This week we’ve got the last two video interviews from CSUN Persons With Disabilities Expo. We’ve got RSLSteeper from RSLSteeper.com and Autismate from Autismate.com. In Dumb Question Corner, I show Steve Mandala how to record an Internet radio stream using Audio Hijack Pro from rogueamoeba.com. In Chit Chat Across the Pond we’re going to put the nerd beanies on pretty tight. First Bart walks through how to lock all of your preference panes, then we go full speed as Bart answers Ryan Sakamoto’s question on whether email is secure on our smart phones and how to digitally sign and encrypt your email with S/MIME.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday March 31, 2013 and this is show number 412. This week we’ve got the last two video interviews from CSUN Persons With Disabilities Expo. We’ve got RSLSteeper from RSLSteeper.com and Autismate from Autismate.com. In Dumb Question Corner, Steve Mandala asks me to write, or get someone to write him a script to record an Internet radio stream and I get him an even easier and better answer. In Chit Chat Across the Pond we’re going to put the nerd beanies on pretty tight. First Bart walks through how to lock all of your preference panes (and of course he made a Clarify tutorial on that). Then we go full speed as Bart answers what was SUPPOSED to be a Dumb Question Corner from Ryan Sakamoto on whether email is secure on your smart phone. Hang on for that one, but first I have to complain again about trying to watch television.
Rock of Ages
oh, it’s like TV, not on demand
what channel is HBO?
did a search using TiVo, found it on 398
turns out it’s in spanish
moved to Netflix
not avail on Netflix
switched to iTunes
Type2Phone stopped working
Can only buy, not rent.
Switch to Usual Suspects
can only buy, not rent
switch to Amazon instant video via TiVo
needed 5-digit PIN
found the PIN
“Unsupported Format – this device cannot support the format requested”
Watched Dodgeball on DVD
I got a letter this week that really made my day, and we thought you might enjoy hearing it. It’s from John Haller. He wrote:
I was food shopping and listening to your podcast and you were ranting about the markings on a gadget which were a O and a vertical line you defined as “pipe.” This is a particular marking that I have been confused about for years. I was so happy that I wasn’t alone. Some dumb person thought this was intuitive. He was wrong. My sons always give me a hard time. Dad, can’t you remember? No Dammit.
And then you referred to your Dad saying that additional car options were just “more things to go wrong.” I about fell over laughing. The other shoppers looked quizzically at me wondering what I was listening to. My Dad always said that about gadgets, and he had a point back in the 50’s. He was referring to air conditioning and power windows. Now I won’t buy a car without it, but I always evaluate an option with him in mind.
And then you ranted about cars and big trucks. I have a big truck and love it. And you little car people annoy me. I had to drive a small car for years until I could afford a real vehicle made in America. I accept your apology.
In any case, I am in awe of your skill in producing a podcast which moves effortlessly and is informative and entertaining. Your honesty in describing your abilities and lack of abilities is remarkable. Makes you very human and easy to relate to.
Ok, that last part was just self serving for me to read but I really enjoyed this entire letter. I wrote back to John and explained that he MUST be my long lost (older) brother, because my dad was ALSO talking about power door locks and windows when he used to say “just something else to go wrong.” I’m so glad he’s forgiven me for my comments about big trucks.
I’ve got two video interviews from CSUN Persons With Disabilities Expo. Last year I interviewed some folks who were working on a prototype of a device that would be plugged into an iPad, and which would tap into the VoiceOver controls and allow a mobility impaired person to use physical switches to control the iPad. That company didn’t come to production, but RSLSteeper did just that. I’ll play the audio for you here, and when you’re done listening you might want to head over to podfeet.com and watch the video.
At CSUN Persons With Disabilities Expo there are a lot of cool solutions for those with Autism, specifically using iPads. This device that most of us use for watching videos and checking email or doing important tasks like playing Fruit Ninja can actually change the lives of those who haven’t been able to communicate before. It’s mind bending to see what a difference the ingenuity of developers combined with a “magical” device have done for families dealing with these challenges. Let’s listen to the folks from Autismate and hear about their applications. Again there’s a video that’s helpful to watch over on podfeet.com, but we’ll listen to the audio now:
Dumb Question Corner
Steve Mandala wrote in with a question that wasn’t dumb at all, except I have a much easier answer than he asked for. Here’s his email:
Hi Allison, I love the show, I listen to it every week. I heard on one of your recent shows that you created an AppleScript to perform a certain task. I’m looking to do the following: Go to a certain website every weekday at 1 PM ET and record a radio station for 20 minutes only. Save the file so I can listen to it later in the day.
Can you or one of your talented listeners create a script like this or do a screen steps so I can create it myself. The website I would like to record is newyork.cbslocal.com/station/wfan/. This might sound strange but I like to listen to the opening of this sports talk radio show everyday but I’m not always available to have it on. Thanks for your help in advance.
My first instinct was to try to do it myself, but since I’ve successfully written one script, and I mostly copied stuff from other people and combined them cleverly, that would probably be a bad idea. Then I thought about trying to trick Dorothy into doing it for Steve, but since I gave her an extensive assignment this week involving scripting and using a cronjob, that might not fly with her. The good news is that then I remembered there’s a super easy way to do this that doesn’t require any programming skills at all, just the purchase of one of my favorite applications from a great developer.
The application to solve all of this is Audio Hijack Pro from Rogue Amoeba. I use Audio Hijack Pro every week to help create the live show. This app allows you to “hijack” the audio from any application or hardware device, including system sounds. Once you’ve hijacked the audio, you can pipe it somewhere else. I won’t go into how complex my operation is after that, it would just scare you off. Let’s get to the problem Steve wants solved instead.
In Audio Hijack Pro, like I said, you can define an application, so in Steve’s case we’ll choose a web browser to hijack, say Firefox. In the left sidebar of the application, click the plus sign in the bottom left, which opens a new hijack source that says simply “Select a Source”. If you click on the Input tab, you get an option to choose the application.
On that same page there’s a checkbox to Open a URL/File/AppleScript, and after checking that box you can drop in the URL to CBS Local that Steve wants. Now that’s all well and good to record NOW, but any dope could do that. The real magic is the next tab, called Schedule. In there it invites you to click the plus button to add a timer. The default is to be on, and to record from 10-11pm Monday through Friday. I think they do that so it’s real obvious how it works and how to change it. You can easily make it any day and time you want and set the duration.
At the very bottom of that window there’s a section that says When Timer finishes: and it defaults to Do Nothing, but you can have it execute some scripts (which we don’t need) or we can set it with the pull down to actually quit Audio Hijack Pro. There’s also a checkbox above that to actually quit the source too, so it will quit Firefox when the recording is done.
The next tab you care about is the Recording tab, and in there you can set the location for your saved files. You can also set the name of your recordings, and they nicely show you some options on how to name them with things like date and time markers. You can change the quality of the recordings as well; the default is a 128kbps stereo MP3 which is pretty good for most things, but if you’re either chintzy on space, or an audiophile, you might want to fiddle with those settings. There are a TON more options in Audio Hijack Pro, but I don’t want to scare you guys off with too many options.
One thing I did notice is that Steve will have to get the full url that shows when you click the Listen Live button, which is actually http://betaplayer.radio.com/player/sports-radio-66-wfan-ny. I tested this out by quitting Firefox and setting the timer a few minutes ahead, and sure enough Audio Hijack Pro launched Firefox to the right url and started recording the audio stream. I tested to see if Audio Hijack Pro would launch itself at the prescribed time but that didn’t work, so it appears you do have to have Audio Hijack Pro running so that it’s waiting for the time to record. I suppose if you were clever, you could use the Automator Action I taught you last week to create a calendar event that simply launches Audio Hijack Pro so it’s got time to settle back into an easy chair and get ready to record on time.
Audio Hijack Pro is a grand total of $32 from rogueamoeba.com/audiohijackpro and if you can’t spell Amoeba there is of course a link in the fabulous shownotes. Unfortunately there’s not an app store version of Audio Hijack Pro, because this is just the kind of messing around between Apps that Apple is trying to protect us from now. I’m sure glad there’s still a way to use the interesting applications to solve interesting problems. I like the walled garden but I want a door in it for when I need to go out and play. I hope this answers your question Steve, and I bet you’ll find more and more fun things to do with Audio Hijack Pro.
In Security Light coming up next, Bart will be answering what was supposed to be a dumb question about how to make sure preference panes stay locked when you close system preferences. Evidently it’s hidden pretty well, but Bart figured it out. What do you think he did after he figured it out? Well of course he created a tutorial using Clarify from BlueMango Learning. After he created the tutorial, he published it to his Evernote account. I knew you could do that to store the tutorial files, but next he did something I didn’t know you could do. Inside Evernote there’s a Share button that allows you to publish the tutorial to the web. The cool part about that method is that it also gives the Clarify document to people in case you want to share that so they can edit for their own use or to keep locally. It’s good to know it CAN do that but sometimes you don’t want to share your work for editing. If that’s the case, from within Clarify you can click the share button and it goes up to clarify-it.com but you’re just giving people the tutorial, not the Clarify document. I think it’s really cool that Bluemango Learning have created so many different ways you can post your content. If you want to buy Clarify, use the big Clarify logo on the left side of podfeet.com, or if you want to try before you buy, head on over to BlueMangoLearning.com and use their free 30 day trial.
Chit Chat Across the Pond
Followup Regarding Locking System Pref Panes
Last time we talked about locking down the ability to change the time on the Mac as a way of protecting against the sudo bug, and I said “just close the padlock and you’ll be grand” – but it seems that the padlock keeps defaulting back to open unless you change the default for all padlocks in System Preferences to closed. The option to do that is quite well hidden, so I created this Clarify tutorial on how to lock Preference Panes once and for all (thanks to Jim Sewell for the question about this):
Important Security Updates:
- Apple release iOS 6.1.3 (http://support.apple.com/kb/HT5704) – patches two lock screen bypasses, but a new one has since surfaced, though it is even more complex: it involves popping out the SIM at exactly the right moment and only affects people with Voice Control enabled from the lock screen: http://www.zdnet.com/apple-ios-6-1-3-fix-contains-another-lock-screen-bypass-flaw-7000012912/
- Apple release OS X 10.8.3 and Security Update 2013-001 – http://support.apple.com/kb/HT5672
- Apple surprise many by patching Safari on OS X 10.6 Snow Leopard – http://www.intego.com/mac-security-blog/apple-shocks-security-world-with-safari-5-1-8-for-snow-leopard/
- Apple release Apple TV 5.2.1 – http://support.apple.com/kb/HT5702
Important Security News:
- It’s been a good news bad news two weeks for Apple ID security – they had to take their iForgot password reset page offline because of a common coding error (http://www.imore.com/anatomy-apple-id-password-reset-exploit), but they also released two-factor auth. The setup process for two-factor auth gives users very clear information about the pros and cons of setting it up, and about how it will work, but I still found this how-to from TMO helpful: http://www.macobserver.com/tmo/article/how-to-enable-two-step-authentication-for-itunes-icloud
- A new Mac Trojan called Yontoo surfaces – Apple respond quickly by blocking it via XProtect – http://www.intego.com/mac-security-blog/apple-updates-xprotect-to-detect-yontoo-adware/
- An anonymous security researcher has mapped the internet using a ‘benign’ worm and discovered that a staggering number of devices on the internet have open telnet ports with default usernames and passwords. This gave the researcher access to millions of internet-connected devices running Linux that could be leveraged to spread the worm and continue building the map. The worm was about as white-hat as you could make a worm – it didn’t brute-force passwords but just tried a few common combinations (things like admin+admin or root+password). Once in, the worm scoped out the resources on the device, and only ‘infected’ it if it had enough resources that running the worm would be unlikely to kill it. After a certain amount of time the worm then deleted itself. The important take-home is that there is a staggering number of devices on the internet that could be taken over by any botnet with only the tiniest of effort and put to malicious use. These are mostly embedded devices that have not been explicitly configured to have telnet on, but have simply been plugged in with their default settings left intact. We are talking mostly things like routers and printers. What should you do about it? Simple – run the “Common Ports” ShieldsUP! test on yourself (https://www.grc.com/shieldsup). If you see all stealth or closed next to the ports, you’re good (even if it says FAILED at the top). If you are interested in learning more, Steve & Leo have a great discussion about this on Security Now Episode 396: http://www.grc.com/sn/sn-396.htm
- We need to stop advising people to hover over links to see where they go – that is REALLY easy to fake (http://nakedsecurity.sophos.com/2013/03/26/anatomy-of-a-feature-change-link-after-clicking/) – the best advice is still to get people to type in addresses from emails themselves rather than clicking, and on the web in general to check the URL bar after you arrive, not before you click. It would be trivial, for example, to make a link look like it goes to PayPal but instead take you to another site that looks like PayPal to get you to enter your password. If you look before you click you will be hosed. If you look after, you will spot the problem before you enter your details.
- Facebook plugs another privacy hole (this one exposed things like political beliefs and sexual orientation by leaking the events users had attended despite having set that information as private) – http://nakedsecurity.sophos.com/2013/03/21/facebook-plugs-timeline-privacy-hole/
- A new tool underscores what has been known for a long time – Skype leaks your IP address to the world – http://krebsonsecurity.com/2013/03/privacy-101-skype-leaks-your-location/
- Google share as much information as they legally can (which is not a lot) about the US government’s spying activities on Google users – http://www.wired.com/threatlevel/2013/03/google-nsl-range/
- Security concerns over Samsung’s custom version of Android – http://threatpost.com/en_us/blogs/vulnerabilities-continue-weigh-down-samsung-android-phones-032013
- Microsoft does a U-turn with regard to Flash in IE10 in WindowsRT/8 – http://news.cnet.com/8301-1023_3-57573755-93/microsoft-backs-away-from-flash-ban-in-ie10/
Main Topic – Understanding Email
Dumb Q from Ryan Sakamoto:
“How secure is email on your iPhone or smart phone?
With people having access to their email 24/7 on their smart phone, what are the odds of a hacker grabbing any information from my iPhone?”
This deceptively simple question is actually very difficult to answer, and I think the best approach is to take some time to explain how email works, and the things you can do to protect yourself as much as possible.
Ultimately though, email is an inherently insecure medium – I like to think of it as the digital equivalent of the postcard.
There are three protocols involved in sending and receiving email:
- SMTP (Simple Mail Transfer Protocol) – this is the protocol used to send email, both from your computer to a mail server and from one mail server to another. It is the protocol used to transport email across the internet. It is OLD, having first been defined in an RFC back in 1982 – http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
- POP3 (Post Office Protocol Version 3) – this is a protocol for downloading email from a mail server to a mail client. POP is also an old protocol, the first version dating from 1984 and POP3 from 1988 – http://en.wikipedia.org/wiki/Post_Office_Protocol. POP3 really should be obsolete by now, but quite a few people still use it. If you do, consider changing to IMAP.
- IMAP (Internet Message Access Protocol) – this protocol allows a mail client to access email messages stored on a remote server. If modern PR had been around when it was invented in 1986 (http://en.wikipedia.org/wiki/IMAP) it would have been called “cloud email”, because it gives a view into a “cloud” server rather than pulling messages down from the server to store them in a local email client. If you have more than one device that needs access to your email then IMAP is for you. In the modern connected world, IMAP really is for almost everyone!
The thing to notice about these three protocols is that they are OLD! They date back to the early days of the internet, and suffer from the same problem as all the venerable old internet protocols do: they were created in a more innocent age when security just wasn’t a consideration. Annoyingly, with the exception of Telnet, which has now been mostly replaced with SSH, most of these insecure-by-design protocols are still in use. It’s inexplicable to me that ANYONE would use FTP in the 21st century, but we do, and we also still use SMTP, POP3 and IMAP despite their inherent insecurity. We have put some bandaids onto these old protocols, but they are of limited use – more on them later.
The life cycle of an email:
So – lets say I want to send an email to Allison – how does that work?
I start by opening a mail client of some sort, be it an app on my Mac, phone or tablet, or by using a web-based email client like GMail, and typing the email. I enter Allison’s address, which will be of the form [identifier]@[domain_name], I enter a subject, I type my message, and I hit “Send”. My mail client will then contact the SMTP server it has been configured to use (it might be an SMTP relay belonging to my ISP, or an SMTP server belonging to my email provider). The SMTP protocol is entirely in plain text, and is so old that it is actually written to be human-readable! When lecturing Information Processing a few years ago one of the assignments I gave my students was to send an email by telnetting to port 23 on the university’s mail server and manually issuing the SMTP commands – it is staggeringly easy!
Below is a sample SMTP conversation:
Server: 220 mail.example.org ESMTP ready (version header and greeting)
Client: HELO client.example.org
Server: 250 mail.example.org
Client: MAIL FROM:<firstname.lastname@example.org>
Server: 250 OK (or an error message)
Client: RCPT TO:<email@example.com>
Server: 250 OK (or an error message)
Client: DATA
Server: 354 End data with <CR><LF>.<CR><LF>
Client: Subject: My Subject
Client: (blank line, then the text of the message)
Client: . (a line containing only a full stop ends the message)
Server: 250 OK, queued
Client: QUIT
Server: 221 Bye (server closes the connection)
This all happens over an unencrypted connection – so you can see how trivial it is to eavesdrop on an email as it is being sent to the SMTP server.
Once the SMTP server gets the email, it makes a DNS query to get the MX (Mail Exchanger) record for the recipient’s domain name. It then has the same SMTP conversation with the SMTP server specified in the MX record as the client had with it – so again, your email is flying through the internet unencrypted.
The SMTP server pointed to by the MX record is often not actually your recipient’s mail server, but some form of mail gateway that processes the mail in some way (e.g. spam filtering and/or virus scanning) before using SMTP yet again to pass the mail on to your recipient’s actual mail server (there could be any number of hops between the originating SMTP server and the recipient’s mail server).
Once the mail is on the recipient’s server, their mail client (again, it could be an app or a web app) will then retrieve the email, using POP3 to transfer the mail from the server to their client or IMAP to view it on the server. POP3 and IMAP are also human-readable plain-text protocols just like SMTP, so again eavesdropping is trivially easy, and worse still, you have to send a username and password to the server over POP3 or IMAP!
If you are in an internet cafe sending and receiving email then all your fellow diners, and everyone outside but still within wifi range can:
1) read any email you send
2) read your username and password (and if you re-use those elsewhere …..)
3) read any email you download via POP or read via IMAP
Bandaid 1 – SSL/TLS:
Clearly, something had to be done, so there have been some updates to try to retrofit some security onto these protocols. The approach was very similar to that taken with HTTP: SSL/TLS was bolted on to give encryption between clients and servers. HOWEVER, not all email providers support SSL/TLS, so you need to check your mail settings to see whether or not you are using these optional security bolt-ons.
The biggest risk is that communications between your mail client and your mail servers will be intercepted by someone else on the same network as you, so the things you need to check are:
1) that your mail client is configured to use Secure SMTP (AKA SMTP+TLS/SSL, usually port 587 with STARTTLS or port 465) when sending email
2) that your mail client is configured to use Secure POP3 or Secure IMAP (AKA POP3+SSL/TLS on port 995 or IMAP+SSL/TLS on port 993) when downloading/viewing email
HOWEVER – you have no control at all over what happens between your SMTP server and the recipient’s mail server – there will be one or more hops between those servers over which you have no control, and which could be sending the email in plain text, so you have to assume that your email is being read, and never ever email anything sensitive to anyone, with one exception: if the sender and receiver use the same mail server, and if that server uses SSL/TLS for all its communications with clients, then you can be sure your mail is not flying around the internet unencrypted. Even then it sits on that server in the clear, readable by whoever runs it.
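The exchange from the life cycle section above and the client-side STARTTLS check from Bandaid 1, as an added Python example that is not part of Bart’s notes or of any product mentioned on this page. It runs entirely on loopback against a constructed fake SMTP server, so the host name mail.example.org, the random port (a real MX listens on TCP 25 and a client submits on 587 or 465) and the message text are all assumptions; the two addresses are the placeholders used in the sample conversation above. The fake server records every line in both directions, which is exactly the byte stream a sniffer on the cafe wifi would capture, and the client refuses to proceed unless the EHLO reply advertised STARTTLS (the TLS upgrade itself is left out so the example stays offline).

```python
import socket
import threading

def _serve_one(srv, advertise_starttls, transcript):
    """Constructed fake SMTP server (canned replies). Every line in both
    directions is appended to `transcript`: the bytes a sniffer captures."""
    conn, _ = srv.accept()
    srv.close()
    f = conn.makefile("rwb")
    def send(line):
        transcript.append(b"S: " + line)
        f.write(line + b"\r\n")
        f.flush()
    send(b"220 mail.example.org ESMTP")
    in_data = False
    while True:
        raw = f.readline()
        if not raw:                          # client hung up
            break
        line = raw.rstrip(b"\r\n")
        transcript.append(b"C: " + line)
        if in_data:                          # message text: no per-line reply
            if line == b".":
                in_data = False
                send(b"250 OK queued")
            continue
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"EHLO":
            send(b"250-mail.example.org")
            if advertise_starttls:
                send(b"250-STARTTLS")
            send(b"250 8BITMIME")
        elif verb in (b"MAIL", b"RCPT"):
            send(b"250 OK")
        elif verb == b"DATA":
            send(b"354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        else:                                # QUIT (or anything unknown) ends it
            send(b"221 Bye")
            break
    conn.close()

def start_fake_server(advertise_starttls):
    """Start the fake server on a random loopback port; returns (port, transcript)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    transcript = []
    threading.Thread(target=_serve_one, args=(srv, advertise_starttls, transcript),
                     daemon=True).start()
    return srv.getsockname()[1], transcript

def _cmd(f, line):
    """Send one command; collect its reply ("250-" continues, "250 " ends)."""
    f.write(line + b"\r\n")
    f.flush()
    replies = []
    while True:
        r = f.readline().rstrip(b"\r\n")
        replies.append(r)
        if len(r) < 4 or r[3:4] != b"-":
            return replies

def _connect(port):
    sock = socket.create_connection(("127.0.0.1", port))
    f = sock.makefile("rwb")
    f.readline()                             # 220 greeting
    ehlo = _cmd(f, b"EHLO client.example.org")
    return sock, f, {r[4:].split(b" ", 1)[0].upper() for r in ehlo[1:]}

def server_offers_starttls(port):
    """Bandaid 1, client side: a client that fails closed stops here and never
    sends a password when this is False (TLS upgrade omitted to stay offline)."""
    sock, f, extensions = _connect(port)
    _cmd(f, b"QUIT")
    sock.close()
    return b"STARTTLS" in extensions

def send_plaintext(port, sender, rcpt, subject, body):
    """The exchange from the page, as a client performs it. Nothing is
    encrypted: every byte lands in the transcript exactly as sent."""
    sock, f, _ = _connect(port)
    _cmd(f, b"MAIL FROM:<" + sender + b">")
    _cmd(f, b"RCPT TO:<" + rcpt + b">")
    _cmd(f, b"DATA")
    for line in (b"From: " + sender, b"To: " + rcpt, b"Subject: " + subject, b"", body):
        f.write(line + b"\r\n")
    accepted = _cmd(f, b".")[0].startswith(b"250")
    _cmd(f, b"QUIT")
    sock.close()
    return accepted

if __name__ == "__main__":
    port, transcript = start_fake_server(advertise_starttls=False)
    send_plaintext(port, b"firstname.lastname@example.org", b"email@example.com",
                   b"My Subject", b"The shared-drive password is hunter2")
    print(b"\n".join(transcript).decode())   # the sniffer's view, verbatim
    print("STARTTLS offered:", server_offers_starttls(start_fake_server(True)[0]))
```

Run it as a script and the printed transcript is the whole message, sender, recipient and all, readable without any tooling. The point of server_offers_starttls is that opportunistic STARTTLS is only as good as the client’s willingness to fail closed: an attacker on the path can simply drop the 250-STARTTLS line from the EHLO reply, and a client that shrugs and carries on hands over the password and the message in the clear.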
Bandaid 2 – S/MIME:
If you need to send something sensitive via email to someone who does not share your mail server, then you MUST encrypt it using S/MIME (or something like PGP or GPG). To do this you’ll need an S/MIME certificate signed by a trusted CA and its matching private key. This certificate is basically the same kind of certificate websites use for HTTPS, but it is bound to an email address rather than a domain name.
To get started encrypting email with S/MIME you’ll need to get a certificate from a trusted CA. You COULD spend money and get one from Verisign or someone like that, or you could get a one-year one from startSSL.com for free (they charge for longer duration certs). Bonus tip – if you are doing this from a Mac, use Safari, because it uses the OS X keychain rather than its own custom keychain like Firefox does, and this will save you two steps later on.
If you don’t have an account with startSSL already you’ll have to set one up, which will involve the installation of a certificate in your browser (if you use the email address that you plan to encrypt then the cert generated to sign up will actually be an S/MIME cert for that email address so you won’t even have to generate a cert).
If you do already have an account, and you didn’t sign up with the same email address you want to encrypt from, then you need to first validate the email address using their Validation Wizard, then generate the cert using their Certificate Wizard. When the cert is generated it will be installed into your browser’s keychain along with its matching private key. If you use Safari and Mail.app then you don’t have to do anything with the cert after it is installed. If you use any other browser and mail app combination you’ll have to export the certificate and key from the browser as a .p12 file and then import it into the OS X keychain and/or your email client. Even if you use Safari + Mail.app you should export a copy of the cert from the OS X Keychain as a .p12 file (an encrypted format) and save it somewhere safe (I stick it in 1Password).
Once you have your S/MIME certificate installed in your mail client you can immediately begin to digitally sign your emails. This will not protect the content of your messages from being seen as they pass through the internet, but it will prevent them being altered, and prove to your recipient that the email really is from you, and not from an impostor. The added bonus of sending signed emails is that it means your recipients get a copy of your S/MIME cert, which they will need if they want to send you encrypted mail.
To use S/MIME for encrypting email both you and your intended recipient must have S/MIME certs, and you must each have a copy of each other’s certs (if you each send one signed email to the other, your mail clients should have saved those certs). You can then encrypt emails between each other if your mail client supports S/MIME.
OS X (and iOS) Mail.app is great for this – Mail.app saves every S/MIME cert it receives from your contacts automatically, and it finds your S/MIME cert(s) in your OS X Keychain automatically as well. If you use Mail.app to send an email from an account that you have an S/MIME cert for, you will see two extra buttons in the compose window – one that looks like an old-fashioned seal – this controls whether or not you digitally sign the outgoing email (IMO you should ALWAYS do this if you have a cert), and one that looks like a padlock – the padlock will be greyed out until you type a recipient for which Mail has a cached S/MIME cert, but if it has a cached cert for your recipient you just click on this icon and the padlock will close, signifying that the email will be encrypted.
Tip – to get your S/MIME cert onto your iPhone or iPad, email it to yourself as a .p12 attachment and open that attachment in iOS’s Mail app; it will then install the cert. Remember that the .p12 is protected only by the password you set when exporting it, and that this email crosses the network like any other, so use a strong export password.
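What the two S/MIME modes described above look like on the wire, as an added Python example that is not the page’s code and not Mail.app’s: it uses only the standard library’s email package. Because the standard library has no public-key cryptography, the PKCS#7 blob is a constructed placeholder rather than a real signature or ciphertext; the MIME structure and headers, though, are what a client actually emits, and the addresses are the placeholders already used on this page.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SENDER = "firstname.lastname@example.org"    # placeholder addresses from the page
RECIPIENT = "email@example.com"
# Constructed stand-in for DER-encoded PKCS#7 bytes; a real client puts the
# CMS signature (plus the signer's certificate) or the ciphertext here.
FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"\x00" * 16

def signed_message(subject, body):
    """multipart/signed: the text part travels in the clear; the detached
    smime.p7s part carries the signature and the sender's certificate."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")
    outer["From"], outer["To"], outer["Subject"] = SENDER, RECIPIENT, subject
    outer.attach(MIMEText(body))
    outer.attach(MIMEApplication(FAKE_PKCS7, "pkcs7-signature", name="smime.p7s"))
    return outer.as_bytes()

def encrypted_message(subject, ciphertext):
    """application/pkcs7-mime enveloped-data: the body is opaque, but the
    headers (including Subject) are still readable at every hop."""
    msg = MIMEApplication(ciphertext, "pkcs7-mime", name="smime.p7m",
                          smime_type="enveloped-data")   # becomes smime-type=
    msg["From"], msg["To"], msg["Subject"] = SENDER, RECIPIENT, subject
    return msg.as_bytes()

def eavesdrop(raw):
    """What a passive observer recovers from the raw message bytes."""
    msg = message_from_bytes(raw)
    view = {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"]}
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        view["kind"] = "signed"
        view["body"] = parts[0].get_payload(decode=True).decode().rstrip("\r\n")
        view["signature_part"] = parts[1].get_content_type()
    elif ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        view["kind"] = "encrypted"
        view["body"] = None                  # ciphertext only
        view["ciphertext_bytes"] = len(msg.get_payload(decode=True))
    else:
        view["kind"] = "plain"
        view["body"] = msg.get_payload(decode=True).decode().rstrip("\r\n")
    return view

if __name__ == "__main__":
    print(eavesdrop(signed_message("Quarterly numbers", "Revenue is down 12%")))
    print(eavesdrop(encrypted_message("Quarterly numbers", FAKE_PKCS7)))
```

Note the subject line in the encrypted case: S/MIME encrypts only the body, so Subject, From and To stay readable on every hop and on every mail server in between. Put nothing sensitive in the subject of an encrypted mail.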
As we mentioned in the chat, Bart had me walk through creating the certificate and installing it, and I’m working on making it a pretty Clarify tutorial for you to follow along. I hope to have that done for you early next week, so stay tuned.
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, Blue Mango Learning at bluemangolearning.com makers of ScreenSteps and Clarify. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter at @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.