On this 8th anniversary of the NosillaCast, you’ll hear first hand what happened when Knightwise of knightwise.com challenged the Internets to get him 150 members to his Google+ community and how the NosillaCastaways helped, then Bart will jump in to answer a dumb question on how to be as secure as possible if you’re running a WordPress website and then I’ll give you my take on the new Roku 3 vs. the AppleTV 3. In Chit Chat Across the Pond, Bart takes us through Taming the Terminal Part 3 of n.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday May 12, 2013 and this is show number 418. Happy Mother’s Day to all the moms out there! I was treated pretty darn well – flowers from Lindsay, Kyle and Steve – I got tulips, orchids and star gazer lilies. Yup, I cleaned up on this one! Tonight I have requested filet mignon with new potatoes and grilled portobello mushrooms and zucchini for dinner – hope that comes through too. Ooh – and guess what? Tomorrow is the 8 year anniversary of the NosillaCast! How fun is that? But enough messing around, we have an excellent show today. First you’ll hear first hand what happened when Knightwise of knightwise.com challenged the Internets to get him 150 members to his Google+ community and how the NosillaCastaways helped, then Bart will jump in to answer a dumb question on how to be as secure as possible if you’re running a WordPress website and then I’ll give you my take on the new Roku 3 vs. the AppleTV 3. In Chit Chat Across the Pond, Bart takes us through Taming the Terminal Part 3 of n. Lots to learn here so let’s dig in.
But before we get started by talking about Knightwise’s dare, I have to take the opportunity to bust the chops of my buddies over at the SMR Podcast, Chris, Rod and Robb. If you haven’t heard their show, they squeeze in a little bit of tech talk about mobile devices in between talking about movies and video games. Anyway, Robb is an Android and Blackberry guy, Chris is a hard core Windows guy, and Rod blows with the wind – sometimes iOS, sometimes Windows 8 and sometimes Android, he just can’t make up his mind I guess. Anyway I had to think of him when Steve and I were in an AT&T store and we looked around at the different options they had for smart phones. They had the Samsung Galaxy S3 and the new hotness S4, they had the Nokia 920 and HTC Windows 8 phones, all the great new stuff. There wasn’t a single person in the store looking at these devices. Instead, there were four women clustered around…an iPhone 4. Not an iPhone 5 even, it was the iPhone 4 that really got them excited. They stayed there long enough for me to capture a photo or two, and I put that in the shownotes for your entertainment. Sorry boys, a 2 year old iPhone still beats your new hotness!
Knightwise Licks a Vista Machine
In a shameless act of self promotion, good friend and contributing member of the NosillaCastaways, Knightwise offered to actually lick a Vista machine if he got 150 members of his Google Plus community by last weekend. We watched the numbers creeping up like the last few moments of a Kickstarter campaign, and then I tweeted out about it and unleashed the NosillaCastaways upon him. I’m pleased to announce that Steve Davidson of our crew was number 150, forcing Knightwise to his doom. He ran away to the north of France with his darling wife Nyana for a day where he trained in licking things (streetlamps, mustard, oysters, french girls etc). But finally, he was faced with the moment of truth.
I’ve included a link in the shownotes to the video that’s almost too horrible to watch, but let’s take a risk and listen to it.
insert audio of Knightwise
Dumb Question Corner
Hey Allison. Todd McCann here from *ROBOT: Warning! Warning! Blatant plug alert!* yikes! http://abouttruckdriving.com/ and the Trucker Dump podcast *plays podcast intro* *ROBOT: Careful. I’m watching you.* Oops. Sorry. My finger slipped. *ROBOT: Uh-huh.*
Sheez. Well Allison, I can see that you’re the perfect person to be asking this question about website security. So, a while back you and Bart scared a few toots out of me when you talked about websites getting hacked. Even worse, they were passing it along to their readers without even knowing it.
I never used to worry about this stuff, but now that I have the Trucker…. *Warning begins, then stops* Ok ok. “The podcast,” I figure I better get my crap together.
I’m good about keeping WordPress, my theme, and my plug-ins up-to-date, and I keep regular backups of my full site. But I’m sure those Geeky sites that got hacked were all doing this too. So here’s a few dumb questions for you. And if you’re going to bring that cranky Irishman into this, tell him to be gentle. You’re dealing with a guy who can’t tell the difference between html and Klingon. So with that in mind:
1. Beyond keeping up to date versions of everything and doing backups, what additional steps can I take to secure my website?
2. Are any of those security packages worth the money? For instance, Hostgator offers something called SiteLock. It claims to scan for malware and spam. I have my doubts.
3. And since we’re on the subject, is there a cheap or free way to stop the spam I’m getting in my comments section? I’ve installed one of those captcha thingies and it has cut down most of it, but some still manage to leak through. Keep in mind I don’t make a cent on this site. So the cheaper the better.
That’s about it for now. I would like to thank you, Allison, for helping me get the website up and running. Your willingness to give back to the community is just one of the reasons why you rock harder than an Iron Maiden concert. Your Podcasting on Podcasting series and your recommendation of the awesome Feeder app was invaluable to me, as was your help through Twitter and email. Not to mention all my dumb questions that you’ve answered. Without your help it would have taken a lot longer to get http://abouttruckdriving.com/ off the ground. *ROBOT: I’m going to let that one slide. Buttkisser.* Oh hush.
And lastly I’d like to appeal to the excellent Nosillacastaways to email me with any suggestions they might have for securing their sites or for any cool WordPress plug-ins that they’ve found helpful. They can email me at TruckerDump@gmail.com. Thanks. *ROBOT: You are a jerk.* What?
Well Todd, thank you so much for the kind words, I have to help others because that’s how I got here myself, by the kindness of strangers. In case someone didn’t catch the name of Todd’s podcast, it’s called The Trucker Dump Podcast at abouttruckdriving.com. I should point out that Todd took an interesting approach to publishing his podcast – instead of eking them out one a week, he went for the House of Cards model on Netflix and published 92 episodes all at once! It’s fun because you can start at episode 1 and you have lots of runway to go on it.
Now onto your questions, Todd. I am going to bring in the cranky Irishman for the answer here, but there’s one part I can answer first that doesn’t require heavy lifting. First of all, get rid of that CAPTCHA. For anyone out there who doesn’t know what that is, it’s those annoying squiggly letters that are impossible to read and often inaccessible to those without vision. Awful for everyone across the board. I’m glad to see you actually did one of the math ones, so not as annoying as a normal CAPTCHA but I have a solution that doesn’t require any of that nonsense and is no work at all once you set it up.
The answer is a lovely free plugin called Akismet. You get yourself an Akismet API key I think it’s called, and then install the plugin and boom, you’re done with spam. Ok not 100% done with it but I maybe get 1 or 2 a week now that come to me as an email notification from Akismet asking me if it might be spam. Sometimes you’ll get a short flood of problem posts but within a few days Akismet has broadened the net and they stop. Akismet even has a stats page on your site so you can see how much it’s doing – in the last 12 months it’s stopped 207,206 spams with a 99.93% accuracy rate. For some reason it often thinks George’s comments are spam (no wisecracks) but other than that it works like a charm.
Ok, now that I did the light lifting, let’s bring in the big guns and let Bart answer the hard parts.
How long is a piece of string?
Seriously, though, the threats come in three main forms:
1) vulnerable software
2) vulnerable passwords
3) vulnerable squidgy organic bits (i.e. humans)
If you run as few plugins as possible, only run plugins that are under active development, and keep your site, all your themes and all your plugins up to date, then you are doing as much as you can to protect yourself from vulnerable software. On shared hosting the server is beyond your control, so, you need to trust that your hosting provider is taking their responsibilities for patching seriously.
WordPress is under heavy attack from a botnet at the moment, so definitely be sure to use strong passwords for all your accounts. That goes for your WordPress admin account password, your MySQL password, and your password for the hosting package. On WordPress it’s also wise to create a new admin account with a username that’s not admin, and to then delete the default admin account. Having strong passwords is only half the battle though, if you send them insecurely, then their strength is irrelevant! In an ideal world, you should never use FTP, because that exposes your hosting provider password, you should use SSL for your connection to MySQL, and you should use HTTPS to access your site. StartSSL can do you free HTTPS certs, so that part is fixable, but on shared hosting the use of FTP is often not optional, and you almost never get control over how the web server talks to the MySQL server. Being on shared hosting and being secure are mutually exclusive. All you can really do is manage the risk, so never ever ever use FTP from anywhere but your home network or another trusted network. Absolutely positively do not do it from public wifi or ethernet in a hotel (unless you are using a VPN to tunnel out). The same goes for connecting directly to your MySQL DB with a MySQL client.
As for the squishy organic bit, try not to fall for phishing attempts – if you give the bad guys your password, it doesn’t matter how long it is 🙂
There is a reason banks don’t use shared hosting, so you just need to accept that you can’t have a cheap website and be well secured. That doesn’t mean you give up though, you do the best you can. Think of it like the old gag about not having to out-run a bear, but just having to out-run your friend. If you can avoid being the lowest hanging fruit, you should be fine.
To end on a quick checklist:
1) keep being diligent about updates
2) if you haven’t done so, set secure passwords (shameless plug – xkpasswd.net)
3) if your cheap hosting allows you to install SSL certs, get a free one from StartSSL so you can get HTTPS on your site so you can protect your WordPress admin password and login cookie.
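Item 2 of Bart’s checklist is the part you can fix in ten minutes, so here is an added example (not code from the show or from xkpasswd.net) of what an xkpasswd-style generator does: pick a few random dictionary words, a random separator and a couple of digits, and count the entropy honestly. The word list below is a constructed sixteen-word stand-in, which is exactly why the entropy figure it reports is low; the same four-word pattern drawn from a few thousand words is comfortably past 50 bits, which is the point of the technique.

```python
"""xkpasswd-style passphrase generator with an honest entropy estimate.

Added example; not from the NosillaCast show notes or xkpasswd.net.
WORDS is a constructed stand-in for a real dictionary of thousands of words.
"""
import math
import secrets

# Constructed mini dictionary (16 entries). Replace with a real word list.
WORDS = [
    "apple", "river", "castle", "window", "copper", "garden", "silver", "marble",
    "planet", "forest", "candle", "harbor", "pepper", "meadow", "rocket", "velvet",
]
SEPARATORS = "-+=:_"

# Constructed sample of the sort of passwords a WordPress botnet guesses first.
COMMON_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty", "welcome"}


def generate_passphrase(word_count=4, digit_count=2, words=WORDS, rng=None):
    """Return e.g. 'apple-RIVER-castle-WINDOW-37'.

    Every random choice comes from a CSPRNG (secrets.SystemRandom) unless a
    different rng is injected for testing. Word case alternates by position,
    which is easy to remember but adds no entropy, so it is not counted below.
    """
    rng = rng or secrets.SystemRandom()
    sep = rng.choice(SEPARATORS)
    chosen = []
    for i in range(word_count):
        w = rng.choice(words)
        chosen.append(w.upper() if i % 2 else w.lower())
    digits = "".join(rng.choice("0123456789") for _ in range(digit_count))
    return sep.join(chosen + [digits])


def passphrase_entropy_bits(word_count=4, digit_count=2, words=WORDS):
    """log2 of the number of distinct outputs generate_passphrase can produce.

    All choices are independent and uniform, so the count is simply
    words^word_count * 10^digit_count * separators.
    """
    combos = len(words) ** word_count * 10 ** digit_count * len(SEPARATORS)
    return math.log2(combos)


def parse_passphrase(passphrase):
    """Split a generated passphrase into (separator, words, digit string)."""
    for sep in SEPARATORS:
        if sep in passphrase:
            parts = passphrase.split(sep)
            return sep, parts[:-1], parts[-1]
    raise ValueError("no known separator in passphrase")


def looks_weak(password, min_length=12):
    """Cheap sanity check for a user-chosen password: on the common list or short."""
    return password.lower() in COMMON_PASSWORDS or len(password) < min_length


if __name__ == "__main__":
    print(generate_passphrase())
    print("entropy with this toy word list: %.1f bits" % passphrase_entropy_bits())
```

Run it with a real word list and the entropy figure becomes the number to care about; the generator is only as good as the dictionary and the RNG behind it, which is why `secrets.SystemRandom` rather than `random` is the default.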
I hope that helps you sleep at night now Todd, and good luck with the podcast, I bet it will be a big success! If you want to follow Todd on Twitter, he’s simply @ToddMcCann.
Roku vs. AppleTV
I’m a big fan of the 2nd and 3rd generation AppleTV (not so much the 1st gen). Steve and I find it the best way to watch Netflix from the 128 devices in the house that can play Netflix. Love our TiVo and all, but it buffers all the time trying to play Netflix. The AppleTV is also our device of choice to rent movies from iTunes. Again we have alternate devices, including a MacMini hooked up to the big TV, but the AppleTV is easier and faster. We use the AppleTV for Airplay too, it’s fantastic for flipping a Youtube video up onto the big screen from an iPad, iPhone or a Mac.
I should mention the most IMPORTANT thing the AppleTV can do – that’s play Hulu Plus. It’s a critical function now that All My Children has been raised from the dead and come online on Hulu. I watched All My Children for about 33 years, every day during lunch at the gym, and I was devastated when it was cancelled, so you can imagine how delighted I am to have my beloved show back! Dorothy (aka Maclurker), Pat Dengler and I are having a blast comparing notes. I mean it’s critical to be able to answer questions like, “what did Cara do with her unborn child where her evil lover David Hayward was locked up in prison for shooting JR who really started it and David’s poor dead daughter?” Yes, having Hulu is an important feature for any set top box for me.
But you guys probably all knew the AppleTV was great for all these things. So what problem do I need to solve? I’m afraid I don’t have one, but I heard the Roku was cool so I wanted one. My techno-phobe brother has a Roku and I have to admit that it looked kind of neat when he showed me what it could do.
It was my birthday a bit ago and I asked Steve to buy me the Roku 3. For a hundred dollars it does 1080p, built-in wifi b/g/n, has an expandable memory slot, bluetooth, a free FULL edition of Angry Birds (why did they put that in the specs?) and an Ethernet and USB port. The real question will be, without iTunes will there be things I reach for the Roku for instead of the AppleTV?
The main reason the Roku caught my attention now instead of earlier is that it’s got a search feature that searches across ALL of the channels it can receive. I’m so weary of “is this on iTunes? Netflix? Amazon?” I gave it a go – I did a search for one of my favorite chick flicks, “How to Lose a Guy in 10 Days” and the Roku came back with three choices – Vudu, Amazon and Blockbuster, all showing the prices of $2.99. Pretty cool feature, and it worked a champ. Luckily I have this fine film in my DVD library so I didn’t have to shell out the $2.99.
I have to say that I absolutely DETEST the remote on the AppleTV. That little rocker button is weirdly clicky and it’s super easy to click it wrong. The remote is not comfortable in the hand with its sharp edges. The worst part though is that once you drill down say into an episode of Archer on Netflix, it’s about 126 back button clicks to get to the main AppleTV home screen to then navigate down into another service.
Hands down I like the Roku remote MUCH better. It’s very smooth and comfortable in the hands, and its rocker has more motion so it’s easier to use. Probably the best thing on it is a freaking HOME button! Yup, 126 levels deep into Netflix and with one single touch I’m back at the home screen of the Roku interface viewing my channels. It’s a little weird having the select button below the toggle instead of being in the middle of the toggle but I have a feeling that’s just a muscle memory problem that I’ll get over.
The other great feature is a quick rewind button that goes back 15 or 30 seconds (I didn’t time it) much like TiVo’s had for years. I LOVE that button. When we watch Archer on the AppleTV, and we miss a joke, we just look sadly at each other and debate whether it’s worth the pain of trying to back up because it’s so janky on Netflix on the AppleTV.
Roku has a more flexible model of managing what channels you see than the AppleTV (I know, you’re shocked, right?) Adding and deleting channels is super easy and intuitive. They’ve made one design choice in their menus that confuses me though. Whenever there’s a list to scroll through, it’s a circular list. By that I mean you never get to the bottom, the list just starts over again. I don’t pay attention all that well sometimes and I kept finding myself saying, “hey…didn’t I see that already?”
I mentioned in the specs that the Roku 3 has a USB port on it – for grins and giggles I plugged in a hard drive where we’ve ripped a lot of our movies. Then I sat looking at the screen wondering how I’d access it. After a moment of reflection I wondered whether it’s another “channel” which in this case is sort of an app. I found a bunch of apps that would play the content including the free Roku USB Media Player Channel. I’m not gonna lie, it’s ugly but it does the job. Of COURSE I couldn’t play all of my movies because some of them were legally acquired digital copies that came with my Bluray purchases, so there’s always that but you can’t blame Roku for it. In theory you can also access music (and of course I didn’t have any) and images from the same USB interface. For some reason the interface in the Roku app showed two thumbdrives to choose from, one of which didn’t work and the 2nd of which was indeed my hard drive. Kinda makes you appreciate the way Apple not only represents the type of device you plug in but even the color, like when you plug in a red Nano, iTunes knows it’s a red Nano.
I played around in the settings and discovered that by default the Roku 3 sets itself to 720p and plain stereo, and you have to manually set it to 1080p and surround sound. An odd choice, since that’s one of the features people really care about; you’d think some auto-sensing, or at least a popup asking which you want, would be in order. Making your device look worse than it is isn’t a choice I’d make.
I should tell you how much more complicated it was for us to install the Roku – through no fault of its own. We have an A/V receiver with four HDMI inputs and then one output for the TV. But we had a Bluray player, the AppleTV, TiVo, and a Mac Mini already plugged into those four ports. We don’t really use the Mac Mini that much but we do use it from time to time so we didn’t want to get rid of it. Off to Radio Shack for an HDMI switch so we could make this just that much more complicated! We could have gotten a 2 port switch but you KNOW that we’d end up with another HDMI device eventually and regret not spending the extra money for the 4 port switch.
So now we have the Mac Mini and the Roku plugged into the switch, and the single HDMI cable coming out of that into the back of the receiver. Now you do realize what has to happen, right? We get to have another remote! Now if we want to watch the Roku, ALL we have to do is:
- Use the Sony remote to turn on the TV
- Use the Sony remote to change inputs to Satellite (that’s the name of the port where the switch is plugged in)
- Use the switch remote to change to input 1
- Use the Roku remote to find what we want to watch
Easy peasy! You should see Steve and me stare at each other when we go to watch TV now…um, we want Archer, which is what we used to watch on Netflix but then the free seasons were gone so we bought it on iTunes which is on AppleTV which means using the Sony remote to switch to the DVD input and then use the little AppleTV remote to find Archer. Sigh. Some days I think I’d rather read a book.
Clarify & Screensteps
This week I did a talk at SMOG, the Southern California Mac Owners Group, called Creating Spectacular Documentation. I love giving this talk because I start with easy screenshots, then into tools like Grab, Skitch and Jing, but the fun is when I get to talk about ScreenSteps and Clarify. A woman in the front row said partway through, “well so far Preview can do all that…” I wasn’t flappable though because I just kept going with the demo as Clarify did more and more and the oohs and aahs kept coming. If you haven’t bought Clarify or Screensteps yet, you need to head on over to BlueMangoLearning.com and give them a free 30 day trial. Remember you can buy cross platform licenses so if you’re a slider like Knightwise you can use them on both platforms. Steve Davidson wowed his dad this week with a Clarify tutorial on how to move his shows from his TiVo to his iPad, you can be a hero too!
Chit Chat Across the Pond
Important Security Updates:
- Next Tuesday is Patch-Tuesday – http://technet.microsoft.com/en-us/security/bulletin/ms13-may
Important Security News:
- Zero-day exploit discovered in IE8 (and only IE8) – http://technet.microsoft.com/en-us/security/advisory/2847140
- Exploit code for the bug (CVE-2013-1347) has been added to the Metasploit framework, so attacks in the wild are now trivially easy
- If you are still on IE8, and you don’t have a REALLY good reason to hang about on such an out-dated version, now would be a great time to upgrade either to a newer IE, or to a better browser (Chrome or FireFox)
- No patch yet – but MS have created a fix-it as a temporary fix – http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx
- There MIGHT be a patch as part of this month’s Patch Tuesday (this week) – http://nakedsecurity.sophos.com/2013/05/11/may-patch-tuesday-coming-up-microsoft-still-not-sure-if-latest-0-day-fix-will-make-the-cut/
- Security Researcher finds that Snapchat doesn’t live up to its promise of deleting images – http://nakedsecurity.sophos.com/2013/05/10/snapchat-images-that-have-disappeared-forever-stay-right-on-your-phone/
- The Onion get serious for a moment and explain how they became the latest news organisation to get hacked by the Syrian Electronic Army – http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/
- Bloomberg caught abusing its data terminals to spy on corporations – this is serious conflict of interest stuff – on the one hand Bloomberg want to make money selling financial data to wall street firms, on the other, they want to make money selling news, and their reporters abused their data customers to get news – http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-data-terminals.html?hp&_r=1&
- US Government trying to pressure Google & Facebook into installing backdoors for them – http://nakedsecurity.sophos.com/2013/05/01/us-google-facebook-bacldoors/
- FaceBook introduces a clever new password recovery scheme – you designate up to 5 people as your trusted friends, and if you lose your password, any three together have the power to get it reset for you – http://nakedsecurity.sophos.com/2013/05/04/facebook-introduces-trusted-contacts/
- *** Very interesting article on how the British hid coded messages in plain sight (steganography) during WWII – http://nakedsecurity.sophos.com/2013/05/06/british-crypto-hacking-from-ww2-have-a-try/
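The Facebook trusted-contacts item above is a three-of-five threshold: any three friends can recover the account, any two cannot. The textbook way to build that property is Shamir’s secret sharing, and the block below is an added worked example of it (example code, not Facebook’s implementation, whose internals the linked article does not describe). A recovery token is turned into an integer, hidden as the constant term of a random degree-2 polynomial over a prime field, and each friend holds one point on the curve; three points pin the curve down, two leave the constant term uniformly unknown.

```python
"""Shamir k-of-n secret sharing over GF(p), as an illustration of the
3-of-5 trusted-contacts idea. Added example; not Facebook's code.
"""
import secrets

# 2**127 - 1 is a Mersenne prime; any prime larger than the secret works.
P = 2**127 - 1


def make_shares(secret, threshold, share_count, rng=None):
    """Split an integer secret into share_count points on a random
    polynomial of degree threshold-1 with f(0) == secret.

    Returns a list of (x, y) pairs with x = 1..share_count. Any `threshold`
    of them recover the secret; fewer reveal nothing about it.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    rng = rng or secrets.SystemRandom()
    # f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1), coefficients uniform in GF(p)
    coeffs = [secret] + [rng.randrange(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, share_count + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares, threshold):
    """Lagrange-interpolate f(0) from `threshold` distinct shares."""
    if len(shares) < threshold:
        raise ValueError("not enough shares: %d of %d" % (len(shares), threshold))
    points = shares[:threshold]
    if len({x for x, _ in points}) != threshold:
        raise ValueError("duplicate share x-coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # yi * prod_{j!=i} (0 - xj) / (xi - xj), with division via modular inverse
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def token_to_int(token):
    """Encode a short byte-string recovery token as a field element."""
    value = int.from_bytes(token, "big")
    if value >= P:
        raise ValueError("token too long for this field; split it or use a bigger prime")
    return value


def int_to_token(value, length):
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    token = b"reset-token-42"                 # constructed sample token
    shares = make_shares(token_to_int(token), threshold=3, share_count=5)
    friends = [shares[0], shares[2], shares[4]]   # any three will do
    print(int_to_token(recover_secret(friends, 3), len(token)))
```

The security argument is the degree: with only two points, every possible constant term is consistent with exactly one degree-2 curve through them, so two colluding friends learn nothing. In a real deployment the token is what the friends pass back, the service verifies it, and the whole thing only helps if the friends themselves cannot be social-engineered, which is the squidgy organic bit again.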
Listener Michael Writes:
Hi Allison & Bart,
I thought this might be something you could get your teeth into (maybe even as a dumb question).
The problem to be solved is as follows:
One of my Physics students emailed me last Thursday asking me whether I had ever had to enter a PIN into my Mac during start-up. Apparently he had been locked out of his iPhone about 20 minutes before he got locked out of his Mac.
I advised him to disconnect any other device that was in some way connected to his iCloud account to avoid the possible next step in this hack i.e. having his devices wiped. Of course being a kid he had no backups.
He brought his Mac to school the next day & the first thing we did was to clone his drive (Carbon Copy Cloner) & then tried various tricks to try and unlock his Mac. It eventually became clear that his Mac wouldn’t boot past the Firmware password screen even with a different hard disk installed. None of the startup keyboard commands had any effect i.e. CMD-O, CMD-S, etc..
Using his actual hard disk (& its clone) to boot my Mac worked just fine.
Since then he has taken his Mac to a local Apple service centre & they advised him as follows:
“Hi Sir, When I took my mac in yesterday and told them about my icloud being hacked they said they are going to look into it. They also said to change the current email address on my account and the back up email address, to 2 completely different email addresses and change all security questions and passwords.
I have done this and also requested for the 2 step verification password but have to wait 3 days for security reasons.
When this is all done do you think it’s safe to continue using this account or scrap it and start a new one?”
So apart from this being a community service announcement I would also be grateful if you could advise me & him on his last question i.e. to scrap or not to scrap his iCloud account & start afresh.
Any suggestions would be greatly appreciated.
How many years worth of App, Music, Movie, and Book downloads are tied to the Apple ID? If there are hundreds of dollars of value tied to it I would be very reluctant to scrap it. If it were me I’d follow all Apple’s advice diligently, and try to carry on.
After the Mat Honan thing I turned off Find My Mac on my desktop Macs, and only left it on on my laptop. Since I have full disk encryption on all my machines, I think that’s a safe option. The laptop is the most likely to be stolen so it has FMM, but the desktop is the crown jewels, so I REALLY don’t want it remote wiped! If it is stolen, the full disk encryption will protect my data, so I don’t need remote wipe.
I’d suggest all our listeners take this as an opportunity to make a conscious decision to re-evaluate their choices when it comes to FMM and full disk encryption.
Taming the Terminal Part 3 of N – the anatomy of a Filesystem – http://www.bartbusschots.ie/blog/?p=2439
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, Blue Mango Learning at bluemangolearning.com makers of ScreenSteps and Clarify. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at email@example.com, follow me on twitter at @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.