And security what happens is you go to one of these sites. Unfortunately, current Mac security and antivirus software is fairly trivial to generically bypass. I used bitcoin at Now Comics in Los Angeles to buy graphic novels. Any bitcoin can become subject to collapse. They did, bitcoin critical security vulnerabilities which they values in the release version of Reader Now, which you know they use an "X" for that, so Reader X, Security Of values, last Tuesday was February 1st.
So now they have that built-in face-mapping camera. Who is their root certificate holder? Security course, it's not supported by default, by any advertisers that we know of in the world. So anyway, I knew that would be of interest. They are taking all the transactions which have not yet been encased in a block, and now hash all of that along with the hash value of the previous block, which anchors the values together and means that you're not able to create a block that isn't linked to the prior one, hash it all together, and then there's a certain amount of bitcoin which is of finding a block that functions by exactly, as we were talking, having a hash with some bitcoin of zeroes from the left end going now.
And do you know if they were, or did they fix it? I just see no, no, no, all green, across the board. It's listed there because it was vulnerable. So they fixed it. So yay to them. Yes, they did fix it. Doesn't have a date of fixing, so I don't know. And FastMail, which I use on the web, is also safe. And Proton Mail also. They jumped on it and got that fixed quickly.
But, I mean, on the web says it is still vulnerable. Yeah, see, this is unclear. So he says "Is affected by Mailsploit?" I guess "no" means never vulnerable. And then you've got to check the date. This is not very clear. He's good at finding exploits, but not so good at explaining what it is that is going on afterwards. But interestingly, two vendors, Mozilla and Opera, both said they won't fix the bug. They consider it to be a server-side problem. Well, they might be right.
Like Gmail doesn't have the problem; right? And another one, which is Mailbird, closed the ticket on this guy without responding. So anyway, I'm glad to have the research. And it's interesting, I mean, I guess not that surprising that here again Unicode has bitten us in a way that wasn't - oh, I forgot to also say there are some sites which he also discovered a cross-site scripting hack that can be leveraged in the same way.
So that can be even worse. And on that page that I have a link to, that he links to from his page and that I have a link to in the show notes, he does also have a column for whether they are vulnerable to various cross-site scripting attacks, which a number of them can be vulnerable to.
Google has announced from their blog posting just this month, I think it was on the first, from their safe browsing team, that they're going to start expanding their enforcement of something we covered about a month ago which they called the "unwanted software policy." We now are getting more information about what this means.
In the show notes here I have a big picture of what they intend to display, which would pretty much drain the blood out of anybody. It's this big red screen, big X in a stop sign, Deceptive Site Ahead, saying that attackers on whatever site you're about to visit may trick you into doing something dangerous like installing software or revealing your personal information, for example, passwords, phone numbers, or credit cards. And the default is to go back to safety, meaning don't proceed.
So you're able to click something if you want more details. But this is pretty much going to stop anybody who doesn't really know - I'm not even sure if you can bypass it. It doesn't look like there's an, "Okay, fine, I want to proceed." Additionally, if an app collects and transmits personal data unrelated to the functionality of the app, then, prior to collection and transmission, the app must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
Basically, as it has been, apps have been able to just, as we all know, when you install it, it says, well, we need all of the following permissions. And it's like, okay. So lots of apps get overly broad permissions from their users at install time and are never accountable afterwards.
Google has decided, okay, enough of that. We're going to, if an app is doing something beyond its clearly intended scope and function, it's going to have to provide a pop-up and say we want to do these things for these reasons, and have the user provide affirmative consent. So yay to Google for this. I mean, this is all for the better.
So what's going to happen is that, starting in 60 days, two months from now, this expanded enforcement of Google's unwanted software policy will likely be resulting in warnings shown on user devices via Google Play Protect, or on web pages that lead to these apps. Webmasters whose sites show warnings due to distribution of these apps should refer to the Search Console, that is, Google's Search Console, for guidance on how to deal with remediation and resolution of the warnings.
Developers whose apps show warnings should refer to guidance in the Unwanted Software Help Center. And then developers can also request an app review by Google using the article that Google posted on app verification and appeals. So basically Google's providing a bunch of tools to keep this from being a big deal, but to begin to enforce apps being more responsible. And then apps published in Google Play will have specific criteria to meet Google Play's enforcement of this unwanted software policy, which they announced, and we covered at the time, back in August of So this is great.
