The standard, almost constant start of every Security Now! I think that, exactly as you said, they want to be preemptive. It's nice to see. It definitely - security, I mean, the subtitle of this podcast is "Security is hard," and it's fun for we observers, not for those who have to worry about mistakes they may have made. Which is really what captivated my attention on this.
And so I spike, you know, 50Mb and so forth higher all the time. The reason that I sort of fell in love with this for the moment is, as I plowed in, I just got a big kick out of the way that the many problems associated with a sort of a floating currency, meaning a currency that isn't anchored by any central bank, there's no state sponsorship for it, I mean, and it's a real thing. What I always hate is, there's a point where you could agree that, okay, that's the thing that works best, let's all standardize on that. And there you would see about a half an hour, typically, of us adjusting ourselves and getting ready and talking about whatever. But the amount of processing time being required to make that happen has just gone through the roof.
Actually, that's exactly why the idea did not take off: while, yes, it would be burdensome for spammers, exactly as you said, there are legitimate mass mailers. As you can tell, he's got what's called a "colo," where you buy the hardware and put it in there, but you're in a network operations center run by another company.
He wrote, "The U.S. Drug Enforcement Agency has complained," he said, "in a classified report, not publicly, that Apple's iMessage end-to-end encryption scheme cannot be broken.
On the one hand, I'm not surprised. End-to-end encryption of a messaging system is a fairly easy cryptographic problem, and it should be unbreakable. On the other hand, it's nice to have some confirmation that Apple is looking out for the users' best interests and not the governments'.
And he says, "Still, it's impossible for us to know if iMessage encryption is actually secure. It's certainly possible that Apple messed up somewhere; and, since we have no idea how their encryption actually works, we can't verify its functionality. It would be really nice if Apple would release the specifications of iMessage security."
So several days later he said, "There's more to this story: The DEA memo simply observes that, because iMessages are encrypted and sent via the Internet through Apple's servers, a conventional wiretap installed at the cellular carrier's facility" - exactly as you said, Leo - "isn't going to catch those iMessages along with conventional text messages.
Which shouldn't exactly be surprising. A search of your" - and I love this. Bruce says, "A search of your postal mail isn't going to capture your phone calls, either. It's looking in the wrong place. But the CNET article strongly implies that this means encrypted iMessages cannot be accessed by law enforcement at all."
Apple even says in their terms of service, we will turn your stuff over. And he says, "The question is whether iMessage uses true end-to-end encryption, or whether Apple has copies of the keys." But we know they do. Because they can recover your password.
Doesn't that mean that they - They could be using ephemeral keys and giving us what's called "perfect forward secrecy." And what he discovered was an amazingly complex mess. Or it might be good. So, I mean, it has got certificates flying back and forth and all kinds of stuff.
So if nothing else, if somebody really did go overboard, and of course that's not always a good thing because it's easier to make mistakes in something complicated than in something simple. And in this day and age, as Bruce says, end-to-end encryption is trivial. You do a Diffie-Hellman handshake to exchange a key, nobody in the middle is able to intercept that as long as you've got authentication of the endpoints. And presumably that's easy to have now, too.
So in a way that kind of - the complexity of what they've implemented kind of lends one to think it's not very good. As opposed to good. Since it would be very simple to implement it well. We now have a - I would think a company like Apple would just prefer not to know. Like just do it right, and then you can say, I don't know. Wouldn't that be easier for Apple than to say, all right, I got a subpoena, let me go look. Well, and I didn't cover it this week in my notes because I forgot about it, actually.
But I'm sure you saw in the news Google really fighting back. Which is nice to see. I'm proud of them, yeah. Yes, I am, too. They are saying no to these warrantless requests for information. And to their credit, they have a - this is very un-Apple-like. Google has a transparency report they publish and lets you know how many requests they get, how many they've turned down, how many they've accepted.
They can't, unfortunately - because of the Patriot Act, they cannot reveal raw numbers on certain requests. But I think Google does the best of anybody, at least - and Twitter's now doing this, too, by the way - at least letting people know what's going on, what governments are asking for what information. Yeah, because as citizens we need the information. We need the feedback in order to vote intelligently. That's the way democracy works. So speaking of democracy, we have a Bitcoin section, Leo, because there's enough Bitcoin stuff going on.
Because I have bitcoin. Do you know that a year-old media entrepreneur named Jeff Berwick is going to be bringing bitcoin ATMs to a city near you soon? Well, to a couple of countries where they don't like the currency anymore. Cyprus is getting one, as is L. So how does this work? I give him money and he gives me bitcoin? Or I give him bitcoin, he gives me money? How does this work? The machine is connected to the 'Net.
And so you're able to transact your bitcoinage with cash, cash of the local currency. I'll have to enter my passphrase or what? How do I identify myself with bitcoin? You'll have to have your wallet online and appropriate security. But the idea would be, if you have bitcoinage in an online account, then you will be able to go to one of these machines and get money. So I want to thank the 19 people who have given us bitcoin, totaling now a little over one whole bitcoin.
I said we'd have it on the website, and I thought we would, but Radford didn't implement it. So I will ask him where the hell it is. For those of you who wanted to give us bitcoin, I apologize. But I will - I can show you the QR code again, if that helps.
You know, 19 people did this. This is what's going to be on the website eventually anyway. And I'll paste into the chatroom this bitcoin address. So this long - it's not hex.
It's a long number and alphabetic string is my bitcoin identifier; right? That is a globally unique ID of you. That is, that's what makes you anonymous. You're just that to the bitcoin system. Oh, now I'm not so anonymous anymore.
But you can make many of these. Yes, you can have - exactly. Yes, you can have as many of those as you want. And there are people who looked at the anonymity, and I've seen things, "Bitcoin's not as anonymous as you think" and so forth. But you have the facility for doing that. A donor would be anonymous to me, though; right? I can't tell who they are unless they say so because they're donating from their wallet, which I don't know who that is.
And that's probably more important to them. And of course the bad guys are involved. We've seen, I'm sure people have seen, I mean, in fact the currency has fluctuated because of major break-ins that have occurred in some of the various exchanges.
