All Mac friends – register for the MidwestMacBBQ.com and macstockconferenceandexpo.com on June 20th in Chicago! Donald Burr needs more beta testers for the new version of the NosillaCast Live app so send him your Apple ID email addresses. I feel all Dick Tracy using the Apple Watch to dictate messages and make phone calls. Two NAB interviews, the first about GoPro Studio for editing your GoPro videos from http://gopro.com, and the Audio-Technica System 10 – Camera-Mount Digital Wireless Microphone System from Audio Technica. Next up I answer the question, “How Well do 58,820 Photos do in iCloud Photo Library?” In Chit Chat Across the Pond Bart is back with Taming the Terminal Part 33 of n – SSH Bookmarks.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday April 26, 2015 and this is show number 520. Wow, was this a big week. I’ve got more to say about Photos and I got the Apple Watch and we have NAB interviews to play. The good news is that in spite of my best efforts to interrupt Bart, Chit Chat Across the Pond is a bit shorter this week so you won’t be listening for 12 hours like last week. You know I always worry about the show going too long but I have never once had a complaint about it. I figure if it’s too long, you just stop and start up the next week. That’s what I do anyway! We’d better dig in if I’m going to keep my promise, right?
Midwest Mac BBQ and Macstock
When Macworld was cancelled it left many of us very sad. Luckily Barry Fulk decided to do something to get us a place to go to enjoy our community. He’s throwing a barbecue…for all of the Mac fans who can get themselves to Chicago on June 20th. I’m not joking, and perhaps he’s crazy but he’s really doing this. Then another crazy person, Mike Potter from For Mac Eyes Only decided that it would be even MORE fun if we had a Mac conference to go to the morning of the 20th, so he started a thing he’s calling Macstock Conference & Expo. It’s apply named because it’s in Woodstock, Illinois, about an hour away from Barry’s house.
Mike asked me if I’d like to give a tech talk at Macstock and you know how I love to do that so of course I said yes! Also speaking are Mike himself, Erik Erickson from For Mac Eyes Only, Chuck Joiner of Mac Voices, Julie Kuehl of SciFi Tech Talk, and Guy Serle of MyMac.com.
If this sounds fun to you, go to MidwestMacBBQ.com to sign up for the barbecue and find out about the hotel block Barry has for us nearby and then head over to macstockconferenceandexpo.com to register for Macstock. I hope to see a lot of you there, even Don McAllister is flying over from
Call for Beta Testers
Donald Burr, creator of the original NosillaCast Live app for iOS has been slaving away on a new version for iOS 8. I’m a big believer in incentives so I’ve bribed him by offering to pay for his Apple developer fee for the next year IF he gets the app submitted to the App Store by May 20th.
If he’s to make that goal, he needs your help. He’s reactivating the Nosillacastaway Beta Test Network and needs more people to join in the fun. He especially needs people with older iPhones (5s and below) and iPads (both full size and Mini) because he doesn’t have those devices on which to test himself. If you’d like to join in the fun, please send him an email at firstname.lastname@example.org from your Apple ID email address.
I do want to mention that when the app goes live, all proceeds go to Donald’s coffers as he’s the one doing all of the work on this!
You know I’m a huge fan of Audio Hijack 3, enough that I did a screencast of how to use it for ScreenCasts Online. The best part about it is how easy it is to experiment and try new things. I was recording Chit Chat Across the Pond with Bart a couple weeks ago and as often happens, I asked him to turn his input volume down because he’s so much louder than me when I crank my gain all the way up. He complains when I ask this because the same input volume is perfect when he records HIS shows and he doesn’t want to mess it up on his end.
And then he had a great idea – he suggested I drop in a Balance block into Audio Hijack and shift the balance away from him and towards me. I’d never used Balance before in Audio Hijack but I dropped it in, moved the slider back and forth, did a test recording and it worked perfectly! Now what do you think I did next? I whipped open Clarify where I had quickly documented the setup I’d created to record Chit Chat Across the Pond, replaced the screenshots with new ones showing the balance block and how I had it set. I slid a few things around to make it pretty and type in a single line explaining to myself why I had put in the balance block too. Then I hit the Evernote button to put it right back in my database of tutorials and I was done. Boom. Clarify is always there for me to help me remember things I’d easily forget. Even if you never want to help ANYBODY else, I’d recommend checking out Clarify just for yourself. Head over to clarify-it.com and give the free trial a spin. Tell them I sent you!