This is Google being proactive, holding apps accountable and just tightening up security for everybody who is using Android and Google Play Store stuff. And I think this will, if Google is able to do this, probably serve to essentially fence off a lot of the sketchy things that have been going on without any control. So Leo, you'll remember, because I remember you pulled this up and you poked around at it, when we talked about twofactorauth.
So that was the first step. Now we have USB-Dongle Authentication, a similar site showing which sites and services offer the use of hardware dongles for Oh, I love this.
Yes, yes, yes, yes. I'm all in on the YubiKey. I just use it everywhere now. Facebook does, which is great.
And so it's www I can be secure when they're stealing my social graph. And they do the same thing. In order to help people quickly go somewhere and answer a question, they break it down by category: So a complete breakdown there. And then also they have a separate index by devices. So you can click on "dongles," and it will show you all of the current one-time password and U2F dongles, and which ones support which of those or both protocols.
So nice piece of reference information for people who are interested in hardware-enforced second-factor support. Yeah, that's really great. Do you do that? Do you use a YubiKey? You're going to be doing SQRL soon enough. And so we'll see if that - hopefully that will get some traction. I know that Yubico themselves have said that they will be supporting SQRL in their hardware as soon as they're able to.
So we'll see what goes on. But I do, I'm a big user, as we know, of the time-based tokens. I think that's very strong security. Authenticator, using Authenticator, yeah. Do you think that's as good as a hardware key?
The argument you could make is that, well, if somebody got into your phone, and they got into the authenticator data, then they could get all of your private keys. So the authenticator works by having private keys in your phone, which are technically vulnerable.
The advantage of the hardware dongle is the hardware keys exist in it. And so the idea is it can't be hacked, we hope. And so I guess the point would be, if you absolutely really desperately needed security, then it would make sense to do that.
But my sense is you're potentially inconveniencing yourself a lot for maybe only a little bit greater security. I mean, your phone becomes your dongle, basically.
I don't have a problem with that, yeah. And it is inconvenient. I mean, I keep my dongle, my YubiKey on my keys. But I'm always reaching for my keys. And maybe that's a problem because, if you found my keys, you'd have my YubiKey, although I don't know if you'd know what to do with it.
You'd have to figure out who I am, figure out what my logins are, get my passwords, and then you'd have the second factor. And now every listener to the podcast knows Now fake them out, Leo. Put a dummy YubiKey on your keychain and keep it in your shoe or something. I should do that.
I keep two on there. I keep two of them on there. You get to figure out which one. So we have - and this is going to be, unfortunately, an ongoing topic. We have the persistent danger presented by insecure Internet-facing routers. And this is back in the news because last week researchers from Netlab spotted a new publicly available Mirai variant.
You know about the Mirai worm, which was causing huge havoc earlier this year. So an update in the Mirai malware has allowed malware to spread to another hundred thousand networking devices made by ZyXEL. Is that how you pronounce it, ZyXEL? I say ZyXEL [zy-cel]. They've been around forever. Thanks for making a pronounceable name. Oh, yeah, they have, and I have liked their stuff. I think I have a couple of their dumb switches. Remember they used to have modems, really the best, the best.
In the USRobotics phase. So on the end of October, actually on Halloween, October 31st, a new exploit was posted that allowed remote access, unauthenticated remote access to a class of these modems.
Over the course of just 60 hours, starting on November 22nd, when this was deployed into Mirai, nearly , new devices, which almost without exception had IP addresses in Argentina, suggesting that they were all provided by an ISP, like a single ISP would say, here, take this fabulous router in order to use our services, were commandeered by Mirai.
It's a well-known CVE. It's , which explains that affected devices all share the same fixed superuser password, allowing, not surprisingly, remote attackers to obtain root access when a non-root account password is known. And that's also defaulted. So this appeared on October 31st. A couple weeks later Mirai gets it. And now , new devices are under the control of Mirai.
Now, as it happens, the two domains that the attackers were using to control these newly infected devices were seized and quickly sink-holed, which had the short-term effect of stopping the infection from spreading further and preventing the attackers from using the hijacked devices to cause Internet outages.
