Archive for the encryption Category

 
Security Hype 7.12-Vista UAC a year later, MiTM attacks at the office, Crypto Key Size Recommendations, Macs under attack - Voicemail line 1-866-527-6606 [29:55m]

How paranoid are you? keylength.com

What RSA key sizes are you using at your company? What is your guidance? Are you sticking with RSA or moving to ECC?
Macs are under attack (include link to new trojan horse): http://machinist.salon.com/blog/2007/11/02/mac_trojan/

eweek article link

full disclosure versus responsible disclosure (link to resp. disclosure RFC)

Mac versus Windows updates: Windows does a better job because it auto-installs; does it auto-reboot? Macs will go weeks/months with patches pending and won’t auto-reboot. Does Leopard fix this? Do you actually need to *reboot*?

 
How Netscape tried to keep ahead of the hackers [10:37m]

Bill and Bob invite Bob Relyea back to reminisce on Netscape’s early challenges to keep “strong crypto” out of the hands of “non US Domestic” persons, as declared by US export restriction laws. The race was on! You’ll hear what Netscape crypto engineers did to try to stay ahead of the hackers, and the level of effort the hackers used to circumvent them. This is the classic “cat and mouse” game. Check out the old Fortify effort, which has been frozen circa 2000 when Netscape released version 4.73 that included 128-bit crypto to everyone.

Paul Kocher did a great job at explaining the real challenge faced by security developers: Why companies want to make this a “Stalemate” problem instead of a “Checkmate” one. (PDF Link)

Send your show suggestions and feedback to comments@SecurityHype.com or call the studio line at 1-866-527-6606.

 
Security Hype 7.8-Bob Relyea AACS Part 2: Practical implications of key compromises [16:00m]

Bill and Bob wrap up their interview with Bob Relyea, who describes the practical implications of the AACS key compromise.

Bill recounts the story of the satellite pirates who were locked out by DirecTV in the middle of the Super Bowl, sometimes called “Black Sunday”. DirecTV had been slowly downloading a pirate detection and lockout routine, byte by byte, over the course of a few weeks. When activated, this routine disabled the hacked cards. So anti-pirate measures can be quite effective, at least in the short term.

We ask Bob Relyea a number of questions about the AACS crack, and whether or not it’s a big deal. Is AACS really better than the old CSS system? We explore the issue of using well-known crypto standards, and if the content protection people learned from their CSS mistakes. We also talk about what steps we might see the studios take.

Here’s a good Wired article: http://blog.wired.com/gadgets/2007/02/the_new_hddvdbl.html

There are loads of other sites on the web. Search for “09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0” or “09 F9 key”.


Thank you for listening!
