#524 iPhone Screen Replacement, Boinx TV 2, How Hard is Screencasting, Contour RollerMouse Red, What Mac Laptop Should You Get, Crypt::HSXKPasswd

Honda Bob and I replace the screens on two iPhone 5s, Interview with Boinx Software’s Sebastian Wölfe about Boinx TV 2. I answer the question, “How hard can screencasting be?” Interview with Contour Design about their ergonomic input device, Contour RollerMouse Red. I answer the question of what Mac laptop people should get. In the Clarify ad I explain how to restore three finger drag on the new 12″ Macbook. In Chit Chat Across the Pond, Bart explains how he’s formalizing the code for xkpasswd.net so you can install it on your Mac or PC or Linux box to create secure, memorable passwords locally but to your own specifications. It’s a teaser episode, in our next installment we’ll actually get to play with it.

mp3 download

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday May 24, 2015 and this is show number 524. Today we passed the 500 mark in our podfeet.com/googleplus community! I put out the call at 499 to see if I could catch who pushed us over 500. 2 people did it right away, one of them was Gary Benny but the other person didn’t identify themselves. I’d like to congratulate them both for joining an awesome community of really smart people helping each other out there. Go check it out yourself!

Blog Posts

Honda Mechanic Repairs a Cracked iPhone Screen

Teaser of Boinx TV 2

How Hard Can Screencasting Be?

Contour Design’s Ergonomic RollerMouse Red and Red Plus

Search How to Choose a Mac Laptop


I’m a pretty big fan of gestures on the Mac. I’m not a crazy person about it but there’s a few on which I depend constantly. I can’t stand hard clicking a trackpad, and I love to use three fingers to drag a window around. One of the very first things I do when I’m on a new Mac is to enable tap to click and three finger drag in System Preferences, Trackpad, Point & Click. Imagine my dismay when I went to that preference pane on my new 12″ Macbook only to find that three finger drag was GONE. I went off to the Googles, and buried in an Apple, deep rich explained that it’s still there but for some reason Apple decided to bury it in the accessibility preference pane. And by bury it, I mean SIX levels deep! I’m reasonably good at following text explanations but I decided this was just crying out for a Clarify document!

Using Clarify’s built-in screenshot tool on my MacBook Pro, I showed where the three finger drag USED to be. I saved the Clarify document into Everynote, which did the sync to the cloud dance in a couple of seconds. I opened Evernote on my Macbook, and pulled up the Clarify document. Then I took the rest of the screenshots showing how it’s missing on the Macbook but then walking through the six levels of Inception to reveal the toggle for three finger drag. I typed in explanations on each step, changed the titles of the steps to be clever and entertaining and then posted the document to the Tutorials over on Podfeet.com. As always this will be useful to others searching now, and will help me when I completely forget how to do this next time!


If you need to/want to/have to make instructions for yourself and others, get a free trial of Clarify over at clarify-it.com.

Chit Chat Across the Pond

Ireland Made History this Weekend

On Friday, Ireland held a referendum to alter the constitution to remove the gender requirements for marriage. As we record this on Saturday, the results are almost all in, and while the exact percentage is not certain, it is now impossible for the result to change – Ireland voted YES, by a lot!

There are now 21 countries where marriage equality exists nationally, and Ireland is the first on the world to legalise it by referendum (plebiscite). The stereotypical view of Ireland was that it would pass in the cities, and fail in rural areas, but since more people live in the cities, it would pass overall. The great news is that the stereotype is wrong – it is passing in the city and in the country. As we record the results are in for 40 of the 43 constituencies, and it is 39 YES, one NO, and that No was by a vote of 49% to 51%. The map really is almost all green! http://www.rte.ie/news/results/2015/referendum/ssm/

What really surprised me was the positive energy around the yes campaign – there was a positive party atmosphere as everyone young and old spoke up for equal rights. If you want to go a bit teary-eyed, check out the hashtag #hometovote on Twitter – it was posted by people travelling home to Ireland from all over the world to take part in this historic vote. What you see is happy smiley faces with rainbow coloured balloon on boats, and planes, busses and trains – really heart-warming stuff! Also – the final turnout numbers are not in yet, but it is looking like being if not the highest ever turnout for a referendum, then the highest for many decades.

Security Medium – (AKA – why there is no need to set your hair on fire)

Apple Watch

The internet lost it’s collective mind over the fact that Apple Watches do not provide security features above and beyond any other watch that exists today.

All this hooha was triggered by that fact that you can factory reset an Apple Watch, and hence steal and sell them. This means than an Apple Watch is the same as every other fancy watch in the planet.

The actual story here is one of good news – the Apple Watch protects your data when stolen, resetting the watch destroys your data.

