#490 Verizon vs AT&T Radios, Backing up Drobo to Drobo, Mac Mini Monitor Hack, Chronosync, Shellshock Explained, TTT Search

I’m weary of defending Apple and I explain why. In Dumb Question Corner Steve Davidson asks for an explanation of whether the new iPhones from Verizon and AT&T can actually be moved between the two carriers and I find the answers at https://www.apple.com/iphone-6/specs/ and http://www.techwalls.com/differences-between-iphone-6-6-plus-models/. Steve and I continue our adventure figuring out how to back up one Drobo with another. I mention the Belkin Thunderbolt dock from Amazon, ResistorVision to read resistor values, Chronosync backup software from Econ Technologies and a hack to convince the Mac Mini that it has a monitor connected when it doesn’t. In Chit Chat Across the Pond Bart breaks down the Shellshock vulnerability, and in Taming the Terminal Part 21 of n, we learn more about searching from the Terminal.



Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday September 28, 2014 and this is show number 490.

Blog Posts

Weary of Trying to Defend Apple

Dumb Question Corner – Can AT&T and Verizon Phones Work on Each Others Network?

Backing up a Drobo – The Adventure Continues

Clarify

Hey that sounds like a great segue for an ad for Clarify! Like I said, I didn’t do the tutorial for anyone but me, but it’s amazing how often someone else finds one of these tutorials useful so I always share them no matter how arcane they are. I dropped in links to things like the Apple support article explaining how if you have an Airport device or an Apple TV, either one of them will just magically make your Macs wake up for you if you need them. I put in screenshots, blurred out usernames and passwords, drew boxes around buttons I should push next time and made myself little notes to explain why I set switches a certain way. It’s not a complex tutorial or even all that complicated to execute but I just hate having to figure out something a second time.

If you’re forgetful or even just lazy (I’m both) grab yourself a copy of Clarify from clarify-it.com and save yourself time and energy. Heck, you don’t even have to share your tutorials with anyone but yourself to get productivity out of Clarify.

Chit Chat Across the Pond – Time 23:24

Security Medium – Shellshock

This week it emerged that there has been a nasty bug in BASH for years. Initially it was just ‘the BASH vulnerability’, but someone nicknamed it Shellshock, and it stuck, so that’s how the media are running with it now.

The vulnerability is in how BASH handles environment variables, and the result of exploitation is code execution. While you might think the shell is not very exposed over the network, the problem is that lots of services put data from the network into environment variables, and on lots of Linux and Unix servers the shell those services hand that environment to is BASH (at least by default), so in reality remote code execution through stuff like web servers is actually as easy as sending a request to the server containing a carefully crafted HTTP header. Researchers have also found that some DHCP implementations (NOT Apple’s custom one) expose the vulnerability.
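To make the web-server path concrete, here is an added example (not code from the show or from Bart) that shows the two defender-relevant halves of it: how a CGI-style web server turns a request header into an environment variable name (the standard RFC 3875 mapping, so a `User-Agent` header becomes `HTTP_USER_AGENT` before any shell ever sees it), and a small log scanner that flags requests whose header fields carry the `() {` function-definition prefix that all Shellshock probes share. The log lines are constructed for the example and use the harmless, widely published `echo probe` test string rather than a real payload; the combined log format and the RFC 3875 mapping are the only assumptions.

```python
"""How an HTTP header becomes a bash environment variable, and how to spot
Shellshock probes in web server logs. Added illustration, not from the show."""
import re
from typing import Dict, Iterable, List, Tuple

def cgi_env_name(header_name: str) -> str:
    """RFC 3875 section 4.1.18 mapping of a request header to a CGI meta-variable:
    'User-Agent' -> 'HTTP_USER_AGENT'. This is the step that hands text chosen by
    a remote client to the CGI process as an environment variable, which bash
    then parses when it starts."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def build_cgi_environment(headers: Dict[str, str]) -> Dict[str, str]:
    """Environment a CGI-capable server would pass to a script for these headers."""
    return {cgi_env_name(name): value for name, value in headers.items()}

# Every Shellshock probe has to start the variable's value with a bash function
# definition, "() {". Matching that prefix catches the technique regardless of
# what command follows it, so no payload list is needed.
FUNC_DEF = re.compile(r"\(\)\s*\{")

def is_shellshock_value(value: str) -> bool:
    return FUNC_DEF.search(value) is not None

# Apache/nginx "combined" log format: the referer and user-agent are the two
# header values that land in the log verbatim, so they are where probes show up.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, offending_field, request_line) for each suspicious entry."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; a real tool would count these
        for field in ("referer", "ua"):
            if is_shellshock_value(m.group(field)):
                hits.append((m.group("ip"), field, m.group("req")))
    return hits

# Constructed sample log (documentation IP ranges, harmless 'echo probe' string).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:03:12 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)"',
    '203.0.113.9 - - [25/Sep/2014:10:03:15 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo probe"',
    '198.51.100.4 - - [25/Sep/2014:10:04:01 +0100] "GET /index.html HTTP/1.1" 304 0 '
    '"() { :;}; echo probe" "curl/7.30.0"',
    '198.51.100.5 - - [25/Sep/2014:10:04:30 +0100] "GET /about.html HTTP/1.1" 200 1840 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',  # parentheses alone must not trigger
]

if __name__ == "__main__":
    env = build_cgi_environment({"User-Agent": "() { :;}; echo probe", "Host": "www.example.com"})
    for name, value in env.items():
        print(f"{name}={value}")
    for ip, field, req in scan_log(SAMPLE_LOG):
        print(f"suspicious {field} from {ip}: {req}")
```

Running the scanner over the sample yields two hits, one in the user-agent and one in the referer, while the two ordinary browser entries (including the one whose user-agent contains parentheses) pass clean. The same prefix check is what most IDS signatures for this bug key on.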

A server bug allowing remote code execution is exactly what you need to get an internet worm going, and that’s exactly what is starting to happen in the wild. Researchers have already found botnets spreading themselves using this vulnerability.

Most Unix and Linux distributions were quick to ship a patch, so sysadmins all around the world spent Wednesday night and Thursday patching like mad.

Then it turned out the first patch didn’t really fix all of the problem, so a second patch had to be released – so all those overworked sysadmins got to do it again 24 hours later!

The big problem is that not all things that use BASH have been patched:

  • There is no patch from Apple yet, but they say they are working on one, and that the vast majority of Mac users are not in danger
  • There are more embedded devices with BASH on them than you can shake a stick at. In theory we should all be getting lots of firmware updates soon, but of course many older devices will never get patches, and even on devices where there are patches, loads of people will never bother to apply the updates, or even know that they should.

Then, on Saturday, we got another sting in the tail – security researchers are now saying that even the second patch does not actually fully resolve the problem, and that really, BASH needs fundamental changes that will break backwards compatibility in order to really lock this down. Expect sysadmins to be playing bash whack-a-mole for some time to come 🙁

People have been saying this is on the same scale as Heartbleed, but it’s actually WORSE – Heartbleed just leaked data, this gives attackers the ability to execute any code of their choice on vulnerable devices!

What should you, as a user, do?

  • If you run Linux – patch it
  • If you run a Mac – sit tight, Apple is working on a patch, and unless you are running your Mac as an internet-accessible server, you are probably safe anyway. If you do run your Mac as a server, you should consider manually updating BASH
  • Keep an eye out for firmware updates for routers and IP cameras and other smart devices, and install them as they come out
  • Buy a sysadmin a coffee – they could probably do with one 🙂

Links:

Security Light

Important Security Updates:

Important Security News:

Notable Breaches:

Suggested Reading:

Main Topic – Taming the Terminal Part 21 of n – More Searching

https://www.bartbusschots.ie/s/2014/09/26/taming-the-terminal-part-21-of-n-more-searching/

That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, Blue Mango Learning at bluemangolearning.com makers of Clarify. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter and app.net @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.

7 thoughts on “#490 Verizon vs AT&T Radios, Backing up Drobo to Drobo, Mac Mini Monitor Hack, Chronosync, Shellshock Explained, TTT Search”

  1. Donald Burr - September 29, 2014

    Minor nit: Bart claimed that BASH is in “more embedded devices than you could shake a stick at.” Not true. Embedded devices, by their very nature, are extremely limited in processing power, memory and storage space, so they really can’t run a big shell like BASH (which is *huge* in terms of code size). So embedded systems typically use a “cut down” shell called BusyBox. (Actually BusyBox consists of “cut down” versions of most common Linux utilities – ls, cp, mv, rm, etc. – all wrapped together in one app binary.) And, since BusyBox shares NO code with BASH, it is therefore NOT vulnerable to the “ShellShock” vulnerability.

  2. Donald Burr - September 29, 2014

    BTW, OpenVPN is NOT affected by ShellShock.

  3. podfeet - September 29, 2014

    Hot dogs, thanks for letting us know OpenVPN is ok, Donald.

    Minor nit: I can only shake a stick at say a dozen embedded devices before my arm would get tired, so even if 99.99% of embedded devices use BusyBox there’s probably at least 13 that use Bash.

  4. Donald Burr - September 29, 2014

    Bart, I’m surprised that you didn’t mention that the “find” command can accept regular expressions (regexps) for filenames. So you could rewrite your “find all perl files and modules” command:

    find ~/Documents/scripts '(' -name '*.pl' -or -name '*.pm' ')' -exec wc -l {} '+'

    as:

    find ~/Documents/Scripts -name '*.p[lm]' -exec wc -l {} '+'

  5. Donald Burr - September 29, 2014

    Linux/UNIX actually does have something similar to OS X’s Spotlight/mdfind. It’s called “locate.” Basically it runs a daemon (system process) that periodically scans your entire hard disk and puts the results into a quickly-searchable database. (On most Linux distributions, this is set up automatically.) You can then search that database using the “locate” command (e.g. “locate .pdf” to find all PDF files). You can use both shell wildcard characters (*, ?, etc.) and/or regular expressions as well, making it a very powerful way of finding files whose names match any given criteria.

  6. Bart Busschots - September 29, 2014

    Hi Donald,

    We covered REs in the previous instalment, using -regexp to give better RE support than the very basic RE support you get with -name. I think it’s better to use -name for just the basic stuff, and -regexp for when you need more. Trying to remember which small subset of regexps you can use in -name just confuses things IMO.

    As for locate, correct me if I am wrong, but does locate not index only file/folder names? Spotlight indexes much more than just the names of files, so while locate is faster than find if you are just looking based on name, it’s still not a patch on mdfind.

    Bart.

  7. Donald Burr - September 29, 2014

    Bart,

    Yeah, I see your point about the find command supporting only a limited subset of regexps. I guess I’m just used to doing, e.g. “find . -name ‘*.[ch]’ …” to go through all of my C code rather than “find . -name ‘*.c’ -or -name ‘*.m’ …”. To each his own I guess!

    Also, yes you are correct, “locate” only searches filenames, which is why I said that it was only “kinda” like mdfind (or rather, that’s what I meant to say… doh). Still, it’s really fast because it uses the pre-indexed database rather than searching through the whole drive, so it has its uses; plus, it supports the full set of extended regexps if you use the “--regex” flag.
