Hack the Gibson #106


Read the reason for these posts. Read Steve Gibson’s response.

I have good news for Mr. Gibson: SpinRite would actually work on a Mac under VMware. Although Macs are EFI based, the hardware emulated by VMware still exposes the good old BIOS interfaces, which means that as long as the Mac version of VMware can map a physical hard drive into the virtual machine (which it very probably can, together with all the other virtualization products for the Mac, like the QEMU-based Q or Parallels), it can run SpinRite.

Regarding multi-factor authentication: in theory all these discussions are interesting, but since the communication channel is rarely as trustworthy as it should be, more focus should go to multi-channel (out-of-band) authentication. Transaction integrity is the other important problem that deserves more emphasis: it is nice that you authenticated, but if the integrity of your transactions is not validated, there is still a large possibility of fraud.

The next hypic (aka. hyped topic) is the U3 thingie. The positive thing is that finally a fairly accurate (as far as I know) description of the technology is given. The essence is this: a reserved part of the stick contains a CD-ROM image (something like an ISO file). When the stick is inserted, its controller announces two devices to the host: a normal removable drive and a CD-ROM drive. This pseudo-CD-ROM drive is backed by the image on the flash (and, because it sits on read-write storage, the image can be altered). The security implications are the same as those of the autorun feature for CD-ROMs, which we have had since at least Windows 95 (more than 12 years ago!). You can disable autorun for CD-ROMs and for USB sticks, so get over it! The whole USB interface, as convenient as it is, is a potentially serious security threat, but it's no more of a security threat than CD-ROM drives.
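To make the two halves of that paragraph concrete, here is an added example (written for this post, not code from the podcast or from any U3 product): it parses the kind of autorun.inf the pseudo-CD-ROM would carry and reports what Windows would launch, then composes the NoDriveTypeAutoRun registry bitmask that turns autorun off per drive type. The autorun.inf text is a constructed sample; the bit values are the documented Win32 drive-type bits, and 0x91 is the classic Windows XP default.

```python
"""Added example: what a U3-style pseudo-CD-ROM hands to Windows autorun, and
the NoDriveTypeAutoRun bitmask that disables it.  The autorun.inf below is a
constructed sample, not one copied from a real stick."""
import configparser
import io

# Bit values of HKLM/HKCU\...\Policies\Explorer\NoDriveTypeAutoRun.
# Bit n corresponds to Win32 drive type n (GetDriveType return value).
DRIVE_TYPE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE: the "normal stick" half of U3
    "fixed": 0x08,        # DRIVE_FIXED
    "remote": 0x10,       # DRIVE_REMOTE
    "cdrom": 0x20,        # DRIVE_CDROM: the pseudo-CD-ROM half of U3
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,
}
XP_DEFAULT_MASK = 0x91   # unknown + remote + reserved: CD-ROM autorun stays ON
DISABLE_ALL = 0xFF

# Constructed sample of the file a launcher-style stick would present.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad
label=U3 System
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Windows treats section and key names case-insensitively, so both are
    normalised; no [autorun] section means nothing would launch."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str.lower
    parser.read_file(io.StringIO(text))
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return dict(parser.items(section))


def launch_targets(entries):
    """Commands autorun would execute: 'open' runs directly, 'shellexecute'
    goes through ShellExecute (so it may be a document, not only an .exe)."""
    return [entries[key] for key in ("open", "shellexecute") if key in entries]


def autorun_mask(disabled_types):
    """Compose a NoDriveTypeAutoRun value from drive-type names."""
    mask = 0
    for drive_type in disabled_types:
        mask |= DRIVE_TYPE_BITS[drive_type]
    return mask


def autorun_allowed(mask, drive_type):
    """True if the policy value `mask` still lets autorun fire on that type."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN_INF)
    print("would launch:", launch_targets(found))
    for name in ("removable", "cdrom"):
        print(name, "autorun under XP default:", autorun_allowed(XP_DEFAULT_MASK, name))
    print("mask to disable everything: 0x%02X" % autorun_mask(DRIVE_TYPE_BITS))
```

The reason the CD-ROM half matters is visible in the XP default: 0x91 leaves the cdrom bit clear, so a stick that looks like a CD-ROM gets its `open=` line executed, while the removable-drive half only gets an AutoPlay prompt. Setting the value to 0xFF (or at least 0x24, removable plus cdrom) closes both.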

About CAPTCHAs: whatever a computer can generate, a computer can decode. These methods (by the way, I've heard an interesting variation on one of the .NET Rocks episodes: a simple math puzzle, something like 2 * 4 = ?, with the twist that if JavaScript was enabled, the answer was computed automatically and the question was never shown to the user) only work because nobody is specifically targeting them. As soon as somebody has a good reason to spam a site protected with such a solution, they will develop a custom solution that circumvents it.
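An added example of exactly that "custom solution", written for this post rather than taken from the podcast or from any spam tool: a solver for the arithmetic-puzzle style of challenge. It goes a little beyond the 2 * 4 case in the text by also accepting spelled-out numbers and operators, which is the kind of cheap variation such puzzles tend to add. The challenge strings are constructed samples; the expression is evaluated by walking the AST rather than with eval, so a hostile challenge cannot execute code in the solver.

```python
"""Added example: solving 'what is 2 * 4?' style challenges automatically.
Constructed challenge strings; not code from the podcast or from any site."""
import ast
import operator
import re

# Spelled-out forms a puzzle might use; multi-word operators first so that
# 'divided by' is rewritten before 'by' could confuse anything.
WORD_OPS = {
    "multiplied by": "*",
    "divided by": "/",
    "plus": "+",
    "minus": "-",
    "times": "*",
}
NUMBER_WORDS = {
    "zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
    "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10,
}
NUMBER_WORD_RE = re.compile(r"\b(" + "|".join(NUMBER_WORDS) + r")\b")
# One or more integers joined by + - * /, e.g. "2 * 4" or "12 - 5".
EXPR_RE = re.compile(r"(-?\d+(?:\s*[-+*/]\s*-?\d+)+)")

SAFE_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def extract_expression(challenge):
    """Normalise words to symbols and pull out the arithmetic expression.

    Returns None when the text contains no recognisable arithmetic."""
    text = challenge.lower()
    for word, symbol in WORD_OPS.items():
        text = re.sub(r"\b" + word + r"\b", " " + symbol + " ", text)
    text = NUMBER_WORD_RE.sub(lambda m: str(NUMBER_WORDS[m.group(1)]), text)
    match = EXPR_RE.search(text)
    return match.group(1) if match else None


def safe_eval(expression):
    """Evaluate integer arithmetic by walking the AST; anything that is not a
    literal, a binary + - * / or a unary minus is rejected."""
    tree = ast.parse(expression, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in SAFE_OPS:
            return SAFE_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("unsupported construct in challenge: %r" % expression)

    result = walk(tree)
    if isinstance(result, float) and result.is_integer():
        return int(result)
    return result


def solve(challenge):
    """Answer an arithmetic challenge, or None if it is not one."""
    expression = extract_expression(challenge)
    if expression is None:
        return None
    return safe_eval(expression)


if __name__ == "__main__":
    for sample in ("2 * 4 = ?", "What is seven plus three?", "Please enter 12 minus 5",
                   "Type the word you see in the image"):
        print(repr(sample), "->", solve(sample))
```

The JavaScript variant from the podcast is no harder for a bot: the page ships the puzzle and the code that answers it, so the spammer either runs that code or parses the same text this solver parses. The only thing such a puzzle buys is that nobody has bothered yet.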

Regarding the brute-forceability of the 10-digit PIN: 5^10 (because there are only 5 possible buttons, even though each of them has two digits printed on it) is 9,765,625, roughly 10,000,000, which is very little if the process can be automated. Also, you could always physically remove the memory chips and read them with a chip reader (much like you could read the platters of a password-protected hard drive).

A quick intermezzo (because the podcast contains a SpinRite advert – what a surprise – at this point): I wonder how many of these people could have used ddrescue with the same success rate?

About the PayPal verification system: I never used PayPal (and it would be very hard given that I'm from Romania), but if this process works as described (i.e. by depositing a small random amount of money and asking you what the amount was), then (a) I see no privacy concern with it (they are giving you money, after all, although a small sum) and (b) it's only sort of a protection (meaning that if you verified your account and your account information gets stolen after the verification, you get no security benefit from it). It seems more useful for preventing the use of credit cards whose owners never used PayPal (which, in some respects, are the perfect prey, since they are highly unlikely to check PayPal for transactions).
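An added example of the process as described above, written for this post and not PayPal's code: a minimal verifier that deposits a random amount and accepts the user's claim. It also makes explicit the check a practitioner would want that the post does not mention: the secret is only a small number of cents, so without an attempt limit the "what was the amount?" question is a trivial guessing game. The 1..99 cent range and the three-attempt limit are assumptions for the model, not anything PayPal documents.

```python
"""Added example: model of micro-deposit verification with an attempt limit.
Not PayPal's code; amount range and attempt limit are assumed parameters."""
import hmac
import secrets


class MicroDepositVerifier:
    """One pending verification for one account."""

    def __init__(self, amount_cents=None, max_attempts=3):
        # Assumed range 1..99 cents: only 99 possible secrets.
        if amount_cents is None:
            amount_cents = secrets.randbelow(99) + 1
        self.amount_cents = amount_cents
        self.attempts_left = max_attempts
        self.verified = False

    def check(self, claimed_cents):
        """Return True exactly once, on the first correct claim.

        A wrong claim burns one attempt; after the limit this verification is
        dead and a fresh deposit would be needed, because a 99-value secret
        with unlimited guesses is a trivial brute force.  The comparison is
        constant-time out of habit; the search space, not timing, is the
        weak point here."""
        if self.verified or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        if hmac.compare_digest(b"%d" % claimed_cents, b"%d" % self.amount_cents):
            self.verified = True
            return True
        return False


def guess_success_probability(space, attempts):
    """Chance a blind guesser succeeds within `attempts` distinct tries at a
    uniformly random secret drawn from `space` values."""
    return min(attempts, space) / space


if __name__ == "__main__":
    pending = MicroDepositVerifier()          # random deposit, as a bank would see it
    print("deposit was", pending.amount_cents, "cents (the user reads this off a statement)")
    print("wrong claim accepted:", pending.check(0))
    print("right claim accepted:", pending.check(pending.amount_cents))
    print("guesser's odds with 3 tries: %.1f%%" % (100 * guess_success_probability(99, 3)))
    print("guesser's odds with 99 tries: %.0f%%" % (100 * guess_success_probability(99, 99)))
```

Note what the model does and does not give you, matching points (a) and (b) above: it proves that whoever answers could read the account's statement at verification time, and nothing more; the `verified` flag says nothing about who controls the account afterwards.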

Also, to Steve's credit, they finally had a pretty spot-on discussion about hardware and software firewalls and the difference between them. It was about time.
