I'll not say "my home. All right, Steve Gibson. We're now on - you've heard of suicide watch; right? Well, yeah, for people who are suicidal, yeah. We are on Oracle exploit watch, or maybe it's Java exploit watch, courtesy of Oracle. Oh, Java I believe, yeah.
We've spoken about the Polish security researcher, Adam Gowdiak, before, whose company is Security - Sounds like a joke. A Polish security researcher. There's a joke in there, but I'm not going to do it. No, no, no, no. He's a good guy with Security Explorations. And he reported to Oracle, and we have discussed this already a couple weeks ago, he reported discovering a very bad zero-day vulnerability that affects all versions of Java - v5, v6, v7.
He provided them with a demonstration exploit and an explanation of the problem. And they've essentially blown him off. We're going to have to get a little new musical sounder: They blew him off? They said, well, we were unable to get this into the most recent update.
Remember we just had a massive Java update, different problems fixed, in their October refresh. Well, now they're saying they're going to fix this in February of - Kaspersky wrote in their Threatpost blog, they said: Gowdiak's exploit successfully beat a fully patched Windows 7 computer running Firefox. The exploit relies on a user landing on a site hosting the exploit. An attacker would use a malicious Java applet or banner ad to drop the malware and ultimately take over full control of a user's then compromised machine.
So being a little bit annoyed, Adam has now explained that he's fixed the problem, which took him, he says, under 30 minutes. It actually took him 26 minutes to fix the known glaring Java zero-day vulnerability.
And what Oracle is saying is that, oh, they're already in the works testing the February update against all of their different platforms, and it's too late to put this into the release cycle, which is, what, four months away. And so Adam wrote: Minor changes are applied to the code. None of them influence what could be described as an externally visible scope affecting third-party applications.
So the question is, this is not in the wild yet. This is privately disclosed. Adam and his group at Security Explorations know what this is.
It's been made public. We know that there is this problem. And so now the question is, does Oracle find themselves more or less deliberately compromising users' machines through their reticence to fix this now, or to add this to their - to respond quickly. But they also have other things they're patching. I mean, it's not like, I mean, they - So they're saying they're holding to their February release. That's the next time they're going to update Java.
Just don't use Java. Just stop using Java. This is across all browsers, all platforms, all versions of Java. And this is a remote, I mean, this is as bad as it gets, a critical vulnerability that allows anyone who discovers it to take over your machine. Now, it has to come in through the browser, or you have to run a Java program directly on your computer; right?
Kaspersky, describing it, said: But that's what I mean. It comes in through your browser. Your browser has to execute Java. Presumably they could manage an exploit by writing a program with code like that in it that you would download and run separately. Yeah, but, I mean, for example, this could be injected in an ad. So you could have a banner ad served up maliciously somewhere. No, I mean, this is the way people are now getting their machines primarily infected is visiting websites that are taking advantage, I mean, even the fiction that we're reading, Mark Russinovich's, approaches how people get compromised this way because this is how it happens now.
And so here's Oracle, knowing that there's a problem and saying, eh, it's not public, so we're going to wait till February of - Or until it becomes public, which it presumably will. We just had this huge disaster with the Macs all being compromised, hundreds of thousands of Macintosh machines. So it's like, oh, okay. So we are thus on Oracle exploit watch. We'll see what happens. Now, many people tweeted - and thank you, everybody who tweeted - an annoying announcement. And you probably saw this, Leo.
The headline was covered in many different locations, claiming a tenfold bandwidth improvement through using some algebra. And, I mean, like a typical headline was "Algebra creates tenfold bandwidth improvement."
And it's like, I don't think so. But here's the deal. So quoting from, I think this might have been, it wasn't Wired, it was maybe Techworld. Anyway, all of the stories pretty much used the same boilerplate from the press release that the group that is commercializing this put out.
Instead of sending packets, it sends algebraic equations that describe series of packets. So if a packet goes missing, instead of asking the network to resend it, the receiving device can solve for the missing one itself. Since the equations involved are simple and linear, the processing load on a phone, router, or base station is negligible. Well, listeners to this podcast have enough understanding of technology to probably get or guess what's going on.
First of all, there's no way that you get a tenfold bandwidth improvement. And in the press release they talk about how they were demonstrating this by playing a YouTube video on a train somewhere, and theirs was just playing smoothly. So, and I don't mean to downplay what they've done. But this is not a tenfold bandwidth improvement thanks to some algebra.
