Slashdot Mirror

> this would then be the first free service that I know of which doesn't do redirect

Well, there are *tons* of them. And fast. Download this program (if you're on Windows), run it, and see which are good for you. Redirecting and "strict" are marked with different colors.

http://www.grc.com/dns/benchmark.htm

Steve Gibson, is that you?

This was covered in a recent episode of the Security Now podcast http://www.grc.com/securitynow.htm. See episode 80 from Nov 19 "A security vulnerability in SSL". The transcript is also available http://www.grc.com/sn/sn-223.pdf.

This was covered in a recent episode of the Security Now podcast http://www.grc.com/securitynow.htm. See episode 80 from Nov 19 "A security vulnerability in SSL". The transcript is also available http://www.grc.com/sn/sn-223.pdf.

I use foxmarks (or Xmarks, as they call themselves now) for all the web passwords that I'm willing to let Firefox remember. AES encrypted, available everywhere Firefox is. Nice. Simple. Easy and Works.

The passwords that I put in there are variations of a few basic passwords. The passwords are simple plain english words, 3 to 8 characters long, and each letter maps to a random 2 letter assignment. This map is generated by going to GRC's password generator page and taking the first two letters in the ascii printable list and assigning it to "a", the next two to "b" and so on. I then follow with the numbers. The is also a lower/alpha/number list which I do the same thing in case I run across a site that can't take special characters.

For example, when I went to the page for this post. I got the following string: "=f^9]pnLE70:uS6XYhev/ExPy%)Ax}" In this case a := "=f" b := "^9", etc. For the password base I would choose something like sea, which would then get translated into: DeE7=f I would then add a simple (ie: 2-3 char plain text easy to remember), prefix or postfix to the password for the site.

At work I keep the alphabet list printed out and taped to the bottom of the center drawer of my desk. This is secure because people would have to get past the armed guards and two locked doors to get to it. Even if this wasn't the case, they would have to know what the base password is.

For non web based passwords I use KeePassSafe. Even I don't really know what the password is for keepass, as I use both a keyfile, and a statically generated 32 character password (I use a Yubikey in static mode for this. I'm not concerned about losing the file, but if something happened to the key, I admit I'd be screwed. Mostly I use it for the geek factor. Before I got the yubikey, I used the above method with an 8 character base (and the keyfile)

...seem to do the trick for me. I put this huge list of malicious sites into my HOSTS file, so most ads never even show up. http://www.grc.com/sn/hosts_mvps_org.txt

At least Windows 7 Pro has an XP virtual machine, but we don't know how compatible it is yet.

Why not? It's been available since the RC. You do need hardware virtualization support, but that's easy to check (I dislike GRC because of his irrational fearmongering of UPnP, but this tool is the quickest way to check if you have virtualization available on your CPU). It's based on the mature VirtualPC product and running full XP, so if an app worked in XP it should work fine in virtualization.

Windows 7 is a Service Pack to Windows Vista practically, and it is like when Windows XP came out as a Service Pack to Windows 2000. Windows 2000 was version 5.0 and Windows XP was version 5.1, Windows Vista is version 6.0 and Windows 7 is version 6.1.

First, read about why Windows 7 is 6.1. Cliff notes: app compatibility, because too many apps are stupid and don't handle major version bumps properly (witness all of the apps from Windows XP that wouldn't install on Vista simply because it was 5.1 to 6.0 and the installer assumed major version would always be 5 and so just checked minor version, resulting in 0 less than 1 == not supported). Win7 is certainly an enhancement on top of Vista, but then Vista was an enhancement on top of XP (really on top of the Server 2003 codebase, but that came from XP), and XP was an advancement on top of 2000, and so on. Some things haven't changed, like the new WDDM driver model that Vista introduced (though Win7 did bump to WDDM 1.1, which allows for easier/better drivers, especially in the realm of gpus). Other things have changed dramatically, though you wont really notice such as the DWM now being much more efficient, especially if coupled with a WDDM 1.1 driver (nVidia, ATI, and Intel already have such drivers available). In Vista, DWM memory usage would grow linearly with the number of windows open. In Windows 7 with a WDDM 1.1 driver, memory usage is now constant regardless of the number of windows (and with a 1.0 driver, it's still ~50% more efficient than Vista). Another example, Win7 is much nicer to SSD storage. But you should look at the list of new features yourself.

