I got to be on Bart’s show Let’s Talk Apple at lets-talk.ie. Why Steve and I still buy physical DVDs and how I use DVDpedia from Bruji.com to catalog all of our DVDs, and sync over to Pocketpedia for iOS. Intergalactically famous Honda Bob reviews the POWER-ALL Portable Power Bank to charge your devices AND even jump start a car, which you can get over at Amazon. In Chit Chat Across the Pond Bart explains how he’s programmed his xkpasswd secure password generator and the math behind how he knows the passwords it generates are secure. Check out the project page at http://www.bartb.ie/xkpasswd.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday August 3, 2014 and this is show number 482. This week I had the great pleasure of being on Bart’s show, Let’s Talk Apple with Nick Riley (also known as @spligosh) and the infamous Gary Malpas (aka @Gazmaz). We had a great time, fabulous chemistry and I hope you’ll go check it out at lets-talk.ie. While you’re there, consider poking one of the two support buttons on Bart’s site. You’ve gotten years and years of entertainment and instruction from Bart so throw him a bone to help support his new shows. You can donate via the traditional method of a Paypal button or you can support him via Patreon, which is the gift that keeps on giving. You set up a donation amount per show and if he produces the show, he gets the moola. I figure each show HAS to be worth at least a dollar, but if you’re strapped for cash you don’t have to go that high. If you’re really strapped for cash, have a listen and then give your opinion in iTunes so the shows get some buzz! Ok, let’s get into THIS show already!
In case you missed the memo, Clarify 2 has been released! It’s available in the Mac App Store on sale right now, and on their website at clarify-it.com in more ways than you can practically count! You can get a Mac version, a Windows version, a cross-platform license, an upgrade of any of those and if you bought recently it’s probably a free upgrade! If you do buy through their website, be SURE to use the coupon code JUST for NosillaCastaways. (Listen to the show to get the code!) It’s ONLY good till September 1st so don’t delay.
Clarify 2 has a lot of improved features over Clarify 1 and ScreenSteps Desktop. For Clarify 1 owners, Clarify 2 is obviously the upgrade path for you. But if you own ScreenSteps Desktop 2.9, and you don’t need the collaboration features and knowledge base capabilities of ScreenSteps 3.0, then Clarify 2 would also be the upgrade path for you.
Clarify 2 includes improved exporting options to Dropbox, WordPress, HTML, Word, PDF and Evernote. It also has improved authoring features such as auto-numbering of steps, inline code formatting, indenting/outdenting, multiple images in a step, numeric lists, aligning annotations, and nested steps. Plus, you can put HTML in a step instead of an image. So if you export to WordPress, Dropbox, or Clarify-it.com, you can include things like video embed and it will play in your Clarify document.
But perhaps most important to many of you, it now works on retina!
Here are the details of the upgrade: If you purchased Clarify 1 directly from Blue Mango after April 1, 2013, lucky you! You get a free upgrade. If you purchased ScreenSteps Desktop (2.9) anytime after January 1, 2013, then you will be eligible for a free upgrade to Clarify 2.
If you purchased from the Mac App store you will not receive a free upgrade. But you can take advantage of a price reduction at the App store – from now until August 11, you can get Clarify for only $14.99. After August 11, it will jump back up to its regular price of $29.99
If you need to pay for an upgrade, it will cost $14.99 for Mac OR Windows, and $19.99 for a cross platform. If you don’t have Clarify at all, you can also get it directly from Blue Mango – they are matching the MAS price of $14.99 from now until August 11th, ($24.99 for a cross platform).
Whew – that’s a lot of data so if you missed a price just go over to clarify-it and find the option that’s right for you. A whole pile of NosillaCastaways have been writing in – some with delight that even their MacHeist version was a free upgrade, but everyone is happy it’s finally here!
