Honda Bob and I replace the screens on two iPhone 5s. Interview with Boinx Software’s Sebastian Wölfe about Boinx TV 2. I answer the question, “How hard can screencasting be?” Interview with Contour Design about their ergonomic input device, the Contour RollerMouse Red. I answer the question of what Mac laptop people should get. In the Clarify ad I explain how to restore three finger drag on the new 12″ Macbook. In Chit Chat Across the Pond, Bart explains how he’s formalizing the code for xkpasswd.net so you can install it on your Mac, PC or Linux box to create secure, memorable passwords locally, but to your own specifications. It’s a teaser episode; in our next installment we’ll actually get to play with it.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday May 24, 2015 and this is show number 524. Today we passed the 500 mark in our podfeet.com/googleplus community! I put out the call at 499 to see if I could catch who pushed us over 500. 2 people did it right away, one of them was Gary Benny but the other person didn’t identify themselves. I’d like to congratulate them both for joining an awesome community of really smart people helping each other out there. Go check it out yourself!
I’m a pretty big fan of gestures on the Mac. I’m not a crazy person about it, but there are a few on which I depend constantly. I can’t stand hard clicking a trackpad, and I love to use three fingers to drag a window around. One of the very first things I do when I’m on a new Mac is to enable tap to click and three finger drag in System Preferences, Trackpad, Point & Click. Imagine my dismay when I went to that preference pane on my new 12″ Macbook only to find that three finger drag was GONE. I went off to the Googles, and buried in an Apple, deep rich explained that it’s still there but for some reason Apple decided to bury it in the Accessibility preference pane. And by bury it, I mean SIX levels deep! I’m reasonably good at following text explanations, but I decided this was just crying out for a Clarify document!
Using Clarify’s built-in screenshot tool on my MacBook Pro, I showed where the three finger drag USED to be. I saved the Clarify document into Evernote, which did the sync to the cloud dance in a couple of seconds. I opened Evernote on my Macbook and pulled up the Clarify document. Then I took the rest of the screenshots, showing how it’s missing on the Macbook and then walking through the six levels of Inception to reveal the toggle for three finger drag. I typed in explanations on each step, changed the titles of the steps to be clever and entertaining, and then posted the document to the Tutorials over on Podfeet.com. As always this will be useful to others searching now, and will help me when I completely forget how to do this next time!
If you need to/want to/have to make instructions for yourself and others, get a free trial of Clarify over at clarify-it.com.
Chit Chat Across the Pond
Ireland Made History this Weekend
On Friday, Ireland held a referendum to alter the constitution to remove the gender requirements for marriage. As we record this on Saturday, the results are almost all in, and while the exact percentage is not certain, it is now impossible for the result to change – Ireland voted YES, by a lot!
There are now 21 countries where marriage equality exists nationally, and Ireland is the first in the world to legalise it by referendum (plebiscite). The stereotypical view of Ireland was that it would pass in the cities and fail in rural areas, but since more people live in the cities, it would pass overall. The great news is that the stereotype is wrong – it is passing in the city and in the country. As we record, the results are in for 40 of the 43 constituencies, and it is 39 YES, one NO, and that No was by a vote of 49% to 51%. The map really is almost all green! http://www.rte.ie/news/results/2015/referendum/ssm/
What really surprised me was the positive energy around the yes campaign – there was a positive party atmosphere as everyone, young and old, spoke up for equal rights. If you want to go a bit teary-eyed, check out the hashtag #hometovote on Twitter – it was posted by people travelling home to Ireland from all over the world to take part in this historic vote. What you see is happy smiley faces with rainbow coloured balloons on boats, planes, buses and trains – really heart-warming stuff! Also – the final turnout numbers are not in yet, but it looks like being, if not the highest ever turnout for a referendum, then the highest for many decades.
Security Medium – (AKA – why there is no need to set your hair on fire)
The internet lost its collective mind over the fact that Apple Watches do not provide security features above and beyond any other watch that exists today.
All this hooha was triggered by the fact that you can factory reset an Apple Watch, and hence steal and sell them. This means that an Apple Watch is the same as every other fancy watch on the planet.
The actual story here is one of good news – the Apple Watch protects your data when stolen, because resetting the watch destroys your data.
In an ideal world it would be nice if the Apple Watch went above and beyond what other watches do and provided some kind of activation lock feature, but that’s not actually easy to do on a device like the Apple Watch, which can’t contact the internet without its paired iPhone. I think John Gruber gets to the nub of the issue: http://daringfireball.net/linked/2015/05/15/apple-watch-support
Another story that has some more validity to it is a report that it is theoretically possible to abuse the 1-second loss of skin contact that the watch will accept to steal someone’s watch, get your finger on the sensors, and then use their Apple Pay. If the watch loses contact with skin for any more than a second, it will lock, so this is by no means easy. The only sensible take-away from this is that if your watch is stolen, you should use the Watch app to un-couple your cards ASAP, just to be sure to be sure – https://nakedsecurity.sophos.com/2015/05/21/apple-watch-lets-nimble-fingered-crooks-use-your-apple-pay/
A bug has been found in the open source virtualisation library called QEMU, which is at the heart of a lot of virtualisation products, including Xen, KVM (and hence RHEVM) and VirtualBox. The bug is in QEMU’s virtual floppy disk controller. It allows someone with root access on one VM to break out of the VM and attack the hypervisor that manages the VMs, and hence attack other VMs. This is called a VM break-out. You might think that because the bug is in the FDD controller it would only be exploitable on VMs with a virtual floppy attached (i.e. almost no VMs); unfortunately the code is always loaded, and it can be exploited on VMs without virtual FDDs attached.
The media have hyped this one to spectacular degrees, but there are no attacks in the wild yet, and the attack surface is smaller than you might think at first glance. If you are a home user who uses VMs, you could only use this vulnerability to attack yourself! If you are a large organisation with your own data centres, you could also only use this to attack yourself. The danger zone is the half-way house between those two – people who buy the use of VMs from cloud providers and/or hosting providers.
The good news is that there are patches available, and there are no reports yet of attacks in the wild.
It’s important that cloud providers install these patches promptly, and if you have a cloud VM you might want to drop your provider an email asking what they are doing about Venom, but there really is no reason for folks to panic about this bug.
This story is very easy to misunderstand, because it’s a tale of two parts, and the media are not doing a great job of explaining the subtlety.
Let’s start with the obvious – the 1990s-era export variant of the Diffie-Hellman key exchange algorithm is not secure. Like all the export cyphers, it was designed to be just about crackable in 1995; 20 years have passed, so it’s not surprising it’s now easily crackable by anyone. The solution here is simple: remove support for all export cyphers from web server configurations and browsers. If you’re getting a sense of deja-vu, you’ve been paying attention 🙂 Only a few weeks ago another one of the old export cyphers was discovered to be causing some serious problems, and the advice then was to remove all export cyphers, so we were very much prepared for this one.
It’s the second part of the story that’s more important, and it seems to be getting less coverage. The export key length was 512 bits. The standard has been 1024 bits for some time now. The research also found that 1024 bits is probably not enough to provide protection from state-level actors any more. As a result, the advice now is to switch to 2048 bits. Basically, sysadmins have some work to do. One fly in the ointment for some sysadmins is that Apache 2.2, which is still widely used, can’t do 2048-bit Diffie-Hellman. This means that some servers are going to need to be upgraded before they can be secured.
Bear in mind that upgrading to 2048 is only needed to protect traffic from government-level attackers, so a few weeks or even months delay is not a big deal.
The fabulous SSL tester at www.ssllabs.com has been updated to cap the grade of any server with 1024-bit DH at a B, so anyone who cares about their SSL config will be pushed into upgrading ASAP.
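The quickest way to see where a given server stands is to look at the size of the prime in its DH parameter file. This is an added example (my code, not Bart’s and not from the show) that builds a PEM “DH PARAMETERS” block from the well-known 1024-bit RFC 2409 group 2 prime, parses it back with a minimal DER reader, and grades the group size using the thresholds above.

```python
import base64

# RFC 2409 "Second Oakley Group", a well-known 1024-bit MODP prime (generator 2),
# used as sample input: a shared 1024-bit group of the kind Logjam targets.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def _der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):  # DER INTEGER; prepend 0x00 so a set top bit is not read as negative
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def dh_params_pem(p, g=2):  # PKCS#3 DHParameter: SEQUENCE { p INTEGER, g INTEGER }
    der = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(der)) + der
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % lines

def _read_tlv(buf, pos):  # minimal DER tag/length/value reader, returns (tag, value)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length]

def dh_prime_bits(pem):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' file (the openssl dhparam layout)."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq = _read_tlv(base64.b64decode(body), 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, p_bytes = _read_tlv(seq, 0)
    assert tag == 0x02, "expected INTEGER p"
    return int.from_bytes(p_bytes, "big").bit_length()

def assess(bits):  # verdict on a DH group size, following the advice in this segment
    if bits < 1024:
        return "export-grade: remove it"
    if bits < 2048:
        return "1024-bit: SSL Labs caps this at a B, move to 2048"
    return "2048-bit or larger: fine"
```

The same `dh_prime_bits` function accepts a file written by `openssl dhparam`, so it can check the parameter file your own server actually loads.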
- Patch Tuesday has been and gone since the last Security Lite, including updates to Flash, Acrobat, Reader and AIR from Adobe, and Windows, Silverlight, .NET and Office from Microsoft (http://krebsonsecurity.com/2015/05/adobe-microsoft-push-critical-security-fixes-7/)
- Apple has released the first update for the Apple Watch, and it includes security fixes – http://www.macobserver.com/tmo/article/apple-posts-security-content-of-watch-os-1.0.1-and-its-sobering
- Mozilla has patched Firefox and Thunderbird – https://www.us-cert.gov/ncas/current-activity/2015/05/12/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and
Important Security News
- A flaw has been discovered in Android’s factory reset function, resulting in private data not being properly deleted from many models of Android phone (an estimated 500 million phones are affected) – the best way to protect yourself is to encrypt your Android – http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/
- More security problems for home routers – this time a kernel stack buffer overflow in the NetUSB Linux driver from KCodes – most of the big brands are affected, including D-Link, Netgear, TP-Link, Trendnet and ZyXEL (NOT Apple) – http://arstechnica.com/security/2015/05/90s-style-security-flaw-puts-millions-of-routers-at-risk/ (A list of vendors and models from the security researchers: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt) (Editorial by Bart: at this stage it’s clearly no longer safe to keep old routers that are not getting support from their vendors in use. Also, checking for router firmware updates needs to become something people do on a regular basis – perhaps set a monthly reminder in your calendar to log in to your router and click the button to check for updates)
- RELATED – security researchers have uncovered a self-sustaining botnet living in insecure home and SOHO routers – http://arstechnica.com/security/2015/05/researchers-uncover-self-sustaining-botnets-of-poorly-secured-routers/
- Keep an eye out for an iOS update and an update to Safari on OS X to address a bug that allows websites to spoof the content of the address bar – a positive boon for phishers – http://arstechnica.com/security/2015/05/safari-address-spoofing-bug-could-be-used-in-phishing-malware-attacks/
- A US Federal district judge has ruled to curtail what some call “constitution-free zones” at US ports of entry – https://nakedsecurity.sophos.com/2015/05/14/warrantless-laptop-seizure-at-us-borders-shouldnt-be-rubber-stamped-rules-judge/ (editorial from Bart: a key quote from the ruling: “one cannot treat an electronic storage device like a handbag simply because you can put things in it and then carry it onto a plane” – the entire questionable practice is based on interpreting computers as “containers”, a phrase written in the days of suitcases and hand bags, long before the concept of digital devices)
- 4 million Adult Friend Finder profiles have leaked, including email addresses and sexual orientations – http://arstechnica.com/security/2015/05/database-of-4-million-adult-friend-finder-users-leaked-for-all-to-see/
- CareFirst BlueCross BlueShield (don’t ya love concise company names!) have lost 1.1 million customer records – http://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/
- It appears spyware maker mSpy has suffered a data breach with sensitive data stolen from hundreds of thousands of customers, but the company deny it – http://krebsonsecurity.com/2015/05/mspy-denies-breach-even-as-customers-confirm-it/
- A now-fixed bug in Verizon’s systems exposed the personal information of 9 million home internet customers – http://www.buzzfeed.com/josephbernstein/verizon-security-flaw-left-millions-of-home-internet-users-v
- A Google study finds that Security Questions are worse than useless – http://googleonlinesecurity.blogspot.com/2015/05/new-research-some-tough-questions-for.html (Editorial from Bart – if you have to set security questions, my advice is to lie like a dog and record your lies in a password manager)
- According to an NSA document released by the Canadian Broadcasting Corporation, the NSA had the ability to intercept app downloads from some app stores (including Google’s & Samsung’s but apparently not Apple’s) and inject malware into the downloads of targeted individuals – http://arstechnica.com/information-technology/2015/05/theres-an-app-for-that-how-nsa-allies-exploit-mobile-app-stores/
- The IC3 (Internet Crime Complaint Centre) have released their report for 2014 – social media-related crime is very much on the rise – https://www.us-cert.gov/ncas/current-activity/2015/05/22/IC3-Issues-Internet-Crime-Report-2014
- Lenovo use the system update software to patch a privilege escalation bug in their system update software – https://nakedsecurity.sophos.com/2015/05/11/lenovo-uses-system-update-to-patch-serious-system-update-security-hole/
- Apple, Google and others join forces to lobby the Obama administration against back doors – https://nakedsecurity.sophos.com/2015/05/20/apple-google-and-others-urge-obama-to-say-no-to-backdoors/
- The FTC proposes a compromise regarding the sale of the RadioShack customer database – http://arstechnica.com/tech-policy/2015/05/ftc-proposes-a-compromise-so-radioshack-can-sell-consumer-data/
- 65 advocacy groups join forces to criticise Facebook’s Internet.org for being a walled garden for the world’s poorest people – https://nakedsecurity.sophos.com/2015/05/19/internet-org-is-accused-of-being-a-walled-garden-for-the-worlds-poorest-people/
Main Topic – XKPasswd.pm becomes Crypt::HSXKPasswd
Why XKPasswd.pm needed to become Crypt::HSXKPasswd, and what had changed other than the name. We then talked about how to install it, and I walked Allison through the installation process. The following two blog posts related to what we talked about:
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – like Gary Benny did! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.