Sadly a lot of XP machines will need RAM upgrades if not video and hard drive upgrades to run Windows 7 as I heard even 1G of RAM is not enough and that Windows 7 is a bit of a hard drive and resource hog like Vista is, because XP runs faster because it has less features and fewer services that start up upon bootup.

1GB is fine. I've used Win7 on netbooks with that little RAM and they were just as snappy (if not snappier) than when running XP. Of course I also like to upgrade netbooks to 2GB, and when you can do so for $20 why wouldn't you? You don't need a new video card, especially if you already have a DX9-capable card (DX9+ required for Aero, will be snappier with a 10.1 card but Aero will still work well). Win7 fits quite well into 16GB on netbooks with plenty of room to spare for your own content, and you can even hack it (though it's not recommended or supported) to get down into 8GB. Win7/Vista definitely have more startup services, but that's also a bit of a red herring as there are new things like the Aero Destop Window Manager and the new Audio server that show up as services now.

Most Windows XP installs don't make use of dual core or higher systems as one has to by the non uniprocessor version of XP to use more than one core or processor.

XP Pro supported 2 processors, so for most people that would be fine (assuming most people have single or dual-core CPUs, not quad-core). What's more important than that is 64-bit really shines in Win7 (it worked well in Vista as well, but it's even better in 7; for XP

And then security only works if it's strictly enforced... the moment I read your message I had to think of Security Now's Horrifying PayPal Revelation of the Week. Check out Security Now Episode 188, and look for "Horrifying PayPal Revelation of the Week"....

I'm going to kill the suspense: the security question was the last 4 digits of the bank account linked to the account, and the person who forgot his password was able to guess these numbers, with a little help from Paypal's customer service rep....

If I had that kind of suspicion and if it was router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it over the router itself. It would be something like "format and install windows" I wouldn't really backup any settings on that case. Just make sure you know ISP login and pwd. Make sure they work, they haven't been changed at any point or you will end up speaking with Bangalore at 4 AM :)

A simple,fast port scanner exists at http://www.grc.com/ (shields up!) which really works, ignore Mr. Gibson's weird named inventions like "nano scan" etc. What I know is, it works. Oh also ignore its port 139 or "you aren't stealth" paranoia. 139 is client port and stealth would be good but you won't really die if you have nothing served.

For clients, don't re invent the wheel. NMAP is there, free and can run under win32 if you need. http://nmap.org/download.html , some instructions exist for detecting current security threats but I didn't really check since it is all OS X here, we have different issues than win32.

Your post reminded me of this discussion on "Security Now!".

original transcript: http://www.grc.com/sn/sn-198.htm

(emphasis mine)
[[snip]]
Steve: MacBreak Weekly, just as we were getting ready to do this. And he made a comment about - you were talking about ripping DVDs. And he said, yeah, you know, you can get a terabyte drive now for 90 bucks.

Leo: Exactly.

Steve: And I'm thinking, yeah, and that's what SpinRite costs. And he said so, you know, there's really no need to burn all those. Just rip them all onto that terabyte drive. And I'm thinking, yes, please do. Because, please.

Leo: Why is that, Steve?

Steve: Good. Put your whole movie collection on there because I will have your money. When that $89 terabyte drive craps out on you...

Leo: We're buying - are you saying people should buy fancier drives, or just this is inevitable?

Steve: Put all the crown jewels, put everything you have on hard disk.

Leo: Well, don't throw away the DVDs. Keep them. But it really is true that, if there's data on there, it's worth more than 89 bucks. It's not a question of buying another drive, it's a question of getting that data back.