What they've done is they've added error correction code. And something like this has been done recently. I want to say that the Steam distribution system does this also because I know that Mark Thompson and I, a couple years ago, he was implementing his own content distribution technology for a group that he was working with. And so we were talking about this, and he was looking into the code and so forth.
And I've often talked about error correction in the context, of course, of hard drives. And so it's clear that what they're doing is they're actually adding some overhead to each packet sent, such that, if some are missing, using typical error correction technology, which is not rocket science by any means, they can fill in the missing data.
So, I mean, it's cool, and it's clever, but it certainly doesn't get you a tenfold bandwidth improvement. And they talk about how, if a packet were lost, what you would normally have to do is ask for it again. You'd have to send back, oops, we don't have this packet, and get it again. Now, the streaming protocols already get around doing that.
Security Now! Transcript of Episode #
They'll just skip the packet. You and I are talking back and forth on a streaming protocol designed to be tolerant of lost packets. So anyway, so I just wanted to respond to the many people who tweeted saying, hey, can you tell us about this? First of all, calm down, it's not a tenfold bandwidth improvement. That just isn't available. It is, in fact, if you had perfect packet delivery, it would be a slight bandwidth reduction. Yet in the presence of a certain level of lost packets, then that extra overhead ends up benefiting you, if you're in a situation where your particular use of the Internet is intolerant of a roundtrip delay for dealing with a lost packet, because the overhead you've added to every single packet allows you to compute the contents of lost packets.
So anyway, there's a company, Code-on. And I think it's a good thing. Maybe it'll catch on for certain uses. But a tenfold bandwidth improvement, no. I mean, the only way - you'd be hard pressed, actually, to make the system do that. If you had really high packet loss, then at some point even this system won't help you. I mean, I guess it could be dynamically adaptive so that, as your packet loss goes up, it starts putting more redundancy into the packets in order to increase the amount of correction, to increase a tolerance for packet loss.
It doesn't, I mean, these problems have been solved all over the place in all kinds of ways. The dynamics are different here than, for example, on a hard disk drive because here you do have the ability to ask for data again if you are unable to correct it. On a hard disk drive, once the data has been written, then you lose that data from the write buffer, and you now are required to recover it and correct it when you are trying to read it later. So things are a little bit different than in a real-time data flow.
But anyway, it's an interesting thing. But it'd be interesting to see if you could actually demonstrate a tenfold bandwidth improvement. It would have to be an extremely lossy environment, where you were performing heavy replacement of lost packets.
I don't even know. To me that just seems like you're really stretching it. Another little piece of interesting news that a number of our listeners picked up on and made sure I knew about: A mathematician, Zach Harris, received a spoofed email from Google. That is, it looked like an authentic piece of email from Google, from some sort of a headhunter, like offering him a job.
And he wasn't interested in the job, but he was interested in the fact that this was clearly spam, but it should have been impossible to spoof it because it was protected with Google's DKIM, the Domain Keys Identified Mail. We've talked about the technology of DKIM before. The idea is that the mail is signed with Google's private key, and DNS is used for publishing their public key. So this is a very nice, simple, sort of straightforward demonstration and application of the use of public key crypto.
That is, you use DNS to publish the public signing key, which is used to verify the signature done with the private key. The problem is, when Zach, who is a mathematician, took a look at the email headers, he realized that it was a bit public key.
And we all know that's not enough anymore. And Zach said, he was quoted in an article saying, "I like factoring." And then he spoofed his own email back to Google, and it was like between Brin and - is it Serge? Larry Page and Sergey Brin. He faked, he pretended it was him? He faked an email - Might as well go to the top. That got their attention. What was his email? Yo ho ho, dude? So what this is - and again, this was - the headlines were ridiculous. The headlines were "Massive Internet Security Vulnerability."
This is for spoofing email. And maybe people thought, well, we'll use a bit key because who's going to bother factoring that, just to spoof. It's not a high-value target. I mean, it's not insignificant, either. The DKIM standard calls for a bit minimum key. And that makes sense because, I mean, bits is fine today.
We already know that isn't. There's been no, I mean, that's like where the contests are. The factoring contests are sitting at - looking for factoring a bit key.
We need bits. So I imagine everybody will pretty quickly strengthen their antispoofing public key crypto to bits. It must be, again, remember these are relatively expensive operations. Public key crypto using RSA style is expensive. This is another reason why switching to ECC, elliptic curve crypto, for this sort of application would make sense. Because mail is being processed a lot, obviously. There's huge amounts of mail going back and forth.
