We explain how two French researchers hacked the Google Titan security key product (but why you don’t need to panic), and dig into the Mimecast certificate compromise story to see what we can all learn from it.
With Kimberly Truong, Doug Aamoth and Paul Ducklin.
Intro and outro music: Edith Mudge.
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
WHERE TO FIND THE PODCAST ONLINE
You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.
Or just drop the URL of our RSS feed into your favourite podcatcher software.
If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
Kolja
Even though I just recently discovered your podcasts I do love them, so kudos!
However, regarding the “oh no” of the week I think you missed the point there, which I am not sure the author intended to make, but still think it is important: Confusion about terminology can be a security risk!
Granted, in this case with the teachers and just understanding the term “subject” differently than the support staff it was just for a laugh and I don’t see a deeper issue here, BUT(!) with other terminology it can get very dangerous.
Let me make a very basic example: If a person asks their colleague to send them their (the colleagues) “key”, this could mean a multitude of things, from a physical key of your home, to a keycard for your office building, or even a SSH key, and within the last one even more than one thing: The private key, the public key, or the pair. The term “key” could even have a long list of other meanings.
It’s likely not the best example one can come up with but I think you’ll understand what I’m getting at. Again, I am not sure if the author actually tried to make that point, I’ve experienced however more than once that terminology confusion caused wildly different results than intended (which is a security risk if it is about an security-related issue).
Paul Ducklin
I don’t think the issue in this particular story was the ambiguity of “reading” (as teaching subject) versus “reading” (as in IT issue, e.g. accessing a file or loading data from a USB key [see what I did there?]).
The original author of the complaint was quite clear that he thought teachers were stupid because they thought he’d be interested in knowing anything about their job. (I wouldn’t be at all surprised if the teachers put their department affiliation in the support request because they are obliged to – probably for budget apportionment reasons – in other cases where they are asking some central support team for help.)
IMO the original author’s remarks were a sad example of the sort of gracelessness in behaviour that’s easy to fall into if you work in a faceless and depersonalised job in a tech support centre, where every contact has to come through a ticketing system and is expected to describe their problem in the sort of clinically dehumanised way that sometimes makes answering the question much quicker and easier – and thus cheaper! – but always makes the process less interesting while at the same time making the final answer less educational.
Methinks that the author could learn a lot from the attitude (perhaps it is a motto?) that was adopted by the teachers I tended to learn the most from when I was at school: “There’s no such thing as a stupid question. Only a stupid answer.”
However, you are right about taking care in choice of words. A simple example is “since”, which in English is used to mean both “from the time that” and “because”. I have found that, in technical writing, it really confuses speakers of other Germanic languages if you use it the sense of “because” – they have to read the sentence a least twice to decode it. The simple fix is to stick to the word “because” to mean “because”, and so that is what I do now.
Kolja
Yeah, I didn’t mean to say that I disagree with that point. For what its worth, I was more pointing to the ambiguity of the word “subject”. If the ticket-form would instead have a more sensibly labeled input field such as “Problem name” it might have avoided the confusion altogether (just like in your because/since example).
Chris P
Thanks, you gave me the idea of reading catch 22 again :)
Paul Ducklin
To understand the dilemma so that it doesn’t make you cynical, you need to read the book. But reading the book, where the dilemma is clearly explained, makes you cynical, so you should avoid reading it.