#517 Politics Stopped My iPhone, Vert, TTT part 31 Secure File Copy with SSH

This week I was on the Daily Tech News Show with Tom Merritt at Daily Tech News Show and the SMR Podcast at smrpodcast.com. I tell the story of how Politics Stopped my iPhone, and then I give you a review of Vert from calumaa.com/vert. In Chit Chat Across the Pond Bart takes us through Taming the Terminal Part 31 of n: Securely Copying Files Across the Network over SSH.

mp3 download

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday April 5, 2015 and this is show number 517. Before we dig in, I wanted to warn the live audience that we will be recording this coming Saturday night instead of the normal Sunday night because Steve and I are going to the National Association of Broadcasters in Los Vegas. We’re really looking forward to it. We’ve never been before, but Chuck Joiner and Dave Hamilton convinced us that it’s a recording gadget love fest and we should go. Don McAllister is coming too – so we haven’t even had a chance to miss him since we were together for a month in India! Finally Joseph Nilo will be there. Not sure you’ve heard of him but he was one of the original four Mac Roundtable folks along with Tim Verpoorten, Adam Christianson and Steve Stanger. We’ve only met Joseph once at a Macworld so we’re really looking forward to seeing him again. If anyone listening will be at NAB, be sure to let us know. I would love to get a chance to say hi.

It’s been a busy week of appearances on other peoples’ shows. On April Fool’s Day Tom Merritt had me on the Daily Tech News Show. I’m SURE it wasn’t because it was April 1st. We had a bit of a twist on the news, not joking but instead of doing all the US-centric news, every tech story started outside of the US. In one case we started talking about smartphone penetration in Kenya but then realized that it’s better than in the US! The main discussion topic was about Microsoft’s increased efforts in accessibility. Check out the podcast at Daily Tech News Show and of course there’s a link in the shownotes.

Chris Ashley of the SMR Podcast asked Terrance Gaines (aka BrothaTech) and me to join him for Episode #250 since Robb and Rod were both out of town. We chatted a bunch about the new Macbook, more about Microsoft’s Accessibility Developer Hub, the new Surface 3 from Microsoft (and how Chris is going to buy one with only TWO GIGABYTES for his wife) and then the boys droned on about some music service from Jay Z. I’m not sure what that was about, I was editing photos while they talked about music. I COMPLETELY tuned them out. In any case we had a great time so you should go check it out at smrpodcast.com and look for Episode 250, The Dream Team.

I suspect this won’t be the last time I say this, but I forgot one tech story from the trip to India. Let’s back up a little bit first and I’ll give you some background on why this might be of interest to you.

Blog Posts

Politics Stopped My iPhone

Convert Just About Any Unit and Currency with Vert

Clarify

Last week (and next week) we did the live show on an off day. Normally that just means letting the audience know when to keep an eye out for the video on Google Plus but now that we’re also broadcasting on Alpha Geek Radio (alphageekradio.com) we have to make sure Todd Whitehead who runs it can accommodate our new time on our regular channel. I should back up a little bit. Alpha Geek Radio is a collection of all geek shows with multiple video and audio channels so you can basically fill your day with geeks. Last week we realized that we needed to switch from our normal channel 3 over to channel 1 for just that show. No big deal, but we’d never done it before.

When Todd first helped me get the NosillaCast into Alpha Geek Radio, he walked me through the instructions, so you know what I did, right? I whipped open Clarify and took screenshots as he walked me through it, and rapidly slapped in some notes as he explained what to fill in on the different tools to get this to work. After I got off the horn with him, I cleaned it up, drew arrows and boxes around stuff on the screenshots, fixed the typos, and published a tutorial for him to give to other people. While he was super happy I’d done that for him (and super interested in how Clarify worked), it turned out to be immensely useful to Steve and me when we moved the show. I opened up the document inside Evernote, and I was able to jump right to the settings I needed to change to accommodate broadcasting on Channel 1 instead of 3.

If you use Clarify to easily make fantastic tutorials you can a) help other people, b) get them to stop asking you over and over again how to do the same thing, and c) even help yourself if your memory is as bad as mine. Check out Clarify over at clarify-it.com and tell them who sent you! No, not Todd, ME!

Chit Chat Across the Pond

Security Medium – FireFox 37 and Opportunistic Encryption

Mozilla release FireFox 37 with a number of security fixes, and, some controversy.

IMPORTANT – DO INSTALL THIS UPDATE.

The controversy surrounds a technology that has been added to the HTTP2 spec called Opportunistic Encryption (known as OE). FireFox 37 turns this feature on by default, but some argue that remove pressure from website owners to do the right thing and move to HTTPS. FireFox say that poor encryption is better for FireFox users than no encryption, hence the decision to turn it on.