Steve: Yes. I mean, people, for a while people were saying, well, gee, Steve, $89, that's pretty steep. And I'd say, yes, I understand. And then they'd say, well, we can buy a new drive for that. Yes, but it doesn't - it's not all of the data that you've got. It's not everything that's been installed in your system before. It's not, I mean, what's your time worth to, like, recreate everything from scratch? And in some cases these are irreplaceable. These are people's entire photo libraries that have never been backed up, never put somewhere else.
[[snip]]

The point is, Terabyte drives fail, too. Keep that in mind for your data retention policy. One might even be so inclined to purchase SpinRite ahead of time to validate the drive's integrity before being placed into use and occasionally validating the drive's integrity from time to time.

Despite their claims to the contrary, OpenDNS's servers are likely farther away from you than your local ISP's.

Absolutely right. Out of curiosity, I recently tested DNS performance as experienced from my home network, using Steve Gibson's excellent DNS benchmark tool. The test was between:

• My LAN's OpenBSD gateway & DNS server (10.19.0.1)
• My ISP's (BellSouth's) DNS servers (205.152.*)
• OpenDNS (208.67.*)
• Level 3's anycast servers (4.2.2.*)

OpenDNS was the clear loser in this test. (Sorry for the lack of numeric labels on this screenshot, but the graph is to scale.) Querying the local DNS server was of course faster than anything that had to go across the DSL modem, but OpenDNS was also significantly slower than the other remote servers tested.

According to IDServe, Bing is running on AkamaiGHost. That's after getting an error on the hostname then querying using the returned IP address.

Yes. Because the Internet has reduced the friction of communication to the point where it is impossible to make a profit selling snake oil.

Hello,

Here is a list of data recovery programs I have put together. Some of them may be a little old, for floppies or optical media only, but should still be useful. Unless otherwise noted, they are all for Microsoft Windows.

A-FF Labs - NTFS Undelete and Partition Find and Mount
Access Data - FTK Imager
Acronis - RecoveryExpert
Advanced NTFS Recovery - NTFS Recovery (may handle FAT32 as well)
bitMART - Restorer Ultimate
Brant, Dmitry - DiskDigger
BriggSoft - Directory Snoop
CGSecurity - TeskDisk and PhotoRec
Convar - PC Inspector File Recovery
Digital Assembly - Adroit Photo Recovery (pictures only)
DiskInternals - NTFS Recovery
DIY Data Recovery - iRecover
DTI Data - Recover It All
DataRescue.Com - PhotoRescue (intended for flash RAM cards, which are typically formatted with FAT, may work with other devices as well)
EASEUS - Data Recovery & Security Suite
Fsys Software - DFSee
Gibson Research Corp. - Spinrite
Gillware - GillWare File Viewer
Higher Ground Software - Hard Drive Mechanic Gold
Kato, Brian - Restoration (also here)
LC Technology -
[Continued in next message, as for some reason, Slashdot would not let me post in its entirety (too many URLs?). AG]

Spinrite has worked miracles in the past for me. It's brought back unbootable corrupted windows partitions back to life for me. Supposedly it also fixes physical defects in hard drives as well. It boots off of a image from disc. It costs $89.00 but it's saved my butt in the past.

There is so much FUD about Trusted computting. Go watch Security Now Ep. 99 It will change how you think about trusted computing. It will separate the truth from the FUD.

I take anything Steve Gibson says with a grain of salt, but SecurAble is one of the simplest ways to see if your Windows PC supports hardware virtualization.

This free app will tell you whether your processor will support XP Mode in Windows 7 or Not:

Securable

Just FYI, you can check to see if your processor supports the virtualization mode needed for this feature here:

http://www.grc.com/securable.htm

Yes that was funny. What ever happened to Gibson's original article? I looked around on grc.com but couldn't find it. It used to be at http://grc.com/dos/winxp.htm.

YES. A thousand times yes. I did go buy myself a copy after that podcast (ep #172, here) and I don't know how I survived without it. It's entirely usable right out of the box but with a little configuring you can make it do just about anything you need, without the overhead of running a whole separate VM.