Chit Chat Across the Pond
Security Medium – A Bad Week for Mobile Security
A Linux & Android WPA Bug (that might affect some Windows users too ):
We all know WEP is fundamentally flawed, and hence utterly unsafe to use. Hence, most wifi is now using a variant of WPA. No fundamental flaws have been discovered in WPA (yet), but, this week a nasty bug has been found in an open source WPA library called wpa_supplicant – http://en.wikipedia.org/wiki/Wpa_supplicant.
The library is most commonly used on open source OSes like Linux and BSD, but there is a Windows version too, which may be bundled into networking software or device driver people may have installed. The most notable affected OS is Android.
The bug is a buffer overflow in the code that processes the name of ad-hock wireless networks. This means that versions of wpa_supplicant that don’t support peer-to-peer networking are not affected. Unfortunately, Android does support P2P wifi, so it is affected. The bug could be used to read data from memory on the affected device, crash the affected device, or, execute arbitrary code on the device.
If you have any Linux or Android devices that support WPA, or are using a 3rd party wifi driver or wifi client on Windows, keep an eye out for security updates, and apply then promptly!
No iOS Zone
A totally un-related wifi bug has also been found in iOS, which has been given the cutesy name “No iOS Zone”. An attacker can send an iOS device into an infinite reboot loop by tricking the user into connecting to a wifi network secured with a maliciously crafted TLS certificate. The bug was introduced with iOS 8, so does not affect older versions of iOS (which you should not be using because they are known to be unmatched against hundreds of security bugs).
There is no patch yet, but the researchers have reported their findings to Apple, and are practicing responsible disclosure, and not explaining how the exploit works until Apple have had time to get a fix out. The researchers also say that while iOS 8.3 is still vulnerable, it is actually a little less vulnerable than older versions of iOS, so they recommend updating to that version ASAP.
2 Separate HTTPS Bugs in iOS Apps
Earlier this week it was reported that about 1,500 iOS apps are using an older version of the 3rd party HTTPS library AFNetworking with a known security bug. These were mostly smaller apps, the most noteworthy probably being Citrix OpenVoice Audio Conferencing. The only fix is for the developers to update their affected apps with more recent versions of the library (or to re-write their apps to use the OS’s native libraries ). Affected apps are vulnerable to Man-in-the-middle (MITM) attacks.
Later in the week a different HTTPS bug, also in AFNetworking, was discovered leaving about 25,000 iOS apps vulnerable to MITM attacks. In this case all versions of AFNetworking before the just-released version 2.5.3 are vulnerable. Again, the fix is for developers to update their app to use the latest version of AFNetworking (or to use iOS’s native libraries).