It never really seems to dent the coinage very much. It recovers pretty quickly. And I think, as I said, once there are many more exchanges, and ATMs on every corner, people won't care that much. And it'll also distribute any damage far more widely and broadly.
But there is now malware that is getting installed via Skype. Skype messages come up asking you to click on something, something alluring. And among other things, Kaspersky discovered last Thursday a Win32 trojan they named Jorik. And what's funny is it installs a bitcoin mining engine on the user's machine and, not surprisingly, pins the CPU at a hundred percent. So you're suddenly thinking, gee, why is my Internet so slow? And why is my mouse not really keeping up with my movements and so forth?
Well, yes, it's because your computer is frantically and somewhat fruitlessly attempting to mine bitcoins. So it joins you to a large bitcoin mining operation and saturates your CPU. I don't imagine it will stay hidden on anyone's machine very long because the only chance it has of mining with any chance of success, I mean, and which is diminishingly small, we'll cover in a second, is really burning up cycles.
Maybe if your screensaver were on, and it came to life, that would help it stay hidden, if anyone even uses screensavers. It goes to a hundred percent right away; right? Yeah, just pins it. It's like, okay, whoa. Now, several people mentioned that - because you and I were talking about inflation, and we were misusing - we were using the wrong term. With bitcoin value jumping, that's deflation. James Parsons, PolicyEconomy, tweeted me. He said, "Bitcoin deflation, not inflation."
So it has been going up dramatically. But what I thought of when I saw that was this changes the mining equation dramatically. It makes it more feasible. Go look at that link before I mention it, Leo, that's right there. Just so you can bring the page up.
It's got a little red button there, little red dot saying I'm cranking away here. This is 50 gigahashes per second. It blows everything else away. It's only 2, bucks. I could be rich. All I'd need to do was get, what, two bitcoins, no, 10 bitcoins, and I'd be - Actually, what's interesting is that I could take the 50 I made, sell them now, and buy four of those with a couple grand left over.
So, now, the problem is this is not - you and I are not the first people to have this idea, Leo. But my point is that, with this kind of deflation of the bitcoin, it means that these machines are incredibly cheap in bitcoinage relative to their ability to mint coins. The other thing it means is that all this will do is instantly change the landscape of how difficult it is for the rest of us to make bitcoins.
By the way, you don't have to cash in your bitcoins. You could just pay for it in bitcoins. Of course they do. I think that's certainly the nature of speculation. It's speculation, a lot of this. I would say, if you look at the curves right now, they're just too new. I mean, this thing is just going up crazy. And as I said to you before we were recording, I think it is so fun that we and our listeners are getting to participate in this.
We covered it years ago. I turned on just a regular i7, a core i7. It woke up after two days, and there were 50 bitcoins. Stop telling people about that. Those were the days, my friend. Those were the days, yeah.
It's not going to happen now. That's not the case anymore. Wow, that's an amazing drop. It's extremely volatile, you should realize. I looked this morning, it was - Yeah, it's extremely volatile. Gox - across the top it'll show you the low in the last 24 hours. Yeah, the low is bucks. And the high is still - The high is , yeah. You saw the high. Well, and remember what happens. When these kind of highs hit, people cash out. There are people who are saying, whoo, I'm leaving now.
And so they sell off. It's like the stock market. Exactly like the stock market. And that depresses the currency for a while. And it'll come back. So Radford just came running in. The bitcoin QR code on our website is now up. So go to TWiT. And now I think we're going to get tons of bitcoins. I do really, really think it's cool that we covered this back when it was just nascent, when it was happening. We talked about the technology. I said this thing works. And in the fullness of time, I mean, during the podcast we're getting to see the birth of a currency, a virtual Internet currency.
That is just really cool. Mark and his team at SmushBox achieved their goal. Last time I looked, again, a few hours ago, they were at backers. So they've exceeded their target. They've got nine days to go. Now, Leo, since you are a frequent and somewhat bruised Kickstarter user, click that link there in my show notes because this is very cool. If you did not know before about Kicktraq.
And look at the charts that these guys show you. So this is a site that monitors Kickstarter projects. Yeah, I just got an email from my Pebble watch saying, well, because you ordered color, we've had some trouble. Would you like black instead? And I said, yes, just send me something, anything. Everybody's already reviewed it and decided it's junk anyway. I'm sorry that I ever mentioned the remake of "The Evil Dead." See, it got terrible reviews.
I was wondering what you thought. I walked out, Leo. The setup was fine. Then trouble began to happen. And after about 20 minutes of just really pointless interhuman brutality, I mean, some I just closed my eyes and waited, listened to the soundtrack to wait for it to be over.
I just thought, what am I doing? Why am I doing this to myself? This was - I'm not a, like, I don't like that kind of movie. I don't ever go to see those kinds of movies. I called it - I tweeted. I said, "The 'Evil Dead' remake: A pointless, brutal gore fest. None of the original classic movie's charm, fun, wit and humor." I mean, it doesn't take itself seriously at all. It's why it's a cult classic. But this remake, oh, wow. I mean, I know there's a market for people who want to go for some reason and see this just incredible gore.
They said it was gory, modernly gory. Oh ho ho ho. But I mean, oh, yeah, anyway, I've said enough. I saw "Justified," by the way.
I watched the pilot, and I enjoyed it. Now, is the pilot typical of the whole season? Often pilots are different from what happens when they get a green light. This thing stays good. We're in I think our fourth season. It's got a fifth season already set up. It was very funny. No, but this is - it is, in fact, I've seen some feedback from our listeners who have gone through the first season, and they just - they can't wait to get more.
So I can vouch for it. In nerd humor, Simon Zerafa, who tweets often, sent me something that he found. I asked him where he found it, and he couldn't really track back its provenance.
But I kind of thought it was just clever. He said, "Password must contain a capital letter, a number, a plot, a protagonist" - I saw that [laughing]. Now, here's 90 seconds, Leo, of - if you want to just inject this video into the broadcast, our audio listeners will be able to hear it.
