Risky Business #428 -- Cross-platform Tor Browser pwnership with Ryan Duff

Putting your life in TBB's hands is maybe not so wise...
22 Sep 2016 » Risky Business

On this week’s show we’ll be chatting with security researcher Ryan Duff about the rabbit hole that is the Tor Browser Bundle certificate pinning bug. The bug itself is interesting, but the questions it raises about how suitable Tor is for genuinely critical use are, you know, substantial. That’s a really, really interesting chat with Ryan Duff, coming up after the news.

This week’s show is brought to you by Hewlett Packard Enterprise Fortify! Of course HPE Fortify makes both static and dynamic analysis tools to help their customers weed out bugs in their software… but what are the relative strengths of static versus dynamic? Where should you use these tools? As this week’s sponsor guest Michael Farnum explains, the trend these days is to not only use both, but move them both as far to the left as possible in the development cycle. That’s this week’s sponsor interview, coming up a bit later.

Mark Piper is this week’s news guest.

Oh, and do add Patrick on Twitter if that’s your thing.

Show notes

Snowden Slammed by House Committee Report | Threatpost | The first stop for security news
Researchers wirelessly hit the brakes in a Model S, Tesla patches quickly | Ars Technica
North Korea Has Just 28 Websites | Motherboard
How the FBI Could Have Hacked the San Bernardino Shooter’s iPhone | WIRED
SWIFT hopes to thwart fraudsters with detection system in wake of bank heist | Ars Technica
Hackers Hit ‘Some’ Cisco Customers With Leaked NSA Hacking Tools | Motherboard
Ransomware Getting More Targeted, Expensive — Krebs on Security
Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years — Krebs on Security
KrebsOnSecurity Hit With Record DDoS — Krebs on Security
DDoS Mitigation Firm Has History of Hijacks — Krebs on Security
Someone Is Putting Malicious USB Sticks in Australian Mailboxes | Motherboard
The Cryptographic Key That Secures the Web Is Being Changed for the First Time | Motherboard
Undercover FBI Agent Busts Alleged Explosives Buyer on the Dark Web | Motherboard
Florida Man Found Guilty of Running Child Porn Site ‘Playpen’ | Motherboard
Alibaba fires employees for hacking their way to free mooncakes | Ars Technica
Teenager uncovers route to free Web surfing on T-Mobile network | Ars Technica
Facebook Fixes Vulnerability That Led to Account Takeover, Pays Researcher $16K | Threatpost | The first stop for security news
Bugs in Signal Messaging App Corrupt Attachments, Crash App | Threatpost | The first stop for security news
Bug that hit Firefox and Tor browsers was hard to spot—now we know why | Ars Technica
Mozilla plans Firefox fix for same malware vulnerability that bit Tor [updated] | Ars Technica