Bart Busschots is guest-hosting the show this week. Allison tells the story of Move Mouse – a Mac app written for a Nosillacastaway by a Nosillacastaway! Bart answers a great dumb question from listener Lynda on the security of old Macs, Ken Wolf from the Manhattan Repertory Theatre reviews Chronicle, Bart fills us in about the POODLE vulnerability that’s been in the news this week, Allison describes how you can become a hero with Clarify, and in Chit Chat Across the Pond Bart talk to George Starcher about security from a Mac user’s point of view.
Hi folks, welcome to the NosillaCast Mac Podcast, hosted at podfeet.com, a technology geek podcast with an ever so light Macintosh bias. Today is Friday the 17th of October, and this is show number 493. I’m your guest host, Bart Busschots.
You’re hearing my voice instead of Allison’s because herself and Steve are away celebrating their daughter’s wedding – I’m sure I speak for all the nosillacastaways when I wish the happy couple a long and happy union!
Allison may be away, but that doesn’t mean she didn’t record some stuff for the show! We’ll start this episode with a review from Allison of an app written by one of our very own Nosillacastaways! Next we’ll have a dumb question from listen Lynda, then a review of an app called Chronicle from listener Ken Wolf of the Manhattan Repertory Theatre. They we get an un-scheduled security lite from me on the POODLE SSL vulnerability that’s making the media this week, then we hear form Allison again with ad for her favourite tutorial app, and finally security pro and Mac geek George Starcher joins me for Chit Chat Across the pond.
Dumb Question Corner
I’ve heard you say, many times, that older OS’s are not secure, because they haven’t been updated against current vulnerabilities.
Is it possible that some older Mac OS systems, i.e. the first Mac OS X versions, and/or OS9 might actually be secure because no one has written trojans, worms, etc. that would run on them, or they might be running really old versions of s/ware that weren’t vulnerable to modern exploits?
I ask because one of my friends advocates letting some older folks running older Macs run what they have. It’s hard for some of the older people to change. I’ve always advocated having them update, but I’d be interested in your thoughts on this.
Thanks for the great question Lynda!
The short version of the answer would be “it depends”.
Ultimately this comes down to understanding and balancing risks.
Firstly, there is a big difference between vulnerability and risk. Old OSes, no matter how old, ARE vulnerable, but, if you go back far enough, they may be low risk. A house with an unlocked door IS vulnerable, but the risk is very different for a house in the middle of a crowded city, and a house high in the mountains 100 miles from the nearest road!
An important fact to understand is that a surprising amount of the code in our modern OSes is old, DECADES old! There is no money in re-inventing the wheel, so if it works, it would be a waste of resources to re-write it. If a bug is discovered in old code like this, it can go WAY back! A perfectly timed example of this is BASH vulnerability discovered this month, that bug is 15 years old, so every version of OS X with BASH contains the vulnerability (very very old versions of OS X used a different shell).
Something else to bear in mind is that the closer two OSes are in age, the more code they have in common, so recently obsoleted OSes are the most likely to also be affected by recently discovered bugs. This means that an OS that’s a little out of date probably the most dangerous one to run.
I would say that the single most dangerous thing to do would be to advise someone to stay on OS X 10.7 or 10.8 on a computer that is connected to the internet.
If you go WAY back in time, you start to become part of such a small minority that you are unlikely to be targeted. You become the digital version of the unlocked house 100 miles from civilisation.
Another BIG factor when analysing risk is the question of connectivity. If a computer is not connected to the internet, it is, for all intents and purposes, safe.
My opinion, and it is just an opinion, is that the risk is probably tolerable if your computer is so old that it pre-dates Apple’s switch to Intel chips, or, the computer has no network connection. I think advising anyone to connect an out of date Intel Mac to the internet is irresponsible.
But – having said all that – I refuse to have any part in anyone using an out of support OS. I advise all my friends and family against it, and feel strongly that if you want to use a computer, you have to understand that computers change. It may sound harsh, but I firmly believe that if you can’t accept change, you can’t safely use an internet connected computer.
Chronicle from Ken Wolf
Hi Bart, this is Ken Wolf from Manhattan Repertory Theatre with a review of Chronicle, a bill reminder app from Little Fin Software LLC.
But first let’s start with the infamous problem to be solved. I, like everyone else, have bills that need to be paid. Now the problem is I’m old and so I forget things, and the problem is I’m busy and I get distracted and I forget things, so I need either an application or a person who will remind me to pay my bills on time. Since I can’t afford a personal assistant, Chronicle is my application of choice.
The first thing you need to do when you open up Chronicle is to log in the information about your bills. You need to put the due date and the amount and all those little details. Once in, Chronicle does all the work.
The interface is simple and easy to read. On the left, you have your bills with the average paid, the amount which is due and then the next due date. On the right you have the month at a glance, and you also have a listing of the bills that are due soon, bills that are due this month in terms of how much it’s going to be, and also the bills you have already paid this month in terms of the amount that you’ve paid. Down bottom, you can also list your income.
When you pay a bill you simply log in the amount and then your bill goes down to the bottom of the column on the left.