They won't be able to see it. I did tweet this link because this is wonderful. And, you know, Shatner, I just take my hat off to him. He's a class act. He is very funny.
So it's "Shatner vs. Is there - oh. This is your review? I got your review of "The Host" for some reason in that link.
Let me go to your Twitter. Oh, my goodness, you're right. It's a bad link. Wow, sorry about that. So let me go to your Twitter, and I'll get it from there [t. The Twitter is bit. It's kind of a long way to go. You could just go to Twitter. Let's just see here. I'm going to scroll down. Oh, it's a game. You keep getting me killed. I thought you had my back. You've got to see this to appreciate it. Apparently he's playing a videogame against the Gorn, but with a Gorn. He punches the Gorn.
The Gorn punches back. Now they're in a very slow-motion Gorn battle. William's almost 90 now, I think. Oh, it was just his birthday, by the way. Would be something; right? He's doing pretty good for - oh, he boxes the Gorn's ears.
Now they have to take a break. So I guess this is a videogame. This is an ad for it. Pretty good for an 82-year-old. That was a recreation, Trekker John Slanina says, that was a recreation of the actual battle - wait a minute. Clinch for clinch, slowly work their way through it, of the actual battle from whatever the first generation - Any serious Trekkie will remember Kirk battling the Gorn where the Gorn is extremely butch.
It's a lizard creature. It's like Godzilla, a little bit. Yeah, it's God- but it moves very slowly. So, you know, Kirk runs around in circles and dances and bobs and weaves, and the Gorn picks up large foam rocks and throws them, and they sort of bounce unconvincingly as Kirk dodges them. And then finally he, like, hits him simultaneously on the sides of the head, which it turns out the Gorn has very sensitive ears.
He boxes the Gorn's ears, and it's all over. Anyway, so anyone, if you're a Trekkie, and you didn't see my link in my tweet to our listeners, I'm saying you really - you need to go find this because it's a treat. And Shatner at 82, I mean, he's not taking himself seriously, and it's a great little piece. So 90 seconds, worthwhile. All three were page-turners. Thanks for the tip, Steve," said Tony. And I just wanted to remind our listeners, they are up on Audible.
So our listeners have really been enjoying it. And I do have a - now, this is one that, you know, I would say I'm not making this up, but we know I'm not making this up. But you might think, okay, really?
Zimmerman sent, and we received, on the 7th of April, on Sunday, a SpinRite testimonial. He said, "What a superior program, Mr. I work for an international communications corp.
It had just failed, and all of the recent pictures of his wife's father, who had just passed away, went with the PC. I asked him if I could take a look at it. He said, 'If you can recover those pictures, I'll give you this car.' Well, to make a long story short, SpinRite 6 did its thing. And not only were the pics recovered, but the whole PC is renewed. And I have a new car. He took the car. So, Steve, thank you. And now we return to Security Now! I've got questions for you, Steve.
Let's go with question Numero Uno of our listener-driven potpourri, a quickie, a Twitter question from DanLoFat, which is either a Chinese name or he's been on that low-carb diet or something, I don't know, a diet, in Chicago. Steve, is there a way to mint bitcoins using distributed computing, like through a home network?
You could certainly have more machines running the bitcoin mining process. But there is, by the nature of the way it works, there is no way to pool their computing resources. You can't - it's not threaded. You can't thread it. Even bitcoin mining pooling, which is a new thing that has arisen, because the chance of an individual scoring a bitcoin has continued to drop as the number of people minting them has increased, the percentage, the chance of getting one has dropped.
So what people have done is they've agreed to pool their resources. And the idea is that, when anyone in the pool gets a bitcoin, they will divide them evenly based on the amount of computing power they have put into the pool. It's like when the office buys a lottery ticket. Yeah, and you share it based on how much you put in.
So it's suddenly not an all or nothing, but it's a, oh, look, I got - so, and the larger the pool is, the greater the chance that the collective resources of the pool will score one bitcoin, which everyone then shares proportionally.
And that's the smallest denomination you get in mining is a bitcoin? One coin per solution to the hash. And that problem keeps increasing. But also remember that every four years the amount you are awarded is cut, is also cut. So that's why you got 50, because you got in early. And today you only get 25 when you solve the problem.
So every four years that's cut in half. And so that will keep going down as the difficulty also keeps going up. And as I've learned, because people are donating bitcoins to us, you can donate any fraction of a bitcoin. Bitcoins can be divided kind of infinitely. And that's why they have a future. Promise me you won't jump out of a window if there's a bitcoin crash. That's all I ask.
ChivalryBean raises a point, though, with bitcoin mining, which is it's not really the cost of the hardware, as you can see. The hardware can be expensive. But it's the cost of the energy you use to run that hardware, and also energy used to cool the server room. Is there any way to measure that energy use on his computer? It's a great thing. And what's cool about Kill A Watt is you plug it into the wall, and then you plug something, an appliance, into it. And you're able to tell it what your electric company charges you for electricity, either across 24 hours or evening versus day if you've got the kind of billing where your power costs less at night than it does during the day and so forth.
You're able to put that into it. And it will first measure the gross total electrical usage of whatever it is you have plugged into it and convert that to pennies, convert it into your currency.
So you can actually see what this device - so, you know, it might be like a refrigerator. And a refrigerator doesn't draw energy constantly because it's thermostatically controlled, so its compressor switches on and off and on and off and on and off.
So this thing actually measures the instantaneous energy usage and then accumulates it over a growing period, and you're able to look at it and say, oh, this is how much this costs me per month to have this thing on.
So you could certainly plug your bitcoin mining box in and figure out if it's time to unplug your bitcoin mining box based on how much it's mining for you. So Kill A Watt, 17 bucks at Amazon.
And we've talked about those, I think on the Giz Wiz, and you even used them and so forth. David Johnston, Sydney, Australia, asks: Love the show, blah blah blah. I now feel bad for having written that [chuckling]. I know, I like that. I regard failing to warm up the bit array as failing to correctly implement the cipher. So is the situation actually one of widespread implementation failure? And, if this is true, I'm bewildered, as every textbook says the cipher needs warming.