To understand why OE is controversial, lets start by reminding ourselves what good encryption gives us. HTTPS makes three security promises:

1) Confidentiality – a man in the middle cannot read the data we send

2) Integrity – the data sent is the same as the data received – it has not been tampered with in transit

3) Authenticity – the data really was sent by the site is appears to be coming from

Confidentiality and Integrity come directly from encryption and is relatively easy to achieve, the hard part is authenticity, and that’s why we need certificates and certificate authorities. The only thing they add to the mix is authenticity.

The problem is that authenticity is VITAL. Without authenticity you can have man-in-the-middle (MITM) attacks. If you remove authenticity then an attacker can inject themselves into a transaction undetected, and hence remove both confidentiality and integrity.

OE ONLY provides confidentiality and integrity. In effect, this means it ONLY provides protection from PASSIVE attackers. This is not useless, but is’t not actually that far off being useless. The danger would be in offering users a false sense of security, which is actually worse than no security at all.

The good news is that the FireFox UI will show OE connections are INSECURE, so users will not see a padlock, so not mistakenly think their connection is secured when it’s not. Because of this, I disagree with those criticising FireFox. Reporting a connection as insecure when it actually has a little security is a positive thing.

More: http://arstechnica.com/security/2015/04/new-firefox-version-says-might-as-well-to-encrypting-all-web-traffic/

Security Light

Important Security Updates:

• Mozilla patch FireFox and Thunderbird – https://www.us-cert.gov/ncas/current-activity/2015/03/31/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and

Important Security News:

• Google Chrome has banished the Chinese CA at the centre of a new story in last week’s show. This is the CA that issued a certificate with the power to sign other certificates to an Egyptian company on the condition they not abuse it (which they then did) – http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/
• The Dyre Wolf malware is successfully targeting business, using a clever blend of malware and social engineering to trick corporations into giving up bank details. The attack starts by using social engineering to trick victimins into installing a trojan. That trojan sits and waits until the victim tries to access their banking website. It then springs into action, intercepting the connection to the bank, and replacing the banking website with an error message asking the user to phone a number for help. Operators at that number then trick victims into giving them enough information to generate fraudulent wire transfers out of the company. – http://arstechnica.com/security/2015/04/dyre-wolf-malware-steals-more-than-1-million-bypasses-2fa-protection/
• The results of the TrueCrypt audit are good, and yet, bad. No catastrophic issues were found. Just a few minor bugs that could be easily fixed. But – the developers have abandoned the project, and the license forbids forking of the code, so there is no legal way to fix these bugs. – http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
• Google has done a clean-up of Chrome plugins, deleting plugins that inject ads into web pages. I think the big take-away here is that you should NOT trust plugins just because Google has them listed in their store. Google DO NOT vet their stuff remember, so Google App stores are quite the wild west. There is a sherif, but he only rides into town AFTER the damage is done! – https://nakedsecurity.sophos.com/2015/04/02/google-clamps-down-on-ad-injectors-after-100000-chrome-users-complained/
• The US Supreme Court has Unanimously asserted the GPS tracking counts as a search under the 4th amendment to the US constitution – https://nakedsecurity.sophos.com/2015/04/02/gps-tracking-counts-as-a-search-says-us-supreme-court/

Notable Breaches:

• Team Collaboration service Slack gets hacked, loses user DB, then implements 2FA – https://nakedsecurity.sophos.com/2015/03/30/slack-gets-hacked-rolls-out-two-factor-authentication-after-user-database-breach/

Suggested Reading

• Five Essential Security Tips for last-minutes US Tax Filers – http://www.intego.com/mac-security-blog/tax-security-tips-for-tax-filers/
• Google quickly patch a bug that would allow anyone to delete ANY YouTube video – http://www.intego.com/mac-security-blog/doomsday-flaw-gave-power-to-delete-everything-on-youtube/
• A report by Belgian universities raises serious questions about how FaceBook implements tracking opt-outs. They use a unique tracking cookie to track that you don’t want to be tracked! The Belgian Universities point out that this makes it possible to track everyone who ever interacts with a FaceBook site, including any site anywhere on the net with a FaceBook Like button, but FaceBook insist they are not doing anything wrong – http://www.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report & https://nakedsecurity.sophos.com/2015/04/01/facebook-hits-back-at-report-claiming-it-tracks-pretty-much-everyone/

Main Topic – Taming the Terminal Part 31 of n – Securely Copying Files Across the Network over SSH

https://www.bartbusschots.ie/s/2015/04/04/taming-the-terminal-part-31-of-n-ssh-file-transfers/

That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live normally on Sunday nights at 5pm Pacific Time (but this week on SATURDAY night_ and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.