Gov 2.0 Special Tonight

Friday, 27 August 2010, 3:50 pm
Tags: ,

At 5p Pacific/8p Eastern on we’ll be looking at the future of Government with

Join us and discuss Government 2.0.

Live now: Security Now 263

Wednesday, 25 August 2010, 10:14 am
Tags: , ,

tiny-sn.jpgLive now: Security Now 263 with Steve Gibson, our 99th Q&A episode. Watch live at, chat at, or comment here!

Security Updates:

Adobe forced to release Out-Of-Cycle Updates after BlackHat & Defcon:

  • Not scheduled until October 12th but couldn’t wait.
  • Upgrade Adobe Reader to v9.3.34 for Windows/Mac/Unix
  • Adobe Acrobat to v9.3.4 for Windows/Mac
  • Adobe Reader & Acrobat to v8.2.4 (cross-platform).

Google Chrome: v5.0.375.127

    Fixes 10 vulnerabilities, two of which are considered critical and six of which are considered high risk. Google did not release any details about the vulnerabilities. It blocked public access to its bug-tracking database to prevent the flaws from being exploited before most people were upgraded to the latest version of the browser. One of the critical flaws could be exploited to cause memory corruption; the other could cause a crash on shutdown.

Apple: Security Update 2010-005

84 Mb Security Update

  • Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
  • Description: A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.
  • CFNetwork: (Core Services Networking Framework)
  • Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections.
  • Impact: Multiple vulnerabilities in ClamAV
  • Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may
    lead to arbitrary code execution. This update addresses the issues by updating
    ClamAV to version 0.96.1. ClamAV is distributed only with Mac OS X Server systems.
    Further information is available via the ClamAV website at
  • Impact: Opening a maliciously crafted PDF file may lead to an unexpected application
    termination or arbitrary code execution
  • Description: A heap buffer overflow exists in CoreGraphics’ handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
  • Impact: An attacker in a privileged network position who can obtain a domain name that
    differs only in the last characters from the name of a legitimate domain may impersonate
    hosts in that domain
  • Description: An issue exists in the handling of certificate host names. For host names
    containing three or more components, the last characters are not properly compared.
    In the case of a name containing exactly three components, only the last character is
    not checked. For example, if an attacker in a privileged network position could obtain a
    certificate for www.example.con the attacker can impersonate This
    issue is addressed through improved handling of certificate host names.
  • Impact: Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitary code execution.
  • Description: A buffer overflow exists in PHP’s libpng library. Loading a maliciously
    crafted PNG image may lead to an unexpected application termination or arbitary code
    execution. This issue is addressed by updating libpng within PHP to version 1.4.3.
  • Impact: Multiple vulnerabilities in PHP 5.3.1
  • Description: PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most
    serious of which may lead to arbitary code execution. Further information is available via
    the PHP website at
  • Impact: An unauthenticated remote attacker may cause a denial of service or arbitrary code execution.
  • Description: A buffer overflow exists in Samba. An unauthenticated remote attacker may
    cause a denial of service or arbitrary code execution by sending a maliciously crafted
    packet. This issue is addressed by performing additional validation of packets in Samba.

Security News

Microsoft/Windows: New Problem: “Binary Planting” / Application DLL Load Hijacking

Acros, a Slovenian security firm last Thursday, published an advisory that identified what they call a “binary planting” flaw in iTunes. If a file type associated with iTunes is opened from a remote network share, iTunes will *ALSO* try to load one more specifically named DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

DLL Search Order used by LoadLibrary(EX):
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable

Apple patched the problem in Windows iTunes last March with v9.1 From my own cursory examination using HDMoore’s Audit tool:
CorelDraw, Windows cscript & wscript scripting engines, Firefox, WinRAR, Wireshark.
MSFT: “Insecure Library Loading Could Allow Remote Code Execution”
Microsoft told UC Davis Ph D candidate/researcher:

Microsoft will not issue patches to fix the critical DLL (dynamic link library) flaw in multiple applications, but will instead address the
issue in future Windows and Office service packs.


In the US, the eight privacy-breach class action lawsuits have been consolidated into one and
that may be joined by five others. Google sued in Spain over data collection. NYT: Judge in Spain orders Google representative to appear before her. Meanwhile, for Germany, Google offers an “optout tool” for Street View, available for eight weeks.