That someone was Steve Gibson, in the show on Truecrypt 5.0
(Transcripts of the show notes are here Search for "faster with encryption" (without the quotes)).

The only way this even remotely makes any sense is if Truecrypt itself is caching a fairly significant amount of data before writing it to the drive, or Steve's tests were with files that were less then the cache size of the drive.

If it a case of unreliable sectors, your best bet would be to use Spinrite, which does an admirable job of getting the data off the bad sector.

After you run spinrite, you should be able to use something like photorec to recover your files. (Boot from a DOS CD, and you'll need a second hard drive to recover to)

If it's just plain text, you can also boot from a Linux CD (a plain old knoppix disk, or if you want a forensic Distro - like Helix which would give you more tools to work with.) and do a simple "strings /dev/sda > /mount/sdb1/recovered.txt" (where sda is the drive that your trying to get data off of, and /mount/sdb1 is the drive that you want to recover to.)

If that doesn't work, Helix has more tools at your disposal.

Or just generate one from here: https://www.grc.com/passwords.htm - I have the same password I generated for around 2 years now, no-one has hacked into it (WPA) and I have it on my Pen Drive as a text file if another computer wants to connect to the wireless, I have to physically set it up so it can get on... Really simple.

Since you generally never have to type a WPA key in, might as well go for maximum entropy.

https://www.grc.com/passwords.htm

Or not even using something that is transmitted over the internet and is TRULY random:

dd if=/dev/urandom bs=200 count=1 | tr -cd 'A-Za-z0-9!@#$%^&*()_+'; echo

Credits go to someone from the Stupid (Useful) Linux tricks thread.

Since you generally never have to type a WPA key in, might as well go for maximum entropy.

https://www.grc.com/passwords.htm

The idea is dumb, it does put your eggs all in one basket because once someone has your login credentials they have your whole online identity.

If I found out Richard Stallman's openID usr/pass I could create an account on slashdot and post shit and people would think I am him because I am using his openID identity.

That's what is so damaging about it. Not only does it give a black hat login access to your personal information all over the internet, but it also allows you to create new information under the guise of someone else potentially ruining a person's life.

The above shows off OpenID's biggest weakness. Which is not the "all your eggs in one basket" as the poster alludes to, but rather the phenomenally poor marketing of OpenID. OpenID's web page pretty much sucks in explaining the technologies strengths. The biggest strength is that you don't have to have a static username/password. All the following are valid ways to authenticate with OpenID

• RSA Tokens
• Yubi Keys"
• SMS Texting (The authentication server generates a random string and sends it to a phone via sms. It has the added benefit that you know when someone is trying to access your account.
• A system that uses Perfect paper passwords
• A system that takes an image from your digital photo collection and asks who took it
• A system that asks you to solve a word problem
• Whatever else you can come up with

In addition, the system can be set up so that you can have a list of "high security" sites (ie: a bank) where you have to answer a different set of questions/use a different authenticator then your normal everyday blog site.

Soo...Mr lawyer...your saying to take money away from a dying person to ensure their final days are in immense pain is equal punishment for a possible uneducated 19 year old downloading a song. I'm sorry people whom steal and murder don't get those judgement against them. Even after there is 100% undisputable proof. It violates thier civil rights as to cruel and unusual punishment. And being there is no proof that someone in that household actually did that vs. a Russian or Wisconsin hacker downloading via thier control to that PC then copying the files off to thier own hard drive somewhere in the Ukraine or Wisconsin. How can you say that? Do you have absolute positive proof their machine has not been comprimised. You don't And the RIAA has made that mistake before and walked away ruining people lives over a SONG that a hacker downloaded to a remote machine then transferred! Somehow the industry doesn't believe someone can hack a computer illiterates machine, but acknowlege hackers can bring down thier routers and servers with DDOS attacks http://www.grc.com/sn/sn-008.pdf I got a sense off of your comment, that maybe your not as innocent as a newborn lamb either. you probably also believe that when talent writes a song about someone or some event, thy are "inspired" rather than "exploiting". Theft is theft whether you download a song that is not paid for or make money off of people, events or situations that you were not a part of, by writing a song about it. ...then selling it.

