Security Now! Transcript of Episode #143 Page 1 of 30
Transcript of Episode #143
Description: Steve and Leo delve into the detailed operation of the YubiKey, the coolest
new secure authentication device Steve discovered at the recent RSA Security
Conference. Their special guest during the episode is Stina Ehrensvärd, CEO and Founder
of Yubico, who describes the history and genesis of the YubiKey, and Yubico's plans for
this cool new technology.
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-143.mp3
Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-143-lq.mp3
INTRO: Netcasts you love, from people you trust. This is TWiT.
Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting.
This is Security Now! with Steve Gibson, Episode 143 for May 8, 2008: YubiKey. This show and the entire TWiT broadcast network is brought to you by donations from listeners like you. Thanks.
This is Security Now!, Episode 142 [sic], Leo Laporte here, Steve Gibson in Irvine, joining us in our new highly technical studio that isn't really working.
Steve Gibson: With the details still coming together.
Leo: A lot of the details still coming together. Hi, Steve.
Steve: Hey, Leo, great to be back with you for our 142nd [sic] week of Security Now!.
Leo: Practically consecutive. Have we missed any weeks? No.
Steve: No, we have never missed a week.
Leo: Wow.
Steve: Yeah, you and I used to have to bunch them up when you were running around traveling or when we were together...
Leo: Isn't it nice? I don't have to go to Canada anymore, yeah. I mean, that's really simplified things considerably. Very pleased about that. So we have a guest today.
Steve: We're going to have a guest joining us by phone from Sweden. And that'll be someone I referred to two weeks ago, and maybe even last week, and that is Stina, who is the CEO and one of the founders of Yubico, the makers of the YubiKey, which I just happened to stumble on when I was up at the RSA security conference.
Leo: Boy, that was a lucky thing for both of us.
Steve: Really was. Well, and for our listeners, too. They have received hundreds of emails and inquiries from my mention of the YubiKey when I did the episode two weeks ago on the RSA security conference. And I've been in pretty much constant dialogue with Stina and the technical people that they've got. And the news is virtually 100 percent good. I mean, the more I learn about this, they've been evolving their policies - anyway, so this week's episode is the Yubico YubiKey. As we'll see when we get into it, this is an even better authentication solution than I expected it was going to be when I described it last week, or two weeks ago, as the coolest new thing I had seen at the RSA conference.
So this week's episode is Yubico's YubiKey, and I really think - I'm going to go into all the technical details after we have had a chance to speak with Stina. I asked her to come on because she really has a vision for what she would like to see happen with authentication. I wanted to understand, you know, where this wacky name came from, a little bit about the company, and just sort of get a sense for where they are because I know that when we've talked about and explained issues of authentication there's been a strong interest.
Obviously I'm a person, I mean, I'm on record here on Security Now! believing that authentication, you know, getting this problem solved is an enabling factor for the whole future of the Internet as we go from Web 2.0 to 3.0. More applications are moving onto the web. We hear about now there's, like, all this computing in the cloud where corporations are going to be moving more of their infrastructure onto the Internet as we have people who are able to carry that. So in every situation where we've got a network and you don't have your typical - I think we once described it as like the Andy of Mayberry authentication, where you know Aunt Bee, and you know Opie.
Leo: So you give Opie the drugs when he comes to the drugstore for Aunt Bee.
Steve: Exactly. And so here on the 'Net we need a good way of knowing that the person at the other end is who they say. And we've talked about VeriSign solutions and the eBay and PayPal football and the credit card. We're going to talk about something now which is completely open source, no subscription fee, lifetime free authentication. And, I mean, it's - I'm excited because this is, as long as you've got a USB port, this is the answer. It doesn't have a display, as we talked about it before two weeks ago. It pretends to be a keyboard. But you just touch the button and it shoots out into your computer, into for example a web form, this long string of random-looking encrypted stuff that then can be authenticated, either by you or by Yubico or whomever. And the advantage is that there's no cost to anyone for all of this.
Leo: Wait a minute. Obviously there's some cost or Yubico wouldn't have a business model.
Steve: No, they want to sell the hardware. That's all they want to do. Anyway, we'll go over this.
Leo: You're giving it all away. We won't have anything left when Stina calls. So hang in there. Now, do you have any news, anything you want to do before we talk with Stina?
Steve: Oh, yeah. We definitely have some news of the week. One little disturbing bit of news was posted on Dave Jevans' blog. Remember, he's one of the main founders and president of IronKey. He posted the news, I guess it was on Friday, that Anonymizer.com was acquired by Abraxas. And the bad news is that Abraxas provides anonymity services for the national security community - NSA, CIA, DIA, and so forth.
Steve: And so, you know, I'd feel much more comfortable if Anonymizer.com had stayed independent and just themselves rather than now being part of a government contractor.
Leo: Wow. Yeah, you've got to really kind of wonder. Did you ever - have you ever heard the rumors that Facebook was partly sponsored by the CIA?
Steve: I've heard something about that.
Leo: It's a persistent rumor which has been consistently denied, as far as I know.
But it's kind of credible. You would think, if you were the NSA, if you were the CIA, that kind of a great way to watch people would be to be part of these social networks. What better thing to do than buy Anonymizer?
Steve: Yeah, yeah.
Leo: TOR is looking better and better, that's what I...
Steve: I don't know that anything untoward is going on, of course. But I just wanted our listeners to know, if any of them are Anonymizer customers, that Anonymizer is no longer independent. It has been acquired, and acquired by a company that does a lot of business with the three-letter-initial intelligence services of the United States.
Leo: When you said "untoward," did you mean that as a pun?
Steve: You're at the top of your game this morning.