Spanair’s 2008 crash which killed 154 of 172 people because take-off flaps and slats failed to extend as they should have, may have malware implications

Spanair’s Maintenance System was infected with malware, believed to have been spread
through a Flash Drive, which might have prevented it from alarming about the problem which,
had it done so, would have grounded the plane pending investigation. Internal Spanair documents pointed to “Trojans” causing its central computer — designed to monitor fault messages transmitted from the aircraft — to fail.

Windows 7 graphics-related kernel problems found (grumble)


Question [ 01 ] – Nick in New Brunswick, CANADA wonders about “The Math
behind Password Strength”

Hi Steve, love the show, and love the way you explain complex
issues. I was wondering if you could explain the math behind password
strength sometime and how bit-entropy relates. I have been doing a lot of
research and discovering more questions that need answering.

For example, when someone says, the NIST recommends a 128 bit
password… how is that calculated. I understand that bit entropy is
calculated by LOG2 of a base (where the base is number of possible
characters), and by multiplying that result with the number of characters in
the password you achieve a bit entropy length for the password. But is that
the same as stating “my password is x Bits long” ?

Question [ 02 ] – Joshua Backes in Shreveport, LA believes that he got “rebound”…

I believe that our Netgear router at my job, where I am the computer
tech, had fallen victim to this new type of attack! A few weeks ago our
computers started randomly redirecting to a few different websites as well
as a… and would not load the page intended. After
reinstalling windows on two machines, we discovered they began
redirecting within in a couple minutes. Our final resolution was to reset the
router to default … then the rest of the computers began working fine.

Question [ 03 ] – Thorarin Bjarnason in Vancouver, BC, Canada is concerned that:
“Michael McCollum’s Wikipedia page is being considered for deletion”

Hi Steve,

You pointed me towards the Gibraltar Series. I downloaded Gibraltar
Stars today and did a wiki search on the author, only to find his wiki page
being considered for deletion.

I think that Michael’s page should be kept, not only because I think
his Gibraltar series is great Sci Fi and worth note, but also because I think
his business model is interesting. He sells easily copyable PDFs directly to
consumers who can choose, rightly or wrongly, to distribute the digital
content immediately, and widely.

I think his trail-blazing methods of selling his wares is of potentially
more note than his literature, and this alone should justify his existence on

Perhaps you can help summon the security now army to keep his page
on wikipedia, and maybe the more literate among us can contribute to his

Yours Truly,
Thorarin Bjarnason

Question [ 04 ] – Harold Kravatsky in Florida found a Windows LNK-Checker that
works with Widows 2000:


I have w2k and I wanted protection from the .lnk exploit. Sophos had
a program but it only works with xp, Vista and win 7. I tried it and it would
not let me install on win2k.

I searched further and found a program from G Data that runs under
Windows 2000. After installing it I had to restart Windows 2000 to
complete the installation. The icons still look normal. Below is more info
from G Data.

Harold Kravatsky, Happy SpinRite customer

Question [ 05 ] – Toby Wilkins in Wales, United Kingdom rightly worries about the
new “Contactless Payment Systems”

Hello Steve,

I have some information you and security now listeners may be
interested in regarding a new “feature” my Bank in the United Kingdom is
rolling out to all its customers. Wireless credit card payments! (Barclays
bank is a very large bank chain in the UK.)

Today I received my new Barclays bank debit card. I Opened the
letter to find a small booklet boasting Barclays new “contactless” wireless
payment feature built in to the card. UH OH *Alarm Bells*.

The booklet claims payments of up to £15 (~$25) can be made from
any new “contact-less” enabled debit (credit?) card by simply holding it
close to a newly released reading device. NO PIN IS REQUIRED!

I called up the information number (freephone 0800 009 4220). The
polite lady confirmed the above and stated this feature is being rolled out
with all new Barclay cards.

I asked what was to stop a thief walking around a busy railway station
with a reader. Her defense was these devices are physically big, but
admitted she had never been asked this question before. We know that
readers are only going to get smaller and I’m sure its only a matter of time
before hackers rustle up a nifty little reading device to take advantage of
this. When asked, she did not know if the technology used RFID. (blackhat
& defcon spring to mind)

Okay, so only £15 will get taken. This adds up to a lot of money
when taken from hundreds of passers by in a public location. What happens
if a card is “pinged” or “virtually swiped” a number of times under the
counter while you pay? Even with manual swiping of cards, Signatures and
pin numbers; card fraud and “skimming” earns thief’s big bucks. Adding a
wireless, no pin “feature” is only going to make this game much easier for
the bad guys.