Also it should be noted that a warm-up run of operations was only ever the recommended amount. I use just to be sure. I don't know if anyone had fully determined that was enough before now. Do you know where that number, , originally came from? Thanks for the great show. Dave Johnston, Sydney, Australia. What the hell's he talking about?
And it turns out it was much worse than was believed. There, there was no warming being done. And so it was really bad. There were bad keys.
And there was very - the keys related to the pseudorandom bitstream coming out of the cipher strongly. So they fixed that by warming it up a little, but not enough. They thought at the time it was enough, but no one really looked at it to say is - is discarding the first bytes from the cipher enough?
I don't know why they didn't do - David is doing - I'm proud of him. We all wish that the world was doing, because all of us are having to put RC4 at the top of our server list in order to avoid the BEAST attack, which attacks unless you don't have RC4 as the preferred cipher for the server to choose among those the client is making available. Unfortunately, it's not as strong as we wish it were. So what we really need to do is move ourselves away from SSL 3. Then we'll be able to pull RC4 down off the top of the list.
Or we could do another version of TLS, although I don't think anyone wants to, where we just warm RC4 up further in order to get the non-sufficiently pseudorandom off the front of the key stream. So it's just they didn't look close enough.
They thought ought to be plenty, but they didn't really analyze it. When they did, they said, oops. That number seems high, so it may be less than that. I'm not quite remembering the number. But still, it's a disturbingly low number from a crypto standpoint, meaning that it's a theoretical vulnerability. And here we are. But we're not happy with RC4 being chosen because there's a theoretical problem. So right at the moment we're in this awkward place of not really having something that - any solution that works as well as we would like, until we get clients and servers that are able to move to the newer versions of the TLS protocol.
Would it be better to pick a random number of times to warm it up between and , something like that? Or does it matter? There's no recycling in the warm-up, is there? If you chose a random number, then you would need to transmit that to the other end so it knew how to - They both have to do the same. Exactly, they have to be synchronized.
Opher Banarie, a regular in many of our shows, including the Giz Wiz, as well as apparently Security Now! As a longtime SpinRite owner, listening to Security Now! While we could debate the pros and cons of employers implementing systems that can track employee activity on company computers and networks, there is one obvious element: Not only does the technology exist, it's legal for them to do so. Most employers now have a policy statement about limiting employee use of computers to company business.
Many of these policies include termination as a consequence of violating the policy. Rather than defeating such systems, maybe people need to ask, hey, if I'm so worried that my employer might see what I'm doing during office hours, maybe I shouldn't be doing it. I understand how your advice is helpful in public access locations. But in the office, it's pretty obvious we should be working on company business.
He does have a good point. I have to agree with him on that. So I guess my branching-off point here is to say, I'm not suggesting that it's wrong. I've never suggested it's wrong. I'm only, as always, looking out for the end-user. And I just want the end-user to be informed. So I'm not, I mean, at no point, for example, is my SSL fingerprinting meant to say this is bad for employers to be doing this.
I'm just saying I would like to empower users to know. And I've said on this podcast before, every such - all of the machines being monitored should have a half-inch-high strip permanently affixed to it that says all of your Internet communications within this company and on this machine are subject to monitoring for the protection of the company, for antimalware filtering and so forth. I mean, it ought to be right there. But the problem is you get into this situation where the management doesn't feel comfortable being that blatant.
Or maybe they add the technology just to sort of test to see how it goes. And it's like, oh, well, we'll tell people later if we end up keeping it, so forth. It's like, eh, I just want to empower people.
So I completely understand that, in the era of malware, as we end up with HTTPS everywhere, always having secure connections, not just during login, but all of our communications, a company needs to be able to filter what comes in and out of their network onto their machines. After all, the machine is the terminus of this. And so I get that. All I want is for the end-user to be able to see.
And in fact, I would argue that my stuff helps people know that they are being monitored so they will respect their employers' intentions for the way the computer network would be used.
Yeah, I mean, speaking as a business owner, I'm liable for stuff people do on my computers. And if they're surfing porn, and somebody sues us for harassment, it's our fault. So we don't monitor because I trust my employees, but I would - when I've been an employee, I've assumed that anything I'm doing is visible on the corporate network.
If you want to check out through Steve's systems, check out whether they are monitoring it or doing a man-in-the-middle on the SSL certificate, that's fine. But assume, you should assume you're being monitored. Back when I had 23 people, there were some embarrassing things that got - that came out of the printer. We had a - it was back in the days of network-shared printers.
And I think on email the print button was right next to the next message button or something. And, oh, there were some interesting things coming and going.
Just assume that, I mean, there's a legal responsibility. And of course I've always said that employers have the right to do that. You're not going to win in that case. And it'd be prudent to just assume it. Mike, anonymous for reasons that will become clear to all, received an odd UPnP result on your tester.
Steve and Leo, long-time Security Now! Couple of weeks ago I ran the UPnP scanner while at work. I can't figure out how to interpret these results. The test reported that we did respond to the probes. However, the IP reported was - I'm thinking we're vulnerable, but I wanted to get your opinion on the results first before telling the appropriate people.
I'm sure our security team will be keenly interested if we are indeed vulnerable. We found out about six months ago we had a breach and that the bad guys had been in there for quite a long time.
So they locked the wrong door. Thanks for all you do, and all the advice and insight you've given over the years. What is the - Well, Leo, if you bring up Google and search for "UPnP test" and look at the first link that comes up, guess who?
Good job, Steve Gibson. And then who's No. The Google result says "UPnP rejected." That big red banner, you cannot possibly miss the fact. And it even scrolls along with it. A little CSS, baby. I did that yesterday morning. Somebody - I had a Twitter conversation. I mean, I would have been puzzled by Mike's comment even now. But a guy named Ryan and I went back and forth night before last because he was actually trying it, saying, Steve, I'm sure my IP is not - And so finally, when there were about three or four tweets back and forth, and he said, oh, I figured out, he says, I got the link from Google, and it's the sample page.
