«Transcript of Episode #478 Page 1 of 18 Transcript of Episode #478 Poodle Bites Description: After catching up with a few interesting events from the ...»
Security Now! Transcript of Episode #478 Page 1 of 18
Transcript of Episode #478
Description: After catching up with a few interesting events from the past week, Steve
and Leo take a deep dive into the details of the Internet's latest security "catastrophe"
which has been named "Poodle." Steve first carefully explains the trouble, then debunks
it completely, showing why the vulnerability should be fixed but will probably never be exploited.
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-478.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-478-lq.mp3 SHOW TEASE: It's time for Security Now!. Steve Gibson is here. You've probably heard about the "frufarah," the folderol, the fracas around this new exploit called Poodle. Steve says it's just a load of mutton. The latest on Poodle and all the security news, next on Security Now!.
Leo Laporte: This is Security Now! with Steve Gibson, Episode 478, recorded October 21st, 2014: Poodle Bites.
It's time for Security Now!, the show where we cover your security, your privacy online. We talk about hacks, exploits, attackers, the new word Steve's going to use for bad guys on the 'Net.
Steve Gibson: Yup.
Leo: Steve Gibson's here. That's the Steve I'm talking about, of GRC.com, the creator of SpinRite and also a father of spyware. Not that he made it, he discovered it and created the first antispyware tools. It's good to see you once again, Steve. Ten years we've been doing this show. Almost.
Steve: Feels like just the other day you were suggesting this. And I thought, what? I don't think we have enough to talk about. In fact...
Leo: Second show we did on the TWiT network.
Security Now! Transcript of Episode #478 Page 2 of 18 Steve: We have so much to talk about we don't even get to our regularly scheduled stuff anymore. It's like, this week was supposed to be a Q&A to follow up on last week's discussion of the tokenizing purchasing system. And one of my little notes here is just to mention that, of course, Apple Pay went live yesterday. And in fact my phone, I went over, and it was saying, hey, you can update to 8.1 at any time. And I thought, well, okay, I'll do it now. So it's over there doing that.
But what happened was we talked - I mentioned sort of tangentially last week that there were rumors of something that was going to be disclosed, I think I said noon Pacific time on Wednesday, that was, like, synchronized with some particular time in Europe, I don't remember what or why. But it didn't last that long.It was just too big. And so it leaked out later in the day on Tuesday. And that's the so-called and annoyingly named "Poodle" exploit. You know, 2014, looking back on it, I hope we're able to look back on it...
Steve: It's been a rough year. Yeah, boy. Heartbleed, and what was the one we just had? I'm blanking on it. Shellshock. Heartbleed and Shellshock, and now we have Poodle.
Steve: I'm excited about this podcast because this is a really interesting problem which pulls a lot of the different things that we've discussed over the years together. People who have not managed to survive with us over the years or, that is, who haven't been here that long, will still be able to follow along. But what I realized when I was first researching it last week, was that it was nonsense. It's like, whoa, okay, wait a minute.
It turns out that there is a problem, but nobody would ever attack you that way. So, and by the end of the podcast, everyone will understand what I mean by that because it's really not that complicated. But it's got lots of interesting moving parts and details which is the kind of stuff we like to do here. So I think everyone is going to enjoy the next hour and a half or so. And there really wasn't, other than that, that much news. But we'll get to that and then dig into Poodle Puddles.
Leo: All right, Steve.
Steve: Okay. So, like I said, not a lot of news this week. We did have, I just sort of wanted to mention because a lot of people tweeted it, unfortunately we've got the FBI guy, James Comey, who is much in the news lately, now grumbling at his first official speaking engagement at the Brookings Institution in Washington. And this is like his first major policy speech, even though he's been at the FBI for 13 months. I guess someone said, "Come talk to us." And so he's complaining, not surprisingly, because we've been hearing grumbles of this for the last few weeks, about the encryption, the enhanced encryption in Apple and Google products and now, as expected, beginning to make noises about maybe it's time for a legislative "fix," in quotes.
