too far in one direction" - okay, now, I would argue it's still on its upswing, away from center, where it had been. And he said: "...in a direction of fear and mistrust. Justice, he said, may be denied because of a locked phone or an encrypted hard drive." And when I saw that I got a little chill. It's like whoa, ho, okay, what, what? An encrypted hard drive, uh-huh.

So Comey said that the FBI was seeing, quote, "more and more cases," unquote, in which law enforcement officials believe there was significant evidence on a laptop or phone which they couldn't access - so we are talking about hard drive encryption, too - due to encryption. It's not clear, however, that any of the cases he specifically referenced, and apparently he talked about a murder in Louisiana and a hit-and-run homicide in California, that they could not have been solved with a traditional warrant to cellular service providers.

And then, happily, Matthew Green, our assistant crypto professor at Johns Hopkins who's been much active recently, he was approached by the Huffington Post for his reaction to this, and he said: "Law enforcement has access to more data than they've ever had. As a society we're just finally trying to get back to a point where it's a little more in line with what law enforcement would have been able to get back in the '80s," you know, meaning that we have to have some sense of balance here.

And then on background the Huffington Post finished by saying: "Snowden's revelations have provided a crisis abroad for major U.S. tech companies, which could lose billions as foreign customers leery of American software and devices compromised by the NSA turn to other providers. Comey said that he was, quote, 'not trying to jump on the companies,' like Apple and Google, that implemented encryption systems closed off to law enforcement and that he believed they were, quote, 'responding to a marketing imperative.'" So anyway, it's just, okay, I mean, back when the whole Snowden revelations occurred, one of the things we said on this podcast was that this was going to happen, that math is fundamentally unbreakable. We have unbreakable math. And the fact that we've been maybe somewhat lackadaisical in deploying it or enforcing it doesn't mean that it's not available to us. And it really hasn't taken long at all. What, a year? Because I think it was just about a year ago. And look at, you know, the terrain from the protection of the consumer's privacy today looks very different than it did a year ago.

And all of us would argue, I mean, I heard you on MacBreak Weekly covering the China government hacking story, where they were basically using a weak browser to get man-in-the-middle interception of their citizens' access to iCloud and using it to capture their usernames and passwords in order to decrypt their data. And so it's not anti-law enforcement. I mean, I understand from the FBI position that's their bias and the way they see it. But it's truly as much protection against foreign governments and attackers as it is against law enforcement. I mean, it is just privacy that the math makes possible.

So anyway, we were talking before we recorded...

Leo: Yes, [indiscernible].

Steve: Yes, you and I both received envelopes from Yubico, our friend Stina Ehrensvärd at Yubico. My Twitter feed went crazy starting around midnight last night. Google posted on their blog, and Yubico sent out coordinated news and also provided you and me both with two of their latest toys. Yeah, you've got the little blue one right there, and then there's a little tiny one called the Neo-n.

Okay. So Stina and the Yubico engineers have been working with - of course we know that they have a longtime past affiliation with Google because it's one of the reasons that Stina moved Yubico from Sweden over to the peninsula was so she could be here in Silicon Valley in the hotbed of all this. And of course Google is a major player here. So she's been working with them, and she's also - I think I read that she's on the board of directors now of the so-called FIDO Alliance. And the FIDO Alliance is some hundred-plus companies that are all gathered together to try to arrive at an open standard for sort of next-generation Internet authentication. All of their work is device-based, that is, like the Yubico YubiKey.

And I guess I would characterize it as like sort of heavyweight. I mean, it is a - there's two specifications in FIDO, and U2F is the lightweight, sort of possible to actually implement specification, as opposed to - I don't even remember what the acronym for the other one is. But that one is so complex that only one company I'm aware of has got it working, and they're the company that helped to write the spec. And, you know, they like to sell stuff. And so it's more in their interest to keep it complicated and license their software than it is to make it open and easy.

And by comparison, because people will say, well, how does FIDO compare to the work I've been doing for the last year on SQRL, SQRL is like super lightweight. You can explain it quickly and easily and implement it quickly and easily. It can use hardware, but it doesn't, it's not tied to hardware, where the FIDO stuff always will be. So there's certainly room for more than one solution in the industry, and we'll see how all this pans out.

But so what Yubico has now is the most inexpensive solution they've ever offered. That blue key - the blue pill - the blue key you are holding, Leo, is only $18 on Amazon. And if you're a Prime Member, shipping is free, so it's $18. And that will not do all of the things we've talked about before with Yubico. That is, it's not a one-time password, touch the thing and it emits a string of sequentially encrypted one-time password tokens.

Leo: Because it looks exactly the same as those.

–  –  –

Steve: It's pretty much, well, and the blue color, that's how you know, is it's blue. But it's also much less expensive than their prior technology. But all it does is the FIDO U2F, which currently is supported by Google and Chrome, but being an open standard can spread if it's going to. So, and knowing Stina, it'll be spreading.

Leo: Yeah, see, because here's the old YubiKey.

–  –  –

Steve: That's true, yeah, so you can - if you can't tell the difference. So that one's inexpensive and does U2F. Their newest product is the - oh, and that's called the Security Key. Google uses the term. I didn't see Yubico mentioned anywhere on Google's page, which I thought was a little bit - I don't know.

–  –  –

Steve: No, actually. I think I noticed there was one other...

Leo: Yubico, they say in the letter they're on the whatever, the panel, the board, the...

Steve: Yeah, yeah, exactly. Anyway, so there's the - I think it's the Neo and the Neo-n are the two other new technologies. The Neo is 50 bucks, and the Neo-n is 60. And the Neo-n, the "n" of the Neo-n stands for NFC. So that gives you near field communications technology. And both of those are these cute little almost square things that are just sort of like just the plug part of a USB, sort of like you took the YubiKey and snapped it off like where it inserts. Anyway, those are both available. And they do, not only the new FIDO U2F, but all the other traditional Yubico protocols - one-time password, something called JavaCard which is another standard, and a couple other standards.

So they're very much standards-based. And where necessary, Stina goes and creates new standards, like she has with basically the bifurcation of FIDO into U2F, which it's actually possible to use, and the other thing that's not off the ground yet because it's like the Spruce Goose of authentication. So anyway, if you just go to Yubico, Y-U-B-I-C-O, dotcom, which is what I did this morning, and click on Products, it takes you to a nice grid where you can see the lineup of the various hardware offerings, the suggested retail pricing, and then what protocols each one supports and so forth. So the good - yeah, then click on Products up there in the menu.


–  –  –

Steve: Okay. Well...

Leo: I'm looking at this, and I don't see NFC on the Neo-n, just on the Neo.

Steve: Oh, it does - so it does show it on the - that's weird. So the Neo is less expensive than the Neo-n. I don't know, I guess I don't understand that. Anyway, that's why I recommended people go there, because the grid is comprehensive.

Leo: I think the only one that has NFC is the Neo. The Neo-n does not.

Steve: Okay. Maybe that's what the "n" stands for, "not." No NFC.