And so, yes, I immediately - Well, you were smart enough to use - That's kind of a hint there; right? Because that's an unroutable address. That's a reserved address. Well, actually it's my own internal network. And I forced that IP, which is not a machine, so that it would not respond to anything, in order to generate that test and capture the screen and so forth. So anyway, so, yeah, I put up - so, Mike, the answer is, and I did respond to Mike already when I saw his email, that was the sample page.
I immediately put up a banner to notify all future visitors because there had been some confusion, and I just didn't realize, I wasn't worried about it until I saw that Google had indexed me in the No. Now, you know about robots.
You could exclude that page in robots. But you don't want to hurt your result, though, so - Well, what I need to do, right now I'm unhappy because you've got to go, to get to that test, you have to go down in through ShieldsUP! And I just need to make it - But Google spiders through it; right?
So I don't know why it used that as the result, however. Anyway, I'm glad we could clear that up, and good idea with the banner, that's cool. I looked at my router and found that port was being forwarded to on the IP for my new TV recorder box. This runs a new service, YouView, here in the U.K. I scanned the open port. It reported a service called - this is scary - blackice-icecap running.
Now I'd be running for the dictionary. Should I be worried about this activity? Thanks for the great informative show. I've learned lots over the years. I wish I could say I grasped everything fully. Oh, and my router does not have the UPnP problem.
So thanks for yet another great tool. By the way, that's at ShieldsUP! Regards, Guy, Nottingham, England. So here's what's happened. He's got a TV recorder which is using UPnP the way it was intended to be used, to open a port through his router for itself. So, and this looks like it's, I mean, it's interesting that it's - That's the lowest-number non-service port available. So it must have said give me whatever port you've got now, and the router said, well, we're starting off at , so here you go.
And then what that allows is for incoming unsolicited traffic to go through the NAT router and get to this box. HTTP protocol runs on port But that's down in the service port range, those ports from 1 to And in the UNIX world, only services running as root are able to create listening ports down in the service port region. So users who want to, like, run their own server, needed to use ports above And so it just became common to use So this use of is related to that. It's obviously one more than the traditional What's significant is this notion of blackice-icecap, when he said "I scanned the open port, and it reported a service called 'blackice-icecap' running."
What is meant here is that, in the dictionary of what ports different things use, port was once used by a firewall called BlackICE. I remember it, yeah. And so ICEcap was some facility that they had which it chose for itself port In the same way that FTP chooses 21 and web servers use So if you had port 80 open, it would have said, oh, you have a web service running. Well, no, you don't. It's just a lookup. It just says this is one thing that uses that.
Traditionally that's been the port, exactly. And when somebody updates their list, they'll say, oh, you must have whatever that is running on his TV recorder box. So anyway, you might try disabling UPnP, if this worries you. But this does mean that incoming traffic is always able to go to this TV recorder box. And the only concern would be if it has not been written well, somebody might be able to maliciously take it over and then use it to gain access to your network.
So that's always the concern of allowing devices to map ports through to themselves, is then anybody on the outside can get to those devices.
And that's a cause for some concern. It's easy to think of why it might do that. The service might be pushing TV Guide updates down. Instead of having the machine pull, which it wouldn't have to open a port for, it's pushing it to the machine whenever it's got an update, things like that. And so the machine would be advertising to some central server, hey, whenever you've got something for me, this is where I am, at this IP and this port. They may even register it. That may be part of the deal when you get the device.
Advait in India wonders, why not cloud your servers? You've been sharing the news and adventures of setting up your new servers. But I was wondering, why do you do it yourself? Why don't you virtualize your new servers? Have them reside on some cloud service like EC2 or Rackspace, which you talk about all the time?
CDs and DVDs will still autoplay as they did before. But USB sticks - unless they emulate a CD, in which case Windows thinks it's a CD and will autoplay it - unless it emulates a CD, then Windows is just, from this point on, saying no, we just can't take the risk. Users are going to have to run this stuff manually because So there's no way to turn it back on.
You know, I didn't pursue that. I'm sure you can. I'll bet you could go back into the registry and manually reenable Flip the switch, yeah, okay. I'm sure you could turn it back on. But so what Microsoft is saying is, if you haven't manually disabled it yet, we'll disable it for you. If you want to come back later and turn it on, fine. Then we're assuming you know what you're doing, and you're going to ask for the behavior that you get. Mom in the chatroom has a good point.
Does that mean something like U3 still autoruns? So something like U3, you don't lose the functionality there. Which is kind of a nice compromise. I guess it is, but how secure does this make us if somebody can just create their malware to emulate a CD? That'll be the next thing is that we'll now move there. And the point he's made is that in Linux, as in other operating systems, but specifically targeting Linux for his presentation, when you stick a USB device into a contemporary Linux desktop, all kinds of different levels of driver are engaged in order to connect with and recognize and mount the drive into the file system.
And many of those devices, he contends, have not nearly been examined for exploitability as much as we would like. And he demonstrates taking over a Linux desktop that is normal default-configured, just by sticking in a maliciously formatted USB device. So again, Linux desktop users may want to check out that presentation. It was a good one. We also got a big, thick stack of security vulnerability fixes for Adobe Reader and Acrobat.
Yep, they're catching up with - they had 29, Hey, they beat Microsoft. They did, 29 critical security vulnerabilities which they addressed in the release version of Reader X, which you know they use an "X" for that, so Reader X, Reader And also many of the same things were in Reader 9.
So they're encouraging everyone to update to the latest version 10 of Reader and Acrobat, and that's And then in their release notes they note that it also includes updates to Flash Player, keeping it current. And just I needed to mention this because I guess there must be some people somewhere who are still using RealPlayer We could probably count them on one hand. And that's the good news. Real, as we've talked about in the past, just was a horrendous security and sort of over-marketing exploitation approach to media players back in the beginning, really before Microsoft got into the media player business and sort of pushed them aside.
There are still, I think mostly within corporate America, or in general, corporate Earth, companies that are standardized on RealPlayer. If you're using the. Quoting from one of the sites that was tracking this, they said: User supplied data is then copied into the allocated buffer, without verifying [its] length, allowing the data to be written past the bounds of the previously allocated buffer.