Leo: Oh, oh, a backdoor.
Security Now! Transcript of Episode #478 Page 3 of 18 Steve: Exactly. And of course our listeners will know that I felt this happening a couple years ago, which is why I stopped working on CryptoLink, was because it just felt to me like the way the country was going there was going to be some legislation, or if nothing else we were going to go through a painful period. And we're not in it yet. We're approaching it. The Huffington Post covered this, and I liked their reporting of it. They said that Comey said he understood the, quote - and I love this, this is like poll tested the 'justifiable surprise' many Americans felt after former National Security Agency contractor Edward Snowden's disclosures about mass government surveillance." Yes, we were justifiably surprised, Leo.
But he said, the Huffington Post said he contends "that recent shifts by companies like Apple and Google to make data stored on cell phones inaccessible to law enforcement" have gone too far. Comey said, quote: "Perhaps it's time to suggest that the postSnowden pendulum has swung too far in one direction" - okay, now, I would argue it's still on its upswing, away from center, where it had been. And he said: "...in a direction of fear and mistrust. Justice, he said, may be denied because of a locked phone or an encrypted hard drive." And when I saw that I got a little chill. It's like whoa, ho, okay, what, what? An encrypted hard drive, uh-huh.
So Comey said that the FBI was seeing, quote, "more and more cases," unquote, in which law enforcement officials believe there was significant evidence on a laptop or phone which they couldn't access - so we are talking about hard drive encryption, too due to encryption. It's not clear, however, that any of the cases he specifically referenced, and apparently he talked about a murder in Louisiana and a hit-and-run homicide in California, that they could not have been solved with a traditional warrant to cellular service providers.
And then, happily, Matthew Green, our assistant crypto professor at Johns Hopkins who's been much active recently, he was approached by the Huffington Post for his reaction to this, and he said: "Law enforcement has access to more data than they've ever had. As a society we're just finally trying to get back to a point where it's a little more in line with what law enforcement would have been able to get back in the '80s," you know, meaning that we have to have some sense of balance here.
And then on background the Huffington Post finished by saying: "Snowden's revelations have provided a crisis abroad for major U.S. tech companies, which could lose billions as foreign customers leery of American software and devices compromised by the NSA turn to other providers. Comey said that he was, quote, 'not trying to jump on the companies,' like Apple and Google, that implemented encryption systems closed off to law enforcement and that he believed they were, quote, 'responding to a marketing imperative.'" So anyway, it's just, okay, I mean, back when the whole Snowden revelations occurred, one of the things we said on this podcast was that this was going to happen, that math is fundamentally unbreakable. We have unbreakable math. And the fact that we've been maybe somewhat lackadaisical in deploying it or enforcing it doesn't mean that it's not available to us. And it really hasn't taken long at all. What, a year? Because I think it was just about a year ago. And look at, you know, the terrain from the protection of the consumer's privacy today looks very different than it did a year ago.
And all of us would argue, I mean, I heard you on MacBreak Weekly covering the China government hacking story, where they were basically using a weak browser to get manin-the-middle interception of their citizens' access to iCloud and using it to capture their usernames and passwords in order to decrypt their data. And so it's not anti-law enforcement. I mean, I understand from the FBI position that's their bias and the way Security Now! Transcript of Episode #478 Page 4 of 18 they see it. But it's truly as much protection against foreign governments and attackers as it is against law enforcement. I mean, it is just privacy that the math makes possible.
So anyway, we were talking before we recorded...
Leo: Yes, [indiscernible].
Steve: Yes, you and I both received envelopes from Yubico, our friend Stina Ehrensvrd at Yubico. My Twitter feed went crazy starting around midnight last night. Google posted on their blog, and Yubico sent out coordinated news and also provided you and me both with two of their latest toys. Yeah, you've got the little blue one right there, and then there's a little tiny one called the Neo-n.