And this requires a relatively expensive crypto process in order to process email headers. So that's probably why they were sort of hoping they could get away with a shorter bit key because it would be lower processing overhead.
Doesn't look like that's going to be possible any longer. Because we've got lots of people who like factoring. Yeah, and know how to do it. And we've talked about PIN pad compromises in the past where somebody would maliciously sneak a little radio into the design of the pad. This is 63 stores, geographically spread. This was found because people were getting their debit cards, ATM cards compromised, and fraudulent charges were showing up on them.
And so this problem was located.
This was a hardware hack. They were able to get some hardware. Well, and then there's still not full information available. I tried to dig down, and they're now saying this has happened, but it's not clear whether it's hardware or software.
It would be, I mean, I just don't know. But they are saying it is the PIN pad. The stories show a picture of one, as if it's that physical thing. But it could be, for example, PIN pad firmware, which is in the gray zone.
Is that hardware, or is that software? So specifically the word means it's somewhere between soft and hard. So last week I mentioned Michael McCollum's newest novel, which I had just finished reading; and, as a consequence, we were able to have our regularly scheduled podcast on elliptic curve crypto.
I read right up to the finish line Tuesday night. And it is now published. In order to tweet about it as I did yesterday, I wrote a review on Amazon. They rank among my most favorite sci-fi, which I recommend routinely and without hesitation.
They're so much fun that I've read most of them more than once; and, if you haven't yet discovered his Gibraltar and Antares trilogies, don't stop shopping after you have grabbed this latest work, 'Euclid's Wall.' You know, those PhDs again. Thus the sailing ship on the book's cover, years post-catastrophe, as humanity struggles to recreate and rebuild pieces of what has been lost.
Lost was the technology required to fly, along with pretty much everything else we take for granted these days. The whole idea is really quite thought-provoking, and more than a little chilling. Though I finished the book several weeks ago, it has remained with me, a bit haunting, like a recent vivid dream.
I rated this book five stars because I think it deserves every one of them. I bet you think so, too. And he's got his books - he publishes them himself. He bought all of the equipment a long time ago to print and bind softcover novels, just because he wanted to be vertically integrated. But also it's available at Amazon on the Kindle store. So it's a really fun book. I actually listen to the audio books in the car to and from work. I can't thank you enough, and the others who mentioned it to you as well, for bringing this series to my attention.
It was my very first sci-fi series, and it was simply incredible. Once I started reading, I didn't look back.
I dropped Security Now! I read all 13 books, then broke off and went through almost all the short stories, then back to re-read 'On Basilisk Station' again.
But my favorite book by far was 'Echoes of Honor.' But I've got to be honest, you and Leo are a bit of a letdown compared to the Honor Harrington series. Still, I admit, I've missed you guys. For that I can't thank you enough.
Now, with regard to Security Now! What is it again? Generally the way she ends her meetings, she'll - And I've been flooded with really neat health-related low-carb feedback from our listeners, whom I asked to send me their results and experiences of any sort. And so we will verify that the calendar is free this coming Sunday, October 28th, 2: Pacific time, in which case we will, if it is free, record Episode No. Mom fortunately still has some painkillers left over, so she can medicate herself.
Giving her a good warning here. Well, I don't - Chad's not here yet, but I don't anticipate any difficulty doing that this Sunday. So plan on it. So anyone who wants to listen live, we're targeting at this coming Sunday, October 28th, 2: It'll of course be a TWiT Special, so you'll be able to grab the podcast any time after that. As we have the other things.
And I just did want to mention briefly, since I'm an iPad lover, that yesterday was the big keynote and introduction of the, I mean, anticlimactic iPad mini announcement, as well as a refresh of a number of Apple's other things. And I think the thing that I like most about the mini, Leo, is that they managed to get very slim margins on two sides, where they don't have the camera or the home button, holding it in portrait mode as opposed to landscape orientation.
In portrait mode it would be the left and right edges. And so that gives it an overall sort of svelte feeling, which I like. And it was 9. Oh, I didn't even think of that. And it looks like a nice device. I guess the criticism has been that it's on the pricey side.
And, for example, other companies, high-volume producers like Amazon, have a much lower price increment as you increase the amount of nonvolatile memory on their devices. Well, and Google has an announcement on Monday, in which I think they're going to update the Nexus 7. It's for a 16GB.