Apart from installing all app updates as they come out, the only thing users can do is check if any app they are concerned about is affected by either of these bugs using a handy search utility created by the security researchers who reported these problems: http://searchlight.sourcedna.com/
A Little Digital Sorbet to cleanse the pallet:
John Oliver takes on patents – https://www.youtube.com/watch?v=3bxcc3SM_KA
John Oliver with Edward Snowden – Last Week Tonight with John Oliver: Government Surveillance (HBO)
Important Security Updates:
- Mozilla have released an update to FireFox to fix a remote code execution bug – if you use FireFox, let it update itself to 37.0.2 ASAP! – https://www.us-cert.gov/ncas/current-activity/2015/04/21/Mozilla-Releases-Security-Update-Firefox
Important Security News:
- Apple’s attempt to patch RootPipe has not worked – a new way has been found to exploit the bug, though it has not been released to the public (responsible disclosure) – keep an eye out for another patch from Apple, hopefully soon, and in the mean time, consider not running as an admin – http://www.intego.com/mac-security-blog/os-x-yosemite-still-vulnerable-to-rootpipe-attacks/
- Twitter-bashing must be fun, because the internet exploded with hyperbole over Twitter’s new option to allow anyone DM you. Just to be clear, IT IS OFF BY DEFAULT, so there is nothing to worry about – http://www.macobserver.com/tmo/article/twitters-new-dm-everyone-sucks-but-its-off-by-default
- Twitter announces a new algorithm that could block make abusive tweets before the recipient sees them. The algorithm is supposed to hide abusive @mentions from people you don’t follow, and will not hide tweets from those you do follow. If the targeted user goes to the sender’s stream, they will still see the tweets – https://nakedsecurity.sophos.com/2015/04/22/twitters-new-anti-abuse-filter-hides-harassing-tweets-from-your-mentions/
- PSA for WordPress users (AGAIN!): Over a dozen wordpress plugins have been patched to fix dangerous Cross Site Scripting bugs that could allow an attacker to take over a WordPress instance by allowing them to steal login cookies, and insert malicious code into the suite. The plugins affected include high-profile ones like JetPack. If you run WordPress, make sure it, and all your plugins and themes, are up to date – http://arstechnica.com/security/2015/04/swarm-of-wordpress-plugins-susceptible-to-potentially-dangerous-exploits/ (WordPress itself also got an important security update – https://www.us-cert.gov/ncas/current-activity/2015/04/23/WordPress-Releases-Security-Update)
- PSA for D-Link router users – keep an eye out for a security update for your router, as D-Link scramble to fix a critical security bug in the firmware of many of their routers – https://nakedsecurity.sophos.com/2015/04/21/d-link-router-user-keep-your-ears-and-eyes-open-for-the-next-firmware-fixes/
- PSA for users of the popular Magento e-commerce system owned by E-Bay – update your sites ASAP – a critical bug was patched in February, but almost 100,000 e-commerce sites remain vulnerable – http://arstechnica.com/security/2015/04/potent-in-the-wild-exploits-imperil-customers-of-100000-e-commerce-sites/
- Costa Coffee Club – https://nakedsecurity.sophos.com/2015/04/22/costa-coffee-club-warns-of-possible-database-intrusion/
- A German court finds that AddBlock Plus is legal – https://nakedsecurity.sophos.com/2015/04/23/adblock-plus-is-legal-rules-german-court/
- Two Interesting Op-eds on Ars Technica – one in against TOR routers, and one for – http://arstechnica.com/security/2015/04/op-ed-why-the-entire-premise-of-tor-enabled-routers-is-ridiculous/ & http://arstechnica.com/security/2015/04/op-ed-in-defense-of-tor-routers/
- Microsoft announce an up-coming enhancement to their cloud offerings called ‘lock box’, the promise is that MS will never access your data without your permission, even in response to law enforcement requests (editorial – I’m DEEPLY sceptical on that last point) – http://arstechnica.com/information-technology/2015/04/microsofts-office-365-lockbox-gives-customers-last-word-on-data-access/
- A device that detects rogue Cellular towers, including Sting Rays was demoed at the RSA conference this week – http://arstechnica.com/information-technology/2015/04/this-machine-catches-stingrays-pwnie-express-demos-cellular-threat-detector/
- The US FTC have sanctioned phone location tracking company Nomi Technologies for not allowing customers to opt-out – https://nakedsecurity.sophos.com/2015/04/24/ftc-sanctions-phone-location-tracking-company-for-not-allowing-customer-opt-out/
- Aaron’s Law (an attempt at long-overdue reform of the US’s Computer Fraud and Abuses Act) back in congress in the US – https://nakedsecurity.sophos.com/2015/04/23/aarons-law-back-in-congress-to-bring-long-overdue-fix-of-us-hacking-law/
Another Little Digital Sorbet – 25 Years of Hubble
“Pillars of Creation”, Hubble’s most famous image, explained – http://www.vox.com/2015/4/24/8482327/pillars-of-creation-hubble
Hubble Invisible Universe Revealed: http://video.pbs.org/video/2365472415/
Main Topic – Taming the Terminal Part 33 of n – SSH Bookmarks
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at email@example.com, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.