You ask the media, oh, how large is the data you're going to give me? And the media says, oh, let's call it bytes. And then it says, okay, fine. Let me have it. And of course the media loads 5K and blows the buffer of bytes that was allocated, and then stomps over the stack, and has just loaded executable code, which the system then runs when it tries to come back from the subroutine that was loading this.
So anyway, this is a classic buffer overrun exploit. So if you are a RealPlayer user, you probably know it. Go over to Real and bring yourself up to date because the way this would be exploited would be just going to a web page that happened to invoke an AVI file in RealPlayer under the hope that you might have it installed.
If you did, you could get taken over. So you don't want that to happen. I might also add, if you're a Real user, go to Videoland. And stop being a RealPlayer user, yes. Let's get into some security news. Firefox yesterday added something to its latest beta of v4, the do-not-track option we were talking about last week. Yep, we talked about their intention to do so. I just wanted to let people know that it had appeared in the UI of Beta It is not enabled by default at this point. Of course, it's not supported by default, by any advertisers that we know of in the world.
But it's one of those chicken-and-egg things. The advertisers won't support it until the browsers ask for it. So I'm glad to say that Firefox 4 is asking for it. And I know that, as soon as I start using 4, I'll go there to the Advanced tab and say, yes, turn on do-not-track, and begin to get some experience with how that works. I like that the option says "Tell sites I do not wish to be tracked."
It's putting up a flag, but sites don't necessarily have to honor that flag. Yeah, and, I mean, I can vouch for the pervasiveness of Firefox use. I mean, I know that GRC is going to tend to have a savvier user base come by. But so that says that it's not as if we all have to sit around now waiting for Microsoft to do something before anyone's going to take this seriously.
I just hear people more and more talking about that they're using Firefox. And of course Chrome is coming on very strong, too. Google, as we also discussed last week, has made some motion in this direction, this whole do-not-track deal. So the good news is, this has been a problem for years, and we're beginning to see some solutions.
Hopefully we'll get to a standard. It's good that the different browsers are trying different things. Maybe we can see what works, what catches on. What I always hate is, there's a point where you could agree that, okay, that's the thing that works best, let's all standardize on that.
Rarely does that happen. Usually we go through a long march of everybody sticking to whatever it was the started with. Well, which we already have, for example, with NoScript that has its own format of do-not-track, different from what the Mozilla folks adopted, unfortunately.
Within the same browser, even. Within the same browser. So, like, Giorgio, when Mozilla announced this, Giorgio, the author of NoScript, he posted immediately, said, uh, you know, I already put this in here. Happy to have you guys use the same header.
But why not use the same header instead of use a different header? So now the query that has - a query from Firefox of v4 Beta 11 that has the Mozilla do-not-track turned on, and is using NoScript with Giorgio's options turned on, will have multiple headers saying the same thing in different ways.
And nobody listening at this point, exactly. Verizon is coming out with their own version of the iPhone this week. And they have very quietly announced some new policies regarding throttling the top 5 percent of data users, as well as some, what they're calling "content optimization." Yeah, which I thought - and I wanted to mention this just because I thought it was - the details of content optimization I thought was really interesting. They said on a PDF that they made available on their site, quoting first this issue of bandwidth throttling - just I wanted to bring it to our listeners' attention for any of those who would be affected.
To help achieve this, if you use an extraordinary amount of data and [thus] fall within the top 5 percent of Verizon Wireless data users, we may reduce your data throughput speeds periodically for the remainder of your then current and immediately following billing cycle to ensure high-quality network performance for other users at locations and times of peak demand.
Our proactive management of the Verizon Wireless network is designed to ensure that the remaining 95 percent of data customers aren't negatively affected by the inordinate data consumption of just a few users.
I think, you know, this is a replacement for maintaining your network at proper capacity. They're worried that they're going to get some bad press if their network gets clogged. And so what's an easy way to do it? Throttle down some people. But if you want to do that, you've got to put a policy in place that explains who you're going to throttle down.
So this doesn't - a lot of people are saying, oh, if you're in the top 5 percent you'll be throttled for two months. That's not exactly what they're saying here. They're saying, we reserve the right to periodically throttle you, basically when we need to. I think that, exactly as you said, they want to be preemptive. They want to say, look, just to let you know, if you are, I mean, really hogging bandwidth.
Because I got my Verizon iPhone yesterday, and I've got unlimited bandwidth use on it. That was the plan I chose. And I'm never going to be a heavy user. But I know that there are people who, I mean, they're sitting there watching all of their video consumption through all of the various online services now, and over time using a huge amount of bandwidth.
So Verizon is saying, look, for people who are really at the top tier, as you said, we may need to throttle you. Now, what's also interesting is, from a technology standpoint, I got a kick out of what they've acknowledged they're doing.
And anyone who's interested in the details, I'm going to run through them. But you can see the whole document at VerizonWireless. These techniques include caching less data, using less capacity, and sizing the video more appropriately for the device. The optimization process is agnostic to the content itself and to the website that provides it. For a further, more detailed explanation of these techniques, please visit www.
And I saw a couple things that I wanted to bring to our listeners' attention. First of all, this only applies over port 80, which is to say, HTTP. Well, that's a nice little workaround. So, exactly, that is. And the reason this is interesting is that they really are - so what they're trying to do is they're trying to conserve the air bandwidth, that is, bandwidth in the air.
You can choose lower compression, higher quality, where the image stays, like, ultra crisp sharp. Or you can make a JPEG image, the file, physically much smaller at the cost of some fuzziness. Basically, in terms of the type of compression JPEG uses, something called discrete cosine [transport] compression, DCT, it's expensive to transmit the data of a sharp edge.
It's much less expensive to transmit the data of a gradual change, the way this type of compression works. So if you back off from requiring your images to have sharp edges, then you can get a much greater level of compression. So what Verizon is doing is they're literally parsing the stream, looking at the objects which are being downloaded from web servers, and here they're saying they're reserving the option to change the data.
