Episode 13 of the Naked Security podcast is now available.
This week I step in to host the show with Sophos experts Mark Stockley and Greg Iddon.
We discuss Twitter’s two-factor authentication faux pas [10’51”], the risks of copy and pasting code from Stack Overflow [22’20”] and an Android zero-day with a difference [35’50”].
This week we’re recording an additional episode about the cultures of social media in honour of National Cybersecurity Awareness Month, so come back later this week to listen.
Listen below, or wherever you get your podcasts – just search Naked Security.
rrogers31
A suggestion: how about a database/list (i.e. a common resource) that people can go to, to check that the “version number”/patch is current? You have to realize that reeling off a string of numbers and letters is both un-memorable and changes on a very regular basis. I run about 3-4 operating systems at home and make mistakes in getting the correct can of soup at the store. I do have automatic updates on, but sometimes I take systems off-line for a while, and also don’t always trust vendors to update in a timely manner.
Paul Ducklin
As dull as those CVE numbers are, they were devised as a vendor-agnostic, “one true way” of relating updates that you download to the actual bugs they’re supposed to patch.
CVEs always have the form CVE [dash] the year they were found as four digits [dash] a four or five digit number. Once issued, *they never change*, and that’s by design.
The problem with common resources that give handy lists is that they end up being indexed by yet another number – for example, Sophos has its own sequence of Knowledge Base numbers, starting KB-; each Linux distro has its own Security Advisory series; Microsoft has its own identifiers; and so on. So many attempts to tame the “security bugs have boring numbers so here is a friendlier list” problem simply make it worse.
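As an added illustration of the point made in the comments above (example code written for this page, not code from the podcast, from Sophos or from MITRE): because a CVE identifier has a fixed, vendor-neutral syntax and never changes once issued, it is the natural key for cross-referencing the vendor-specific advisory series mentioned above. The parser below recognises the `CVE-<four-digit year>-<sequence>` form; it accepts a sequence of four or more digits, since the CVE syntax in force since 2014 no longer caps the sequence at five digits, and it rejects years before 1999, when the first CVE IDs were issued. The advisory identifiers `VENDOR_A_KB-0001` and `DISTRO_SA-42` and their text are constructed for the example and are not real advisories.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE ID syntax: "CVE", a dash, a four-digit year, a dash, then a sequence
# number of at least four digits (no upper bound since the 2014 syntax change).
# \b on both sides stops "CVE-2019-1234a" or "XCVE-..." from matching.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

FIRST_CVE_YEAR = 1999  # the CVE programme issued its first IDs in 1999


@dataclass(frozen=True, order=True)
class CveId:
    """A parsed CVE identifier; ordering is by (year, sequence), numerically."""
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to at least 4 digits,
        # so "cve-2019-0001" and "CVE-2019-0001" compare and print identically.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(token: str) -> Optional[CveId]:
    """Parse one token as a CVE ID, or return None if it does not fit the syntax."""
    m = CVE_RE.fullmatch(token.strip())
    if m is None:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        return None
    return CveId(year, seq)


def extract_cves(text: str) -> list[str]:
    """Return the unique, canonicalised CVE IDs found in free text, sorted by year then sequence."""
    found = {CveId(int(y), int(s)) for y, s in CVE_RE.findall(text) if int(y) >= FIRST_CVE_YEAR}
    return [str(c) for c in sorted(found)]


def index_by_cve(advisories: dict[str, str]) -> dict[str, list[str]]:
    """Invert a mapping of vendor-specific advisory ID -> advisory text into CVE ID -> advisory IDs.

    This is the join that a vendor KB number, a distro security advisory and a
    Microsoft identifier all have in common: the CVE they claim to fix.
    """
    index: dict[str, list[str]] = {}
    for advisory_id, body in advisories.items():
        for cve in extract_cves(body):
            index.setdefault(cve, []).append(advisory_id)
    return index


# Constructed sample input (not real advisories): mixed case, a seven-digit
# sequence, and two malformed IDs that must be ignored.
SAMPLE_TEXT = (
    "Fixed: cve-2019-0001, CVE-2019-12345 and CVE-2019-1234567; "
    "not CVE-19-1234 or CVE-2019-123."
)

# Constructed, hypothetical advisory series from two different vendors.
SAMPLE_ADVISORIES = {
    "VENDOR_A_KB-0001": "Addresses CVE-2019-0001 and cve-2019-12345 in product X.",
    "DISTRO_SA-42": "Backported fix for CVE-2019-12345 to the stable branch.",
}

if __name__ == "__main__":
    print(extract_cves(SAMPLE_TEXT))
    for cve, refs in index_by_cve(SAMPLE_ADVISORIES).items():
        print(cve, "->", ", ".join(refs))
```

Running the script lists the three well-formed IDs from the sample text and shows that the two constructed advisories, with their unrelated numbering schemes, both resolve to `CVE-2019-12345`; the CVE ID, not either vendor's own number, is what lets the two be matched.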