Didn't take long to find these...

http://davisfreeberg.com/2008/01/03/bad-copp-no-netflix/
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
http://blogs.zdnet.com/hardware/?p=1865
http://www.grc.com/sn/SN-074.htm
http://www.cypherpunks.to/~peter/vista.pdf

I suggest using SpinRite on your hardrives. Watch the 2 videos on their website, very impressive software. I've been doing emergency data recovery for years and have many tools. I bought a copy and am very pleased, using it on drive I have. SpinRite can't fix everything, some hardrives are mechanically inaccessible and therefore must be recovered the expensive way. At least watch the videos, they are very informative.

Transcript:

http://www.grc.com/sn/sn-133.htm

Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm

So let me get this straight: you're recommending I set my password to what some dude on the Internet is telling me to, and who can trivially connect it to me since he knows the IP address it was sent to ? And the dude, who's presumably advocating this practice since he's going out of his way to enable it, is supposedly a security expert ?

Suddenly, in a flash of pure black light, it dawned on me: all hope is lost. We are doomed.

...Unbelievable. Just plain unbelievable.

Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm

These are especially good for wireless routers since you normally don't need to type them yourself and they don't get changed that often. (Of course, you should still change them once in a while.)

They just might - ever watch the screens in SpinRite? Supposedly the graph screen shows an analog "strength" of the flux
http://www.grc.com/srrecovery.htm

Not all versions of major browsers behave the way you expect them to when you try to disable third-party cookies.
Check out Steve Gibson's cookie forensics page.
Here's a neat browser stats page showing graphically how GRC visitors have their 3rd party cookies configured by browser.

Not all versions of major browsers behave the way you expect them to when you try to disable third-party cookies.
Check out Steve Gibson's cookie forensics page.
Here's a neat browser stats page showing graphically how GRC visitors have their 3rd party cookies configured by browser.

This nat router, is this the usual linksys or dlink router, or are you talking about corporate level only?

Any NAT router. While an expensive business router should be higher quality and less vulnerable to attacks against it, the whole idea of NAT is what protects the PCs behind it. http://www.grc.com/nat/nat.htm explains it pretty well.

"Oh please. This is why I love Slashdot. I'm as big of a MS hater as the next guy, but those who ignore MS's progress from the Blaster days are just spewing FUD. A default Windows SP2 installation, with non-executable buffers (DEP) left enabled for Core windows services, running on supporting hardware will not get owned by just sitting on an infected network. I challenge any Slashdoter who thinks otherwise to prove it. Of course, when people start browsing porn sites with the default browser things get tricky, but that's no longer a remote, automated attack."

http://www.grc.com/ click on 'sheilds up' and do a 'common port scan' with windows firewall as your only inbound protection. Since i use a dedicated hardware firewall i can't post those results here, but here were my results... note: the first test failed because 1 port identified as 'closed' instead of as 'stealth' as for the last, i didn't disable ping, because i use ping a lot myself.

btw these are the ports scanned "0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720, 5000" I seem top recall that even with a linksys wireless router, many of these ports were still 'open' to complete internet strangers. yeah, that's part of why i switched to always having a hardware firewall.

"Solicited TCP Packets: RECEIVED (FAILED) -- As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

Unsolicited Packets: PASSED -- No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) -- Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

I would love to see how long a windows xp pro without spk2 but behind a router takes before being owned....

Behind a properly configured NAT router, never. NAT inherently blocks all inbound connections to a specific device, therefore a bad guy can't directly connect to the XP box to exploit any vulnerabilities. See http://www.grc.com/nat/nat.htm for more info.

Obviously, the clueless user could still do something to cause an infection. Once it's compromised that way, the floodgate for malware is opened up and anything goes. However, an outsider can't initially connect directly to the XP box to exploit it.

