Hosts: Leo Laporte, Jeff Cannata, Tom Merritt, Jason Calacanis, and Denise Howell.

The Palm Pre, Apple’s WWDC 2009, voting on advertisements, Bing, E3, Google gets cozy with the White House, and more.

Show Notes

MacBreak Weekly 144: WWDC Wrap Up

Hosts: Leo Laporte, Alex Lindsay, and Andy Ihnatko

WWDC report, a new iPhone, AT&T, Palm Pre, App Store power, video, voice dialing, compass, and more.

Show Notes

Security Now 200: Your Questions, Steve’s Answers 68

Hosts: Steve Gibson with Leo Laporte

In this mailbag episode we discuss IPv6, Non-VPNs, Microsoft ClickOnce, expired SSL certificates, and more.

Show Notes

Windows Weekly 111: An F.U. To The E.U.

Hosts: Paul Thurrott and Leo Laporte

Europe getting 7 without IE, Bing is taking off, Morro, Google goes after Exchange, and more.

Show Notes

iron wil

Topics

• future topic: keyed message authentication code

News and Errata

• Quicktime 7.6 Update for both Mac and Windows, critical, 7 exploits patched
• illegal iWork ’09 with a trojan that will deeply infect your Mac with a bot net
• you have options for your windows automatic update, choose the one right for you, make sure you are patched
• Yubikey, limited size of password discussed last show, someone wrote in to say longer password is possible
• http://cryptolink.com trademark is in place now
• http://My.BarackObama.com forum, people were putting up trojans

Crypto Recap

3.5 year review of all the security pieces that have been talked about

threat model – what is it we can do? what are we trying to do?

for example, we assume the endpoints are secure while we try to secure the communication between the two endpoints – keystroke logger, for example, we can’t secure against – if someone gets physical access, we’re insecure

we assume non-infinite computational power because all of the crypto is subject to brute force attack, no matter how long the key is

“perfect” security? yes, one-time pad – still isn’t secure if someone has physical access

much crypto depends on this fact: it is very easy to multiply two big prime numbers together, not easy to factor the result into those two original primes

taking something to a power is easy, taking the log is hard – also a fundamental assumption of security at present

you want there not to be a single point of failure, even if single communications is cracked, all the rest of the communications should still be secure – a single shared key is a bad idea for this reason

assume endpoints secure, path inbetween (the internet) totally insecure

what do we mean by security? in this context where we’re protecting traffic between two endpoints, we want 3 things:

1. confidentiality, interceptor in the middle cannot read the messages
2. integrity of message, guard against message being modified
3. authenticate the endpoints, are we really talking who we think we are?

encryption gives confidentiality, symmetric (same key at both ends used to encrypt and decrypt), asymmetric (two different keys used, one to encrypt a random symmetric key that’s used to encrypt the message, the other to decrypt that symmetric key), key agreement

message integrity, using hashes to create a signature (md5, sha1, etc), a hash is a digest of a much-larger communication, a fingerprint – any change to the original message will change that fingerprint – not computationally feasible to make a change to the original message and deliberately produce the same signature – md5 has been broken in this respect

in a couple of weeks we’ll talk about keyed digest, giving an authenticated signature, which we don’t have now

endpoint authentication, certificates and chain of trust anchored to a root authority

get yours here.

iron wil

Security Update 2008-007

• Apache
• Certificates
• ClamAV
• ColorSync
• CUPS
• Finder
• launchd
• libxslt
• MySQL Server
• Networking
• PHP
• Postfix
• PSNormalizer
• QuickLook
• rlogin
• Script Editor
• Single Sign-On
• Tomcat
• vim
• Weblog

Read the details here.

iron wil