Leo: It's that quinti venti latte, man. You're right, those things work. So let's - okay, so that's one big story. What else is out there?
Steve: Also there was a - this is just sort of just to keep our eye on. A disturbing constant theme of the FBI has been their request for ISPs to retain data. There was a recent congressional hearing where FBI director Robert Mueller again called for federal data retention laws to force ISPs to keep records of what their customers do for two years.
Leo: He's been trying to do this for a long time.
Steve: I know. And what's really confusing is he's not saying what he wants kept. Now, the weakest information that would be kept would probably be at least the IP addresses that customers have had over that period of time, which frankly would not be that burdensome, I mean, for the ISPs to retain. But there's talk about it being all the way up to and including a website trail, that is, what websites people are going to.
Leo: You mean the kind of stuff that Google keeps track of with its web history.
Leo: Oh, actually more than that because Google's only tracking your searches. Your ISP knows everywhere you go because of the DNS requests.
Steve: Oh, yes. Well, it's watching your click stream, as it's now becoming called. And of course he immediately marches out the child porn peddlers and online predators, saying oh, we could do a much better job of catching them. Well, of course everyone is sympathetic to that. But it's creepy to think that this whole, I mean, that our ISP that's connecting us to the 'Net has the power that they do to see everything that we're doing and that they would be required by the government to maintain two years of logs of everything every individual does on the Internet.
Leo: That's the old argument...
Steve: I mean, that's really - I'm sorry.
Leo: That's the old argument, if you're not doing anything wrong, what do you have to fear?
Steve: Yeah, and unfortunately our government doesn't have the best track record of dealing with this kind of information aggregation.
Leo: Well, no government does. And anybody should be suspicious of any government. Yeah, I trust our government, but any government that wants to collect this information, that's a bad thing.
Steve: Yeah. And finally, four researchers at Carnegie Mellon University, UC Berkeley, and University of Pittsburgh, they've come up with an automated, they call it APEG, Automated Patch-Based Exploit Generator. Essentially this thing is able to take a look at Windows Updates, analyze the pre and post patch, and design an exploit for the vulnerability that the patch fixes. And so we've talked about how hackers are looking at Windows Update updates and then manually reverse engineering what it was that was changed. Well, these guys, these computer science researchers have essentially automated that process. And so they are now urging Microsoft - I mean, no. Their point is, if they can do it, so can the bad guys. And we know there's big money behind developing, quickly developing exploits for vulnerabilities. And there's a window of opportunity between the time the vulnerability is known about, the exploit is generated, and everyone gets themselves patched.
So they're urging Microsoft to somehow really work to minimize this vulnerability window. For example, maybe getting the updates all distributed, but having them encrypted so that then a key is provided to just, like, simultaneously decrypt them all in place. Maybe use peer-to-peer networks somehow to push these fixes out much faster.
Because right now, I mean, they trickle out of Microsoft. When you consider the number of systems that need to be updated every second Tuesday of the month, I mean, it's often the case that my computer doesn't alert me that it's got some updates for several days after those patches began to get pushed out. So essentially what's happened is there's been a reaction to this constant patching that we're now seeing from Microsoft.
And these researchers are saying, hey, if we can automate it, so can the bad guys. And you've got to believe that there's a huge incentive for them to do so.
Leo: You bet. You bet. Automated Zero Day. I like that. I mean, I don't like that. But it's, I mean, you have to admire their technical prowess, if nothing else. And you know, it's really all taken off since there's been a financial incentive for them to do it.
I mean, that's the key thing. As long as they can make money at it, well, we'll throw resources at it.
Steve: That's the change in the last five years. This went from being script kiddies screwing around say, hey, look, Ma, what I can do, to now to organized crime saying, okay, we're going to pay you hackers to do that. And it's big money.
Leo: Amazing. Amazing. Any other news?
Steve: Well, I did have one, since we're waiting for Stina to call...
Leo: Well, she's actually here. She's already here.
Steve: Oh, there she is.
Leo: But let's just finish up, and then we'll get to Stina because I don't...
Steve: Well, I had an interesting piece of email that caught my eye, as I always do. This one the subject was "SpinRite helps kids with cancer." And I thought, okay, how is data recovery going to do that? So this is a letter from Pete Harmon that I got a couple weeks ago. It said, "Dear Steve, I wanted to drop you a line and let you know how much good you're doing in so many ways that you probably never considered possible the day you sat down to develop SpinRite." He said, "I'm a FedEx pilot" - so a Federal Express pilot - "and I have gotten a reputation as a computer hobbyist/geek around flight operations."
Leo: Well, if he's listening to Security Now!, that's true.
Steve: Yeah. He says, "On more than one occasion I've provided tech support to friends and fellow pilots." He says, "I run a website for our pilots called PilotSwap.net." And he said, "Several weeks back I got a phone call from Bill, who told me his computer was dead, and he heard I may be able to help. He described the problem, that his laptop was working fine one day in Honolulu and wouldn't boot at all when he landed in Sydney the next day." Obviously carrying FedEx packages across the globe. And he said, "I asked him if he could hear the hard drive spinning, and he said he thought he could, but stated it was just clicking and clicking, but nothing was happening.
was stumped. His computer was simply not going to boot from either CD or the hard drive. So just for grins, I removed the top two screws holding the hard drive panel on and took his hard drive out, brought it home with me. I hooked it up to my PC at home using an EIDE-to-USB cable I have, and the drive spun right up. But it was mostly unreadable and made lots of noise when I tried to access what few files I could even see in Windows Explorer. I rebooted my machine with my SpinRite CD and was able to quickly see Bill's drive. I set SpinRite to work, and about four hours later the data rescue routines were complete.