Okay. So Stina and the Yubico engineers have been working with - of course we know that they have a longtime past affiliation with Google because it's one of the reasons that Stina moved Yubico from Sweden over to the peninsula was so she could be here in Silicon Valley in the hotbed of all this. And of course Google is a major player here. So she's been working with them, and she's also - I think I read that she's on the board of directors now of the so-called FIDO Alliance. And the FIDO Alliance is some hundred-plus companies that are all gathered together to try to arrive at an open standard for sort of next-generation Internet authentication. All of their work is device-based, that is, like the Yubico YubiKey.
And I guess I would characterize it as like sort of heavyweight. I mean, it is a - there's two specifications in FIDO, and U2F is the lightweight, sort of possible to actually implement specification, as opposed to - I don't even remember what the acronym for the other one is. But that one is so complex that only one company I'm aware of has got it working, and they're the company that helped to write the spec. And, you know, they like to sell stuff. And so it's more in their interest to keep it complicated and license their software than it is to make it open and easy.
And by comparison, because people will say, well, how does FIDO compare to the work I've been doing for the last year on SQRL, SQRL is like super lightweight. You can explain it quickly and easily and implement it quickly and easily. It can use hardware, but it doesn't, it's not tied to hardware, where the FIDO stuff always will be. So there's certainly room for more than one solution in the industry, and we'll see how all this pans out.
But so what Yubico has now is the most inexpensive solution they've ever offered. That blue key - the blue pill - the blue key you are holding, Leo, is only $18 on Amazon. And if you're a Prime Member, shipping is free, so it's $18. And that will not do all of the things we've talked about before with Yubico. That is, it's not a one-time password, touch the thing and it emits a string of sequentially encrypted one-time password tokens.
Leo: Because it looks exactly the same as those.
Steve: It's pretty much, well, and the blue color, that's how you know, is it's blue. But it's also much less expensive than their prior technology. But all it does is the FIDO U2F, which currently is supported by Google and Chrome, but being an open standard can spread if it's going to. So, and knowing Stina, it'll be spreading.
Leo: Yeah, see, because here's the old YubiKey.
Steve: That's true, yeah, so you can - if you can't tell the difference. So that one's inexpensive and does U2F. Their newest product is the - oh, and that's called the Security Key. Google uses the term. I didn't see Yubico mentioned anywhere on Google's page, which I thought was a little bit - I don't know.
Steve: No, actually. I think I noticed there was one other...
Leo: Yubico, they say in the letter they're on the whatever, the panel, the board, the...
Steve: Yeah, yeah, exactly. Anyway, so there's the - I think it's the Neo and the Neo-n are the two other new technologies. The NEO is 50 bucks, and the Neo-n is 60. And the Neo-n, the "n" of the Neo-n stands for NFC. So that gives you near field communications technology. And both of those are these cute little almost square things that are just sort of like just the plug part of a USB, sort of like you took the YubiKey and snapped it off like where it inserts. Anyway, those are both available. And they do, not only the new FIDO U2F, but all the other traditional Yubico protocols - one-time password, something called JavaCard which is another standard, and a couple other standards.
So they're very much standards-based. And where necessary, Stina goes and creates new standards, like she has with basically the bifurcation of FIDO into U2F, which it's actually possible to use, and the other thing that's not off the ground yet because it's like the Spruce Goose of authentication. So anyway, if you just go to Yubico, Y-U-B-I-C-O, dotcom, which is what I did this morning, and click on Products, it takes you to a nice grid where you can see the lineup of the various hardware offerings, the suggested retail pricing, and then what protocols each one supports and so forth. So the good - yeah, then click on Products up there in the menu.
Security Now! Transcript of Episode #478 Page 6 of 18
Steve: Okay. Well...
Leo: I'm looking at this, and I don't see NFC on the Neo-n, just on the Neo.
Steve: Oh, it does - so it does show it on the - that's weird. So the Neo is less expensive than the Neo-n. I don't know, I guess I don't understand that. Anyway, that's why I recommended people go there, because the grid is comprehensive.
Leo: I think the only one that has NFC is the Neo. The Neo-n does not.
Steve: Okay. Maybe that's what the "n" stands for, "not." No NFC.