So, the answer is clearly... do whatever works for you!

A detailed explanation is in progress on the Security Now podcast at www.grc.com/securitynow hosted by Steve Gibson and Leo Laporte.

Part was covered last week, a lot more to come in tomorrow's episode.

Well worth following along.

I can't stress this enough. You need a company information security policy.

Your information security policy should at a minimum cover the following items:

• Definition of critical business information (CBI)
• Definition of personally identifiable information (PII)
• Who can and cannot have access to CBI and PII
• How CBI and PII must be protected when stored
• How CBI and PII must be protected when transmitted
• How systems which store, transmit, or process CBI and PII must be protected to ensure the safety of the information (e.g. anti-virus, disk encryption, firewalls, etc.)

I plan to write a blog post today or tomorrow at our blog, http://securitymusings.com which will go into a little more detail on this.

Now for a direct answer to your question: strongly encrypt the data using a 128-bit (or longer) standard encryption algorithm such as 3DES, AES, or Blowfish. If you are using password-based encryption, use a long and random password, such as those generated by any good password generation application. (GRC has a web-based one.) Use at least 20 random characters to create a sufficiently entropic password. Communicate the password out-of-band, such as via telephone, fax, or mail/fedex. There are lots of available tools to do proper encryption, such as PGP/GPG, WinZip, etc. Use one, don't write your own.

My understanding is that the file transfers don't work because of firewall issues. At least one party has to not be behind a firewall (or have ports forwarded) for them to work.

There's a Security Now! podcast explaining NAT traversal that addresses this issue, I think.

Here's a link to one-time password system with lots of explanation and discussion. https://www.grc.com/ppp.htm There are several free and open implementations: "GRC offers a complete and free (though not open source) PPP CryptoSystem implementation for Windows platforms, and other open source solutions are already available for Windows, Mac, Linux, and Java-equipped cell phones."

as found on https://www.grc.com/ppp.htm you use the list that you generate, scratch off item #1, only next attempt to login will accept item #2 (rinse/repeat.) very easy to use ONE TIME PAD; truly, it can not get any easier. CAH

Steve Gibson has a demo program http://www.grc.com/ct/freeandclear.htm that shows how ClearType works. "The Genesis of these pages was Microsoft's Comdex announcement of their new breakthrough font rendering technology, dubbed 'ClearType'. This announcement gave the industry a much needed wake-up call. Although Microsoft mistakenly believed that they had discovered something new, they certainly deserve the credit for helping to bring years of prior display system research and development into the forefront of personal computing practice." Click the Tune button and use the Magnify slider to see the effects of various render modes.

If you read the follow up you'll see that that is not a feature of Leopard, but the result of sub-pixel rendering. It's a technique for making text look better on LCDs.

Steve Gibson has an interesting article on it here:

http://www.grc.com/ct/ctwhat.htm

*plays theme song for Security Now!*

Really? When I saw the headline I couldn't figure out why Steve Gibson of Gibson Research had a patent issue with Guitar Hero.

(sigh)

Please read up on https/SSL/PKI technology used in web browsers. The SecurityNow podcast did a nice series introducing cryptography and the certification schemes it makes possible.

Cryptographically-signed certificates are verified by the browser and a trusted third party (the certificate authority) as a pre-condition for establishing the link. The encrypted nature of the link is almost beside the point: SSL certs guarantee that the site (somedomain.com) you think you are talking to is the real McCoy. That is why the lock is displayed on the address bar, because it signifies the validity of the domain name currently being accessed.

The certs cannot be faked without being detected by the browser. An attacker would have to somehow steal the private key of the site you're connecting to, or the CA's private key, in order to stage a MITM, arp cache or similar attack undetected.

The system assumes that you know beforehand what domain name(s) you want to connect to. It doesn't try to decide for you which sites are "good" or "bad", it simply ensures that the "bankofamerica.com" server you're connecting with is the one that was actually registered with the CA. Thus, you have to check domain spelling.