Remember that's what Mirai did was it was a massive DDoS bandwidth attack that was aimed at various targets.
But those , Internet-connected devices remain insecure. So they are still susceptible to takeover by any other Internet worm that may wish to take up residence in them. And unfortunately, this is where we are today. We have a large inventory, and probably a growing inventory, of insecure and persistently insecure, well-connected routers which are going to be hosts for worms and service attack platforms. I don't know how we get out of that situation. So various classes of software have been injecting their own code into Chrome in order to provide features like accessibility features, but also AV software has been doing this prevalently.
The problem is that, in literally sinking their hooks into web browsers through a process known as code injection, they tend to destabilize the browser. They don't know that it's because they've got some flaky AV that hooked itself into Chrome in order to protect them from stuff that they're downloading. They just know that their system crashed when they were using Chrome, and they're not happy.
And of course they blame Chrome, where in fact it's actually a third party that is running in-process stuff. So it induces significant instability, and Google has pretty much had enough of it.
So last Thursday in the Chromium blog they announced their plan to roll back and eventually block third-party software from injecting its own code into Chrome. And they're going to, of course, as Google always does, they're going to do this in a staged - announce it and try to keep anybody from being inconvenienced, but yet the hammer's going to fall.
So in April of next year, , with the release of Chrome 66, Google will begin informing users if code injection causes their browsers to crash. In other words, Google's going to first create some accountability here so it just doesn't, like, oh, Chrome crashed, darn it, and the responsible party is not identified.
So they're going to alert them with the name of the responsible application and a guide to update or remove it, which they can do because they've been collecting telemetry on these apps. They know now who the culprits are. So then, a few months later, in July of , with Chrome 68, they're going to start blocking third-party software from injecting code into Chrome processes.
But if this blocking prevents Chrome from starting, the browser will restart and allow the injection. So again, turns out that there are some situations where the third-party add-on software can have hooked things in a way that Chrome becomes dependent upon it so that, if Chrome then says we're not allowing you to do an injection here, Chrome will have a problem.
So Google will watch that. If it can't start, then it will allow the injection but display a warning guiding users to remove that particular software. So Google's really going to push back. And then finally, one year from now essentially, January of , with no exception, starting with Chrome 72, Google will completely block code injection from any third-party software.
So basically any AV, any accessibility solutions or anything else which is using code process injection in order to change, enhance, protect, whatever the reason, in Chrome, that's going to be impossible. Chrome's simply going to not allow that a year from now. However, in their announcement, Google notes that there are safe means for achieving the same things using the native messaging API that Chrome offers, or just having the application create a standard Chrome extension to add functionality to the browser.
The user would then need to install the extension or the installation of the feature, or the app, the AV, whatever, would have to take them through doing that. So it makes it apparent. But what this does is it then creates a sanctioned means for apps to add functionality to the browser, rather than the third party just autonomously reverse-engineering hooks which they then insert into Chrome and create instability in the process.
So again, I think this is the right way to do it. It's unfortunate that this wasn't blocked from the beginning because then applications would have always had to do it the right way.
That's a large number. So Google is just saying, nope, we know who you are. We're going to warn people in April. We're going to get stronger in July. And we're going to shut it down completely a year from now in January of , which I think seems like the right thing to do. I haven't talked a lot about sharing a real fun success story about SpinRite for a while, but I ran across one in the mailbag when I was pulling the show together.
Canberra, with the subject "SpinRite yet again saves the day." Hope you and Leo are well. Big fan of the Security Now! Love the work both of you do. No, no, no, no, no. Love, love, love them. Keep them coming, please. They always make me feel good, and I love - and then they're all different in various ways. And this one is, too. We haven't had one like this.
That means Windows doesn't recognize it. I decided to pick up and scan the drive anyway. SpinRite encountered trouble that caused it to stop before it was completed. So I came to terms," he said, "with the failure to complete the scan message, and thought the drive is never going to be brought back. Suddenly it dawned on me. I sprinted towards my PC to plug in the drive and, to my surprise, found out the drive was working and allowed me to back up almost all the data off it.
All this time, I didn't think to plug in the drive on my PC to check. I'm so glad that I didn't throw it away. As always, thank you very much for the awesome product. Can't wait for the new version. Keep up the good work.
