In this episode

FTC imposes a $250,000 fine for "false advertising" of encryption

NY wants to ban encrypted smart phone sales

Another clear case of legislators being clueless?
What about all the existing technology, and kit you can buy across state lines?
http://www.zdnet.com/article/apple-iphone-ban-new-york-looks-to-outlaw-sale-of-encrypted-smartphones/

Las Vegas casino is suing cybersecurity firm over "woefully inadequate" work

Are there ethical implications here of a competitor defining negligence?
Burden of proof is on casino to prove "woefully inadequate" - but against what standard?
Does this ultimately raise quality, price or both for IR services?
http://thehackernews.com/2016/01/casino-hacker.html

The FDA issues draft guidance of security guidelines

If everyone is doing it, why not the FDA?
As James points out, why does every industry need their own unique (exactly the same issues as everyone else) guidelines?
Interesting mention of "full lifecycle" and disclosure of vulnerabilities
Of course it's all non-enforceable
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

OpenSSH bug found, fixed

OpenSSH bug creates a "malicious server" scenario
User has to successfully authenticate first, then server can read/steal memory
Can be used to compromise SSH private key from host
Great pivot method if you've compromised an SSH server w/this bug, to compromise the users of the server
http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/

>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast

DtSR Episode 177 - NewsCast for January 19th, 2016