security now – Grey Panthers Savannah (https://grey-panther.net)

Hack the Gibson #169
https://grey-panther.net/2009/01/hack-the-gibson-169.html
Tue, 13 Jan 2009 15:30:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

Steve Gibson says that MSRT runs when restarting the computer:

… And then it runs the next time you restart your machine

This is not true, not only because MS says so (“The version of the tool delivered by Microsoft Update and Windows Update runs in the background” – emphasis added), but also because it doesn’t ask you to restart your computer. A caveat: if it found infections which need a restart to be removed, it may ask you to restart your computer. But in most cases, it doesn’t.

There is a discussion of a vaporware project called CryptoLink, which seems to be a VPN project, for which, by Steve Gibson’s own admission, not a single line of code has been written at this moment. The discussion contains contradictory statements like:

It has a fundamental TNO, the Trust No One model, so that there’s no third-party involved.

and

I mean, my intention is that it is an incredibly easy-to-use VPN product that, for example, supports the YubiKey natively, supports Perfect Paper Passwords natively, supports OpenID.

Of course supporting OpenID or YubiKey means trusting third parties to vouch for the current user…

Regarding the voting discussion: no, we don’t have all the technology! The fundamental problem of making sure that the one-person, one-vote equation holds has no solution yet. Mind you, this is different from doing e-banking, for example, because the bank can (and should) know who you are, as opposed to a voting situation where we want secret (anonymous) voting.

Regarding the frequent changes in NoScript: first off, you can read the changelog (even though, based on his comments, Steve didn’t). Second of all, NoScript includes extensive filtering (blacklisting) technologies (mainly related to XSS, AFAIK), which are updated whenever methods of bypassing them are found. It is angering to hear Steve imply that the product is “half-baked”, without him even bothering to research the issue for 2 minutes.

Regarding the self-closing netstat command (BTW, the correct term is not “DOS Box” but “Console”): the user is probably running the command from Start -> Run, instead of from a running instance of cmd.exe. This way the console is destroyed as soon as the program finishes. What he should do (and what Steve should have recommended) is to start cmd by going to Start -> Run and typing cmd[Enter], and then at the command line type netstat (or even better, netstat -an, which is much quicker because it skips the name lookups).

Hack the Gibson #106
https://grey-panther.net/2007/08/hack-the-gibson-106.html
Wed, 29 Aug 2007 16:32:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

I have good news for Mr. Gibson: SpinRite would actually work on the Mac with VMware. Although Macs are EFI based, the hardware emulated by VMware uses the good old protocols, which means that as long as VMware has the capability to mount a physical hard drive in the Mac version (which it very probably has, together with all the other virtualization products for Mac like the QEMU-based Q or Parallels), it will have the capability to run SpinRite.

Regarding multi-factor authentication: theoretically all these discussions are interesting; however, as long as the communication channel is not as trustworthy as it should be, more focus should be geared towards multi-channel authentication. Also, transaction integrity is the other important problem which should receive more emphasis: it is nice that you authenticated, but if the integrity of your transactions is not validated, there is still a large possibility of fraud.

The next hypic (aka hyped topic) is the U3 thingie. The positive thing is that finally a fairly accurate (as far as I know) description of the technology is given. The essence is this: there is a reserved part of the stick which contains a CD-ROM image (something like an ISO file). The stick contains hardware which, when it is inserted, signals the presence of two devices: a normal stick and a CD-ROM drive. This pseudo-CD-ROM drive is actually backed by the image which is on the flash (and, of course, because it’s on read-write storage, the image can actually be altered). The security implications are equal to the ones presented by the autorun feature on CD-ROMs, which we have had since at least Windows 95 (more than 12 years ago!). You can disable autorun for CD-ROMs and for USB sticks, so get over it! As for “the whole USB interface, as convenient as it is, is also a potential serious security threat”: it’s no more of a security threat than CD-ROM drives are.

About the CAPTCHAs: whatever a computer can generate, a computer can decode. These methods (BTW, I’ve heard an interesting variation on one of the .NET Rocks episodes: it was a simple math puzzle, something like 2 * 4 = ?, but with the twist that if JavaScript was enabled, the response was automatically computed and the question was never shown to the user) only work because nobody is specifically targeting them. As soon as somebody has a good reason to spam a site protected with such a solution, they will develop a custom solution which will circumvent it.

Regarding the brute-forceability of the 10-digit PIN: 5^10 (because there are only 5 possible buttons, even though each of them has two digits written on it) is ~10 000 000, which is very little if the process can be automated. Also, you could always physically remove the memory chips and read them with a reader (much like you could read the platters of a password-protected HD).

A quick intermezzo (because the podcast contains a SpinRite advert – what a surprise – at this point): I wonder how many of these people could have used ddrescue with the same success rate?

About the PayPal verification system: I never used PayPal (and it would be very hard given that I’m from Romania), but if this process works as described (i.e. by depositing a small random amount of money and asking you what the amount was), then (a) I see no privacy concern with it (they are giving you money after all, although a small sum) and (b) it’s only sort of a protection (meaning that if you verified your account and your account information gets stolen after the verification, then you don’t have any security benefit from it). It seems more useful to prevent the use of credit cards whose owners never used PayPal (which, in some respects, are the perfect prey, since their owners are highly unlikely to check PayPal for transactions).

Also, to Steve’s credit, they finally did a pretty spot-on discussion about hardware and software firewalls and the difference between them. It was time.

Hack the Gibson #94, #95 and #96
https://grey-panther.net/2007/08/hack-the-gibson-94-95-and-96.html
Sun, 19 Aug 2007 18:45:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

I’ve talked a lot about authentication in two recent blog postings (Getting ahead of the curve and Two channel authentication, with the follow-up Two channel authentication – part two), so I won’t really cover episode #94 in detail.

Now for episode #95, OpenID.

One of the first confusing things is that they keep mentioning OpenID and multi-factor authentication together. In fact there is no inherent connection between the two. All that OpenID is is a protocol to implement authentication by proxy: if you want to authenticate to a web page P, you authenticate to your OpenID provider O, which in turn relays a signal to P saying that yes, s/he is who s/he says s/he is, because the authentication was successful. Of course one of the first questions that comes to mind is how trustworthy the proxy is… And also, the proxy itself can employ multi-factor authentication if it wishes, but there is nothing in OpenID which says it must.

On the plus side, the SpinRite story includes mentions of backups (and not just backups, but off-site backups, wow!).

Finally, the most fertile type of episode (from my point of view): listener Q&A. Because my main grief with Steve is that (a) he many times fails to give credit where credit is due and (b) messes up the concrete examples. The big picture that he provides is usually correct; however, as they say, the devil is in the details, and if you get the details wrong while proclaiming your absolute knowledge of the matter, you end up confusing, or worse, misinforming people, and misinformation is the main problem in day-to-day security.

Regarding the first question: the main answer to the question is right. However, the corollary that just by being behind a NAT and disabling scripting you’re safe is false, false, false. This is very dangerous because it gives people the wrong impression of how they should secure their system. To give you just one scenario: the WMF bug, which Mr. Gibson is surely familiar with, since he made some pretty bombastic claims about it (that it would be an intentional backdoor created by Microsoft), would have gone through these defenses like a hot knife through butter. If you wish to keep yourself secure, there are basically three things you need to remember:

  1. The first and most important is that there is no such thing as perfect security! Anybody who claims to have such a thing is talking BS or wants to sell something :). A corollary to this is that because security and usability are inversely proportional (since security means limiting the possible uses of the system), a perfectly secure system would be totally unusable (by definition). As I said many times, you should inform yourself before making any decision, to make sure that you make a compromise which is in line with your values.
  2. The second thing is defense in depth. From the fact that there is no perfect security follows the fact that there is no single setting or product which could provide it. Every additional layer of protection (if properly created and implemented!) reduces your risk of exposure. Some layers which should be implemented: running as a limited user, using AV software and/or a HIPS (again, depending on the level of (in)convenience you are willing to tolerate) and taking a look at the third point below 🙂
  3. The third point would be running an atypical system. It is a fact that there are more attacks against popular software than against less popular software. This means that choosing software which is not run by the majority (i.e. Linux over Windows, Firefox over IE or Thunderbird over Outlook) will keep you safe 99% of the time.

On the next question, where the caller asks about situations where he would want others to be able to access the information (like his family in the event of him passing away), there is one more solution that didn’t get mentioned: key escrow. Basically you give your encryption key to a third party (usually a company) and specify under what circumstances it should be divulged and to whom (for example, to a family member if a proper death certificate is presented).

The next question / comment is dead on, and I could now go back and say it took X episodes for this issue to be addressed, but rather I’ll just move on to the next question.

The next question is correctly answered (as far as I can tell, myself not being a Mac user), but programmer Steve gets something wrong, which wouldn’t be so terrible (because after all, we are all human) had he prefixed his sentence with “as far as I know”. So when he says “And Windows has nothing like that” (about the Mac OS X Keychain), he is right only in the narrowest sense. Windows doesn’t have anything which works exactly like that; however, it has a feature called protected storage, which is used for example to store authentication credentials from IE or autocomplete elements, and it has a full API for third-party developers to use.

On the next question (or rather, the answer) Steve mentions that he records his DVDs at 1x for backup purposes. I’m no expert at this (see, these little magic words are the ones I miss most in the podcast), but I’ve heard the opinion that recording modern discs at 1x does more bad than good, the idea being that they were created for faster recording and slower recording can cause parts of the disc to overheat.

On the next question Steve answers exactly the opposing question, but to his credit, he corrects himself in the next episode.

With regards to the last question: in fact it is possible to have a completely secure wireless installation accessible by anybody. However, most probably the municipal WiFi projects won’t be implemented using these techniques.

Hack the Gibson #93
https://grey-panther.net/2007/08/hack-the-gibson-93.html
Sun, 19 Aug 2007 16:40:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

Another Security Now! episode, another SpinRite story without mentioning backups. There are few explanations for this, none of which shed a very good light on Mr. Gibson: (a) he doesn’t care, (b) the flaws SpinRite repairs are not at all serious, so with or without SpinRite the hard drive would be just fine, or (c) there is some dark conspiracy between Mr. Gibson and the hard drive makers. I don’t believe in conspiracy theories, but I like very much the following quote attributed to Einstein: “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.” But I’ve beaten the dead horse enough.

Credit to Steve: he mentions that there is no such thing in law as intellectual property, there are only patents, copyright and trademark.

The discussion was well rounded (although Steve did use the term intellectual property once or twice), however there were two points that I feel are important and were not covered or got very little coverage:

Run-through time for patents: I’ve heard that there is a backlog of at least a year at the patent office, that is, there is at least a year’s worth of patent material which can potentially affect a given piece of software, but no one can look at it for the following year. This means that you could do everything by the book (search every patent relevant to your field of activity) and still be potentially liable for patent infringement.

The second aspect, which got a little coverage, but not enough in my opinion, is the international one: the fact that the USA tries to force its patents on other countries through threats, and the fact that it calls countries names when they decide to disregard the American patent system so that they can make an affordable living, rather than being some kind of modern slaves, but fails to mention that the USA itself started by disregarding British patents.

Getting ahead of the curve
https://grey-panther.net/2007/08/getting-ahead-of-the-curve.html
Wed, 08 Aug 2007 10:44:00 +0000

I was listening to episode 103 of Security Now, and all in all it was a good episode. However, one thing that baffled me (ok, maybe not so much, because I didn’t have high expectations) is the fact that nowhere in the process did they ask about man-in-the-middle type attacks (although they mentioned them briefly when talking about SiteKey and BofA).

Now I don’t want to bash businesses here, but let’s look at the future (or at least how I imagine it; I’ve been known to have a wild imagination :-)):

  1. PayPal successfully launches its security key program
  2. Marketing will try to sell it as the best thing since sliced bread, AKA the perfect security solution
  3. It gets a considerable user base from the ranks of the PayPal/eBay users (let’s say 30%). Not only will these 30% be a considerable part of the users, most probably they will be the most active / the people with the most money in their accounts, because they will probably be the most worried about the security of their accounts.
  4. The attacks will shift in a very short time from off-line (e.g. steal your password and use it later) to on-line / real-time man-in-the-middle attacks.

What do I mean on-line/real-time man-in-the-middle attacks?

Imagine this: the user gets infected with a malicious piece of code which follows every browser request (yes, it can do this despite HTTPS/SSL/TLS, because it operates locally, before the encryption is applied) and modifies the request to redirect funds, or detects that the user successfully authenticated and then issues some automated transfers. Similar pieces of code are already in the wild, although they are currently (only) used to insert advertisements into unsuspecting third-party pages, but the above modification would be trivial.

Another factor which will contribute to the problem is that larger groups of people move more slowly (maybe exponentially more slowly) than smaller groups, because of the communication overhead. Concretely: the attackers can change their tactics very quickly, both because they are few (as compared to the employees of eBay and their customer base) and because (from a technical tooling point of view) they follow a hierarchical structure (that is, there is a very small group of people with the technical knowledge, who supply the tools to the larger, but still small, community of people who actually use them). This hierarchical way of communicating is much more efficient than the semi-chaotic communication which goes on between a company and its user base. Also, the communication between the bad guys is of much higher priority (for them) than the message put out by a company for its customers (e.g. if X sends a message to Y saying “here is the new version of the tool which can get around the new security measures of Z”, this communication is of much higher value to them, and it is much more probable that they will listen / react to it, than a customer getting a security notice or something similar from a company).

My conclusion (which you are free to agree or disagree with; I’m waiting for your comments) is that as soon as this technology gets any significant usage, we will see the scenario described above become a reality very quickly. And not just for eBay/PayPal but for all the participants of this program. The problem is not with the technology itself, but (as frequently happens) with the way it is used and the fact that its limits are not properly understood by many of the people using it. The most important aspect of this is that these technologies only focus on authentication, leaving aside the problem of message integrity/authenticity! That is, after they build up a connection between the client device and the server device, authenticating both ends, their job is done. However, there is still a complicated layer of technology on the client machine (like the browser, operating system and malware) which can modify transactions and/or create transactions on the fly!
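To make the authentication-versus-integrity point concrete, here is an added example (written for this page, not code from the post or from any bank or token vendor): a toy bank that executes any transfer arriving on an OTP-authenticated session, next to one that demands a code computed over the amount and destination, with the in-browser rewriting described above reduced to a function that swaps the destination. The seed, account names and amounts are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo seed. In a real deployment it lives inside the token
# (or an out-of-band device) and is never exposed to the user's PC.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-key"


def _six_digits(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def session_otp(seed: bytes, counter: int) -> str:
    """Authentication-only OTP: proves the token was present at login and
    says nothing about what is transferred afterwards."""
    return _six_digits(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(seed: bytes, counter: int, amount: int, dest: str) -> str:
    """Transaction-bound code: the MAC covers amount and destination, so a
    code issued for one transfer is useless for any other."""
    msg = counter.to_bytes(8, "big") + amount.to_bytes(8, "big") + dest.encode()
    return _six_digits(hmac.new(seed, msg, hashlib.sha256).digest())


class Bank:
    """Server side: shares the seed and keeps a per-user counter."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0
        self.authenticated = False
        self.ledger = []

    def login(self, otp: str) -> bool:
        ok = hmac.compare_digest(otp, session_otp(self.seed, self.counter))
        self.counter += 1
        self.authenticated = ok
        return ok

    def transfer_session_only(self, amount: int, dest: str) -> bool:
        # Authentication-only design: whatever arrives on an authenticated
        # session is executed as received.
        if not self.authenticated:
            return False
        self.ledger.append((amount, dest))
        return True

    def transfer_signed(self, amount: int, dest: str, code: str) -> bool:
        # Integrity-checked design: recompute the code over the transaction
        # exactly as the server received it; a rewritten request cannot match.
        expected = transaction_code(self.seed, self.counter, amount, dest)
        self.counter += 1
        if not hmac.compare_digest(code, expected):
            return False
        self.ledger.append((amount, dest))
        return True


def browser_with_malware(amount: int, dest: str):
    """Simulates the in-browser tampering the post describes: the request
    leaves the PC with the destination rewritten, before TLS is applied,
    so the server only ever sees the altered version."""
    return amount, "ATTACKER-ACCT"


def run_scenarios():
    """Returns what each design ended up doing with the same user intent."""
    amount, dest = 500, "LANDLORD-ACCT"   # what the user meant to send

    # Design 1: OTP checked once at login, nothing after that.
    bank = Bank(TOKEN_SEED)
    bank.login(session_otp(TOKEN_SEED, 0))            # genuine login
    bank.transfer_session_only(*browser_with_malware(amount, dest))

    # Design 2: code bound to the transaction the user confirmed on the token.
    bank2 = Bank(TOKEN_SEED)
    code = transaction_code(TOKEN_SEED, 0, amount, dest)      # computed on the token
    tampered_ok = bank2.transfer_signed(*browser_with_malware(amount, dest), code)
    # The same design with an unmodified request (counter has advanced to 1).
    clean_ok = bank2.transfer_signed(amount, dest, transaction_code(TOKEN_SEED, 1, amount, dest))

    return {
        "auth_only_ledger": list(bank.ledger),
        "signed_tampered_accepted": tampered_ok,
        "signed_clean_accepted": clean_ok,
        "signed_ledger": list(bank2.ledger),
    }
```

The point of the second design is that the code is only worth something for the exact transaction the user saw on the token, which is why the malware's rewritten request is rejected while the user's genuine one goes through.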

In the long run this will mean that the cost of implementing this solution is money thrown out the window. (Then again, as one of my favorite quotes from economics says: “Long run is a misleading guide to current affairs. In the long run we are all dead.” – John Maynard Keynes.) So why are companies using these solutions as opposed to more secure solutions which are already being deployed by other companies in the same business (read the description of ING in this post for an example)? I can only theorize, but a few reasons may be:

  • Lack of information on the part of the decision maker, who might not be a technical person and relies on his/her technical advisors to provide the information
    Update: see episode 56 of the Linux Action Show, where they explain how CIO magazine (which you can consider a type of advisor) gets it all wrong when it talks about Linux in the enterprise (again you can theorize whether this was pure lack of knowledge on the part of the article writer, the fact that he believes everything PR/marketing departments feed him, or that he actually gets paid to try to twist things).
  • Misleading information from the vendor (in the same vein as “nobody got fired for buying IBM”: the solution of vendor X must be good since (a) they are successful, (b) they say they hold a lot of patents and (c) it solves the current attacks)
  • Other factors, like favors and “small attentions” (as they say here in Romania) from an interested party (which may be a vendor, a consultant, etc.) to the decision maker
  • And finally: it is a real possibility (although I don’t think that it happens very often) that the costs (like user training, user annoyance) and benefits (like the fact that this actually reduces fraud in the short term) got carefully weighed and the result was such that it made sense to implement this solution, while possibly preparing the roll-out of a more complex solution in the long term.

Two final thoughts: in the show Leo mentions that it is still possible to log in even though the one-time password is not provided, by answering a secret question. This still leaves the system vulnerable to off-line abuse, since a man-in-the-middle attack can be performed where the attacker claims that there was a system error or another plausible excuse and asks the user for his/her answer to the secret question. Using these data, the account can still be used by a third party without needing to possess the token. I understand the convenience aspect of the problem, but there are other solutions (like SMS-ing a one-time password to a predefined number, something that even got mentioned in the show) which are much more secure.

And also: because of this hierarchical or layered structure of (semi-)organized crime, antivirus companies still have a long life ahead of them. The reason being that, although there is a very great number of people perpetrating electronic crime, only a very small percentage of them actually create their own tools; the others live off their backs, which means that the AV needs to be able to detect only a smaller number of malware. This small group of people may also employ algorithms to create different variants of the same malware (essentially creating a program which creates a program), but given that computers are deterministic, these algorithms can be reversed and AV products can provide methods to detect every piece of malware produced by the given algorithm.

Hack the Gibson #92
https://grey-panther.net/2007/08/hack-the-gibson-92.html
Tue, 07 Aug 2007 09:09:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

The podcast kicks off again with a SpinRite story with no mention of the importance of backups and of changing failing drives, but I digress.

Steve says:

Now, you could be running through multiple layers onion routing, or any other kind of proxy server. So that’s an issue. Although, if it’s a secure connection, as we assume it would be, an SSL connection, that cannot be routed through onions because you need to have a matching certificate from the far end.

which is not entirely true if you use something like Tor. Tor actually acts as a SOCKS proxy, not an HTTP proxy, which means that it doesn’t try to interpret / modify the contents of the IP packets, aside from the source and destination address. Because SSL/TLS is one layer up in the connectivity chain, Tor has absolutely no influence on it, aside from the fact that the remote host will see a different source IP address.

They again talk about software/hardware firewalls and actually bring up some valid points; however, Steve’s comment “I’m taking the gamble of being really careful that nothing evil gets in because my whole theory is, once that happens, it’s over anyway. I mean, it’s too late.” fails to recognize the need for layered security and assumes that there is something like a perfectly safe computer system or a behavior which ensures perfect safety. This is very dangerous, because how can he be sure, for example, that there is no remotely exploitable vulnerability in the firewalls of the systems he connects directly to the Internet? Remember that all the remote code execution vulnerabilities which became public in Windows XP were probably there for 6 years or so (since its launch); no one can guarantee that they were not independently discovered and exploited. So, again, you can’t have perfect security, and probably most people would prefer to at least know if they got compromised.

Hack the Gibson #91
https://grey-panther.net/2007/08/hack-the-gibson-91.html
Tue, 07 Aug 2007 07:32:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

This was an interview episode, so there is not much I can comment on. SpinRite appears again to save the day, again without the notice that backups are important and that a hard drive which had a physical failure is very likely to fail completely in the short term and get into a state where no software can do anything with it.

Steve again rants about how browser scripting is “enabling your client, your browser client, to run code from any site you visit”. However, what he fails to realize or to say is that in the big picture any communication with an untrusted (and possibly malicious) remote host can be dangerous, and that in the big picture scripting is not the problem. Admittedly scripting can be used to obfuscate these exploits and do other neat (from the attacker’s point of view) things, like tailoring the exploit to the exact platform the user is running, but in the end many exploits (like the ANI one, for example) can just as well run without scripting as with it.

One reader asked my opinion about the Blink product they talked about in the podcast. (Disclaimer: this is my personal opinion, it doesn’t necessarily reflect the opinion of any of my past or current employers, blah, blah). I didn’t actually try Blink, but generally speaking, if you have an environment which is different enough from the mainstream (like running as a limited user), you will be protected against 99.99% of the generic malware out there. Of course this probably will not protect you against targeted attacks, because those can be tailored to your exact environment. However, this is only an issue if you are a company. So using something like Blink together with other good security practices will make your computer withstand 99.99% of the attacks. Additionally, it might protect you against some exploits of the automatic kind (meaning where you don’t have to do anything specific to get exploited), which is definitely a good thing. Also, I will have to check out its user interface to get a feel for how difficult it would be for an average user to make sense of it. In the end, however, it can’t prevent the dancing bunnies problem, where the user is social-engineered into taking some actions (like downloading an executable and explicitly allowing it to bypass the security measures), of which we see more and more.

In conclusion: it’s probably a good product, especially given its price (free!), however it’s not a silver bullet and caution still needs to be exercised even with this product installed.

Hack the Gibson #90
https://grey-panther.net/2007/08/hack-the-gibson-90.html
Thu, 02 Aug 2007 07:36:00 +0000

Read the reason for these posts. Read Steve Gibson’s response.

Towards the start of the show Leo mentions that SSL certificates used by the sites to authenticate themselves to the users are single-factor. And this is true; however, one has to add that there is nothing wrong with single-factor authentication as long as good security practices are followed, that is (for passwords, for example):

  • Long passwords are used
  • Passwords are not easily guessable
  • Passwords are stored in a way that it is hard for attackers to access them
  • Passwords are transmitted in a way that it is hard for attackers to intercept them

The problem is that it is much easier for a company, which has much more (financially speaking) at stake than a single user, to implement and adhere to these measures (and even so, in many cases they are unable to), than for users. Also, there is the psychological problem of the user not being in “business mode” (that is, not concentrating on the rules s/he should follow) when doing an online purchase, for example, while the company (or more precisely the employees of the company) is more likely to be in business mode. So there is nothing wrong with single-factor authentication as long as good practices are followed.

Steve mentions the fact that weak authentication can mean plausible deniability; however, he fails to mention the process of creating an audit log (which in IT means the recording of the details of the actions) or event correlation (which means piecing together information from multiple sources), which do limit these attacks.

As a counterexample to the example given by him (that you can say that someone else logged on as you if you had a weak password): if you have the IP addresses from which the connection originated recorded in the audit logs, that can increase or decrease the probability of that claim (mind you, in security you can never claim to prove or disprove anything with 100% certainty, because there are many ways around it; for example, the attacker might have proxied a connection through the user’s computer). Or if you had event correlation and you knew that the user was in one town (based on his badge being scanned on entry to the building) while the login came from another town (based on IP geolocation), you would know that that was a possible attack.
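The badge-versus-geolocation correlation described above, as an added example (mine, not from the post or any product): it joins a badge log with a login log and flags logins that the physical access records do not corroborate. The two logs, the user names, the addresses and the tiny stand-in for a GeoIP database are all constructed for the demo.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample logs for this example; not taken from any real system.
# A badge event records which building the person physically entered.
BADGE_LOG = """\
2007-08-01T08:55:00 badge user=alice site=Cluj
2007-08-01T08:58:00 badge user=bob site=Bucharest
"""

# A login event records the source IP the authentication came from.
LOGIN_LOG = """\
2007-08-01T09:10:00 login user=alice ip=198.51.100.23 result=success
2007-08-01T09:40:00 login user=alice ip=203.0.113.7 result=success
2007-08-01T10:05:00 login user=bob ip=203.0.113.9 result=success
2007-08-01T10:07:00 login user=carol ip=192.0.2.44 result=success
2007-08-01T10:30:00 login user=bob ip=192.0.2.44 result=success
"""

# Constructed stand-in for an IP geolocation database (documentation
# prefixes only); a real deployment would query a proper GeoIP source.
GEO_DB = [
    (ipaddress.ip_network("198.51.100.0/24"), "Cluj"),
    (ipaddress.ip_network("203.0.113.0/24"), "Bucharest"),
]

# How long a badge scan is taken to vouch for someone's location.
BADGE_WINDOW = timedelta(hours=10)


def parse_line(line):
    """'<iso-ts> <kind> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def geolocate(ip):
    """City for an IP according to GEO_DB, or None if it is not covered."""
    addr = ipaddress.ip_address(ip)
    for net, city in GEO_DB:
        if addr in net:
            return city
    return None


def correlate(badge_log=BADGE_LOG, login_log=LOGIN_LOG):
    """Return (timestamp, user, verdict) for every successful login that the
    badge records do not corroborate. A finding changes the probability of
    the 'someone else used my weak password' claim; it is not a proof, as
    the post notes (the login could have been proxied through the user's
    own PC, for instance), so it is a lead for an analyst, not a verdict."""
    badges = [parse_line(ln) for ln in badge_log.splitlines() if ln.strip()]
    logins = [parse_line(ln) for ln in login_log.splitlines() if ln.strip()]
    findings = []
    for login in logins:
        if login.get("result") != "success":
            continue
        # Badge scans by the same person within the window before the login.
        recent = [
            b for b in badges
            if b["user"] == login["user"]
            and timedelta(0) <= login["ts"] - b["ts"] <= BADGE_WINDOW
        ]
        when = login["ts"].isoformat()
        if not recent:
            findings.append((when, login["user"], "no-badge-record"))
            continue
        last_badge = max(recent, key=lambda b: b["ts"])
        city = geolocate(login["ip"])
        if city is None:
            findings.append((when, login["user"], "unknown-geolocation"))
        elif city != last_badge["site"]:
            verdict = f"badge-at-{last_badge['site']}-login-from-{city}"
            findings.append((when, login["user"], verdict))
    return findings
```

On the constructed logs, alice's second login (badge in Cluj, IP in Bucharest) is the case the post describes; carol has no badge record at all and bob's last login comes from an address the database does not cover, which are the two other outcomes an analyst has to handle.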

The following generic discussion is accurate as far as I can tell. And this is Steve’s strong point: giving general presentations. However, when going a little deeper, he oftentimes makes mistakes or gives confusing statements.

Like, for example, the discussion of the Bank of America SiteKey. Disclaimer: I never used BofA and didn’t study the SiteKey method; however, it is clear that of the following three claims (all of which were made during the discussion) only one can be true:

  1. The displayed image is based on your IP
  2. The displayed image is based on a cookie (or flash cookie) stored on your computer
  3. The displayed image is based on your username, which you’ve entered before the image becomes visible

Most probably it is the second option: it would be nonsensical to base the system on your IP address (you might have a dynamic IP, for example, which changes from time to time without your intervention), yet the cookie option still explains the symptoms which were used to justify the first claim (the fact that when you have a different IP it doesn’t show), probably because you’re on a different computer which doesn’t have the cookie.

Update: I forgot to mention that they also discuss in this podcast a version of the RSA token which can be installed on a mobile phone or even on the computer. While this has some usability advantages (such as not requiring an extra device which has to be carried around and may be lost), it has the definitive disadvantage that it can be copied! In fact what makes items such as the RSA tokens unique is the fact that the unique data in them (the encryption key / random seed / serial number) is hardcoded and cannot be read easily. As soon as this data becomes known for a particular user, theoretically her token can be emulated perfectly. I'm sure that RSA did a great job preventing the leakage of this information through the generated numbers (that is, you most probably can't guess it by observing the generated numbers, or if you could, you would have to observe a very large number of them), but as soon as the data becomes available to other programs, the risk of it being stolen is greatly increased.
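To make the "it can be copied" point concrete, here is an added example (not code from the original post, and not RSA's algorithm). RSA SecurID uses a proprietary construction; the example uses the open RFC 4226 HOTP / RFC 6238 TOTP construction as a stand-in, because the property at issue is the same: the one-time code is a pure function of the seed and a counter, so whoever holds a copy of the seed produces exactly the same codes as the legitimate token. The `SoftToken` class, its `export` method and the serial numbers are assumptions made for the illustration; the seed is the RFC test vector, not a real secret.

```python
"""A software token is only as secret as its seed.  Added example using
RFC 4226 HOTP / RFC 6238 TOTP as a stand-in for the proprietary RSA algorithm."""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


class SoftToken:
    """A software token: the seed lives in ordinary process memory / a config
    file, which is exactly what a hardware token is built to avoid."""

    def __init__(self, seed: bytes, serial: str):
        self.seed = seed
        self.serial = serial

    def code(self, unix_time: int) -> str:
        return totp(self.seed, unix_time)

    def export(self) -> bytes:
        # Any malware that can read this process's memory or its backing
        # file can do the equivalent of this call.
        return self.seed


def clone_matches(original: SoftToken, stolen_seed: bytes, unix_time: int) -> bool:
    """A copied seed yields exactly the code the legitimate token shows."""
    impostor = SoftToken(stolen_seed, serial="cloned")
    return impostor.code(unix_time) == original.code(unix_time)


# RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"), not a real secret.
TEST_SEED = b"12345678901234567890"

if __name__ == "__main__":
    victim = SoftToken(TEST_SEED, serial="victim")
    now = int(time.time())
    print("victim code :", victim.code(now))
    print("clone agrees:", clone_matches(victim, victim.export(), now))
```

Nothing about the server side can tell the clone from the original: both submit the same six digits in the same 30-second window. The hardware token's defence is not a better algorithm but the fact that `export()` has no equivalent; the seed is burned in and is not readable by software on the host.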

Hack the Gibson #89 (https://grey-panther.net/2007/08/hack-the-gibson-89.html, Thu, 02 Aug 2007 07:09:00 +0000)

Read the reason for these posts. Read Steve Gibson's response.

Related to the SpinRite stories (which are present in every episode): again, I don't know WTF (pardon my language) people are doing with their computers, but in my 15 years of computer usage I never (knock on wood) had a hard drive fail on me, nor known somebody personally who had a hard drive failure! Anyway, the important thing I want to stress is that if your hard drive failed and it wasn't a software failure, change your hard drive! If it was a software failure, or you're unsure and don't want to spend the money just because of a hunch, start backing up! This is advice which I hear too infrequently on SN, given how much they talk about hard drive failures (yes, they do mention it from time to time, but very rarely!).

The first thing I would object to is that nowhere is there a mention of WPA2, nor of the fact that WPA/WPA2 authentication can be done with certificates (WPA-Enterprise, that is, 802.1X with an EAP method such as EAP-TLS). From a security standpoint this is at least equivalent to a very long and very complex key: every client has its own credential, and a fresh pairwise key is derived from each EAP exchange instead of every client sharing one passphrase. I know that this podcast is aimed at the home user, however it would be nice to at least mention these options.

Steve says:

All Ethernet LAN endpoints, that is, all NICs, Network Interface Cards, they actually are addressable by their MAC address because the IP protocol is just one of many protocols that they could support. You could be Token Ring, you could be any of a number, for example, IPX, SPX, the old Novell protocol, all these things run on Ethernet. So the IP protocol needs a way to figure out which adapter card on the Ethernet we want to send our data to.

While generally correct, it should be mentioned that IPX and SPX are part of the same protocol stack and are rarely (if ever) used alone (just as you don't see TCP over anything other than IP, although it is theoretically possible). The stack is correctly written IPX/SPX, which stands for Internetwork Packet Exchange/Sequenced Packet Exchange, and it is the old Novell protocol, so the sentence should read "IPX/SPX (the old Novell protocol)". While it is possible that this is a transcription error (as I work off the transcript), the confusion between Layer 2 and Layer 3 of the OSI model is clearly Steve's fault: Token Ring is a Layer 2 protocol, an alternative to Ethernet rather than something that runs on top of it, while IPX is a Layer 3 protocol (with SPX above it at Layer 4), so the analogy is erroneous and misleading.
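The part of Steve's statement that is right, namely that one Ethernet can carry IP, IPX and other Layer 3 protocols side by side and that IP needs a way to find the right adapter, is worth seeing in bytes. The following is an added example, not code from the original post or the podcast: it splits off the 14-byte Ethernet header, tells Ethernet II frames (where the third field is an EtherType such as 0x0800 for IPv4, 0x0806 for ARP or 0x8137 for Novell IPX) apart from IEEE 802.3 frames (where the same field is a length of at most 1500), and decodes ARP, which is the mechanism by which IP maps an address to a NIC's MAC address. The frames and MAC/IP addresses are constructed by hand (RFC 5737 addresses); the helper names are assumptions made for the example.

```python
"""Ethernet frame demultiplexing by EtherType, plus an ARP decoder.
Added example; all frames below are constructed by hand."""
import struct

# Selected EtherType values (Ethernet II framing).
ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x8137: "IPX",    # Novell IPX in Ethernet II framing
    0x86DD: "IPv6",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip4_bytes(dotted: str) -> bytes:
    return bytes(int(part) for part in dotted.split("."))


def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte header off and say which Layer 3 protocol follows."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "payload": frame[14:]}
    if type_or_len <= 1500:
        # IEEE 802.3 framing: the field is a payload length and the protocol
        # is identified further in by an LLC/SNAP header (not decoded here).
        info["kind"] = "802.3"
        info["length"] = type_or_len
    else:
        # Ethernet II framing: the field names the Layer 3 protocol directly.
        info["kind"] = "EthernetII"
        info["ethertype"] = type_or_len
        info["protocol"] = ETHERTYPES.get(type_or_len, "unknown")
    return info


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP packet for Ethernet/IPv4 (RFC 826)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
        "target_mac": mac_str(tha), "target_ip": ".".join(map(str, tpa)),
    }


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """The broadcast frame a host sends to ask 'who has target_ip?'."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, ip4_bytes(src_ip), b"\x00" * 6, ip4_bytes(target_ip))
    return struct.pack("!6s6sH", b"\xff" * 6, src_mac, 0x0806) + arp


# Constructed frames sharing one link: IPv4, IPX, a length-framed 802.3 frame, ARP.
SRC = bytes.fromhex("001122334455")
DST = bytes.fromhex("66778899aabb")
IPV4_FRAME = struct.pack("!6s6sH", DST, SRC, 0x0800) + b"\x45" + b"\x00" * 19
IPX_FRAME = struct.pack("!6s6sH", DST, SRC, 0x8137) + b"\xff\xff" + b"\x00" * 28
LENGTH_FRAME = struct.pack("!6s6sH", DST, SRC, 46) + b"\x00" * 46
ARP_FRAME = build_arp_request(SRC, "192.0.2.10", "192.0.2.1")

if __name__ == "__main__":
    for frame in (IPV4_FRAME, IPX_FRAME, LENGTH_FRAME, ARP_FRAME):
        info = parse_ethernet(frame)
        print(info["kind"], info.get("protocol", info.get("length")))
        if info.get("protocol") == "ARP":
            print("  ", parse_arp(info["payload"]))
```

The MAC addresses pick the adapter; the EtherType picks the protocol stack that gets the payload. That is the whole of Steve's point, and it lives entirely at Layer 2, which is why "you could be Token Ring" does not belong in the same list as IPX: Token Ring would replace this header, not ride inside it.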

PS. The percentage of the show which deals with technical content has started to go down (for example in this show more than half of it was advertisement and/or chatter; not that there is anything wrong with that, this is the reason I listen to TWiT, for example), which is one of the reasons why you see less content in these blog postings (the other being that I'm lazy :))

Hack the Gibson – special edition – aka lucky 13 (https://grey-panther.net/2007/07/hack-the-gibson-special-edition-aka-lucky-13.html, Wed, 25 Jul 2007 17:36:00 +0000)

I've been absent lately from the whole Hack the Gibson series, completely missing the 100th episode for example, not because I wouldn't have material, but because I'm very busy (or very lazy, depending on your viewpoint :-)). However, I just wanted to let you know about a useful resource, which unfortunately seems to be dead (in the sense that the domain seems to have expired).

The site I'm talking about is grcsucks.com (again, I didn't provide a link, because you would be met with a generic "this domain has expired" message). Fortunately most of the content (if not all) is still available at archive.org's Wayback Machine (which as of the time of this writing seems also to be down; this is all a conspiracy I tell ya! :-)). The site consists of a (relatively) large set of materials criticizing Steve Gibson, and, even though the domain name is rather inflammatory, the content is well balanced. Hopefully it will come back someday.

PS. The existence of this site is both reassuring (in the sense that there are others who have similar opinions, and not just anybody: the author of Snort, for example, is one of them!) and intimidating (because if so much well-written material couldn't get Steve to at least tone down his hype machine, it's very improbable that I can).

And finally here is a quote to remind everybody what I object to (from episode #99, taken directly from the transcript). The premise is that somebody has written in to counter one of Steve's arguments:

STEVE: “In the days before international banking, banks would build elaborate buildings. The reason for this is often considered by non-economists to be competitive. However, economists know that if it were out of competition, there would be similar architectural arms races in other industries. Yet banks were different somehow. The real reason is that the bank could afford to build beautiful buildings, while the fraudsters, who would open a bank and then skip town with the money deposited, could not. A baroque building was a signal of legitimacy. These scenarios are called ‘signaling games’ in economics and game theory that only a legitimate bank could afford to send.

“The problem in the online world, as you well know, is that people use the same rationale. If they go to a phishing site, and it has a nice layout with scripting and menus and animation, they assume it’s real. Enter EV certificates, the online equivalent of building a nice bank. It only makes economic sense to get one if you plan on sticking around. A nice website is a signal that anyone can duplicate, and therefore it isn’t a good signal at all. An EV-enhanced certificate that costs $15,000 per year is not easily duplicated and therefore is an effective signal. If you are legitimate and can’t afford one, you probably are not a target for phishing in the first place.” Which actually I thought was sort of a really good point that he made. “If you don’t have the same need to signal your legitimacy as PayPal, eBay, Amazon, or an online bank, all of whom can afford one.” And then he says, “I’ve written more on this exact topic if you’re interested,” blah blah blah. But anyway, I just – I loved what he said. I mean, this is the kind of really good stuff that’s appearing in the mailbag now, so…

Now please direct your attention to exhibit A, aka the sentence where Steve refuses to give real credit to the guy (Google to the rescue), even though they praise the letter. This is selfish and disrespectful of the listeners, who put time and effort into the show and without whom there would be no show!

Update: Archive.org’s Wayback machine is back up again, so here is the link to the last stored version: http://web.archive.org/web/20070521043538/http://grcsucks.com/