In the UK nearly all credit/debit card transactions take place by
inserting the card into a physical reader and typing your personal PIN
number in to the device. When I visit the united states, this does not seem
to be the system used. I have never understood why the US has not adopted
this system like we have in the UK.

I hope you found this information interesting. I’m a great fan of the
show. I recently graduated from university with a computer security degree
with a first class honours results. I am sure that listening to Security Now
was the reason for this great result.


Question [ 06 ] – Antonio Lorusso in Swindon, UK has a thought about “Strict
Transport Security”

Hello Steve & Leo,

You spoke of one small problem with STS in that if a computer
connects to a fraudulent site, say a site trying to imitate before
it has connected to the real to receive the STS token the user
will not be protected. Here is one solution.

If I were operating an STS site I would ask for browsers that support
STS to come pre-installed with an STS token with a large expiry date for
my site. This would not even require browser manufacturers to take the
burden of verifying the validity of the request for a pre-installed STS token
simply by insisting that the request is digitally signed for the site requesting
the pre-installation of the STS token. Pre-installed STS tokens could also
be added or updated by browser updates.

The only theoretical fly in the ointment for pre-installed STS tokens
that I can see is that this requires that the provision of browser software and
browser updates be secure. However if browsers software is not being
provided in a secure manner we have more serious problems than the STS
system being compromised, but it would be something to bear in mind with
this pre-install system.

Question [ 07 ] – Thomas Crowe in Virginia Beach, VA worries about a “Self Denial
of Service attack on STS”


First of all I want to say that I’ve been listening security now since
the very beginning, well maybe since episode 10 and quickly caught up.
Thanks for the great podcast!

After listening to your latest podcast number 262, Strict Transport
Security a second time, I started to think about enabling this on my own
web site. But I realized that I could easily shoot myself in the foot if I were
ever to decide not to keep up with my site’s SSL certificate.

Another troubling scenario in general would be: what if a domain
name changes ownership at some point? That domain would not be
accessible by someone who sells it unless they use SSL for the next 40
years or so (whatever the last STS token was set to).

It would make sense to somehow tie this to DNS, where the
ownership of control of the domain is actually implemented. It doesn’t
make nearly as much sense to put this in at the HTTP level — where it is

I think the browser should somehow check against the DNS
expiration date or see if it was renewed. As it is now, it just seems to be a
temporary fix and not a real solution to the problem. Any thoughts to this?
Anyways, thanks for the show. I really enjoy listening every week!

Question [ 08 ] – Matt Bender in Madison, WI wonders about “Adoption Delay”…


Every now and again when listening to Security Now! you make
(usually proud) reference to the fact that you’re still on XP, and not too long
ago we know that you were still using Windows 2000. So, like you, I’m
cautious about adopting new technology the minute it comes out so it can
get the bugs worked out. For example, I would never buy a new model line
of car the first year it comes out. From what I can remember, your
reasoning in not adopting the latest technology/OS is just that very reason,
it’s too new and the bugs need to be ironed out as well as possible security

But based upon your reasoning, if you’re still using XP, why have you
adopted the iPad? It’s a new technology running a relatively infant OS that
has some proven security flaws… I’m not bashing the iPad (or any
technology for that matter), in fact I really like it (I don’t have one
though…). I’m just wondering what your thought process is on adopting
new technology both for you personally and for use at “GRC”.

Take care and keep providing quality work!

Matt Bender

Question [ 09 ] – Steve in Florida worries that “STS will block the adminstration of
his router due to Linksys cert mismatch!”

Steve, great show on STS. I’ve been using it in NoScript for a long
time. BUT … whenever I log on to my router’s administration page, I get a
certificate mismatch error, essentially: “You are trying to connect to However, the name on this certificate is Linksys… (etc.)” I
click past it, but from what you said, I wouldn’t be able to do that when
STS is fully implemented.

I have configured the router’s admin page to accept secure
connections only, to help prevent my wireless network being used by a bad
guy to mess with the router. It seems I’d have to disable that, allowing
insecure connections to the router, or else I’d never get past the certificate

Of course, the default password has been changed, but I’d still hate to
change the security settings on the router admin. Any thoughts?