They will take a low-compression JPEG and recompress it to a higher level in order to minimize its size. They will even transcode video, on the fly, across formats. They'll go from, for example, they might take an AVI that's low compression, or RealMedia or something. If they know what your device is capable of, they will transcode it, and this document talks about this, to H. And so what they're saying is, at their discretion, they're going to preserve the bandwidth of their over-the-air service and compress things.
Now, what's really amazing is that they're not doing it based on URL or even filename. They look at the first 8K, which is typically multiple frames of a video, to determine if they've seen it again. So they're watching the start of your video and using that to key their own caching technology to see whether they have already seen this video before and compressed it for somebody else. And, if so, they switch you to that stream, and that's what they send.
So you're sharing streams. I mean, this is aggressive optimization. Maybe they weren't carrying the iPhone until now because they weren't ready for it. That very well may be true with all of this work. And couldn't they have - this is a cheap shot, but I'm going to say it anyway. Couldn't they have spent that time and money on capacity? Well, this is a long-term investment. I salute them for doing this. And this is some serious technology. I mean, this is state-of-the-art caching and WiFi bandwidth optimization.
It'll be interesting to see if users notice any effect. I mean, you could imagine, that, like, you could have two videos that start the same because they were edited from the same source material, but then are different. And their cache could be fooled by that. I was going to ask about that. I wonder when we get the first people on purpose spoofing videos that are popular to deliver some maybe images that people weren't expecting. The other thing that they're doing along the same lines is that they're deliberately sending only enough video ahead to keep your player running.
Yeah, I was thinking this would be a nifty way to take advantage of their transcoding, if you wanted to change videos to H. But you don't actually get the whole file. And again, they're being smart about this.
They're recognizing that many people don't watch the whole video that they download, yet they downloaded it all. So Verizon is saying, we're going to be buffering in your player, but we're only going to stay enough ahead that, if you stop watching something after a few minutes of a minute presentation, for example that YouTube I just talked about, then we won't have wasted our over-air bandwidth delivering video that was never seen.
So potentially this is all good, as long as it doesn't cause problems. I would say it's tricky technology. I salute them for being this aggressive. I hope it doesn't have any downside. I imagine there will be people who'll be playing with it. I think you're absolutely right about that. The other thing I've been seeing in the news lately are a lot of reports about how mobile is now the new battlefield for malware because we just had a report yesterday saying that smartphones outsold PCs in the last quarter of So there's some news from McAfee about this?
Yeah, Symantec had issued a report. We're beginning to see reports from the major security guys, and McAfee just, I think it was yesterday, issued their report where - and paraphrasing them, they didn't use the phrase "new low-hanging fruit," but that's how I would describe it. What's happening is that PC technology, and Windows specifically because it's been such a target for attack - I mean, what, this podcast is in its sixth year.
Leo and I have been talking about Windows security, Internet security, security, security, security, every single week for six years. Meanwhile, smartphones come along and are being adopted, as you just said, at a fantastic rate, and often, frankly, being used by people who are even less tech savvy than Windows users, who have figured out what it is they have to do in order to be safe. Less of a barrier to entry, so to speak.
And maybe there's even more temptation. Maybe it's just that people aren't yet as afraid as they need to be about phones. But arguably, a smartphone, I mean, we know that it's running a full operating system now, given all that they're able to do. But the thing that malware wants more than anything else is connectivity.
And while it's true that PCs are connected, I would argue smartphones are even more connected. I mean, there's more channels. You've got text, you've got all the social networking things, you've got email, you've got web browsing, and you've got applications, which, I mean, and this is of course a problem and a concern over on the Android platform, where people you don't necessarily know real well have created these things that look like, oh, wow, I really need that, and bang, now it's loaded in my smartphone.
Well, what is it doing? It has all access to potentially this massive communication resource on the little computer that you're holding in your hand. So I just wanted to say, once again, that we are seeing sort of the people who are watching security trends, they're saying that malware exploits are trending rapidly in the direction of smartphones. So for our listeners, just stay on your toes.
We're going to get into our main topic, BitCoin, a digital currency. But I know you have a testimonial for SpinRite to read first. Just, yeah, a nice letter that someone, a listener of ours named Mark Folkart, sent, with the subject "Yet another SpinRite story."
I wanted to say thank you and relay yet another success story of SpinRite. Her husband is not a client, but you know how that goes. He works for a large brokerage company I won't name. He had gone to his IT department, and they were unable to assist him. At our urging, they unencrypted the drive and returned it to him still broken. And his sales database was still inaccessible and trapped locally. Couldn't even slave the drive. I used a copy," and he says, "they had purchased a licensed copy of SpinRite and went to work.
Less than two hours later we were back in business. He had his contacts back and a working machine. Although I received no direct compensation, it certainly increased my credibility to a good customer, and how do you put a price on that? I will continue to use and recommend your product and just wanted to say thanks. It's amazing to me that an IT department wouldn't - and I've had it happen.
I won't name the workplace, but I have been in a place where my drive crashed, and I was like, hey, can you recover the data off this? I was like, well, no, it can. So our big topic today is BitCoin. You called this a "crypto currency." Well, it's really, really clever. The reason that I sort of fell in love with this for the moment is, as I plowed in, I just got a big kick out of the way that the many problems associated with a sort of a floating currency, meaning a currency that isn't anchored by any central bank, there's no state sponsorship for it, I mean, and it's a real thing.
Anyone who's interested, and I would encourage our listeners, if this podcast and what they hear about it makes them curious, go check it out. Just put "bitcoin" into Google, and you'll start seeing pages of stuff. And about two years ago the project was registered, a little over two years ago, by a Japanese cryptographer, Satoshi Nakamoto. And it's an open source project on SourceForge, so none of this is black art stuff.
The goal is to really solve, I mean, to offer an honest-to-god, non-hobby-level, but industrial-strength, Internet-based, peer-to-peer currency where real value can be exchanged between two parties without any intermediary being involved. And that's one of the trickiest things because you've got all kinds of problems. First of all, where does the currency come from? What creates the currency? How much currency is flowing through the system? How do you monitor that and regulate it?