And that is the case. We know that the problem is that drives are so autonomous now. SpinRite works with them to fix things. But first of all, there's a limit to how much software can do. As we've been saying, ultimately in this battle for the drive to die, it will succeed.
So don't push it too far. We know that, had he been running this on SpinRite periodically, this probably wouldn't have happened. But the message I wanted to share and what I'm so glad he shared was that, if you run SpinRite on it, even if it doesn't seem to have worked perfectly, it very often can have done enough to be very useful to you.
So definitely give it a try afterwards and see if you got enough back. So we've talked about Quad 9, this DNS provider. I think it was two weeks ago, Leo, that we first talked about it. Last week with Father Robert there were many people super excited, some people unhappy that it was too slow for them. They liked the idea of all the security benefits from using Quad 9, but they just, like, okay, it wasn't as fast as my own testing showed it to be.
I wanted to tell people that there is now a points-of-presence map for the service. Yeah, they're all over the place. They've got something at release a couple weeks ago, and they're intending to go to , so many, many more. There is a Network Security and Certification books bundle at Humble Bundle that I wanted to tell our listeners about. It's got a lot of time left, 13 days. And the books are, as the title, it's network-security-certification-books, all hyphenated.
I've got the links in the show notes. A dollar gets you five of those. That's all of the first five plus those four for eight bucks. So anyway, I knew that would be of interest. And those of course eBooks that you're able to purchase. These are all published by Wiley. This is a Wiley bundle, whereas the previous was - there was a sci-fi set, and then there was also another, oh, it was the Java.
And those were all O'Reilly offerings. And, finally, some great feedback from our listeners. Looks like most glitches were fixed. Maybe Apple actually QC'd this version. No, I think it was Friday, wasn't it. And so I've updated all my stuff. And I caught your talking on MacBreak about the subtle little new things.
Like a second bug, yeah. I hadn't noticed that little gray underline. Oh, that bar, yeah, that was weird. And the weird spinning Yeah, the fidget spinner underneath the icons, yeah. I don't know what that is all about. Also the black, theblack - I don't - theblack - I don't know what this - theblacktandog, I guess is his name.
Also, big news, thanks to a number of our listeners who sent me this. I noted here the first person who I encountered, and that was Dan Kutka, who said: So there is a secondary secure, that is to say filtered, DNS. I had said last week or the week before, my own observation of Windows, and I have studied what Windows does with DNS because of course I wrote the Benchmark, it always issues the primary. And then, if that fails, it issues all.
And then it remembers who responded first. I did see some comment somewhere that there were some systems that always issued all and then used whoever came back first. So it suggests you do want to, if you can, if you want to use Quad 9, use the filtered IPs.
And so for the secondary you want the And so thanks to everyone for making sure that I knew about that. In Finland it works perfect," he tweeted. Phone is occasionally unresponsive and unstable. It didn't do this at all in Finland. For me it seems to be entirely performance. There were cosmetic bugs. And I heard you refer to them exactly that way in the last podcast also, Leo. So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.
Yeah, and, I mean, I can vouch for the pervasiveness of Firefox use. I mean, I know that GRC is going to tend to have a savvier user base come by. But so that says that it's not as if we all have to sit around now waiting for Microsoft to do something before anyone's going to take this seriously.
I just hear people more and more talking about that they're using Firefox. And of course Chrome is coming on very strong, too. Google, as we also discussed last week, has made some motion in this direction, this whole do-not-track deal. So the good news is, this has been a problem for years, and we're beginning to see some solutions. Hopefully we'll get to a standard. It's good that the different browsers are trying different things.
Maybe we can see what works, what catches on. What I always hate is, there's a point where you could agree that, okay, that's the thing that works best, let's all standardize on that. Rarely does that happen. Usually we go through a long march of everybody sticking to whatever it was they started with. Well, which we already have, for example, with NoScript that has its own format of do-not-track, different from what the Mozilla folks adopted, unfortunately.
Within the same browser, even. Within the same browser. So, like, Giorgio, when Mozilla announced this, Giorgio, the author of NoScript, he posted immediately, said, uh, you know, I already put this in here. Happy to have you guys use the same header. But why not use the same header instead of using a different header? So now the query that has - a query from Firefox v4 Beta 11 that has the Mozilla do-not-track turned on, and is using NoScript with Giorgio's options turned on, will have multiple headers saying the same thing in different ways.