Question [ 10 ] – David Jaundrew (pronounced John-Drew) in Victoria, BC, Canada
came up with an STS-based Denial of Service Scenario:

Hey Steve,

Great discussion on Strict Transport Security! I was very excited to
hear about this new security feature, though I thought of a scenario that
could allow STS to be incorrectly enabled for non-HTTPS sites using a
man in the middle attack:

– A Starbucks WIFI hacker sets up a man in the middle attack for a
user connecting to the open access point.

– The user attempts to connect to a site that does NOT have HTTPS
support (i.e. http://randomblog.example/) MANY don’t!

– The hacker intercepts the HTTP: request, returning a page that
redirects the user’s browser to httpS://randomblog.example/

– The user’s browser then attempts to connect via the HTTPS URL,
which is AGAIN intercepted by the man in the middle attack (likely using
on-the-fly self-signed certificates). The hacker now sends back an HTTPS
page with the STS header, thus enforcing and requiring the use of HTTPS

– The user clicks through the certificate warning, and the browser
reads the STS header, adding the site to its list of STS-enabled sites.

– The user is now no longer able to connect to
http://randomblog.example/ from ANY internet connection, as their
browser now requires an HTTPS connection, to which the server does not

Now granted, the application for this is strictly a Denial of Service attack
on the individual user, as once STS is enabled, the browser would then be
forced to require proper certificate authentication for the intercepted site.
I suppose my two questions are:

– are the STS headers able to be initially sent when the site is using a
self-signed certificate?

– where has my logic failed me?

Thanks for the podcast, and congratulations on five years!

I Got My Binky Back!

Monday, 23 August 2010, 2:48 pm
Tags: ,

I'm a happy Buzzer!It is fixed. Thanks so much to the Google Buzz team which tracked down a pretty nasty bug in Buzz that had made me invisible for 17 days (see my post from Sunday morning).

In their own words…

From: Google Buzz Team To: @Leo Laporte

Thanks for reporting this issue — and sorry we didn’t get to the bottom of it until today. You helped us uncover a very rare bug that has existed for a while, one that only someone with a ton of followers was likely to uncover.

Here’s what happened: If one of your followers deleted their Google Account (this probably happened around August 6th), Buzz failed to deliver your post to all of your followers. Your post still existed in your Buzz stream, it just wasn’t sent properly to the people who wanted to see it.

We’re in the process of fixing this bug now, and it should be resolved in the next day or two. We’re really sorry that you had this experience and really thankful that you reported it to us so we could fix it.

I’m happy to say the bug is fixed, I’m back on Buzz, and the lesson is learned. I’ll start content here on my blog, but push links to it to Buzz, Twitter, and Friendfeed. Any comments you post on those fora will be automagically piped back into my comments here (thanks to JS-Kit Echo). Best of both worlds.

And thanks to everyone on Buzz and at Google who put up with my tantrum!

Buzz Kill

Sunday, 22 August 2010, 1:06 am
Tags: , , ,

Was you ever stung by a dead bee?Something happened tonight that made me question everything I’ve done with social media since I first joined Twitter in late 2006.

You know me – I’m a complete web whore. I sign up for every site, try every web app, use every service I can find. It’s my job, but I also love doing it. I believe in the Internet as a communication tool. I love trying the myriad new ways people are using it to connect and I believed that social media specifically had some magic new potential to bring us together.

When Google announced Buzz last year I was one of the first to jump on the bandwagon. I welcomed a competitor to Twitter that had the community features I loved in Friendfeed and Jaiku, and I thought Google had the best chance to create a second generation social network. I defended Google for its initial privacy stumbles and I began to use Buzz exclusively, replacing Twitter, Friendfeed, and Facebook. I built a following of over 17,000 people. I was happy.

Then last night I noticed that my Buzzes were no longer showing up on Twitter (I use a service called Buzz Can Tweet that has been pretty reliably rebroadcasting my Buzz posts to Twitter.) I looked more closely at my Buzz feed and noticed that there had been considerably less engagement over the past few weeks. Then I noticed that I wasn’t seeing my posts in my Buzz timeline at all. A little deeper investigation showed that nothing I had posted on Buzz had gone public since August 6. Nothing. Fifteen posts buried, including show notes from a week’s worth of TWiT podcasts.

