SSCC 105 - HP printers, Google blocks ad blockers, Apple does the 2-step, and more...

Filed Under: Android, Apple, Featured, Google, Internet Explorer, Microsoft, Podcast, Security threats

Have you joined thousands of others and become a loyal listener to the "Chet Chat" yet?

One of our most popular podcasts, the regular "Chet Chat" sees Senior Security Advisor Chester Wisniewski discussing the latest security news with industry experts.

The Chet Chat offers actionable advice on what you and your company should do about the issues of the moment.

We try to make each episode as close to 15 minutes as we can, so it's ideal for your lunchtime security fix, or as part of your commute.

In episode 105, Chester and regular guest Duck (Paul Ducklin) turn their unique blend of insight, expertise and scepticism on recent events in the computer security world.

Listen now:

(27 March 2013, duration 15:12 minutes, size 9.2 MBytes)

Download now:

Sophos Security Chet Chat #105 (MP3)

Chet Chat episode 105 shownotes:

• HP ships debug firmware to customers

HP shipped debug-version printer firmware in a number of printers, leaving a Telnet debug shell that simply shouldn't have been there.

Duck compares Telnet to a VCR - a throwback to the 1980s - and wonders why you would use it at all, even (or perhaps especially) in debug code.

Chester talks about recent research he learned about from HD Moore on his recent road trip to B-Sides in Austin, Texas, reminding us of the sad fact that there are more listening Telnet and FTP servers out there than are listening for SSH.

• Google blocks ad blockers

Google recently threw ad blocking software out of the Play Store.

90% of Naked Security readers voted in our poll to suggest Google should relent and let ad blockers back in, but Chester sides with the naysayers, arguing that you can't have everything for free.

If you don't want the ads, he says, then pay for apps that don't have them. But don't begrudge freebie developers their cut of Google's marketing revenues.

Duck agrees to disagree, counterclaiming that Google's ironic behaviour was "mean-spirited," and Chester capitulates, if only slightly.

(You can still vote in our poll, "Should Google let ad blockers back in the Play Store." You don't need to leave a name or email address.)

• Apple introduces two-step verification

Apple announced what is almost 2FA, or two-factor authentication, for Apple IDs.

Chester asks Duck to explain why it's actually called "two-step verification," not 2FA, and the pair discuss why it's a good idea despite not using a full-on hardware token like a bank might.

• Changing HTML links after you click them

Duck talks about a "hackette" he wrote about by which a JavaScript coder can switch links from under you after you click them, using JavaScript's onclick event.

Chester argues that this is a storm in a teacup, because even if you know where a URL leads, you can't reliably predict whether it's clean or not, since the crooks rely on compromised legitimate sites almost exclusively these days.

Nevertheless, says Duck, the interesting issue here, as with the Google story, is the irony of how easy it is to change something after you've committed to it, and wonders if we're stuck with design decisions that have favoured slick-and-quick too much.

• Living with the past

Chester reinforces Duck's lament about the "errors of the past" by pointing out that Internet Explorer 11 tells web sites that it's Firefox, because so many servers still send special code to IE as a workaround for IE problems fixed by Microsoft three or for versions ago.

Sometimes, replies Duck, you really do need to bite the bullet and break with the past, and concludes with a short burst of praise for Apple because it did break entirely with phone-based account recovery in its 2FA system.

Catch up with Chet Chats and other podcasts

(27 March 2013, duration 15:12 minutes, size 9.2 MBytes)

You can download the Sophos Security Chet Chat podcast episode 105 directly in MP3 format.

And why not take a look at the back-catalogue of Sophos Podcasts in our archive? We have loads of interesting stuff for your listening pleasure.

, , , , , , ,

You might like

One Response to SSCC 105 - HP printers, Google blocks ad blockers, Apple does the 2-step, and more...

  1. Nigel · 890 days ago

    "...Internet Explorer 11 tells web sites that it's Firefox..."

    OHMYGAWD!! At first, I thought there must have been a typo error, or something. But I Googled it and sure enough, it's true.

    I really had to chuckle...especially after just having to mess with some perfectly correct, W3C-validated XHTML code just to get a page to display properly in IE 8...when it already displayed perfectly in seven other browsers.

    I rejoice that Microsoft has finally decided to build a standards-compliant browser. But I will rejoice even more when the older versions of MSIE are extinct, and we can get on with designing W3C-validated pages that will look and act the same for everyone, regardless of browser or operating system...without having to write ersatz code for MSIE.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog