Posts tagged with "security now"


Podcasts Ruben Listens to, January 2013

It's been a month since my Podcasts Ruben Listens to, December 2012 post, so here we are once again!

New discoveries, old friends

With Build and Analyze and Hypercritical ending their runs, I've filled their niche with Core Intuition, now my favourite tech show. I also found Systematic after hearing Brett Terpstra on The Crossover. John Siracusa has also been making appearances on other 5by5 shows, which has been fun.

I've also rediscovered the Gillmor Gang! I listened to them from their IT Conversations days, but they moved networks so much I lost track of them. I can't even tell where their website is now, though at least their iTunes feed works.

Shows I try not to miss

  • 5by5 After Dark
  • Apple Keynotes
  • Anandtech Podcast
  • Back to Work
  • The B&B Podcast
  • Chet Chat
  • Core Intuition
  • The Gillmor Gang
  • The Ihnatko Almanac
  • Into Your Head
  • MediaWatch
  • The Mr Brown Show
  • Otaku no Podcast
  • Security Now
  • Systematic: Brett always books really fascinating guests, and is no tech slouch himself!

Shows I catch if I like the topics

  • 5by5 Specials
  • The Overnightscape Underground


My feedback for Security Now 181

My feedback regarding the latest episode of Security Now:

To whomever Gibsons and Laportes this may concern,

I'm not Bill Kurtis.

I thought I'd just throw a message over to you guys to clarify one point that was raised on Security Now Episode 181 "Crypto Rehash".

Steve, you commented that you failed to see the point of putting MD5 or SHA hashes on websites that offered downloads given that if a website was compromised the hash could easily be changed as well. I must admit I had never thought of it that way myself either; I had a hearty chuckle on the train along with you guys much to the bewilderment of my fellow commuters!

I would comment though that I was under the impression that hashes under download links are not provided for the purpose of verifying that a file hasn't been tampered with for security reasons, but are instead provided so you can verify that the downloaded file was received intact. As a FreeBSD user I download ISO images and regularly use the hashes to verify that the finished download wasn't corrupted while downloading before I burn a coaster with one. Not sure if this is really necessary, but it has alerted me to a couple of failed downloads in the past.

Thanks for the great show and all the effort and preparation you put into each one.

Most humbly and securely yours,
Ruben Schade in A Little Street in Singapore

--------------------------
THIS MESSAGE HAS BEEN SCANNED WITH SUPER AWESOME VIRUS SCANNER 2009. IT WILL SELF DESTRUCT IF DELETED.
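As an added illustration (not part of the original letter), the two cases discussed above in Python: a download corrupted in flight, which the published checksum catches, and a compromised site that replaces the file and republishes a matching checksum, which it does not. File names and contents are constructed; the same comparison applies to the MD5 or SHA1 sums listed beside a FreeBSD ISO.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in 1 MiB chunks, as you would for a large ISO image."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_hex, algo="sha256"):
    """True when the file on disk matches the checksum the download page lists."""
    return file_digest(path, algo) == published_hex.strip().lower()

def demo():
    """Constructed scenario: one genuine image, one damaged copy, one replaced copy."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "release.iso")
    with open(good, "wb") as f:
        f.write(b"constructed image payload " * 4096)
    published = file_digest(good)            # what the download page would show
    genuine_ok = verify_download(good, published)

    # Case 1: a single bit flipped in transit. The checksum catches it.
    damaged = os.path.join(tmp, "release-damaged.iso")
    data = bytearray(open(good, "rb").read())
    data[1000] ^= 0x01
    with open(damaged, "wb") as f:
        f.write(data)
    corruption_caught = not verify_download(damaged, published)

    # Case 2: a compromised site serves a replaced file and recomputes the
    # checksum printed next to it. The comparison passes, which is Steve's
    # point: a hash on the same page proves the transfer, not the publisher.
    tampered = os.path.join(tmp, "release-tampered.iso")
    with open(tampered, "wb") as f:
        f.write(b"replaced contents " * 4096)
    republished = file_digest(tampered)
    tamper_caught = not verify_download(tampered, republished)

    return {"genuine_ok": genuine_ok,
            "corruption_caught": corruption_caught,
            "tamper_caught": tamper_caught}
```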


Hong Kong Post Office uses SHA1 not MD5


It's official folks, the Hong Kong Post Office certificate registrar uses the secure SHA1 hash algorithm, not the now-vulnerable MD5. Security Now in-joke :-)

For what it's worth, the official title for the Hong Kong government is sure a mouthful isn't it? And here I was thinking the various Australian government departments had unnecessarily long and complicated names!


Protect yourself against MD5 certificates

SSL Blacklist showing that Gmail doesn't use the vulnerable MD5 algorithm, and that its certificate issuer isn't on their black list.

I'm typing this post this evening on my beautiful 2002-vintage iBook with Mac OS X Tiger. Still going strong, definitely the most reliable and dependable system I've ever owned.

To be serious now though: it's official folks, there is now awareness of weaknesses in the MD5 algorithm used to sign secure certificates online. Sites that use the more secure SHA1 algorithm are safer, and RapidSSL is now offering it in place of MD5. Still, some are still using MD5, meaning if you connect to them the connection isn't as secure as it looks.

From CodeFromThe70s.org:

An attack was demonstrated yesterday that highlights the practicality of the well-publicized weaknesses of the MD5 algorithm. Essentially, any certificate signed with the MD5 algorithm may be counterfeit.

There is [...] a large number of CAs out there, and it is certain that some of them will continue to use MD5 for one reason or another.

Therefore it may be prudent to avoid, or, at the very least, not place much trust in websites that authenticate themselves with the help of MD5. After all, there is no way to automatically distinguish between a chain with a genuine MD5-based certificate signature and a chain with a counterfeit certificate.

A solution to this is a Mozilla Firefox plugin called SSL Blacklist, which places a small certificate notice in the bottom right hand corner of your browser indicating whether a page's certificate is signed with SHA1 or with the insecure MD5. This lets you make informed decisions when using secured sites, and lets you tell existing web hosts that they should upgrade.

Even before this vulnerability was demonstrated this plugin was a useful addition to the security-conscious internet user's toolkit, but this latest release makes it indispensable. In other words, if you don't have it, grab it now! This is an order!

UPDATE: Steve Gibson also goes into great detail about the exploit and the plugin to protect yourself in Security Now 177.


Just ordered a Yubikey

After listening to a recent episode of Security Now I've gone ahead and purchased myself a Yubikey!

The Yubikey is a phenomenal new device, smaller than most memory keys: plug it into a USB port, press the lone button on the case, and a one-time password is generated and typed in for you. It does this on any operating system with HID support, including my beloved Mac OS X and FreeBSD, without extra drivers because it presents itself as a regular USB keyboard. It's so beautifully simple!

The best part is that the API is open and accessible from a number of different programming languages such as Ruby, PHP and Python (not sure about Perl just yet).

In the coming weeks I'm going to try to integrate my Yubikey with my Ruby CMS. I'm really excited!


Last day for Podcast Awards 2007

I just got a tweet on Twitterrific from Frank Nora that today (11th August) is the last day to vote for your favourite podcasts on PodCastAwards.com, so don't forget to click on your favourite shows. If you're in my part of the world you have until late Sunday morning (12th August).


I've voted for The Overnightscape (obviously!) every time under General and alternated between MacBreak Weekly and Security Now (GRC link) under Computing. I couldn't decide between the two so I figured I'd vote for both.

I was disappointed Cranky Geeks wasn't nominated in the Video category, and neither On the Economy with Tom Keene nor Alan Kohler's Eureka Report were nominated under Business. Ah well, can't win them all.

John C Dvorak isn’t pleased!


John Legend music review: Once Again

Sitting in hospital waiting rooms is really quite boring; I wouldn't encourage anyone to try it any time soon. Anyway, in light of this I've spent the last half hour or so chilling to John Legend's Once Again album on my iPod.

johnlegendipod.jpg

That's Security Now, not John Legend! I took the picture, uploaded it and put it here and didn't even notice! I'm more tired than I thought. Take 2:

johnlegendipod2.jpg

I must say right up front, before I get into the music itself, that the quality of the recording is excellent. Even on my iPod with my fairly cheap Philips "Bass Boost" headphones, ripped as a 192 kbit/s AAC, his voice, the piano in the background and the backup vocals all sound amazing. Whichever recording studio he went to, he got his money's worth; the whole thing just sounds great. "Great" of course being the technical audiophile term.

One of the reasons why I really love Michael Franks' music and John Legend's is that they're both capable of recording songs that really contrast with each other (look at me trying to be all professional). What I mean is, it's much harder to classify their music under a single genre or style; for example John Legend has a few jazzy tunes, some R&B and even a slightly electronic track all on one album. To me it also feels as though the order of the songs is deliberate rather than a last-minute slapdash composition job. It's one of those CDs you would want to listen to in sequence; the mood and tempo of each track seems to flow from one to the next.

It's really difficult to pick just one track that I would call a favourite! His chart-topping song of course was "P.D.A. / We Just Don't Care", which I admit I do like, but I would have to say the first track "Coming Home" and "Each Day Gets Better" would be my top two. Again though, it's one of those CDs with such a diverse mix of styles that you may prefer some of the songs depending on what mood you're in or what time of day it is.

All around, a pleasure to listen to and a great distraction from these bleak hospital walls. Not to say that I would only listen to John Legend in a hospital; you know what I mean.

johnlegend.jpg

When my mixer board and mic arrive from those friggen removalist people's warehouse thing I'll review it in more detail.


Security Now! Feedback

My feedback to Steve Gibson and Leo Laporte for the Security Now! podcast.

G'day Steve and Leo!

Long time listener but first time emailer. Just wanted to say I thoroughly enjoy your podcast and look forward to it each week. I'm in my first year of uni doing Computer Science and Economics in Malaysia and Singapore, where my nuclear family live as expats, and it's comforting to hear native English speakers above everything else too... I'm an Aussie ;)

In regards to your latest Q&A episode, I took great interest in your brief discussion of Smoothwall and have since deployed it for my family. More than anything else it's a great way to occupy a Pentium MMX machine that would otherwise just sit in a closet. I'm a Mac user and tried it out first in Parallels Desktop and was very impressed with the installation, and the built-in DHCP server also works like a charm. Like you said, Steve, I think these programs are great for people who want to get their hands dirty rather than just purchasing a router. Thanks for the tip :).

Also, regarding your latest episode on the culpability of Microsoft when it comes to Windows security, I do take slight issue. I think it's easy to blame problems with Windows on its large user base, but one of the favourite comparisons I see when this issue is raised is the Apache versus IIS exploits. Despite the fact Apache is installed on many many many more machines, it appears IIS continuously has more issues. Whether that is a result of people targeting evil Microsoft versus open source I guess is a matter for debate! Again this could be showing my lack of knowledge in this area, but I think it's hard to ignore.

I had a quick question I thought you might know something about: one of the subjects I'm studying this semester is internet technology. An interesting point that was raised in a class last week was about a "processor monoculture": now that Apple has moved over to Intel processors and even Sun offer alternatives to their SPARC architecture, do you think this poses a security risk? My lecturer was comparing computers to biology, in that ecosystems with a variety of organisms are more resilient to disease than ecosystems with less biodiversity. Now that it seems we're all moving towards a universal chip architecture with (mostly) the ubiquitous Windows operating system, are we actually moving in the wrong direction and making ourselves more vulnerable? A Wintel virus these days can cause enormous havoc across the planet, but a modern Amiga Workbench virus launched on the net would have very little effect. I hope I'm making sense!

Anyway awesome show, looking forward to next episode. In regards to Amber McArthur Steve, at least you did get to hug her, unlike some of us ;).

Cheers,
Ruben