Maybe I did something wrong to my Google settings. Maybe I flipped some obscure switch. I am completely willing to take the blame here. But I am also taking away a hugely important lesson.

No one noticed.

Not even me.

It makes me feel like everything I’ve posted over the past four years on Twitter, Jaiku, Friendfeed, Plurk, Pownce, and, yes, Google Buzz, has been an immense waste of time. I was shouting into a vast echo chamber where no one could hear me because they were too busy shouting themselves. All this time I’ve been pumping content into the void like some chatterbox Onan. How humiliating. How demoralizing.

Thank God the content I deem most important, my Internet and broadcast radio shows, still stand. I believe in what I’m doing there, and have been very fortunate to have found an audience. I’m pretty sure I would have heard from people if there had been 16 days of dead silence there. Hell, if we miss one show I get hundreds of emails. But I feel like I’ve woken up to a bad social media dream in terms of the content I’ve put in others’ hands. It’s been lost, and apparently no one was even paying attention to it in the first place.

I should have been posting it here all along. Had I been doing so I’d have something to show for it. A record of my life for the last few years at the very least. But I ignored my blog and ran off with the sexy, shiny microblogs. Well no more. I’m sorry for having neglected you Leoville. From now on when I post a picture of a particularly delicious sandwich I’m posting it here. When I complain that Sookie is back with Bill, you’ll hear it here first. And the show notes for my shows will go here, too.

Social media, I gave you the best years of my life, but never again. I know where I am wanted. Screw you Google Buzz. You broke my heart.

On The Road To Las Vegas

Tuesday, 5 January 2010, 8:55 pm
Tags: ,

fear_loathe_.jpgWe’re off on the road to Las Vegas for the 2010 edition of the Consumer Electronic Show, or as it’s known around here, nerdstock.

I haven’t been to CES since 2004 and I’m sure looking forward to it. This is the premiere technology event of the year with 100,000 visitors, thousands of exhibitors, and dozens of football fields worth of booths. I’m bringing the entire staff down along with most of our gear for the most complete coverage TWiT has ever done for an event.

Dr. Kirsten Sanford will join me as co-host and we’ll be getting visits from many of the TWiT regulars including Paul Thurrott, Dick DeBartolo, Scott Wilkinson, Wil Harris, Ryan Shrout, Tom Merritt, Becky Worley, Patrick Norton, Roger Chang, and on and on. Not to mention interviews with CES keynoter and Ford CEO, Alan Mulally and other luminaries.

We’ll be streaming live from the parties Wednesday and Thursday evenings, and all day Friday, Saturday, and Sunday from the CES show floor, and doing many of our regular shows including The Tech Guy, The Daily Giz Wiz, Windows Weekly, and TWiT and TWiG. Watch live at as usual, or subscribe to our special CES podcasts at

Thanks to SYNC, Citrix, and Audible for sponsoring our trip, and the hard work of the entire team for making it possible. See you in Las Vegas!

UPDATE: Here’s how to follow us in Vegas

Podcasts: (click the Subscribe dropdown to add the feed to iTunes, Zune, etc.)


Text Updates: (watch for the #CES hashtag) (I’ve decided to focus on Foursquare for location updates)


Pictures: – I’ve hooked up my camera to autopost to Flicker via Eye-Fi

Everything I do is also piped to my Friendfeed account.

Battle The TWiT Army

Thursday, 27 August 2009, 6:14 am
Tags: ,

generaltwit.pngThe TWiT Army has finally found a battle it might be able to win. The .comwars Tech Community Outdoor Laser Tag and Picnic this Labor Day, September 7, at Junipero Serra Park in San Bruno.

We’re fielding a team commanded by General Colleen Kelly with buck privates Tony Wang, Erik Lanigan, Lisa Kentzell, Mike Kentzell, Abby Laporte, and me. (We can have up to 10 players so I’m going to recruit a few more TWiTs – preferably someone who can run through the woods without stumbling on a log or crying for his mommy.)

makeloveandwar-combat1.jpgYou can come and watch for $15 which includes a catered picnic lunch, or field a team for $52/player which includes rental of state-of-the-art radio-based Battlefieldsports outdoor lasertag equipment rented from specopsliveplay. We’re looking for a few teams we can beat play – I’m talking to you Google and Apple! Sign up at

Thanks to Ziggy and Funcrunch for putting this cool event together!