Chit Chat Across the Pond – Start 21:30 minutes
- HP security researchers warn of yet another reason to avoid IE – a weakness in the sandbox that MS has no intention of fixing – http://arstechnica.com/security/2014/08/microsoft-security-sandbox-for-ie-still-broken-after-all-these-years/
- The TOR project warns than an attack on the network may have de-anonymised users, the attack was on-going for five months –http://arstechnica.com/security/2014/07/active-attack-on-tor-network-tried-to-decloak-users-for-five-months/
- ‘Fake ID’ flaw revealed in Android – OS has not properly validated some certificates since version 2.1 was released in 2010, allowing any app to gain extra privileges simply by including a fake certificate, Google state they have patched the bug and scanned the store and found not apps abusing exploiting the issue – http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
- iOS instagram app does not properly secure connections, making account hijacking trivially easy – http://nakedsecurity.sophos.com/2014/07/30/how-anyone-can-hack-your-instagram-account/
- Cloud users take note – US judge rules US courts have world-wide jurisdiction to demand data be handed over no mater where it’s hosted (the case involves Ireland and I’m not impressed at the disregard for our sovereignty – imagine if an Irish court tried to insist it had jurisdiction in the US!) – http://www.macobserver.com/tmo/article/u.s.-appeals-court-rules-microsoft-must-turn-over-email-hosted-in-ireland
- An up-coming talk at BlackHat called Bad USB is catching a lot of media attention – Naked security has a good explanation of what the fuss is about – http://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/ (there is even speculation this might explain what security researcher Dragos reported seeing last year in what became known as BadBIOS – http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/)
- CIA boss apologises for spying on US Senate – http://arstechnica.com/tech-policy/2014/07/cia-boss-apologizes-for-snooping-on-senate-computers/
- This year’s DEFCON to host ‘SOHOpelessly BROKEN’ home and small office router hacking competition (this P0wn20wn but for SOHO routers like those most of us have at home) – http://arstechnica.com/security/2014/07/sohoplessly-broken-hacking-contest-aims-to-test-home-router-security/
- A cautionary tale from the UK – free WiFi may not be the free lunch you hope it is – http://nakedsecurity.sophos.com/2014/07/30/uk-city-of-york-dangles-free-wi-fi-in-exchange-for-its-residents-data/
- Italian data commissioner gives Google 18 months to update it’s user data handling practices – http://nakedsecurity.sophos.com/2014/07/23/google-given-18-months-to-change-its-handling-of-user-data/
- Siemens still selling industrial control systems that are vulnerable to HeartBleed – http://arstechnica.com/security/2014/07/critical-industrial-control-systems-remain-vulnerable-to-heartbleed-exploits/
Security Medium – The Zdziarski iOS ‘back door’:
- This has generated a lot of media hype with plenty of link-bait headlines decrying doom and suggesting government spying, but much of the coverage was incomplete and a lot of it missed the point
- One reason for this is that the reports come from a presentation given by a security researcher at a security conference, and hence using language in the way a security researcher does, not in layman’s terms. It is normal for security researchers to write from an adversarial perspective, which provides lots of dangerous sounding words, but, an adversarial perspective is not a balanced view, by definition!
- Add to that that the paper is long, and behind a paywall, and much of the reporting is based on just the slides from the talk, which were not meant to be read stand-alone, but simply as extra info for the attendees at the presentation
- What an adversarial view-point describes as a ‘back door’ Apple describe as diagnostics functions, features to enable sync, and features to enable device management.
- What the paper states clearly at the start (but does not repeat over and over again), is that all these functions are only accessible if the computer connecting to the iOS devices is paired with the iOS device. I.e., if it has been plugged into the computer, the unlock code entered, and permission granted to trust the computer.
- What I consider the important points:
- Any computer you pair your phone with is given a set of encryption keys it can use to access your phone (that’s what pairing means). If someone hacks your computer and steals those keys, the attacker can copy those keys onto a different computer, and then that computer will be seen by your iOS device as a paired computer
- Pairings do not expire – the only easy way to get rid of them is to do a factory restore on your iOS device
- It is very difficult to see what computers your iOS device trusts
- It is very difficult to selectively remove a pairing
- If you go to the trouble of using Apple’s Configurator app you can mange the pairings, but realistically, this is the realm of corporate IT, not home users
- Apple could, and should, make it easier to see what pairings exist, and, make it easier to remove any pairings you don’t want
- Apple could, and should, expire pairings after a given amount of time – ideally the dialogue that asks for permission to pair should allow you to choose for how long to pair – an hour, a day, for ever etc..
- What you need to do – if the pairing dialogue comes up when you don’t expect it (say when you plug in to charge somewhere), say no! Avoid pairing with computers you don’t control.
Main Topic – XKPasswd 2 – Time: 44:10
Introducing the whole new XKPasswd Perl Library!
The XKPasswd.net website has not been updated yet (that’s next on the agenda), but the code library that will underpin it is ready for public use, and is now easier than ever to use on your Mac, including with Automator.
- Project Home Page (with donate link): http://www.bartb.ie/xkpasswd
- GITHub page where the code can be downloaded (with quick install instructions): https://github.com/bbusschots/xkpasswd.pm
- Perl Module Documentation (including the philosophy and maths underpinning the design): http://bbusschots.github.io/xkpasswd.pm/pod.html
- Tutorial showing how the module can be used to create a an OS X Service with Automator – https://www.bartbusschots.ie/s/2014/08/16/xkpasswd-2-service-with-automator/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, Blue Mango Learning at bluemangolearning.com makers of Clarify. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at email@example.com, follow me on twitter and app.net @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.