In an ideal world it would be nice if the Apple Watch went above and beyond what other watches do, and provided some kind of activation lock feature, but, that’s not actually easy to do on a device like the Apple Watch that can’t contact the internet without it’s paired iPhone. I think John Gruber gets to the nub of the issue: http://daringfireball.net/linked/2015/05/15/apple-watch-support

Another story that has some more validity to it is a report that it is theoretically possible to abuse the 1-second loss of skin contact that the watch will accept to steal someone’s watch, get your finger on the sensors, and then use their Apple Pay. If the watch loses contact with skin for any more than a second, it will lock, so this is by no means easy. The only sensible take-away from this is that if you watch it stolen, you should use the Watch app to un-couple your cards ASAP, just to be sure to be sure – https://nakedsecurity.sophos.com/2015/05/21/apple-watch-lets-nimble-fingered-crooks-use-your-apple-pay/


A bug has been found in the open source virtualisation library called QEMU, which is at the heart of a lot of virtualisation products, including XEN, KVM (and hence RHEVM) and Virtual Box. The bug is in QEMU’s virtual floppy disk controller. It allows someone with root access on one VM to break out of the VM, and attack the hypervisor that manages the VMs, and hence, attack other VMs. This is called a VM break-out. You might that that because the bug is in the FDD controller, it would only be exploitable on VMs with a virtual floppy attached (i.e. almost no VMs), unfortunately the code is always loaded, and it can be exploited on VMs without virtual FDDs attached.

The media have hyped this one to spectacular degrees, but, there are no attacks in the wild yet, and the attack surface is smaller than you might think at first glance. If you are a home user who use VMs, you could only use this vulnerability to attack yourself! If you are a large organisation with your own data centres, you could also only use this to attack yourself. The danger zone is the half-way house between those two – people who buy the use of VMs from cloud providers and/or hosting providers.

The good news is that there are patches available, and there are no reports yet of attacks in the wild.

It’s important that cloud providers install these patches promptly, and if you have a cloud VM you might want to drop your provider an email asking what they are doing about Venom, but there really is no reason for folks to panic about this bug.

More: https://nakedsecurity.sophos.com/2015/05/14/the-venom-virtual-machine-escape-bug-what-you-need-to-know/


This story is very easy to misunderstand, because it’s a tale of two parts, and the media are not doing a great job of explaining the subtlety.

Lets start wit the obvious – the 1990s-era export variant of the Diffie-Helman key exchange algorithm is not secure. Like all the export cyphers, it was designed to be just about crackable in 1995, 20 years have passed, so its not surprising it’s now easily crackable by anyone. The solution here is simple, remove support for all export cyphers from web server configurations and browsers. If you’ve getting a sense of deja-vu, you’ve been paying attention 🙂 Only a few weeks ago another one of the old export cyphers was discovered to be causing some serious problems, and the advice then was to remove all export cyphers, so we were very much prepared for this one.

It’s the second part of the story that’s more important, and seems to be getting less coverage. The export key length was 512 bits. The standard has been 1024 bits for some time now. The research also found that 1024 bits is probably not enough to provide protection from state-level actors any more. As a result, the advice now is to switch to 2048 bits. Basically, sysadmins have some work to do. One fly in the ointment for some sysadmins is that Apache 2.2, which is still used widely, can’t do 2048 bit Diffie-Helman. This means that some servers are going to need to be upgraded before they can be secured.

Bear in mind that upgrading to 2048 is only needed to protect traffic from government-level attackers, so a few weeks or even months delay is not a big deal.

The fabulous SSL tester at www.ssllabs.com has been updated to cap the grade of any server with 1024bit DH at a B, so anyone who cares about their SSL config will be pushed into upgrading ASAP.

More details: https://nakedsecurity.sophos.com/2015/05/21/anatomy-of-a-logjam-another-tls-vulnerability-and-what-to-do-about-it/

Security Light

Important Updates

Important Security News

Noteable Breaches

Suggested Reading

Main Topic – XKPasswd.pm becomes Crypt::HSXKPasswd

Why XKPasswd.pm needed to become Crypt::HSXKPasswd, and what had changed other than the name. We then talked about how to install it, and I walked Allison through the installation process. The following two blog posts related to what we talked about:

That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – like Gary Benny did! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.

4 thoughts on “#524 iPhone Screen Replacement, Boinx TV 2, How Hard is Screencasting, Contour RollerMouse Red, What Mac Laptop Should You Get, Crypt::HSXKPasswd

  1. Bob - May 25, 2015

    “Interview with Contour Design about their economic input device, Contour RollerMouse Red.”

    First, the smart aleck speaks: I want an economic input device. It can input lots of money to my bank account… right?

    Seriously: Try “ergonomic”. It’s not cheap, but my partner Mabel says it’s the best she’s found for avoiding repetitive strain injuries (carpal tunnel syndrome and such). I’ve tried it but found a trackball I liked better.

  2. Allison Sheridan - May 25, 2015

    I get it, Bob, it IS expensive but the expense of surgery and physical therapy and the pain might be worth it.

    When you say, “try ergonomic” do you mean Mabel likes the Contour RollerMouse Red?

  3. Bob - May 25, 2015

    Allison, no, I meant that “ergonomic” would have made more sense than “economic” in the sentence I quoted from the top of this page. Was “economic” an auto-correct?

  4. podfeet - May 25, 2015

    D’oh! Thanks Bob – fixed now!

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top