State of the TWiT 2009

Monday, 17 August 2009, 8:09 pm
Tags: , , , , , ,

Here’s the latest from the TWiT Cottage. We’ve been pretty busy!

First, Colleen has done it again! Introducing Streamasaurus…

Streamasaurus is a worthy successor to Skypesaurus, and in a similar vein. Skypeasaurus is the four-machine Skype setup I described here last March. This time we’ve created a six-computer setup to support our streaming video. Each computer will serve one stream: BitGravity high and low quality streams (right now that 1mbps and 350kbps), Stickam, Ustream desktop and Ustream iPhone, and a sixth (we’re looking at providers now – your input is welcome).

Streamasaurus consists of six Mac mini computers, two running OS X for our Bit Gravity streams, and the rest running Windows and Flash Media Encoder for our other providers. We use three analog-to-digital converters to convert the S-Video output from our video switcher and analog audio from our mixer (well it’s analog for a few more days – more about that in a minute) into the Firewire audio and video our Macs require. We’re using Canopus ADVC converters: one ADVC 700 and two ADVC 110, each with dual outputs for a total of six streams. The Macs are connected to our symmetric 9Mbps Ethernet-in-the-First-Mile (EFM) broadband connection from

We built Streamasaurus to give us more — and more consistent — streams. For the first year TWiT Live was streamed on Stickam alone using a Dell laptop and an ADVC 300. In February we expanded to stream on and Bit Gravity. More providers give you more choices, and provide us with more reliability. But they also require a more sophisticated set of streaming computers. Hence, Streamasaurus.

We are using Streamasaurus to take advantage of a special feature offered by BitGravity. When you watch the stream at the player will automatically adapt to your bandwidth, giving you our highest quality stream (a whopping 1Mbps) if you can handle it, or a 400Kbps stream if you can’t. If you use VLC you can choose to play either high,, or low, stream directly. You’ll really see the benefit of this when we upgrade our cameras and switcher to HD. We’re waiting for Newtek to release the Tricaster HD, and as soon as it does we’ll go hi-def. Expect that later this year.

And that leads me to item two: We are making a major upgrade to the studio this week. On Thursday, after Paul and I finish Windows Weekly, Colleen and a crew from Telos Systems will pull out our all our analog audio cables and lovely Onyx mixer and replace them with CAT-5 and an Axia system from Telos. This is an all-digital system consisting of a honking big dedicated computer system called the PowerStation and a control surface that looks like a mixer. All the audio comes and goes over Ethernet, though. The only analog devices remaining in the studio will be the mics, but their output will be quickly turned into bits and passed along into the PowerStation via CAN-bus. This all-digital system will sound cleaner and be much easier for us to use. We’re very grateful to Telos, and Kirk Harnack, Telos’s Executive Director for International Development for making this possible. It’s a major upgrade to the audio for all our shows.

Finally, I would like to welcome two new employees to the TWiT family. Erik Lanigan is a 2009 Florida State graduate who converted the Student Broadcast Center into a podcast production studio, edited some hilarious student videos, and has worked part-time as the IT guy for his dad’s law practice since the age of 13. He has interned for the Colbert Report, is a fantastic audio and video editor, and a great fellow all-around. Erik will be working with Tony Wang on audio and video editing, but like all the TWiT staff he’ll be pitching in everywhere, and you can expect to see him on the air from time to time, as well. We’re thrilled that he survived the arduous TWiT interview process.

We’ve also hired a business manager. Lisa Kentzell started a year ago as our part-time bookkeeper and has proven so invaluable that we’ve asked her to officially come on board. She built her previous business from five people to 150 and has already put TWiT on a much more sound financial footing. Lisa will help us manage our growth as we continue our march to become the CNN for geeks. We’re so glad to have her expertise and twisted sense of humor.

Frankly, running the business was beginning to take its toll on Dane. He’s off this week taking a well-deserved vacation. When he comes back, and dries out, he’ll be taking a larger role in content production and show development.

Thanks to all of you for making this possible. TWiT wouldn’t exist without our incredible community. Remember, before there was Twitter, there was TWiT. And before there was TWiT, there was you. Thanks for all your support!

(Incidentally – take a look at our cool new comment system, Echo from JS-Kit – let me know what you think!)