So compare to - That's not - a 70 bucks premium for access to the Apple iOS Store and all of that, I think that that is about as good a price as one would expect from Apple. Yeah, when you put it that way, I think you're right. By the way, you don't have to order one.
Orders start Friday at midnight, Thursday-Friday at midnight.
Interview: Shannon Morse
And then they'll arrive the following week. And of course we order one because we have to. So I'll be getting the WiFi one. I think what I'll probably do, I won't own one until I make the mistake of walking into an Apple store. Well, that's why - I want to hold it because some people have said - and of course I didn't go to the event, and people who did held it. And it looked like it was maybe a bit of a stretch for the hand. I don't know if you can hold that in one hand, even though that's what they're promoting.
And frankly, I'm a little wondering about - I like the thin margins, the thin frame. On the other hand, it's useful that it's a holdable dead zone on the current size pad. And I find myself, sometimes my hands will wander on the screen and, like, trigger something that I don't mean to do.
So you won't be able to do that on this pad. Well, apparently they've patched iOS to reject accidental touches on the side. Again, no one knows till they try it. Somehow it knows when you want to touch it and don't. Remember, that was a problem with the first Kindle was you'd hold it, and it'd turn the page by accident. Oh, my god, yes. It was so annoying because everyone would want to take it from me, but it was all page-turn button.
And I'd be like, uh, okay, hold it right over here in order not to lose - Amazon did fix that. So, you know, I'm withholding judgment until I actually hold one in my hands. I can't tell if it's going to be worth it. I certainly, I love my Nexus 7. I like the idea of a 7" tablet. I really liked the Galaxy 7 when it came out. So we'll just withhold.
And for me, I guess we have the iPad 1 resolution that's been reduced in size. So the pixels per inch increases, yet the overall resolution is still x. So it's the same quarter of the resolution of the third-generation and fourth-generation, the newly announced fourth-generation full-size iPad.
For me, I think that's still the sweet spot. I like having a screen that's that size. Because, I mean, I use it more than I use any other device.
I just love my iPad. Have you got your Paperwhite yet? Oh, I was just going to take us there. Take us there, baby. I really like it.
It's interesting because, if you turn the - there was a lot of hype about it. And I was interested to see, for example, if they actually increased the resolution, if they actually increased the contrast. They carefully designed the fonts, which absolutely makes total sense to have done that. So I think - and I remember when they went to, like, the DX versus the earlier one. They were saying, oh, yeah, we've done much more contrast. They keep making the frame around it darker so that the background of the eInk screen looks lighter by comparison.
So now the Paperwhite, I mean, don't get me wrong, I love it, but I'm annoyed by bogus claims. And so with no light on, they are identical gray on gray, dark gray on light gray. As you bring the illumination up, it has the effect of only lightening the background and not apparently lightening the dark print. And so with that illumination turned up, even just like a quarter of the way or a third of the way, not so that it's a flashlight, but just so that it really does increase the contrast.
And so it's super effective. And in fact I was only talking about it from a lighting standpoint. And I gave Jenny hers the day after it came, and she wrote the next morning, and she said the light is not my favorite part. It's all the other features, the what is it they call it, the "bones" of the book? I think that's the - I can't remember the term. There's, like, they've done something that gives you much more visibility into the structure of the book itself.
Oh, yeah, yeah, yeah. Yeah, I can see where your mind was going with that. Look into the book. They do that with movies and TV, and it's kind of interesting. On the Kindle Fire HD, as you're watching a movie, it will pop up in the controls the name of a cast member on the screen, and you can click it.
It will go to Wikipedia. It's an interesting idea. Yeah, a nice way of leveraging the medium. He said, "Hi, Steve. Thanks for the look under the hood of SpinRite. Your explanation of the way it flips all the bits twice to test the surface was fascinating.
I have a question, though. As a satisfied user, I know that, when SpinRite gets to a problem area on a drive, it slows down and can take hours before moving on. How does that work? Is it just flipping the bits continuously until they come back the same as they are sent? The bit-flipping that I talked about is what SpinRite does to test the surface and, in modern drives, essentially assist the drive itself in recognizing there's a problem.