Chronicle has some interesting features. In the preferences, you can set up your overview columns with the average paid, the amount due, the balance and other things. And you can also set up a “Weekend Avoidance” which means that it will show the bill is due on Friday before a weekend so you don’t have to pay a bill on the weekend.
You can set up when it will announce that a bill is due soon. It can be in 7 days or it can be in 1 day or it can be 12. You set it up so that it works for you. Also you can set it up so that in the dock or the menu bar, there is a little number that shows you how many bills are due. You can also enable notification reminders and default reminder settings saying you want to be reminded maybe three days before your bills are due and at a specific time. Basically, you can set up reminders so that they will work for you.
Chronicle, also has an iOS app that syncs via Dropbox and it works seamlessly.
The one caveat I have with this application is that when you’re logging in bills paid there will be a voiceover that says: “GOOD JOB!” “TERRIFIC!” “WELL DONE!” “CONGRATULATIONS!”
Congratulations? Seriously? You are congratulating me because I am paying my $10.88 Photoshop bill? Hey, I want congratulations when I win an Oscar! So that feature is a little annoying. I just turn the sound down when I am logging in my paid bills.
So if you need to be reminded about your bills, please check out Chronicle. It is only $9.99 right now on the Mac App Store. I think it’s on sale, and it is a great application and the iOS app is wonderful also.
This is Ken Wolf from Manhattan Repertory Theatre in New York City signing off, and Bart, I just want to say I think you are the greatest and unique and what you do in your work with Allison and your work on your podcasts and on the other podcasts you’re on that I have listened to, is awesome! Thanks for covering for Allison this week.
This week a vulnerability was discovered in version 3 of the SSL protocol.
We all know to look for the lock icon in our browser, which signifies that we are browser over HTTPS, the secure version of the HTTP protocol. When we see that icon, we assume our data is being securely sent, because, in theory, it is.
As users, we usually don’t care about the fact that the HTTPS protocol supports the user of many different encryption protocols, and many different encryption cyphers under the hood. Our browsers support a set of protocols and cyphers, and every web server supports a set of protocol and cyphers, and when ever we connect to a HTTPS site, our browser and the server have a little negotiation to decide which protocols and cyphers to use for that connection.
HTTPS supports more cyphers than you can shake a stick at, but only a handful of protocols. Since HTTPS first came into use in 1994, there have been just five such protocols – SSL 2, SSL 3, TLS 1, TLS 1.1, and TLS 1.2.
SSL 1 was effectively a test version, and was never used for real, and SSL 2 has been known to be insecure for some time now, so it’s no longer used (or at least it shouldn’t be). Until this week, SSL 3 was still considered safe, but not anymore!
The POODLE bug is a protocol flaw that has been discovered in SSL 3, and it allows attackers to decrypt supposedly secure connections. The fact that the problem is a flaw in the protocol rather than a flaw in a particular implementation of the protocol means that all implementations of SSL 3 are now unsafe. The only safe HTTPS is HTTPS that uses TLS rather than SSL.
The fact that all versions of SSL are now unsafe means that all old browsers without TLS support are now dead. For the most part that doesn’t matter because no one is using ancient versions of Netscape or FireFox etc., but there is one very notable exception to this – the immortal IE 6! It should have died years ago, but as of this week, you HAVE to stop using IE 6 – it cannot do TLS, it is not safe anymore!
So – what are we all going to do about this POODLE problem?
Because HTTPS connections are negotiations, BOTH parties to a connection, i.e. the browser and the server, have to agree that SSL is OK for it to be possible for SSL to be used for a given connection.
Like with heart bleed earlier this year, this means that responsible sysadmins have spent the last few days fixing their web servers by removing SSL from the list of protocols their servers will accept.
But, unlike with heart bleed, this time we, as users, have the power to protect ourselves by removing SSL support from our browsers. For instructions visit this link (scroll down past the sever stuff to the section on protecting your browser).
If you disable SSL in your browser, you are safe, because unless both sites agree to SSL, there can be no SSL!
Listen as Allison interrupts us (again) to tell the tale of how she was able to very quickly help her friend fix a problem with audio not playing inside Safari. She claims that in 35 seconds she was able to take three screenshots (one was a pulldown menu), drop in an arrow on one, draw a box around another and copy the whole thing in an email back to her friend. She was a hero. You too can be a hero by going to clarify-it.com and downloading the free trial.
Chit Chat Across the Pond
Bart’s guest this week is security pro George Starcher. Bart and George take a big-picture look at security from a Mac user’s point of view.
And with that another Nosillacast comes to an end.
Thanks to everyone who sent in material for the show – you made my life a lot easier – as Ken Ray would say, you rock!
Should you want to hear more from me, you can check out podcasts over at lets-talk.ie, I do a monthly Apple show called Let’s Talk Apple, and a monthly photography show called Let’s Talk Photography (aren’t I original!). If that’s not enough to satisfy your appetite for Irish accents, you can also hear, and even see, me on the latest Mac Jury (mac voices episode 14207) where Chuck Joiner kindly invited me to chat with himself, Don McAlister, and Dr. Mac about this week’s Apple event.
Congratulations again to Lindsay and Nolan, and until next time, Happy Computing!