Go West Young Man

Monday, 29 June 2009, 7:55 am
Tags: , ,

asia.jpgI’m off for China on Thursday with my son, Henry. As you’ve probably figured out by now I love to travel. Last year I was lucky enough to visit Egypt, Australia, and France, but going to Asia has been a lifelong dream. I was a Chinese Studies major in college and yet I’ve never been closer to China than a one week trip to Singapore a decade ago.

I began planning for this trip last year when Neil Bauman of Insight Cruises asked me to go on MacMania 9. I love these Geek Cruises but I’ve been so busy building up TWiT that I haven’t had a chance to take one since 2006. When Neil told me the itinerary included China, Korea, and Japan I knew I couldn’t miss this one.


I’ve been working on four lectures for this cruise: 60 iPhone Apps in 60 Minutes, 60 Freeware Apps in 60 Minutes, Using a Mac mini as a Home Theater PC, and Using Social Media for Fun and Profit. They’re far from done but that’s what trans-Pacific flights are for, right?

The cruise itself is pretty quick and we only get one day each in Cheju, Korea, and Fukuoka and Nagasaki, Japan, so I opted for a one week land tour of China in the week before the trip. There’s no way I was getting that close to China and spending only one day there. Eight days is not nearly enough to see the vast Middle Kingdom, but Don McAllister of Screencasts Online, Henry, a half-dozen other intrepid Mac fans and I will get to hit the highlights: Beijing, Xi’An, and Guilin.

I’ve posted my full itinerary on – what a cool site. You can forward your confirmation emails to them and they automatically build your itinerary, plus there’s an API so a number of third party programs can also use the data.

IMG_0043.PNGThere’s a free Tripit app for the iPhone but I’m using Travel Assistant Pro instead. It updates flight information and helps you store checklists and notes. Plus there’s a cool presentation mode you can use for check-in at hotels and airports. Friends can view my itinerary on Tripit, too – and I can share details with other members.

I hope to post regularly from Asia. I’m buying an International Data Plan from AT&T for my iPhone and the hotel has broadband. I expect to be using the full social media toolkit including Brightkite, Twitter, Facebook, Smugmug, and Flickr. All of it pipes right into Friendfeed so that’s probably the best place to follow my trip.

Dom’t worry, TWiT will continue mostly intact while I’m gone. There won’t be much live video, but we pre-recorded all The Tech Guy, Security Now, and Daily Giz Wiz podcasts. Additional shows were recorded for FLOSS Weekly, net@night, and Windows Weekly, too. John C. Dvorak will host TWiT on July 5 (tune in early at 5p Eastern/2p Pacific for a special wine Q&A with John). I’m not sure yet who will host on 7/12.

There will also be some special events on TWiT Live. July 15 Chris Marquardt will take over the studio with a full day of photography interviews and information. I hate to miss that! And Alex Lindsay will be in (new baby willing) on many other days to host shows.

I’ll be back live July 19. See you then!

UPDATE: Don McAllister has one-upped me with a lovely iWeb page he’ll be using to post from the trip.

TWiT TV for Windows 1.10

Wednesday, 15 April 2009, 6:03 pm

Thanks so much to Graphics Point Engineering LLC for writing an amazing Windows app for watching TWiT Live. You can choose from the Bit Gravity, Ustream, and Stickam feeds, chat in the IRC or Ustream chat rooms, visit other TWiT sites, and even listen to Geoff Smith’s anthemic “I’m A TWiT” song.


Download a copy for any version of Windows here.

For Peter Elst’s Adobe AIR app that runs on Windows, Mac, and Linux, read on!

TWiT Live Desktop 2.0

Wednesday, 15 April 2009, 3:55 pm
Tags: , ,

The great Peter Elst has done it again.

The TWiT Live Desktop 2.0 is out. It’s written in Adobe AIR so it will work on Windows or OS X…

[airbadge]TwitLive,, 2.0, null[/airbadge]

If you don’t have AIR already installed the installer will download and install it first, then install the app.

A couple of things you need to know about using it. Double-click on the video to go full-screen. Right-click (or control-click) on the window to get the pop-up menu. From there you can open the Interactive window which has links to chat, the Army, the calendar, and more.

A really nice, minimum screen real estate, maximum functionality app from Peter. Thanks!!!!

« Previous PageNext Page »