Your passwords sux!

I have facebooked that LastPass is the tool everyone needs to be using.  I am not always clear as to why I select the tools that deserve your attention.  Every week I get some news and security tidbits from the podcasts below.  What I love about this particular source of information is that Steve Gibson provides ALL the details, dives deep and leaves no stone unturned.  I know this is the second post in a row about Steve’s stuff – but I really did get a Facebook message from a cousin today asking why he should trust LastPass with his passwords.

The short answer is that LastPass does not get your passwords (not exactly).  All that is sent to them is your encrypted stuff.

Most, if not all, of the password decryption runs in your browser – though it may look like it is happening on their site.  I am no longer 100% clear on this, so I will have to re-listen to the first podcast below myself.
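Here is an added sketch (my own illustration, not LastPass code, and not a description of their exact protocol) of the idea the podcast covers: the master password never leaves the client. The vault key is derived locally, a separate one-way login hash is what goes to the server, and the server only ever stores a verifier of that hash plus the encrypted blob. The iteration count, the HMAC-based stream cipher standing in for a real cipher, and the ToyServer class are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the "zero knowledge" idea: everything that
# needs the master password happens on the client; the server only keeps
# a login verifier and an opaque encrypted blob.
ITERATIONS = 50_000          # illustrative count, not any product's real value

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client: stretch the master password into the vault encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client: one extra one-way step. This is all the server ever sees of
    the password, and it cannot be reversed into vault_key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _subkeys(vault_key: bytes):
    """Separate encryption and authentication keys from the vault key."""
    enc_key = hmac.new(vault_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client: verify the tag before touching the ciphertext."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class ToyServer:
    """Hypothetical service side: holds no password and no vault key."""
    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        # The server re-hashes what it receives, so even its database
        # does not contain the login hash itself.
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.accounts[email] = {"salt": salt, "verifier": verifier, "vault": encrypted_vault}

    def login(self, email: str, login_hash: bytes):
        acct = self.accounts.get(email)
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], ITERATIONS)
        return acct["vault"] if hmac.compare_digest(candidate, acct["verifier"]) else None

def client_session(server: ToyServer, email: str, master_password: str, vault_plaintext: bytes):
    """Full round trip: derive keys, register, log in again, decrypt locally."""
    vault_key = derive_vault_key(master_password, email)
    login_hash = derive_login_hash(vault_key, master_password)
    server.register(email, login_hash, encrypt_vault(vault_key, vault_plaintext))
    blob = server.login(email, login_hash)
    return decrypt_vault(vault_key, blob), vault_key, login_hash

def server_can_decrypt(server: ToyServer, email: str, login_hash: bytes) -> bool:
    """Someone holding only what crosses the wire (login hash + blob) fails."""
    try:
        decrypt_vault(login_hash, server.accounts[email]["vault"])
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    srv = ToyServer()
    plain, vk, lh = client_session(srv, "alice@example.com", "correct horse battery staple",
                                   b"site=example.com user=alice pw=hunter2")
    print("decrypted locally:", plain)
    print("server can decrypt:", server_can_decrypt(srv, "alice@example.com", lh))
```

The point to take from it is the split in `client_session`: `vault_key` and `login_hash` come from the same master password, but only the second one is ever transmitted, and the extra one-way step means the server cannot work backwards from it to the key that opens the blob.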

Lastpass and why you can trust it:
Text http://www.grc.com/sn/sn-256.htm Audio http://media.grc.com/sn/SN-256.mp3

Lastpass and why you should use it:
Text http://www.grc.com/sn/sn-366.htm Audio http://media.grc.com/sn/SN-366.mp3

There are some password recovery items the paranoid should look into and disable (but think, know, trust, what you are doing when you do so).

Always Swim Up

Math is fun, yes indeed.

I love to listen to these guys chat, Leo and Steve.  Recently I needed to get a friend up to speed on secure key exchange.  Not the simplest topic on the roster.  Just how do we share a secret over the Internet when we know others are watching and intercepting our communications?  We do it with math.  Math, when used like this, forces you to want to learn even more math.  Really, math is fun and you will be smart if you learn math.

The first 15 minutes of this podcast prove to me that the more math you can take in the better off you will be in life.

http://media.grc.com/sn/SN-034.mp3 100% relevant regardless of when it was recorded.
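To make the "we do it with math" part concrete, here is an added Diffie-Hellman walk-through written for this post (my own example, not from the podcast). Both sides agree on a prime and a generator in the open, each picks a private exponent, and they swap only the public values; the eavesdropper sees everything on the wire yet ends up with the same problem as everyone else, a discrete logarithm. The prime and generator are deliberately tiny assumptions so the numbers stay readable and so the brute-force function can actually finish; real deployments use groups of 2048 bits or more, or elliptic curves.

```python
import hashlib
import secrets

# Constructed toy parameters. 104729 is prime; at this size the discrete
# log below is trivial, which is exactly the point of the demonstration.
P = 104_729
G = 5

def make_private() -> int:
    """Each party's secret exponent, never sent anywhere."""
    return secrets.randbelow(P - 2) + 1

def make_public(private: int) -> int:
    """g^private mod p: safe to send in the clear."""
    return pow(G, private, P)

def shared_secret(my_private: int, their_public: int) -> int:
    """(g^their)^mine = g^(mine*their) = (g^mine)^their; both sides agree."""
    return pow(their_public, my_private, P)

def session_key(shared: int) -> bytes:
    """Turn the agreed number into a symmetric key (hash as a simple KDF)."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()

def exchange(alice_private: int, bob_private: int):
    """Return the eavesdropper's view of the wire and both derived secrets."""
    alice_public = make_public(alice_private)     # Alice -> Bob
    bob_public = make_public(bob_private)         # Bob -> Alice
    wire = {"p": P, "g": G, "A": alice_public, "B": bob_public}
    alice_secret = shared_secret(alice_private, bob_public)
    bob_secret = shared_secret(bob_private, alice_public)
    return wire, alice_secret, bob_secret

def brute_force_private(wire: dict) -> int:
    """What an eavesdropper must do: solve g^x = A mod p by trial.
    Feasible only because P is tiny; at real sizes this loop never ends."""
    p, g, target = wire["p"], wire["g"], wire["A"]
    for x in range(1, p):
        if pow(g, x, p) == target:
            return x
    raise ValueError("no exponent found")

if __name__ == "__main__":
    a, b = make_private(), make_private()
    wire, ka, kb = exchange(a, b)
    print("on the wire:", wire)
    print("Alice and Bob agree:", ka == kb, "key:", session_key(ka).hex()[:16], "...")
    print("eavesdropper recovers exponent", brute_force_private(wire), "because p is toy-sized")
```

Run it a few times: the public values change, the two sides always agree, and the shared number never appears on the wire. Then imagine `P` with 600 decimal digits instead of six and ask how long `brute_force_private` takes; that gap is the entire security argument.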

Who did not see this one coming? Verified by…

Visa and others.  The first time the “Verified by Visa” page came up, you said, “Cool, this is a very good thing; Visa is making the web safer.”  If you thought that, you can now go to the back of the class.  You should have been thinking: what sort of phishing scam is this?  Where is the URL bar for this pop-up, and why would I sign up for this service from this little dialog on some site?  Does Visa even have a web site?  Does my bank know about this?

Now for those of you at the back of the class the zbot botnet has been augmented to shoot phish in a barrel.  You are the phish unfortunately.  Thank you Visa for the swimming lessons (NOT).

Click to read more news on the zbot botnet and how it is mimicking the Verified by Visa screens.

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=56#sID301

If you can think it – cloud computing – supernova

Everyone wants to have a cloud “solution” and I respect that.  Few define what a cloud is but that’s not really the point.  For this post I’ll assume Google or Amazon like clouds that provide raw compute or storage.

He he.. So you have a huge bot net, and you are having a tough time selling denial and destroy functionality.  The whole extortion racket is a little hard to maintain?  This is the post for you!

Why not convert the amazing power and storage capabilities under your control to sell “legitimate” cloud computing solutions.  I mean do we REALLY know those other players have actual databases and physical machines for their clouds?  Maybe they just have enough code running on enough people’s machines to provide a service people will pay for.  You could rent some big buildings, make them “secret”, use huge amounts of power to heat pools and play indoor whatever games, write it all off as expense, and have people pay you to use other people’s computers as part of your cloud service offering.

In today’s tough times with the FBI and other agencies getting wise to all your prior antics – isn’t it time to step it up a notch?

Heck, your bots can be distributed as legitimate software that allows people to take part in providing cloud resources.  You may even pay people to join their computers to your cloud system.  Half a million PCs or so and you can resell almost all of that capacity as if it were your own.  How cool will that be!  Why not 10 million machines!

In fact – you’d be so big and so popular that you could be called something entirely new.  Those little puffy clouds would look silly far up in the sky, disconnected from everything, raining here and there but not everywhere.  Nothing on Earth could describe the power.  We’d have to call it “Black Hole” computing.

Join the darknet