And nobody listening at this point, exactly. Verizon is coming out with their own version of the iPhone this week.
And they have very quietly announced some new policies regarding throttling the top 5 percent of data users, as well as some, what they're calling "content optimization." Yeah, which I thought - and I wanted to mention this just because I thought it was - the details of content optimization I thought were really interesting.
They said on a PDF that they made available on their site, quoting first this issue of bandwidth throttling - just I wanted to bring it to our listeners' attention for any of those who would be affected. To help achieve this, if you use an extraordinary amount of data and [thus] fall within the top 5 percent of Verizon Wireless data users, we may reduce your data throughput speeds periodically for the remainder of your then current and immediately following billing cycle to ensure high-quality network performance for other users at locations and times of peak demand.
Our proactive management of the Verizon Wireless network is designed to ensure that the remaining 95 percent of data customers aren't negatively affected by the inordinate data consumption of just a few users.
I think, you know, this is a replacement for maintaining your network at proper capacity. They're worried that they're going to get some bad press if their network gets clogged. And so what's an easy way to do it? Throttle down some people. But if you want to do that, you've got to put a policy in place that explains who you're going to throttle down.
So this doesn't - a lot of people are saying, oh, if you're in the top 5 percent you'll be throttled for two months. That's not exactly what they're saying here. They're saying, we reserve the right to periodically throttle you, basically when we need to. I think that, exactly as you said, they want to be preemptive. They want to say, look, just to let you know, if you are, I mean, really hogging bandwidth.
Because I got my Verizon iPhone yesterday, and I've got unlimited bandwidth use on it. That was the plan I chose. And I'm never going to be a heavy user. But I know that there are people who, I mean, they're sitting there watching all of their video consumption through all of the various online services now, and over time using a huge amount of bandwidth.
So Verizon is saying, look, for people who are really at the top tier, as you said, we may need to throttle you. Now, what's also interesting is, from a technology standpoint, I got a kick out of what they've acknowledged they're doing.
And anyone who's interested in the details, I'm going to run through them. But you can see the whole document at VerizonWireless. These techniques include caching less data, using less capacity, and sizing the video more appropriately for the device. The optimization process is agnostic to the content itself and to the website that provides it. For a further, more detailed explanation of these techniques, please visit www.
And I saw a couple things that I wanted to bring to our listeners' attention. First of all, this only applies over port 80, which is to say, HTTP. Well, that's a nice little workaround. So, exactly, that is. And the reason this is interesting is that they really are - so what they're trying to do is they're trying to conserve the air bandwidth, that is, bandwidth in the air.
You can choose lower compression, higher quality, where the image stays, like, ultra crisp sharp. Or you can make a JPEG image, the file, physically much smaller at the cost of some fuzziness. Basically, in terms of the type of compression JPEG uses, something called discrete cosine [transport] compression, DCT, it's expensive to transmit the data of a sharp edge. It's much less expensive to transmit the data of a gradual change, the way this type of compression works.
So if you back off from requiring your images to have sharp edges, then you can get a much greater level of compression. So what Verizon is doing is they're literally parsing the stream, looking at the objects which are being downloaded from web servers, and here they're saying they're reserving the option to change the data. They will take a low-compression JPEG and recompress it to a higher level in order to minimize its size.
They will even transcode video, on the fly, across formats. They'll go from, for example, they might take an AVI that's low compression, or RealMedia or something. If they know what your device is capable of, they will transcode it, and this document talks about this, to H. And so what they're saying is, at their discretion, they're going to preserve the bandwidth of their over-the-air service and compress things. Now, what's really amazing is that they're not doing it based on URL or even filename.
They look at the first 8K, which is typically multiple frames of a video, to determine if they've seen it again. So they're watching the start of your video and using that to key their own caching technology to see whether they have already seen this video before and compressed it for somebody else. And, if so, they switch you to that stream, and that's what they send.
So you're sharing streams. I mean, this is aggressive optimization. Maybe they weren't carrying the iPhone until now because they weren't ready for it. That very well may be true with all of this work. And couldn't they have - this is a cheap shot, but I'm going to say it anyway.
