The show starts with a review of the Canon EF-S 10-18mm wide angle lens from listener Steven Goetz. That’s followed by a dumb question from listener Lynda, who’s having trouble getting Back to My Mac to work through double NAT. Then we hand over to Allison for two more interviews from CES, one with the Z-Wave Consortium, and one with bag maker LooptWorks. That’s followed by a Security Medium about the FREAK SSL/TLS vulnerability. As a palate cleanser before Security Lite, listener Sean reviews the game Zombies, Run!, and the show ends with a Chit Chat Across the Pond (desk really) with Irish classical music blogger Bren Finan, who shares his experiences trying to live his digital life on just iOS.
Hi folks and welcome to episode 513 of the NosillaCast podcast, I’m your guest host Bart Busschots. This is a technology geek podcast with an eeeeeeever so slight Macintosh bias, and you can find full show notes over at podfeet.com.
This is the first of three guest-hosted shows. Myself, Allister Jenks, and Guy Serle will be filling in for Allison while herself and Steve head off on an adventure through the Middle East and India. Based on the photos that have been landing in my inbox, they’re having a great time so far – the architecture in the UAE is really catching their eye, though I think they’re finding the restrictions on alcohol a little challenging! Anyway – if you guys are listening, safe onward travels, and enjoy yourselves!
I want to say thanks to all the listeners who have submitted content for the guest hosts so far – it really makes our jobs easier! There are still two more guest-hosted shows, so please keep the dumb questions and reviews coming in! Allison has asked me to act as secretary for the show while she’s away, so you can send your content for Allister & Guy’s shows to me at email@example.com and I’ll pass them on for you.
Let’s get the show started with a review sent in by listener Steven Goetz.
Review of Canon EF-S 10-18mm f/4.5-5.6 IS STM lens
For details see this post on Steven’s Blog.
Dumb Question Corner
This week’s dumb question was sent in by listener Lynda, she asks:
“Way back in episode #431, 8/11/13, Allison reported on your helping with configuring her home network as a double NAT. My husband followed your instructions and did the same for our network.
It is fine – except that I can’t use ‘Back to my Mac’. Apple basically says to turn off ‘multiple-NAT’ configurations.
Is there a way to get ‘Back to my Mac’ working with our configuration, or am I just stuck?”
Before answering this question I want to lay some groundwork so everyone understands exactly what the problem to be solved is.
What is NAT?
Firstly, what is NAT? It stands for ‘Network Address Translation’, which tells you very little. NAT is a technique that routers can use to share a single IP address between multiple computers. Like all routers, a NAT router connects two networks together, and it can be described as having an outside interface and an inside interface. The outside interface of the router is a network connection that is configured to use the one IP address the NAT router is sharing out. The NAT router then creates a different network behind itself containing all the computers that, from the point of view of those outside the router’s network, appear to be sharing that one IP. In reality every computer behind the router has its own IP address, but those addresses are private, and invisible from in front of the NAT router.
The reason it is called ‘Network Address Translation’ is that as network packets leave the private network behind the router, the router re-writes the packets so that the source address is the router’s external IP address. The router uses an internal state table to keep track of which connections map to which internal IP address. Almost all home routers are NAT routers.
When connections originate behind the NAT router everything works great: the router can create an entry for the connection in its internal state table, and it knows exactly what to do with all incoming packets that are part of that connection. Where things break down is when computers in front of the NAT router want to make an inbound connection to a computer behind the NAT router. The router has simply no way of knowing which of its many internal IPs it should map that incoming connection request to.
One way to get around this is a feature called ‘port forwarding’. Almost all NAT routers support this feature, and it simply allows you to map a port number to an internal address. If an outside computer tries to start a connection on that port number, the router sends that traffic to the specified internal IP address.
This is a laborious process, so some protocols were invented to automate it. One of those protocols is NAT-PMP, and it allows devices inside a network to set up port forwarding automatically. An app that wants to receive inbound connections can use these kinds of protocols to configure the needed port forwarding without the need for human intervention. For security reasons, these router-reconfiguration protocols are LAN-only protocols, and cannot cross a router. In other words, a computer can only use NAT-PMP to reconfigure the router that it is directly connected to; it cannot configure any routers beyond that.
What is double-NAT?
OK, so that’s NAT, what is double-NAT? Well – it’s the same thing, but twice! The computer is behind a NAT router which is behind a NAT router.
In an ideal world, no one would be behind double-NAT, but we don’t live in an ideal world! Many ISPs give customers rubbish routers, and force them to use them, not allowing users to directly connect their own routers to their internet service.
I’m in that situation with my cable provider, and Allison is in the same situation with hers, as indeed is Lynda.
We basically have two choices – live with the crummy router provided by our ISP, or, connect our own router to our ISP’s router, and connect our devices to our own router. This gives us back all the advantages of having a good router, but the price we pay is double-NAT.
Most of the time double NAT is no problem at all, but there can be the odd exception. I’ve been doing this for years without a single issue, but Lynda has not been as lucky.
The Problem to be Solved
Lynda is behind double-NAT, and she wants to use Back to My Mac, which relies on automatic router reconfiguration via a protocol like NAT-PMP. For security reasons, NAT-PMP can only re-program the first of the two NAT routers between Lynda’s Mac and the internet. Can Lynda keep her own router and enable Back to My Mac? And if so, how?
Firstly, is it possible? The answer is yes, but with some caveats.
The DMZ IP to the Rescue
The solution relies on a third common router technology, the ability to set a default port forwarding IP. This feature exists in many, but not all, routers, and the name varies widely. On the routers I have worked with, it is usually described as a DMZ IP address.
Regardless of what it is called, the feature allows you to specify an internal IP address to which the router should send all incoming packets that do not belong to an existing connection and are not on a port specifically forwarded somewhere else. In other words, if someone from the outside tries to connect in, don’t drop the packet, send it to the specified internal IP instead.
What you need to do to get NAT-PMP working through double-NAT is to configure the innermost NAT router to be the DMZ address for the outer NAT router.
To get a working solution, you need to do the following:
1. configure the outer router to always give the inner router the same IP address (almost all routers can do this)
2. configure the outer router to use the now static IP of the inner router as its DMZ address (many routers can do this)
3. enable NAT-PMP (or one of the other similar protocols) on the inner router.
So, assuming the outer router supports static DHCP leases and DMZ addresses, and assuming the inner router supports NAT-PMP or similar, you can get Back to My Mac working through double-NAT.
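To make the three steps concrete, here is a toy model of the two routers, added for these show notes (it is not code from Apple or from any router). It models the state table, explicit port forwards, the LAN-only port-mapping request (NAT-PMP style) and the DMZ default target; every address and port is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added example, not from the show notes: a toy NAT model used to show why an
# unsolicited inbound packet dies at the outer router, and how the DMZ fix helps.
Endpoint = Tuple[str, int]


@dataclass
class NatRouter:
    name: str
    wan_ip: str                                   # the one address it shares out
    lan: Set[str]                                 # hosts directly behind it
    forwards: Dict[int, str] = field(default_factory=dict)      # port -> internal IP
    dmz: Optional[str] = None                     # default target for unsolicited traffic
    state: Dict[int, Endpoint] = field(default_factory=dict)    # WAN port -> (IP, port)
    next_wan_port: int = 40000

    def outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of an outbound packet to the WAN address and
        remember the mapping so replies can be routed back to the right host."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.state[wan_port] = src
        return (self.wan_ip, wan_port)

    def inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Where does a packet arriving on dst_port go?  Existing connection
        first, then an explicit forward, then the DMZ address, else dropped."""
        if dst_port in self.state:
            return self.state[dst_port]
        if dst_port in self.forwards:
            return (self.forwards[dst_port], dst_port)
        if self.dmz is not None:
            return (self.dmz, dst_port)
        return None

    def map_port(self, requester: str, port: int) -> bool:
        """NAT-PMP style request: honoured only from hosts on this router's own
        LAN, which is why it can never reach past the first router."""
        if requester not in self.lan:
            return False
        self.forwards[port] = requester
        return True


def deliver(path, dst_port: int) -> Optional[Endpoint]:
    """Walk an unsolicited packet from the internet through the routers in
    path (outermost first); None means some router dropped it."""
    hop = None
    for router in path:
        hop = router.inbound(dst_port)
        if hop is None:
            return None
        dst_port = hop[1]
    return hop


def double_nat(apply_dmz_fix: bool) -> Optional[Endpoint]:
    """Lynda's setup: Mac -> own router -> ISP router -> internet (constructed IPs)."""
    outer = NatRouter("ISP router", "203.0.113.7", {"192.168.1.2"})
    inner = NatRouter("own router", "192.168.1.2", {"10.0.0.5"})  # step 1: fixed lease
    mac = "10.0.0.5"
    inner.map_port(mac, 5000)        # step 3: NAT-PMP on the inner router succeeds
    outer.map_port(mac, 5000)        # refused: the Mac is not on the outer router's LAN
    if apply_dmz_fix:
        outer.dmz = inner.wan_ip     # step 2: inner router is the outer router's DMZ
    return deliver([outer, inner], 5000)
```

Without the DMZ setting the packet is dropped at the ISP router; with it, the outer router hands the packet to the inner router, whose NAT-PMP-created forward delivers it to the Mac.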
CES Interview(s) from Allison
Security Medium – the FREAK vulnerability
In the 1990s the US government decided to classify encryption as munitions, banning the export of ‘strong’ cryptography. Because of this, US companies had to downgrade their encryption when connecting internationally, so a weaker cypher known as RSA-EXPORT was added to web servers and web browsers.
The law changed in the 2000s, but the code to support RSA-EXPORT hung around.
When RSA-EXPORT was created it was designed to be JUST beyond the cracking abilities of everyone but governments, while being feasible for cracking by governments in extremis. Computing power has moved on a lot since the 90s, so it is now crackable in a matter of hours by anyone who can afford to spend $100 on some Amazon cloud computing resources.
In theory, the presence of EXPORT in the supported cypher suite list on browsers and servers should not be a problem, because when a connection is negotiated, the strongest encryption supported by both end-points will be used, and normally that would never be a horribly weak cypher like EXPORT.
Of course you know there has to be a but, and there is. Researchers have now discovered that a man-in-the-middle (MITM) can manipulate the handshake between client and server to make each end think that it has no choice but to settle for EXPORT (only possible if both ends support EXPORT). Once the HTTPS connection has been downgraded to this intentionally weak cypher, the MITM can save a copy of the network packets for later off-line cracking on a computer, or on a cloud computing service like Amazon’s EC2.
In about 12 hours the attacker can crack the server’s private RSA key, and decrypt all the saved packets, revealing banking details, usernames and passwords, credit cards, and everything else that was sent over the supposedly secure connection.
What’s worse is that many web servers don’t rotate their RSA private keys very often (that requires heavy CPU usage), so once the key has been cracked, it can be used to intercept not just the communications with the original victim, but with others communicating with that same server over a downgraded HTTPS connection. You still have to downgrade all your victims, but you only have to do the hours-long cracking once per site!
Initial reports suggested that only Android, iOS & OS X were vulnerable, but these reports were incorrect. We now know that the built-in crypto libraries in Windows are affected too, as is OpenSSL.
The good news is that it takes two to tango!
This kind of attack is only possible if BOTH the browser being used by the victim, AND the server the victim is visiting support RSA-EXPORT. If either end has support for EXPORT removed or disabled, the attack cannot succeed.
This means that users can protect themselves by applying the browser updates as they come out, and website owners can protect all their visitors by disabling EXPORT on their web servers.
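The “takes two to tango” point can be seen in a simplified model of the handshake as the notes describe it: the attacker edits the client’s offered cypher list so only EXPORT suites remain, and the server picks from what it sees. This is an added illustration, not code from the researchers or from any TLS library, and the suite names are illustrative labels rather than exact IANA identifiers.

```python
# Added example, not from the show notes: a simplified model of the downgrade
# described above, to show why removing EXPORT at either end stops it.
EXPORT_SUITES = {"RSA_EXPORT_RC4_40_MD5", "RSA_EXPORT_DES40_CBC_SHA"}
STRONG_SUITES = ["ECDHE_RSA_AES128_GCM_SHA256", "RSA_AES128_CBC_SHA"]

# Preference-ordered lists, strongest first, for an unpatched and a patched end.
CLIENT_WITH_EXPORT = STRONG_SUITES + sorted(EXPORT_SUITES)   # old browser
CLIENT_PATCHED = list(STRONG_SUITES)                          # EXPORT removed
SERVER_WITH_EXPORT = set(STRONG_SUITES) | EXPORT_SUITES       # unhardened server
SERVER_HARDENED = set(STRONG_SUITES)                          # EXPORT disabled


def mitm_rewrite(client_hello):
    """The attacker's edit to the ClientHello: drop everything but EXPORT
    suites, so the server believes export-grade crypto is all the client has."""
    return [s for s in client_hello if s in EXPORT_SUITES]


def server_hello(client_hello, server_suites):
    """Server picks the first suite in the client's preference order that it
    also supports; None means no common suite, so the handshake aborts."""
    for suite in client_hello:
        if suite in server_suites:
            return suite
    return None


def handshake(client_suites, server_suites, attacker=False):
    """Run the (simplified) exchange and return (outcome, transcript)."""
    transcript = [("ClientHello", list(client_suites))]
    on_the_wire = list(client_suites)
    if attacker:
        on_the_wire = mitm_rewrite(on_the_wire)
        transcript.append(("MITM rewrites ClientHello", on_the_wire))
    chosen = server_hello(on_the_wire, server_suites)
    transcript.append(("ServerHello", chosen))
    if chosen is None:
        outcome = "handshake_failed"       # a visible failure, not a silent downgrade
    elif chosen in EXPORT_SUITES:
        outcome = "downgraded_to_export"   # traffic can be recorded and cracked offline
    else:
        outcome = "strong"
    return outcome, transcript


def takes_two_to_tango():
    """The four patch/no-patch combinations, all with an attacker present."""
    return {
        "both_support_export": handshake(CLIENT_WITH_EXPORT, SERVER_WITH_EXPORT, True)[0],
        "client_patched": handshake(CLIENT_PATCHED, SERVER_WITH_EXPORT, True)[0],
        "server_hardened": handshake(CLIENT_WITH_EXPORT, SERVER_HARDENED, True)[0],
        "both_fixed": handshake(CLIENT_PATCHED, SERVER_HARDENED, True)[0],
    }
```

Only the first combination ends in an EXPORT suite; in every other case the tampered handshake simply fails, which is the behaviour a patched browser or a hardened server gives you.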
Also – to provide a sense of scale, only about 36% of HTTPS-secured websites supported EXPORT before this story broke. That number is only going to go down, though it did initially include some very embarrassing famous sites like whitehouse.gov and nsa.gov!
As I write these show notes, Google has released a patch for the Chrome browser, and for Android (though when actual Android users will get it from their handset makers and carriers, who knows!). Microsoft have released an advisory with instructions for how to disable this cypher, but they are NOT for the faint-hearted, and probably useless to 99.9% of Windows users (technet.microsoft.com/…) – EDITORIAL: it’s a disgrace that MS think this advisory is acceptable; what is needed is a ‘fix it’ button that anyone can press, not instructions for using an obscure DOS command line tool! There is no fix yet from Apple, but there is one on the way, so when it comes out, patch your Mac and your iOS device.
That was just Security Medium; there are three weeks’ worth of Security Lite still to come, so let’s take a breather with a review of the game Zombies, Run! sent in by listener Sean.
Zombies Run Review
I would like to talk about the Zombies, Run! app for iPhone. I have used it since it first arrived in the App Store in 2012. It is part fitness game and part radio drama. The app starts a user off with 23 story missions that put you in the literal shoes of a first-person radio drama about Abel Township, a township in a post-apocalyptic world full of zombies. Every mission strings together a story that slowly unravels the causes of the apocalypse and the people still surviving in the world.
It measures your run data with either GPS for outdoors or the accelerometer for treadmills. It intersperses radio clips from your radio operator, Sam Yao, with your playlist of songs. A mission lasts between 30 to 60 minutes, depending on the mission and song lengths.
During a run, you will collect supplies and materials to help build your base. It is a SimCity-like interface that uses the supplies collected to add housing, farms, and more to help populate Abel Township.
A pretty cool feature is Zombie Chase Mode. If you have it turned on, every mile or so, a voice will tell you that zombies are approaching. You will hear the moan of zombies as you speed up your pace. If you do not speed up to 20% of your current pace in time, you will drop your supplies collected to distract the zombies. It is a very cool way to practice interval training during your run.
Currently, the app has expanded to three seasons of content with over 150 missions. It will help you stick to your running goals and provide a reason to run the next day. I highly recommend it.
The app costs $3.99 in the App Store, with each subsequent season costing $7.99. It sounds like a lot of money, but it provides hundreds of hours of content, similar to a television show.
Belt up – this is going to be a quick run through three whole eventful weeks of important security news!
- Ars are reporting that Lenovo are still selling laptops with Superfish installed – it seems they may have stopped installing it at their factories in December, but as of February, that change had not yet rippled through the supply chain. Also – their removal tool does not actually remove all of Superfish – it leaves the actual Superfish executable, and some related DLLs behind, though it does remove the dangerous SSL Cert – arstechnica.com/…
- As expected, the SSL-busting code that powers Superfish has been found in at least a dozen more apps – arstechnica.com/…
- Also as expected – researchers have found evidence of real-world attacks against the weak SSL certs that underpin Superfish, including MITM attacks against users visiting major sites like Gmail, Amazon, eBay, Twitter, and Gpg4Win (email encryption software) – arstechnica.com/…
- AV firm Lavasoft and certificate authority Comodo were found to be shipping software with Superfish-style SSL bypassing – arstechnica.com/…
Important Security Updates
- Mozilla release security updates for FireFox & Thunderbird – www.us-cert.gov/…
- RELATED – FireFox to require digital signing of plugins in the second half of 2015 – nakedsecurity.sophos.com/…
Important Security News
- The CIA &amp; GCHQ (their British counterparts) hacked into Gemalto, the world’s largest manufacturer of SIM cards, and stole the encryption keys for SIM cards, rendering the security on them useless against British and US government snooping. Gemalto are arguing that the hack was not that big, but most security researchers seem to be deeply sceptical of these claims – firstlook.org/…
- Oracle add adware into OS X Java installer – EDITORIAL: this is the final straw for me, I’ve always had a soft spot for Java (it was my first language), but I’m done with it now, Oracle have killed it with this kind of slimy tactic – www.zdnet.com/…
- There were a lot of bad headlines implying that there is a security flaw in Apple Pay, but the reality is a little more complicated – the problem is that fraudsters are succeeding in tricking banks into adding stolen cards into Apple Pay. Nothing is getting compromised via Apple Pay, it’s just that banks are failing to stop stolen cards being added to Apple Pay accounts – arstechnica.com/…
- D-Link have issued, and are about to issue, critical security updates for a number of their routers – if you own a D-Link router, you should read this – nakedsecurity.sophos.com/…
- Google have quietly dropped encryption-by-default from Android Lollipop – nakedsecurity.sophos.com/…
- Serious security shortcoming uncovered in the Venmo mobile payments service – nakedsecurity.sophos.com/…
- Uber accidentally publish the login details for a sensitive DB on GitHub – arstechnica.com/…
- Uber were not alone in accidentally publishing usernames and passwords on GitHUB – arstechnica.com/…
- Study shows that 9 out of 10 healthcare pages leak private data – nakedsecurity.sophos.com/…
- Another reason to change your router’s password – spam is now using default usernames and passwords as image URLs to trick you into hacking your own router by simply viewing an email – krebsonsecurity.com/…
- New app highlights weaknesses in WhatsApp by allowing users to track any WhatsApp user – nakedsecurity.sophos.com/…
- Twitter have released a new tool that should remove the need for organisations to share a Twitter username and password among a number of employees, making it easier to keep corporate Twitter accounts safe from hackers – nakedsecurity.sophos.com/…
- PSA for WordPress users – if you use the WP-Slimstat plugin, make sure you are up to date ASAP – arstechnica.com/…
- Credit Card Breach at Mandarin Oriental hotels – krebsonsecurity.com/…
- Natural Grocers investigating a card breach – krebsonsecurity.com/…
- Some more details on the Anthem breach, including some important advice to protect from phishing – Anthem has said that ALL communications about this breach will be via snail-mail, so ALL emails and ALL unsolicited phone calls claiming to relate to the breach are scams, so “don’t buy, don’t try, don’t reply” – nakedsecurity.sophos.com/…
- UK parking fine company PayMyPCN.net leaks 10,000 motorists names and addresses – nakedsecurity.sophos.com/…
- Two good reminders of why you might want to think twice before lashing out on social media:
- A Facebook post criticising his employer lands a US man in a Middle-eastern jail cell – nakedsecurity.sophos.com/…
- Former Red Sox pitcher Curt Schilling exposes the true identities of some Twitter trolls who attacked his daughter, resulting in some being fired and losing places on sporting teams – nakedsecurity.sophos.com/…
- A scathing review of Intuit’s security practices from Brian Krebs – if you use TurboTax, or any other Intuit product, you should probably read this – krebsonsecurity.com/…
- Ars Technica are also reporting security concerns around the practices of tax firm H&R Block – they do not verify client email addresses, which exposes their clients to unnecessary risks – arstechnica.com/…
- 9 facts about computer security that experts wish you knew – gizmodo.com/…
- Facebook to be sued by Native Americans over their discriminatory real-name policy – nakedsecurity.sophos.com/…
- Facebook working on new ways to reach out to the suicidal – nakedsecurity.sophos.com/…
- Facebook explains when and why it peeps at your account – nakedsecurity.sophos.com/…
- Millions stolen from banks through sophisticated malware – arstechnica.com/… & krebsonsecurity.com/…
- “the Equation group” – arstechnica.com/…
- The FTC has launched a pair of contests to stimulate research into technical solutions to the problem of robocalls – nakedsecurity.sophos.com/…
- Adobe have launched a new bounty-less bug hunt program – nakedsecurity.sophos.com/…
- Security researcher demonstrates a technique for compromising PCs that play Blu-rays, and standalone Blu-ray players, with a booby-trapped Blu-ray disc – arstechnica.com/…
Hey guys, do you miss me yet? I’m so grateful to Bart, Guy and Allister for taking the helm while I’m gone. Many years ago, the first time I handed off the tiller, I created a step by step tutorial on how I produce the show. It’s 26 pages long, and includes information on how I format the episodes, how to record in GarageBand, links to external resources like the Dumb Question Corner jingle by Victor Cajiao, how to log into my web server, and where to upload the audio episodes so they can be found by your favorite podcatcher. I took screenshots and added annotations and then some text around each set of images to explain why I was doing it that way.
Each year, before I go away, I dust off last year’s version and review it to see what’s changed. If there’s a significant interface change, I can retake the snapshots using the built in “switcheroo camera” that lets you simply replace an image, and adjust the annotations if necessary. Sometimes I’ve changed something fundamental and I have to rewrite a section but I don’t go through much pain at all to update the file.
This year I went through the 26 pages, made the edits, exported it to PDF and sent it off to the gentlemen who are caring for you while I’m away. I can’t say enough good things about how great Clarify is from clarify-it.com, and I think there’s no better way to illustrate that than to tell you it was an essential ingredient in how you got your podcast today.
CCATP with Bren Finan
I am typing this on an iPhone 4S on a crowded train, in Vesper by Q Branch. I have a heavy bag on my lap and another between my seat.
So score one for iOS productivity.
- Jobs’ cars vs trucks—I wanted to prove that I can get by with a car
- MacStories’ Federico Viticci showed that it was possible
- My Mac is broken anyway, and I can’t afford a new one
My Mac now functions mainly as a) backup and cloud storage, and b) an Apple TV, through which I stream iTunes media and, via AirDisplay, apps like Netflix and 4OD from my iPad.
Syncing isn’t a big issue as I’m mainly a one-device person. I do almost all my work on a 4th generation iPad. But when I need to sync, it tends to be app- and task-specific. That’s why I’m typing this in Vesper, and not in Notes or some other guff like that. I also sync my calendar with Fantastical, and rely on cross-device syncing developed in iOS 8. For example, I mostly send messages from iPad via continuity.
What (Apps and things mentioned in the show)
Workflow has become indispensable. My SMS workflow (and how proud I was of it).
Shorten URL. Cross-post. Textshot. Quotebook. Film to Day One. PDF from webpage. Annotate and delete. Urban Dictionary.
Drafts, and its workflows and extensions. For both teaching and writing.
Launch Center Pro to post to social media and make coffee(!)
ForScore (and why I want an iPad Pro)
And that brings us to the end of another NosillaCast – thanks again to everyone who sent in content, and do please remember to send in content for my fellow guest hosts Guy and Allister by emailing it to firstname.lastname@example.org
Should you want to hear more from me you’ll find my two podcasts over at lets-talk.ie. I do a monthly photography show on the art and craft of photography, and a monthly Apple show where we take a big-picture look at the month’s Apple news.
Thanks for listening, remember you can find show notes at www.podfeet.com, and until next time, happy computing!