SSCC 105 – HP printers, Google blocks ad blockers, Apple does the 2-step, and more…


Have you joined thousands of others and become a loyal listener to the “Chet Chat” yet?

One of our most popular podcasts, the regular “Chet Chat” sees Senior Security Advisor Chester Wisniewski discussing the latest security news with industry experts.

The Chet Chat offers actionable advice on what you and your company should do about the issues of the moment.

We try to make each episode as close to 15 minutes as we can, so it’s ideal for your lunchtime security fix, or as part of your commute.

In episode 105, Chester and regular guest Duck (Paul Ducklin) turn their unique blend of insight, expertise and scepticism on recent events in the computer security world.

Listen now:

(27 March 2013, duration 15:12 minutes, size 9.2 MBytes)

Download now:

Sophos Security Chet Chat #105 (MP3)

Chet Chat episode 105 shownotes:

• HP ships debug firmware to customers

HP shipped debug-version printer firmware in a number of printers, leaving a Telnet debug shell that simply shouldn’t have been there.

Duck compares Telnet to a VCR – a throwback to the 1980s – and wonders why you would use it at all, even (or perhaps especially) in debug code.

Chester talks about recent research he learned about from HD Moore on his recent road trip to B-Sides in Austin, Texas, reminding us of the sad fact that there are more Telnet and FTP servers listening out there than there are SSH servers.

• Google blocks ad blockers

Google recently threw ad blocking software out of the Play Store.

90% of Naked Security readers voted in our poll to suggest Google should relent and let ad blockers back in, but Chester sides with the naysayers, arguing that you can’t have everything for free.

If you don’t want the ads, he says, then pay for apps that don’t have them. But don’t begrudge freebie developers their cut of Google’s marketing revenues.

Duck agrees to disagree, counterclaiming that Google’s ironic behaviour was “mean-spirited,” and Chester capitulates, if only slightly.

(You can still vote in our poll, “Should Google let ad blockers back in the Play Store?” You don’t need to leave a name or email address.)

• Apple introduces two-step verification

Apple announced what is almost 2FA, or two-factor authentication, for Apple IDs.

Chester asks Duck to explain why it’s actually called “two-step verification,” not 2FA, and the pair discuss why it’s a good idea despite not using a full-on hardware token like a bank might.

• Changing HTML links after you click them

Duck talks about a “hackette” he wrote about, by which a JavaScript coder can switch a link out from under you after you click it, using JavaScript’s onclick event.

Chester argues that this is a storm in a teacup, because even if you know where a URL leads, you can’t reliably predict whether it’s clean or not, since the crooks rely on compromised legitimate sites almost exclusively these days.

Nevertheless, says Duck, the interesting issue here, as with the Google story, is the irony of how easy it is to change something after you’ve committed to it, and wonders if we’re stuck with design decisions that have favoured slick-and-quick too much.
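As an added example (not from the podcast or from Naked Security), here is a small static check that flags anchors whose inline onclick handler refers to the link target, so that a page reviewer can spot links where the address shown on hover is not necessarily the one a click will use. The sample HTML is constructed for the demonstration.

```javascript
// Constructed sample page: one honest link, two whose onclick can retarget the
// click after the user has committed to it, and one with a harmless handler.
const SAMPLE_HTML = `
<a href="https://example.com/report.pdf">Honest link</a>
<a href="https://example.com/safe" onclick="this.href='https://example.net/other'">Swapped href</a>
<a href="https://example.com/faq" onclick="window.location='https://example.net/elsewhere';return false">Redirect</a>
<a href="https://example.com/about" onclick="trackClick(this)">Analytics only</a>
`;

// Each <a ...> start tag; its attribute text is parsed separately below.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// name="value", name='value' or bare name=value pairs inside a start tag.
const ATTR_RE = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// Handler text that can change where the click actually goes.
const SUSPICIOUS_RE = /\b(href|location|assign|replace|open)\b/i;

// Lower-cases attribute names so href/HREF and onclick/onClick compare equal.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one record per anchor whose inline onclick could rewrite the target:
// the href the browser shows on hover, and the handler that runs on click.
function findLinkSwappers(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    const handler = attrs.onclick;
    if (handler && SUSPICIOUS_RE.test(handler)) {
      findings.push({ shownHref: attrs.href ?? "", onclick: handler });
    }
  }
  return findings;
}

for (const f of findLinkSwappers(SAMPLE_HTML)) {
  console.log(`hover shows ${f.shownHref} but onclick runs: ${f.onclick}`);
}
```

The check only sees inline attributes; handlers attached from a separate script file are invisible to it, so treat a clean result as "nothing obvious" rather than "safe".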

• Living with the past

Chester reinforces Duck’s lament about the “errors of the past” by pointing out that Internet Explorer 11 tells web sites that it’s Firefox, because so many servers still send special code to IE as a workaround for IE problems fixed by Microsoft three or four versions ago.

Sometimes, replies Duck, you really do need to bite the bullet and break with the past, and concludes with a short burst of praise for Apple because it did break entirely with phone-based account recovery in its 2FA system.

Catch up with Chet Chats and other podcasts

You can download the Sophos Security Chet Chat podcast episode 105 directly in MP3 format.

And why not take a look at the back-catalogue of Sophos Podcasts in our archive? We have loads of interesting stuff for your listening pleasure.