Couldn't they have spent that time and money on capacity? Well, this is a long-term investment. I salute them for doing this. And this is some serious technology. I mean, this is state-of-the-art caching and WiFi bandwidth optimization. It'll be interesting to see if users notice any effect. I mean, you could imagine, that, like, you could have two videos that start the same because they were edited from the same source material, but then are different.
And their cache could be fooled by that. I was going to ask about that. I wonder when we get the first people on purpose spoofing videos that are popular to deliver some maybe images that people weren't expecting. The other thing that they're doing along the same lines is that they're deliberately sending only enough video ahead to keep your player running. Yeah, I was thinking this would be a nifty way to take advantage of their transcoding, if you wanted to change videos to H.
But you don't actually get the whole file. And again, they're being smart about this. They're recognizing that many people don't watch the whole video that they download, yet they downloaded it all. So Verizon is saying, we're going to be buffering in your player, but we're only going to stay enough ahead that, if you stop watching something after a few minutes of a minute presentation, for example that YouTube I just talked about, then we won't have wasted our over-air bandwidth delivering video that was never seen.
So potentially this is all good, as long as it doesn't cause problems. I would say it's tricky technology. I salute them for being this aggressive. I hope it doesn't have any downside. I imagine there will be people who'll be playing with it. I think you're absolutely right about that.
The other thing I've been seeing in the news lately is a lot of reports about how mobile is now the new battlefield for malware because we just had a report yesterday saying that smartphones outsold PCs in the last quarter of So there's some news from McAfee about this?
Yeah, Symantec had issued a report. We're beginning to see reports from the major security guys, and McAfee just, I think it was yesterday, issued their report where - and paraphrasing them, they didn't use the phrase "new low-hanging fruit," but that's how I would describe it.
What's happening is that PC technology, and Windows specifically because it's been such a target for attack - I mean, what, this podcast is in its sixth year. Leo and I have been talking about Windows security, Internet security, security, security, security, every single week for six years. Meanwhile, smartphones come along and are being adopted, as you just said, at a fantastic rate, and often, frankly, being used by people who are even less tech savvy than Windows users, who have figured out what it is they have to do in order to be safe.
Less of a barrier to entry, so to speak. And maybe there's even more temptation. Maybe it's just that people aren't yet as afraid as they need to be about phones. But arguably, a smartphone, I mean, we know that it's running a full operating system now, given all that they're able to do. But the thing that malware wants more than anything else is connectivity. And while it's true that PCs are connected, I would argue smartphones are even more connected. I mean, there's more channels.
You've got text, you've got all the social networking things, you've got email, you've got web browsing, and you've got applications, which, I mean, and this is of course a problem and a concern over on the Android platform, where people you don't necessarily know real well have created these things that look like, oh, wow, I really need that, and bang, now it's loaded in my smartphone.
Well, what is it doing? It has all access to potentially this massive communication resource on the little computer that you're holding in your hand. So I just wanted to say, once again, that we are seeing sort of the people who are watching security trends, they're saying that malware exploits are trending rapidly in the direction of smartphones. So for our listeners, just stay on your toes. We're going to get into our main topic, BitCoin, a digital currency.
But I know you have a testimonial for SpinRite to read first. Just, yeah, a nice letter that someone, a listener of ours named Mark Folkart, sent, with the subject "Yet another SpinRite story." I wanted to say thank you and relay yet another success story of SpinRite. Her husband is not a client, but you know how that goes.
He works for a large brokerage company I won't name. He had gone to his IT department, and they were unable to assist him. At our urging, they unencrypted the drive and returned it to him still broken. And his sales database was still inaccessible and trapped locally. Couldn't even slave the drive.
I used a copy," and he says, "they had purchased a licensed copy of SpinRite and went to work. Less than two hours later we were back in business. He had his contacts back and a working machine. Although I received no direct compensation, it certainly increased my credibility to a good customer, and how do you put a price on that?
I will continue to use and recommend your product and just wanted to say thanks. It's amazing to me that an IT department wouldn't - and I've had it happen. I won't name the workplace, but I have been in a place where my drive crashed, and I was like, hey, can you recover the data off this?
I was like, well, no, it can. So our big topic today is BitCoin. You called this a "crypto currency." Well, it's really, really clever. The reason that I sort of fell in love with this for the moment is, as I plowed in, I just got a big kick out of the way that the many problems associated with a sort of a floating currency, meaning a currency that isn't anchored by any central bank, there's no state sponsorship for it, I mean, and it's a real thing.
