NC #557 CES Impressions, Jacoti ListenApp, PicoBrew, URB-E, Security Stuff

I’ll give you one person’s impression of the adventure they call CES (which isn’t the same for anyone else). We’ll hear interviews from CES. We’ll start with Jacoti about their free iOS ListenApp for the hearing impaired, we’ll learn about the PicoBrew home brewing system, we’ll talk to URB-E about the Compact urban electric vehicle, and we’ll hear about the awesome work SyFy Labs is doing with the TV show The Expanse. Bart Busschots joins us to talk Security Stuff, including explaining the SLOTH attacks, and how the Internet lost their minds about the way Microsoft is handling Windows Disk Encryption Recovery Keys.

mp3 download

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Saturday January 10, 2016 and this is show number 557. We’re back from CES and ready to regale you with an awesome set of recordings from the show. As always we’ll parse these out over time instead of inundating you with too many all at once. The videos will be up on podfeet.com before they’re in the shows so you can peak ahead if you like.

We’ll do four interviews but before that I want to tell you about what CES is actually like. After the interviews we have Security Stuff with Bart. So buckle up, because it’s a monster show!

Blog Posts

What is CES Like?

Jacoti Hearing Technologies’ ListenApp for iOS

Make Craft Beer at Home with PicoBrew

URB-E Compact Urban Electric Vehicle

SyFy Labs Enhances Viewing of The Expanse

Security Stuff

Security Medium 1 – the SLOTH attacks

We have known for a long time that the MD5 hash is very weak, and that the SHA1 hash is weak. You'd imagine that the crypto industry would have responded by abandoning all these hashes altogether, but that's not what happened. Instead, the attitude taken was that these obsolete algorithms would still be used in some circumstances where they were assumed good enough, because they require less compute power than newer hashes. This attitude can be be summarised as ah sure it'll be grand.

It's probably no surprise that many cryptographers felt deeply uncomfortable with this on-going use of MD5 and SHA1.

Some of those cryptographers have been hard at work putting their money where their mouth is, and have released a paper details a list of attacks against main-stream protocols like TLS (HTTPS) and SSH 2 which leverage these protocol's on-going use of MD5 and SHA1 to greatly reduce their security.

To hammer home the point, and, because only security vulnerabilities with a cool name seem to get any traction, they titled their collection of attacks SLOTH, with the backronym Security Losses from Obsolete and Truncated Transcript Hashes.

So, if these attacks work against HTTPS and SSH, it must finally be time to set out hair on fire right? Not quite. The attacks are, for now, either not practical at all, or, only practical for large organisations with a lot of resources.

The real story here is that the ball has been firmly thrown into the industry's court – both the TLS and SSH protocols need urgent revision to expunge all the legacy cruft from them.

Security Medium 2 – Windows Disk Encryption Recovery Keys & OneDrive

The internet lost it's collective mind over a questionable practice by Microsoft. When you encrypt your disk, the data is utterly inaccessible without the key. If you forget your password, all your data is lost. This is not something most muggles are used to – they expect Microsoft to be able to help them if they lose a password. To meet this expectation, MS saves a copy of the key in your OneDrive.

By having a copy of the key in your OneDrive, your disk is still protected from thieves, and, you can get your data back even if you forget your password. However, it means MS can be forced to give the key to government actors, and it means anyone who hacks your OneDrive gets your disk encryption key too.

The problem here is that MS do this without making it clear that is what is going on, and, without asking for permission. Apple have a similar feature in OS X where they offer to store a copy of your key in iCloud. The big difference is that Apple ASK you if you want to do this, and allow you to say no.

IMO, the mistake MS made was not providing this potentially very useful feature, but not being transparent about it, and not asking our permission first.

If you have Windows, and you encrypt your disks, you can remove the keys from OneDrive – it's just annoyingly fiddly. First you have to delete the key from OneDrive, then you have to generate a new one, and make sure that new one never gets pushed to OneDrive.

Important Security Updates

Apple release a security update for QuickTime for Windows – support.apple.com/…
Adobe patch a Flash zero-day – krebsonsecurity.com/…

Important Security News

GM embraces white-hat security researchers with new public vulnerability disclosure program (editorial by Bart: given the auto-industry's security record, it's great to see moves like this out of Detroit) – arstechnica.com/…
Uber reach a settlement with the NY attorney general to end two probes into the company. Uber will pay a $20k fine for not reporting a data leak in a timely fashion, and, will implement a list of changes to better protect user data – nakedsecurity.sophos.com/…
Google removed 13 Android apps from their official Play Store after they were found to be malicious, making un-authorised downloads, and attempting to root the phone so they could not be removed. The apps had millions of downloads, and rave reviews, but, that is at least in part down to the fact that the compromised apps downloaded each other, and left each other rave reviews! If you are infected with this malware, your only option seems to be to re-flash your device – arstechnica.com/…
This month's Android bug fixes includes a patch for another stage-fright-like bug in the media server component of Android. If you have an Android be sure the patch managed to filter through to you – nakedsecurity.sophos.com/…
Don't believe the headlines claiming OS X was the most vulnerable OS of 2015 (editorial by Bart: it boils down to the old cliché lies damned lies and statistics) – www.intego.com/…
All IE versions older than 11 will be obsolete next week – they will receive their last ever patches in the January Patch Tuesday. If you're still on IE 8, 9, or 10 (let alone anything older), you need to upgrade to 11 – EVEN IF YOU BROWSER WITH A THIRD PARTY BROWSER! IE is a part of the OS, your Windows computer can't be secure if you have an obsolete IE installed – nakedsecurity.sophos.com/…
Security firm Rapid7 warns users of Comcast's home security system that these systems are vulnerable to attacks that render them useless – arstechnica.com/…
A British security researcher finds spectacular security vulnerabilities in a burglar alarm that meets supposedly high EU standards – nakedsecurity.sophos.com/…
Google slam AVG for force-installing a buggy Chrome Plugin that neutralised some of Chrome's own security protections – arstechnica.com/…

Notable Breaches

There is growing evidence that Dell's customer database has been compromised. There are ever more reports of people being phoned by scammers who know all about them, and their Dell product, including the products makes and models, service tags, and, the history of support calls relating to the devices. If someone phones pretending to be from Dell – be on your guard, even if they appear to know everything about your Dell product – arstechnica.com/… & www.10zenmonkeys.com/…
TimeWarner and Linnode are warning of possible breaches – arstechnica.com/…