Amazon’s Secrets | TechSNAP 49

Amazon’s Secrets | TechSNAP 49

Microsoft has released an extremely critical patch, the race against hackers has begun. We’ll give you the details on this important update.

Secrets about Amazon’s EC2 back-end have been revealed, and we’ll share them with you.

Plus, this week’s war story is a real pisser, urine for a treat!

All that and more, on this week’s TechSNAP!

Thanks to: Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before the end of March to secure your own .co domain name for the same price as a .com.

Private Registration use code: march8

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans



Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Support the Show:


Show Notes:

Microsoft releases patch for RDP vulnerability, recommends everyone patch immediately

  • Microsoft has released a major security update to fix two critical vulnerabilities in the Remote Desktop Protocol (formerly Terminal Services), CVE–2012–0002 and CVE–2012–0152
  • The first vulnerability is to do with the way RDP accesses memory that has been improperly initialized or deleted, and allows an attacker to send specially crafted packets to the RDP service and cause attacker supplied code to be executed on your machine, this means the attacker can install a trojan, add full privileged users, access or modify data, and otherwise take over your machine
  • The second vulnerability is a denial of service vulnerability in the way RDP processes packets, where an attacker who exploits the vulnerability can cause the RDP service to stop responding, thereby locking the all RDP users out of the machine
  • The vulnerability affects every version of windows, and Microsoft has released patches for all supported versions of Windows (Windows XP SP3, XP x64 SP2, Vista SP2, Windows 7 SP1, Server 2003 SP2, Server 2008 SP2, Server 2008 R2 SP1, Server 2003/2008/2008R2 for Itanium, and all ‘Core’ versions of Windows Server). Windows 8 Developer Preview is also affected.
  • Official Microsoft Security Bulletin MS12–020
  • List of March updates
  • The Race for MS12–020

Amazon AWS powered by nearly half a million servers

  • Just like Google and others, Amazon does not publish details about their infrastructure, however researches have made an educated guess that Amazon has no fewer than 454,400 servers spread between its 7 data center regions
  • Based on estimates generated by analyzing IP address space utilization, Amazon has approximately 5000 racks full of servers in the various data centers that make up the US-EAST region, representing over 70% of all Amazon Cloud capacity
  • By contrast, it is estimate that the most expensive US-WEST location in Oregon has only 40–50 Racks, which are known to be deployed in containers
  • The article contains more details about the estimate methodology and some contrary evidence
  • Amazon data center size
  • Amazon suffers multiple outages over the past week. March 10: 57 minutes, March 15: 20 minutes TarSNAP creator

    Are multiword pass phrases actually more secure?

  • Is it better to use am easier to remember multi-word pass phrase, or a random string?
  • Research in to the topic has been spurred by the simple fact that auto-complete of dictionary words would simply entering multi-word pass phrases on mobile devices
  • Research in to the advantages of multi-word pass phrases covers some analysis of how users choose random phrases and how they can introduce weakness in to their passwords. The research focuses on data provided from the now defuncted Amazon PayPhrase
  • Research from Cambridge University suggests multi-word pass phrases still vulnerable to dictionary attacks
  • Coverage from Bruce Schneier
  • “even 5-word phrases would be highly insecure against offline attacks, with fewer than 30 bits of work compromising over half of users”
  • Using a sentence makes the password more predictable, it is better to use random words


Reminder: BSDCan is in Ottawa May 11th and 12th at the University of Ottawa
Talks will include:
+ Unified Deployment and Configuration Management
+ Virtually-Networked FreeBSD Jails
+ pfSense 2.1: IPv6 and more
+ Intro to DNSSEC
+ Crowdsourcing security
+ Fast reboots with kload
+ Optimizing ZFS for Block Storage
+ and the BSD-A

War Story:

At one point in my tech support career I managed to get myself transferred onto “Mobiles Gold” which was basically laptop support for corporate customers like Insurance companies. It was a more prestigious position but turned out to have less call volume and when a call did come in, I was only required to work out if the problem was hardware or software. Hardware issues were sent to service sites and software issues were sent to onsite technicians for replacements while reloads were done. Too simple, too boring and I frequently found myself listening to calls from people around me to stay amused.

Thanks to my lack of work at one point I picked up on the following call:

Agent: Ok Sir, when did you first notice that the keyboard on your Aptiva (desktop PC) has stopped working?

User: Eh, it was this mornin’ right after breakfast.

Agent: Have you changed any software or hardware settings recently?

User: I don’t think so. It was working fine last night but today it does nothing.

Agent: Would you happen to have another keyboard in the house that we could try instead?

User: Well, now that I think about it, I might have one in the garage. I’ll be right back,

At this point, the agent started typing up the case in the ticketing tool to save time later but was interrupted by a woman’s voice on the phone.

Woman: Uh, hello? Is anybody there?

Agent: Yes, I’m with IBM Tech Support Ma’am. I’m waiting for the man who called to return.

User: Ok, that’s my husband. Is his computer thingy not working no more?

Agent: No Ma’am. The keyboard appears to be faulty.

Woman: Well, that might be my fault. Since my husband bought that damn computer he’s been paying less and less attention to me. We had a big set to after dinner last night and when he stormed off in his truck….I peed on his keyboard!

Agent: Thank you for that Ma’am, that will definetely help me with diagnosing the problem.

Woman: That’s good. I hope it helps.

Over the next few minutes, the agent had time to think of how to approach this issue with the user and had a devious look on his face before long.

User: Hi there, you were right. The other keyboard works perfectly. Can you send me out a replacement keyboard?

Agent: Yes sir, that won’t be a problem. I just need your credit card details first.

User: Why do you need my credit card details. This computer is only a month old!

Agent: Because I need to bill you for the replacement as your warranty does not cover urination.

I’m sure there was more after that but I was too busy rolling around on the floor laughing to have heard any of it.


Question? Comments? Contact us here!