How do you prevent it from being inflated? How do you keep people from fraudulently creating currency? How do you keep someone from, if they have some, from reusing the same currency?
All of that has been solved with this system in some very clever and very new ways. Which is really what captivated my attention on this. So wait a minute. So we have currencies. We have euros and yen and dollars. How can you invent a currency? What makes that work? So, think about it, a currency is nothing really but an agreement among the parties that this synthetic thing has value. Once upon a time, when the dollar was anchored to a gold standard, the idea was that there was gold backing up dollars.
And so when you had a so-called "promissory note," it was equivalent to X amount of gold. And we were of course famously taken off of the gold standard. The problem was we needed more money than we had gold; so we had to disconnect, in the case of U. It's kind of that incredible innovation in human society, when you think about it, that this works at all.
Because it started out you would carry around your chickens because you just wanted to trade what you had of value for what the blacksmith had. That got inconvenient, so gold became a good standard because everybody valued gold, and everybody kind of had the same value of gold. But we've gone from that to this sort of agreement that, well, I'm going to agree that a dollar's worth of work is worth a dollar's worth of merchandise, and it doesn't have to be backed by anything.
We'll all agree that that's the way to pay stuff. So I guess that's all they have to do is get enough people to agree that this currency is valuable? Well, and notice also that we chose gold because it was scarce. We didn't use water, for example, because you'd just go over to a stream and dip your bucket in. And the problem is, of course, anybody could go do that.
There's a famous scene in one of the Douglas Adams novels where they decide leaves will be their currency. And it has the same problem. Well, of course money grows on trees, so, yeah. And so we chose gold because it was scarce. And famously in the days of individual gold miners, they'd go out and try to find it because they would - basically they were creating more currency to put into the system at a controlled rate.
And initially, when there was lots of gold around, we were digging it up and turning it into bars and coins and so forth. And over time, it became increasingly difficult for us to find more gold, so it became increasingly scarce, and its value has increased. And in some ways we have a virtual currency with the dollar and the euro and all of these.
And in some ways that is a little more fair because someone can't just go out and find a bunch of money, unless they're robbing a bank, I guess. But, you know, you can't just go digging in the hills and luck into a bunch of money. It has to be earned in some manner. So what has been created with BitCoin has all of these attributes. There is this concept of bitcoins, the currency - in the same way that the abbreviation for U.
And so this network of computers exists now on the Internet, peer to peer. You can go to BitCoin. That is, literally start making money. So you are making money out of nothing, just by being a member? I mean, how does this - this just sounds like some sort of BitTorrent situation. It sounds wacky, but So you are making money. The way you make money is by processing transactions within the bitcoin system. So, and this is complicated, but unfortunately it needs to be complicated in order to be robustly secure, which it really is.
But the idea is that you want a transaction trail of every single transaction between two parties that has ever occurred. And they're occurring all the time. Now, this is not just - this currency is virtual, but it has been anchored now to real currencies. There are websites that will trade real currencies for bitcoins. At this point in time, about two years after it was launched, the current currency trade of U. I think it's, like, 93 cents for a bitcoin.
And there are organizations which accept bitcoin payments. There are programmers who will work and accept payment in bitcoins. There's a, I think it's called Trade, a trade link at BitCoin. So I know I Okay, let's back up a little bit here. If I can just create, by running the program, money, aren't we running into the leaves and water problem, where we just get runaway inflation and the currency is valueless?
Yes, except that it's all controlled. The way it functions is that new coins, new bitcoins, are generated on the network when a node - and, for example, if you're running the program, you are one node - when a node finds the solution to a hard problem. Now, this is really very clever the way this works because it prevents people from being able to create currency at will. Back in '97, I think it was, someone named Adam Back came up with a concept for antispam, which he called "proof of work."
It doesn't cost them anything to send out email. So as a consequence we're all being deluged with email, which it's expensive for us to receive, not expensive for them to send. So Adam said, what if we come up with a way of making it expensive for someone to send email? And the way we do that is, we create a computational burden which we don't have the technology to short-circuit, where they have to do a substantial amount of work in order to sort of validate an email. And on this show we've talked about hashing a lot.
Hashing of course is a valuable technique that takes an arbitrary length input and turns it into, hashes it down into a so-called "digest" of a fixed length. So imagine, like, take SHA, which is the secure hashing algorithm which produces a bit result. Imagine if, in order to qualify for sending email, you have to hash the email header such that some number of the first bits out of the bits are all zero.
So if you just hash an email header at random, the most significant bit has a 50 percent chance of being a one or a zero. So you increment a sort of a fudge factor and then hash it again until you get that first bit that's a zero.
But say that to qualify the header has to have a hash where the first 20 bits, for example, are all zero. So on average, half that number of hashes have to be tried. So the idea is this forces someone to do a huge amount of work fudging the header in order to get all, like the first X number of bits of the hash to be zero. So in practice you could set the difficulty so that it might take somebody two seconds to do the work on a 1GHz PC.
But that would mean that it takes a spammer two seconds per email, which is vastly more computation time than it takes them now. And so on an individual basis you don't notice that that much. But if you are trying to send vast amounts of email, which I guess could negatively impact legitimate bulk email like newsletters and things like that, too.
And actually that's exactly why the idea did not take off was that it was still - while, yes, it would be burdensome for spammers, exactly as you said, there are legitimate mass mailers. And if we did anything to allow them through, then the spammers would come through, too.
So it had to be all or nothing. And it was too much work for legitimate mass mailers. But it was a really interesting concept.
And Satoshi borrowed that concept that Adam Back proposed back in '97 for this. So here's the way it works. So imagine that there are, among all these peers, there are people exchanging value. A bitcoin exchange is somebody wants to send somebody else some bitcoinage. So the whole system works with an asymmetric key system, a public key system where they have both a public key and a private key.
They take some amount of bitcoinage and put their public key, sort of associate or include their public key in the transaction, also the public key of the person it is being sent to.