Remember that once upon a time drives were dumb. And so SpinRite had all of the technology in it for relocating defective sectors somewhere else. It understood the file system. It knew how to mark the sector bad in the low-level format to prevent it from ever being used again, even if you reformatted the drive. It understood how to parse everything in the file allocation table and directories and everything so that it was able to essentially dynamically relocate data that had been recovered to somewhere safe and then knit the file system back together with the data moved.
None of that is necessary today because drives have taken over that responsibility. The problem is, having responsibility and executing on that responsibility are two different things. As I have said before, it's only when the drive is asked to read the data that it's able to detect that the data can't be or is difficult to read.
And so there's like a gray zone, if you can think of it that way. If it reads with no trouble at all, then the drive's happy. If it's unable to correct the data, then the drive is not happy, and that's when it returns an error saying I can't read the sector.
It's only when you're in between that, when there was a problem that required correction, and that the correction was severe enough that the drive starts to get worried that it may not be able to correct it next time, that then the drive is stimulated to relocate the sector to somewhere safe. So SpinRite's arduous recovery process happens first. And only after it's able to recover the data from the sector does it then invert that twice in order to see whether there's actually a problem on the physical sector, or whether, for example, today, the track densities are so high that, if you bump the drive while you're writing to it, the head will be jerked off center, and so it could write that track a little bit away from center.
So there's nothing wrong with that location, it's just that some vibration hit it at the wrong time. So once SpinRite recovers the data, it then does its double bit flip to show the drive whether there's a problem or not. And if there's not a problem, it'll put it back down where it got it.
If there is a problem, then the drive will say, ooh, it's not safe to put the data here, and it'll handle the relocation on our behalf. So it's a little complicated, but it all works.
Let's get to questions. Starting with Question No. I, by the way, just love our international audience. We have a strong international audience, yes. Well, this show especially, I think. Because, as you said, there's nothing like this anywhere in the world. Well, and I guess the feedback allows us to get a sense for where our listeners are because otherwise you're just sort of broadcasting to the Internet, and you don't know where everybody is.
But we do know. And it has now become my stock question. Okay, who's traveled the farthest? How many of you are outside the U.S.? And there's at least two or three international listeners always in the audience, often from Scandinavia.

And that was adorablized into Snurbs and stuff? Like, Ermahgerd, Snurbs.

ChrisDantes: Does it bother you, the way nerds are portrayed on TV? Like the dudes are always fat neckbeards with fedoras, and the women are always quirky girls in glasses who dress weirdly.

Shannon: Well, I dress weird, so no.
For example, people think hackers always wear black hoodies and tennis shoes. The cute girls are all cheerleaders, the popular guys are jocks, etc.
But it seems like as adults, the cute girls grow up, and the popular guys grow up, but the nerds stay the same.
Shannon: Same goes for the women — lady nerds are supposed to be pixie girls with cute glasses and tiny boobs. Sorry, but women all over look different and have different styles. Our industry does not equal our style choices. I once had a dude get mad at me in a YouTube comment for not having properly manicured nails. I was like, really though?! I did a secret study once. I did a segment a couple years ago where I wore a geeky gamer shirt and discussed something I studied. The comments were all very positive.
I then did a similar segment on another topic, and wore a floral blouse. The reaction in comments was much more negative. Most of the negativity was about either my looks or my education. It showed me that people subconsciously or maybe consciously make a bias towards you based on what they think you should wear.
The negativity had nothing to do with my segment at all! While the gamer shirt was positivity about the content. Then in real life, they treat the pretty gamer girl terribly. The internet just made it easier for them to display their prickidity. Or when the cute girl wears the hipster glasses and thinks that it magically makes her a nerd. People would bully you, even worse than they bullied everyone else.
Then nerd became cool. I blame superhero movies for that.

Shannon: Yes, when I was in school it was hard for me too. I used to draw a lot of anime characters back in middle school, and was treated as an outcast because of it. But I found a core few other kids that liked the same thing as me and we stuck together.
There were different groups. But I like computers. We could each be geeky about our thing, and were generally accepted. To outsiders, we were all the same. I think it was the moment that I realized that I am a voice in the industry. A year or two ago I started being asked to take part in other podcasts and events as an influencer. So other podcasters and InfoSec persons started inviting me to come on their shows as an expert in the industry or as their guest.
That, for me, was big. I do think that I still have a lot of time to grow and learn though. There were the so-called script kiddies, and the guys on watch lists.
You help people to learn, while being one of us. I have such a passion for what I do now. I love my job. Do you write your own scripts?

Shannon: I am in charge of the shows.