Anyone who's interested, and I would encourage our listeners, if this podcast and what they hear about it makes them curious, go check it out. Just put "bitcoin" into Google, and you'll start seeing pages of stuff.
And about two years ago the project was registered, a little over two years ago, by a Japanese cryptographer, Satoshi Nakamoto. And it's an open source project on SourceForge, so none of this is black art stuff. The goal is to really solve, I mean, to offer an honest-to-god, non-hobby-level, but industrial-strength, Internet-based, peer-to-peer currency where real value can be exchanged between two parties without any intermediary being involved.
And that's one of the trickiest things because you've got all kinds of problems. First of all, where does the currency come from? What creates the currency? How much currency is flowing through the system? How do you monitor that and regulate it?
How do you prevent it from being inflated? How do you keep people from fraudulently creating currency? How do you keep someone from, if they have some, from reusing the same currency? All of that has been solved with this system in some very clever and very new ways. Which is really what captivated my attention on this. So wait a minute.
So we have currencies. We have euros and yen and dollars. How can you invent a currency? What makes that work? So, think about it, a currency is nothing really but an agreement among the parties that this synthetic thing has value. Once upon a time, when the dollar was anchored to a gold standard, the idea was that there was gold backing up dollars.
And so when you had a so-called "promissory note," it was equivalent to X amount of gold. And we were of course famously taken off of the gold standard. The problem was we needed more money than we had gold; so we had to disconnect, in the case of U.
It's kind of that incredible innovation in human society, when you think about it, that this works at all. Because it started out you would carry around your chickens because you just wanted to trade what you had of value for what the blacksmith had. That got inconvenient, so gold became a good standard because everybody valued gold, and everybody kind of had the same value of gold. But we've gone from that to this sort of agreement that, well, I'm going to agree that a dollar's worth of work is worth a dollar's worth of merchandise, and it doesn't have to be backed by anything.
We'll all agree that that's the way to pay stuff. So I guess that's all they have to do is get enough people to agree that this currency is valuable?
Well, and notice also that we chose gold because it was scarce. We didn't use water, for example, because you'd just go over to a stream and dip your bucket in. And the problem is, of course, anybody could go do that. There's a famous scene in one of the Douglas Adams novels where they decide leaves will be their currency.
And it has the same problem. Well, of course money grows on trees, so, yeah. And so we chose gold because it was scarce. And famously in the days of individual gold miners, they'd go out and try to find it because they would - basically they were creating more currency to put into the system at a controlled rate.
And initially, when there was lots of gold around, we were digging it up and turning it into bars and coins and so forth. And over time, it became increasingly difficult for us to find more gold, so it became increasingly scarce, and its value has increased. And in some ways we have a virtual currency with the dollar and the euro and all of these. And in some ways that is a little more fair because someone can't just go out and find a bunch of money, unless they're robbing a bank, I guess.
But, you know, you can't just go digging in the hills and luck into a bunch of money. It has to be earned in some manner. So what has been created with BitCoin has all of these attributes. There is this concept of bitcoins, the currency - in the same way that the abbreviation for U. And so this network of computers exists now on the Internet, peer to peer. You can go to BitCoin. That is, literally start making money. So you are making money out of nothing, just by being a member? I mean, how does this - this just sounds like some sort of BitTorrent situation.
It sounds wacky, but So you are making money. The way you make money is by processing transactions within the bitcoin system. So, and this is complicated, but unfortunately it needs to be complicated in order to be robustly secure, which it really is. But the idea is that you want a transaction trail of every single transaction between two parties that has ever occurred. And they're occurring all the time. Now, this is not just - this currency is virtual, but it has been anchored now to real currencies.
There are websites that will trade real currencies for bitcoins. At this point in time, about two years after it was launched, the current currency trade of U. I think it's, like, 93 cents for a bitcoin. And there are organizations which accept bitcoin payments.
TOM MERRITT: This is Security Now!, with Steve Gibson, Episode , recorded February 9, BitCoin CryptoCurrency. It's time for Security Now!, the show you need to listen to if you want to be safe on the Internet. And joining us to help us figure out all of the confusing things that could happen to you.