This show is guest-hosted by Bart Busschots. The show starts with a little rant about how Apple did not accidentally admit to practicing Planned Obsolescence, no matter what the tabloid press (or Irish radio) say. Allison teleports in from the past with an interview with PRC from CES 2016, Bart recommends the Hardcore History podcast, and finally, Bart does a solo Security Bits.
Bart is back again with another guest post while Allison is away.
I want to share a podcast recommendation with you. Well – I say podcast – the content is delivered as a podcast, but it’s anything but a typical podcast. The content is meticulously scripted, performed, and produced, making it more like a collection of high-quality audio books than a podcast. The schedule is also very atypical – a three to four hour show about four times a year. Some of the topics covered stretch over multiple shows, so they can build into 15 or even 18 hour epics – a meticulously produced 18 hour story with a well-defined beginning, middle, and end – that really is an audio book IMO.
The show is called Hardcore History, and the brains behind it is Dan Carlin – a self-professed ‘history fan’. Dan is quick to point out that he is not an academic historian. He does not do original research – instead, he reads as much of the work put out by academic historians as he can, and then builds all that knowledge into a compelling story. The magic ingredient in my opinion is Dan’s ability to teleport you into the past. It’s not just a bunch of stuff that happened, it’s fully rounded human beings living in a fully colourised world having to make tough decisions. Dan spends a lot of time and effort trying to get into the minds of ancient peoples – trying to understand what made them tick, and hence, understand why they did what they did, why they reacted to situations in the way they did, etc. Another very important part of what makes Hardcore History work is Dan’s understanding of the importance of context. Dan tends to start a new topic by going back in time to before the story he wants to tell so we can understand the world in which the action starts, and then watch that world transform as the events unfold. A story generally ends by projecting forward, contrasting the world before with the world after.
In case you can’t tell from the tone of this post, this is Bart here standing in for Allison this week.
This morning I was listening to the radio, like I always do when getting ready for work. I listen to RTÉ 1, Ireland’s national radio station for serious adults (lots of talk, very little music), and at the time I’m getting ready for work, I get to listen to the first half of Ryan Tubridy’s show.
The news came on at the top of the hour, we still don’t have a government, and then Ryan got stuck into his hour. His first main topic was Apple – ruh roh – I always get a little nervous when RTÉ take on tech topics. In my experience they have generally proven to be about as technologically literate as my cat. Ryan had a supposed tech expert come on to explain that in their environmental report, Apple had accidentally admitted to practicing planned obsolescence. In case anyone didn’t understand what that was, they explained that in the early years of the last century the lightbulb manufacturers had a cartel which they used to artificially shorten the lifespan of light bulbs to boost sales. The implication was clear: Apple is doing the same kind of thing, designing their iPhones to die early so they can sell more.
Really? Could this really have happened and it not show up on any of the many tech news sites I read? Colour me VERY sceptical.
- This week it emerged that Dell started rolling out an updated version of its Dell Foundation Services software (or crapware as I call it) that comes with a root certificate that gets installed into Windows. The certificate shows up in the Windows Certificate Manager as
- Initially it was thought it only affected laptops sold since August, then it emerged that it was on desktops too, and the last shoe to drop was that the cert was also being pushed to people with older Dell computers via updates to the Dell software.
- This root cert is installed with its ‘PRIVATE’ key, and all computers have certs with the same private key, and the password ‘protecting’ that private key is
- A second, similar cert was found later in the week also from Dell called
When I do Security Lite with Allison as part of our Chit Chat Across the Pond segment I often tell people that there is no need to set your hair on fire. This is one of those times. Before I explain what happened and why it’s not a catastrophe, I want to start with a simple list of what LastPass users should do now:
- Change your master password
- When setting your new password, make sure that your password hint is as cryptic as possible
It should not be possible to determine your password from your hint!
So, what happened?
The short version is that attackers were found to have accessed LastPass’s user authentication database, and that gave them access to email addresses, password hints, and very well protected master passwords. It’s important to note that people’s encrypted password databases were not in the breached database.
So, what of value did the attackers actually get? Not much. The reason is that LastPass did a great job designing their architecture, so people’s data is very safe, even when attackers gain access to such a sensitive-sounding database. The reason people like Steve Gibson recommend LastPass is that their design is robust. The system was designed to keep your data protected, even if the LastPass servers were breached. Given that sooner or later every system gets hacked, that was very much the right thing to do.
Let’s dig into the specifics – LastPass never store your actual master password, instead, they store an irreversibly encrypted version (more on how they do that later). When you need to prove you are who you say you are, the password you submit is irreversibly encrypted, and then that encrypted version of your password is compared to the encrypted version on file. Since LastPass don’t actually have your password, they can’t lose it!
The only thing the attackers can do with the protected passwords they have is guess what the password is, run it through the encryption process, then check if the encrypted version of their guess matches what was in the database they stole.
To make this as hard as possible, LastPass got two very important things right.
Firstly, every single LastPass user’s password is one-way encrypted using a different random number known as a salt. This means that the password ‘open123’ encrypts to a different value for every user, so attackers have to re-do all their work for each user. Passwords protected in this way are referred to as hashed and salted.
Secondly, they did not just store the plain salted hashes, they ran them through a process designed to be computationally hard. A legitimate user doesn’t need their password validated often, so it’s not a problem that it takes a lot of CPU power each time. Attackers have to test trillions and trillions of password guesses, so the extra computational complexity really adds up for them.
This kind of password strengthening (often called key stretching) is known as password based key derivation, and LastPass run the salted hashes of users’ passwords through 100,000 iterations of a password based key derivation function known as PBKDF2. This is ten times more than the currently accepted best-practice of 10,000 iterations of PBKDF2.
Basically – LastPass were not just doing things by the book, they were doing things even better than that!
What this means is that even weak passwords will stand up to a lot more of an attack than you might expect.
Finally, once you change your password, the data the attackers have becomes useless, so the stretched, salted, hashed passwords only have to stand up to attack for the short time window between the breach happening and users resetting their passwords. So, if you are a LastPass user, go reset your password NOW as a precautionary measure.
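As an added illustration of the salt-and-iterate scheme described above (this is example code, not code from the post or from LastPass), the following Python uses the standard library’s PBKDF2 with the post’s 100,000 iterations. The choice of SHA-256, the salt length, the output length and the sample users are assumptions made for the example. It shows that two users with the same weak password get different stored records, that a record still verifies the real password, and why each guess has to be re-derived once per user, which is where the attacker’s cost comes from.

```python
import hashlib
import hmac
import os

# Iteration count as stated in the post (PBKDF2, 100,000 rounds). The hash
# function (SHA-256), salt length and output length are assumptions made for
# this example; they are not details taken from LastPass.
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the slow, one-way step the post calls 'irreversible encryption'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the record a server stores: a fresh random salt, the iteration
    count, and the derived key. The password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": iterations, "hash": derive(password, salt, iterations)}


def verify_password(password: str, record: dict) -> bool:
    """Re-run the derivation with the stored salt and compare in constant time."""
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get two different stored hashes
    (different salts), yet both records still verify that password."""
    a = hash_password(password, iterations)
    b = hash_password(password, iterations)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


def guessing_cost(wordlist, records) -> dict:
    """Model the only thing the post says an attacker can do with the stolen
    records: derive each candidate word and compare. Because every record has
    its own salt, a word must be re-derived for every user, so the work is up
    to len(wordlist) * len(records) slow derivations rather than one per word.
    Returns the number of derivations performed and which constructed users
    had a password that appeared in the wordlist."""
    evaluations = 0
    found = {}
    for user, record in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_password(word, record):
                found[user] = word
                break
    return {"evaluations": evaluations, "found": found}


def build_demo_records(iterations: int = ITERATIONS) -> dict:
    """Constructed sample users for the demonstration (not real data)."""
    return {
        "alice": hash_password("open123", iterations),  # weak, the post's own example
        "bob": hash_password("open123", iterations),  # same weak password, different salt
        "carol": hash_password("correct horse battery staple", iterations),  # not in the wordlist
    }


if __name__ == "__main__":
    records = build_demo_records()
    print("same password, different stored hashes:", same_password_different_records("open123"))
    # Constructed four-word guess list; with three users this costs up to 12 derivations,
    # each 100,000 rounds, and only the two weak passwords are recovered.
    wordlist = ["password", "123456", "open123", "letmein"]
    print(guessing_cost(wordlist, records))
```

Two design points worth noting: the salt and iteration count are stored alongside the hash, so the iteration count can be raised later without knowing anyone’s password (old records are upgraded at next login), and the comparison uses `hmac.compare_digest` so the verify step does not leak how many bytes matched through timing.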
Let’s talk about password hints
I do want to draw your attention to one subtle detail – the attackers got users’ password hints. We have seen from past breaches that some users do very silly things with password hints – there is the infamous example from the Adobe breach where some clown used the password hint ‘rhymes with assword’. The only people who need to panic here are those with dumb password hints. Given that a hint is shown whenever you can’t remember your password, those accounts were ALWAYS in danger, and they have been made even more vulnerable by the breach.
To me the biggest take-away from this is that LastPass have been tested, and they have not been found wanting – their good design has paid off, and protected their users. Secondary to that, this breach serves as a reminder to be very careful when setting password hints on anything – if you make the hint too obvious, you have effectively published your password!
For more details, see this excellent Naked Security article: https://nakedsecurity.sophos.com/2015/06/16/bad-news-lastpass-breached-good-news-you-should-be-ok/
The show starts with a review of the Canon EF-S 10-18mm wide angle lens from listener Steven Goetz. That’s followed by a dumb question from listener Lynda who’s having trouble getting Back to My Mac to work through Double NAT. Then we hand over to Allison for two more interviews from CES, one with the Z-Wave Consortium, and one with bag maker LooptWorks. That’s followed by a Security Medium about the FREAK SSL/TLS vulnerability. As a palate cleanser before Security Lite listener Sean reviews the game Zombies Run, and the show ends with a Chit Chat Across the Pond (desk really) with Irish classical music blogger Bren Finan, who shares his experiences trying to live his digital life on just iOS.
Bart Busschots is guest-hosting the show this week. Allison tells the story of Move Mouse – a Mac app written for a Nosillacastaway by a Nosillacastaway! Bart answers a great dumb question from listener Lynda on the security of old Macs, Ken Wolf from the Manhattan Repertory Theatre reviews Chronicle, Bart fills us in on the POODLE vulnerability that’s been in the news this week, Allison describes how you can become a hero with Clarify, and in Chit Chat Across the Pond Bart talks to George Starcher about security from a Mac user’s point of view.
Bart Busschots from the Let’s Talk podcasts guest-hosts this week’s show. Bart starts with a short tribute to a co-worker and friend who passed away unexpectedly last weekend, Liam Burbridge. Next we have a review of the RadioShack Bluetooth Cassette Adapter submitted by Steve Davidson, then Bart answers a Dumb Question about Whole Disk Encryption which Steve also sent in. After that Konrad Dwojak gives us some tips for composing interesting landscape photos, before Allison briefly interrupts with the good news that Clarify 2 has been released. Bart then returns with a review of the fun but utterly silly Monty Python’s Ministry of Silly Walks app for iOS & Android, before Allison makes another guest appearance to share her love of Doodle with us. Finally Bart is joined by Mark Pouley of Twin Lakes Images for a Chit Chat Across the Pond segment all about capturing the lovely light at dusk (or dawn).
This show is guest-hosted by Bart Busschots of the Let’s Talk Apple and Let’s Talk Photography podcasts. Bart gives us the low-down on the Goto Fail bug, Dave Allen reviews the Sony NEX6 Camera, Bart reviews Worms 3 for iOS & OS X, and Antonio Rosario joins Bart for Chit Chat Across the Pond to talk about Switch to Manual.
This week Bart from the International Mac Podcast stands in for Allison, while next week it will be Allister Jenks. Please remember to send your audio reviews to Allister at email@example.com. BJ reviews Worms Revolution, we talk Java Security and safely nuking and paving in Dumb Question Corner, Ian Douglas reviews Palua, Bart does Security Light before Kevin Allder joins him to talk about life as a slider on Chit Chat Across the Pond.