#516 Travel Through the Lens of Technology, Touchnote for Postcards, TTT Part 30 of n SSHing More Securely

In this first episode back after being in the United Arab Emirates, India and Nepal for nearly a month, I tell you about the trip but through the lens of technology. Internet access limitations, planning tools, fun apps I used along the way, something for everyone. Check out Touchnote for Postcards for a fun way to send personalized cards on travel. In Chit Chat Across the Pond Bart takes us through Taming the Terminal Part 30 of n, SSHing More Securely.

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Monday March 30, 2015 and this is show number 516. Well it’s GREAT to be back! I am exhausted and a bit jet lagged but so happy to be home. We had a fantastic trip and it was such a treat to have THREE NosillaCasts to listen to from the guys. I know I thanked them in advance, but I think Bart, Guy, Gaz and Allister did such a great job.

I can listen to Bart any day of the week (that’s why I listen to ALL of his podcasts), and it was a treat to get to hear Bren talking about how he uses his iPad for his music work. Even though I don’t do any music stuff myself any more, it was still cool to hear about his progress away from paper. It was especially fun because we got to hang out with Bren when we were in Ireland with Bart a few years ago.

In spite of what Guy said on the show, I really enjoyed it. I would like to debate Gaz’s perspective on the Apple watch, and that’s what makes that kind of discussion fun. I have to admit that I did have that, “what was I thinking?” moment after asking Guy to host the show, but with Gaz as adult supervision…wait, was that even scarier?

And closing it out with Allister was perfect. As I’ve said many times, Allister could read me the phone book with that voice and I’d be happy! I learned a lot from Mike and Elaine too, really made me think a lot about good and bad training I’ve had over the years. I was most fascinated when she talked about training the clothing designers on CorelDRAW’s vector program and then finding out they really needed Photoshop training and just flipping over to that. Really shows her depth of knowledge and talent to be able to change a course on the fly like that. I hope you enjoyed the shows as much as I did. Thank you thank you thank you boys!

Blog Posts

UAE – India – Nepal International Travel Through the Lens of Technology

Touchnote for Postcards

Other Random Travel Tech Tidbits

Clarify

I have to admit something. Before I left, I was able to come up with three NEW examples of how I use Clarify to send to the boys for inclusion as ads in the show, but in the last four weeks, I didn’t do a single tutorial for ANYONE! Maybe it was the lack of Internet, maybe it was how much I was eating and drinking and watching rhinos and tigers. Maybe it was how relaxed and pampered I was, but I didn’t do anything to help anyone else with their computers or iOS devices. I think it’s the first time I’ve gone that long without using Clarify! I am certain that if it weren’t for Clarify, I wouldn’t do nearly as much to help others. I love it when I hear from you how you’ve used Clarify to take screenshots, annotate them and posted your tutorials to clarify-it.com so you only have to answer a question once. Keep those stories going, and if you don’t know what we’re talking about, go to Clarify-it.com yourself and give Clarify a free trial. Mac or Windows or both if you’re a slider who likes to help others. And be sure to tell them Allison sent you!

Chit Chat Across the Pond

Security Medium – a Bad Few Weeks for HTTPS/TLS:

Four news stories highlighted a range of problems with the Public Key Infrastructure (PKI) that we rely on for so much of our online security – the PKI gives us HTTPS to secure our browsing, as well as TLS to secure a variety of other internet-connected services including email.

Unfortunately in all these stories, there is very little end-users can do other than the vitally important task of keeping their software up to date. The bulk of the work to shore-up the rickety PKI has to fall on the IT industry broadly.

The first two stories revolve around RC4, the cryptographic cypher used to secure about a third of HTTPS/TLS traffic today. There have been theoretical attacks against this cypher for many years, but they have remained mostly theoretical: practical attacks were impractical to the point of being effectively impossible. The problem is that theoretical attacks only get better, and at two separate security conferences, two new and improved attacks against RC4 were released. These attacks are still not practical, but they are getting uncomfortably close to being so. It’s time for people who run websites and other TLS-secured services to phase out RC4. For now, this is not something end users need to worry about, just sysadmins, and it’s not yet an emergency. More detail: http://arstechnica.com/security/2015/03/noose-around-internets-tls-system-tightens-with-2-new-decryption-attacks/

The second two stories revolve around the procedures for issuing certificates. The two failures are very different, but the end result was the same: fraudulent certificates were issued for major websites.

The first certificate whoopsie came courtesy of Microsoft. From reading their statements you’d think the certificate authorities had messed up, but that’s not true, it was Microsoft themselves who messed up.

The problem revolved around DCV (domain control validation), the process certificate authorities use to verify that the person applying for the certificate really does own the domain they are applying for the certificate for. There are a few flavours of DCV, for example a CA (certificate authority) can request that the applicant add a randomly generated DNS record to their domain, or that they put a particular web page at a randomly generated file path on their domain. But the DCV method that caught Microsoft off-guard was email-based DCV. There is a small set of standard administrative email addresses that are used for DCV, including hostmaster@domain, and Microsoft failed to reserve that address in their mail offerings, allowing enterprising Microsoft Live users to add the email address hostmaster@some_microsoft_domains as aliases to their Microsoft Live accounts, and hence, to pass DCV, and hence to register certificates for Microsoft domains. The CAs did nothing wrong here, they followed DCV procedures to the letter, it is MS who messed up by not reserving all the standard DCV email addresses at all their domains. More Detail: http://arstechnica.com/security/2015/03/man-who-obtained-windows-live-cert-said-his-warnings-went-unanswered/
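The lesson from that story is that anyone running a mail platform on a domain needs to keep the standard DCV addresses out of users’ hands. The following is an added example, not code from the podcast or from the Ars Technica article: a small check, run by the domain owner, that a list of reserved addresses covers every local part a CA may use for email-based DCV. The show notes only name hostmaster@; the full list (admin, administrator, webmaster, hostmaster, postmaster) is the one in the CA/Browser Forum Baseline Requirements. The one-address-per-line format of the reserved list, the example.com domain and the demo data are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the podcast or the cited articles): check that a
# mail platform has reserved every address a CA may use for email-based DCV.
# The local parts come from the CA/Browser Forum Baseline Requirements; the
# reserved-list file format (one address per line) is an assumption.

DCV_LOCAL_PARTS="admin administrator webmaster hostmaster postmaster"

# missing_dcv_aliases DOMAIN RESERVED_FILE -> prints each DCV address at
# DOMAIN that does not appear in RESERVED_FILE (case-insensitive, whole
# line, fixed string).  Exit status 0 when nothing is missing, 1 otherwise.
missing_dcv_aliases() {
  domain="$1"; reserved="$2"
  missing=0
  for lp in $DCV_LOCAL_PARTS; do
    addr="$lp@$domain"
    if ! grep -qixF "$addr" "$reserved"; then
      echo "$addr"
      missing=1
    fi
  done
  return $missing
}

# demo_dcv -> constructed reserved list that forgot hostmaster@, the gap the
# Microsoft Live story describes; prints the addresses still unreserved.
demo_dcv() {
  f=$(mktemp "${TMPDIR:-/tmp}/dcv.XXXXXX") || return 1
  printf '%s\n' postmaster@example.com admin@example.com \
    Administrator@example.com webmaster@example.com > "$f"
  if missing=$(missing_dcv_aliases example.com "$f"); then
    echo "all DCV addresses reserved"
  else
    echo "$missing"
  fi
  rm -f "$f"
}

demo_dcv   # prints: hostmaster@example.com
```

Run it against the real alias export of each domain you own, not just the primary one; the story turned on secondary Microsoft domains that had been overlooked.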

The second problem was entirely the fault of a CA though. The Chinese CA China Internet Network Information Centre issued an intermediary cert to an Egyptian company that had the power to sign any certificate. They gave the certificate to the Egyptian company with the agreement that they would only use this cert to sign certs for domains they controlled, but the Egyptians broke that agreement, and signed certs for all sorts of domains, including Google domains. Chrome phones home whenever it meets a fraudulent Google cert, and so the whole story came out. More Detail: https://nakedsecurity.sophos.com/2015/03/26/serious-security-china-internet-network-information-center-in-tls-certificate-blunder/

Both of these sets of fraudulent certs were revoked through browser updates, hence the importance of keeping your browser up to date.

However, the real take-away for the industry is that they really need to figure out certificate revocation once and for all. At the moment, the system is a mess, and not at all effective. That needs fixing ASAP.

Security Light

Important Security Updates:

Important Security News

Notable Breaches and other Privacy-related Developments:

Suggested Reading

Main Topic – More SSHing

Before starting into Taming the Terminal Part 30 of N, I just want to acknowledge a great tip sent in by a listener/reader, Twitter user @adrianluff.

In part 29 I said that if you find you need to delete an SSH host key, you need to edit the file ~/.ssh/known_hosts with a text editor and delete the offending line. Adrian pointed out that you can use the ssh-keygen command to do this for you, so I’ve added that tip into Taming the Terminal Part 29 of N: https://www.bartbusschots.ie/s/2015/02/14/taming-the-terminal-part-29-of-n-intro-to-ssh/
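Here is Adrian’s tip worked through as an added example (it is not code from Bart’s article or from the podcast): the ssh-keygen -R option removes every entry for a host from a known_hosts file, which matters because it also handles hashed entries that you cannot find by eye in a text editor. The script assumes OpenSSH’s ssh-keygen is installed; when it is not, an awk fallback is used that only works on plain, unhashed lines. The known_hosts contents, host names and key blobs in the demo are constructed (the blob is a structurally valid but all-zero ed25519 key, not a real host key).

```shell
#!/bin/sh
# Added example, not Bart's or the podcast's own code: drop a stale or
# changed host key from a known_hosts file.  Assumes OpenSSH's ssh-keygen;
# without it an awk fallback handles plain (unhashed) entries only, because
# a hashed hostname cannot be matched as text.

# has_known_host FILE HOST -> exit status 0 when a plain entry for HOST exists.
# The host field is field 1, or field 2 on @cert-authority / @revoked lines;
# comments and blank lines are skipped.
has_known_host() {
  awk -v h="$2" '
    /^[ \t]*(#|$)/ { next }
    { f = ($1 ~ /^@/) ? 2 : 1
      n = split($f, hosts, ",")
      for (i = 1; i <= n; i++) if (hosts[i] == h) found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# remove_known_host FILE HOST -> deletes every entry for HOST from FILE.
# Write HOST as it appears in the file: "example.com", an IP address, or
# "[example.com]:2222" for a non-default port.
remove_known_host() {
  file="$1"; host="$2"
  if command -v ssh-keygen >/dev/null 2>&1; then
    # -R removes all keys for HOST (hashed or plain), -f selects the file;
    # ssh-keygen keeps a copy of the original as FILE.old.
    ssh-keygen -R "$host" -f "$file" >/dev/null 2>&1
  else
    # Fallback: rewrite the file without the lines that list HOST.
    awk -v h="$host" '
      /^[ \t]*(#|$)/ { print; next }
      { f = ($1 ~ /^@/) ? 2 : 1
        n = split($f, hosts, ","); keep = 1
        for (i = 1; i <= n; i++) if (hosts[i] == h) keep = 0
        if (keep) print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  fi
}

# demo_known_hosts -> builds a constructed known_hosts file, removes one host
# and returns 0 when that host is gone and the other entry survives.
demo_known_hosts() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/kh.XXXXXX") || return 1
  kh="$dir/known_hosts"
  # Constructed dummy key blob: valid ed25519 framing, all-zero key bytes.
  key='AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
  printf '%s\n' \
    "old.example.com,192.0.2.10 ssh-ed25519 $key" \
    "keep.example.com ssh-ed25519 $key" > "$kh"
  remove_known_host "$kh" old.example.com
  rc=1
  if ! has_known_host "$kh" old.example.com && has_known_host "$kh" keep.example.com; then
    rc=0
  fi
  rm -rf "$dir"
  return $rc
}

demo_known_hosts && echo "stale host key removed; other entries kept"
```

In day-to-day use the call is simply ssh-keygen -R hostname, which edits ~/.ssh/known_hosts in place and leaves a known_hosts.old backup; only do it once you have confirmed out of band that the server’s key really did change, since a surprise key change is exactly the warning SSH is there to give you.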

Now we are ready to move on into part 30 of N – adding more security and convenience through the use of SSH keys – https://www.bartbusschots.ie/s/2015/03/29/taming-the-terminal-part-30-of-n-sshing-more-securely/

That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at allison@podfeet.com, follow me on Twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.