Don’t forget to join the NosillaCastaways in the live chatroom during WWDC at podfeet.com/live (or if you know how to use an IRC chat client, go to irc.borgchat.net and enter room #nosillacast). Macstock Conference and Expo and the Midwest Mac BBQ are only 2 weeks away! I sure hope to see a lot of you there, Steve and I are really excited! I declare time of death for Fitbit (for me), I’ve officially converted to the Apple Watch. Donald Burr announces the new and improved NosillaCast App for iOS 8 that lets you join the live show, chat with the NosillaCastaways, listen to recorded shows, read the blog posts and even watch the videos Steve and I post. There’s even an Apple Watch version to add to your notifications. OWC got back to me with even more awesome geeky detail on the difference between synchronous and asynchronous flash memory inside SSDs. Link to the free AJA speed test they recommended for compressible data transfer. The NosillaCast Headquarters is now unified on 1Password, no more LastPass in the house. In Chit Chat Across the Pond Bart’s back with the second half of the new XKPasswd Perl Module where I actually get to run it: Getting Started with Crypt::HSXKPasswd.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday June 7, 2015 and this is show number 526. If you’re hearing this early enough on Monday, don’t forget to join the NosillaCastaways in the live chat room at podfeet.com/live for the WWDC Keynote at 10am on Monday! We’ll be recording an episode of the Mac Roundtable again right after the keynote so dust off that feed and hear what we think of the announcements.
If the price of Macstock is a problem I can help you out with that, send me a note and I can probably hook you up with a free ticket. I’m super excited about this and hope to see a lot of you there!
Fitbit Time of Death
I’m afraid I’m going to have to call it. Fitbit time of death (for me), 10pm Saturday 6 June 2015. I have been wearing both the Fitbit and my Apple Watch for the last five weeks and the Apple Watch is definitely a massive winner. I’m getting more full body exercise and not just steps, and I realized that it’s been weeks since anyone in my Fitbit friends list mocked or cheered me.
All day today I’ve noticed one really weird thing. Every time I stand up, I unconsciously tap the area on my waistband where my Fitbit was. I guess I’ve been checking to make sure I have it on. How long have I been doing this? Years and years? It’s really freaky and I can’t stop myself from doing it. Very weird.
It’s a sad day because I have so many great memories, like the time when Jean MacDonald and I were coming back from a snorkeling trip on the Macmania cruise in Australia and I asked if we should take the stairs, and she said, “Why? We aren’t wearing our Fitbits!” But it’s time to go now. RIP Fitbit. Hey, I wonder if I can sell this on Gazelle?
Well let’s move on with another VERY important announcement.
New NosillaCast App Released for iOS 8 – by Donald Burr!
Announcing the all-new NosillaCast App Version 3.0! This is Donald Burr of otakunopodcast
Here’s what’s new and changed
* Completely reworked for iOS 8. Now you no longer feel like you’re living in the last century when you’re using it!
* Redone Live Show chat interface, including much better scrolling.
* Reworked Previous Shows screen – the app will now keep track of which shows you’re in the progress of listening to, or have finished listening to. There’s even a handy “Catch Up” button if you need to declare podcast bankruptcy!
* New Videos section! Now you can watch all of the cool videos that Allison shoots at trade shows and conferences, right within the app. You don’t have to bounce out to Safari or YouTube.
* Much better Live Show notifications – the app now checks Allison’s show calendar to determine when the next live show is. It will also alert you if the show has been rescheduled, for example, if Allison has to postpone the show by a day (or reschedule the show for a day earlier or whatever) because of a trip or whatever.
* Today Extension that tells you when the next Live Show is
* And finally, the app supports the Apple Watch! You can view a summary of Allison’s latest podcasts and videos, the app will tell you when the next Live Show is (and if it has been rescheduled) and you can receive Live Show notifications right on your Watch.
If you’ve bought the app before, you get all of the above for free! Just launch the app store and check the updates tab. If you don’t already own the app, then what are you waiting for?! All this can be yours for only $1.99 (or the equivalent in your local currency.)
Check it out at the link below!
Now I yelled at Donald for not charging for this HUGE upgrade, he has been working on it forever and as he said, toiling away for all these months. Oh and get this – it’s even a universal app so you buy once and use on iPhone, iPad, and Apple Watch! If you use the app and you really like it and wish he’d charged you for it, I put a link to Donald’s Paypal Tip Jar in the shownotes so you can help him out. His total lack of avarice will keep him from ever becoming a multi-billionaire, that’s for sure!
This week Barry Porter made the critical error of using me as a sounding board to rant about some of his clients. We all need an outlet and I was certainly very willing to oblige. The error he made was that by chatting with me he ended up doing some tech support for me! He happened to mention a problem of using a USB printer hanging off of an Airport Extreme, and I’ve been having problems with mine. In his rant he mentioned something about WPS printers but I didn’t follow what he meant in his written explanation…so I mildly suggested he make a Clarify document for me! In just a couple of seconds, he grabbed a couple of screenshots (which he could have done with any tool) but he was able to annotate them quickly with an arrow or two to make sure I understood. In just those few seconds he shut me up so I’d quit bothering him with endless clarification requests. Get it? Clarify clarifies things for people! If you’d like to get annoying friends, relatives, clients off your back, get yourself a copy of Clarify from clarify-it.com. Oh wait, I just thought of something, if you have clients who pay you by the hour, do NOT use Clarify to help them!!!
Chit Chat Across the Pond
iOS & Captive Portals – don’t panic, but be careful
Some background information:
Many wifi networks, particularly in hotels or public institutions, require users to log in via a web page, instead of using WPA (or the evil WEP). From a wifi security standpoint, these networks have no password and no encryption, they are open, but when you first connect to one, you are trapped until you log in. Every URL you try to surf to brings up the login page. This is what is called a ‘captive portal’. In hotels you often have to log in with your room number and your surname, and sometimes you don’t have to log in at all, you just have to accept a usage agreement (Irish Rail is an example of the latter that I regularly see).
Captive portals work fine if you are trying to browse the web, but not when you are trying to use an internet-connected app. The app will simply fail to connect to the network, for apparently no reason, until you open a browser and accept the terms. On old versions of iOS that was the experience users got on captive portals – confusion! At some point in iOS’s evolution (not sure exactly when, but it was some time ago now), Apple added some code to detect when an apparently open network was actually a captive portal: the device fetches a known web page over plain HTTP as soon as it joins a network, and if anything other than the expected page comes back, it knows something on the network is intercepting its traffic. When that happens, it pops up the captive portal login window as a full-screen pop-over, no matter what app you are using. This makes captive portals usable in our modern app-centric world.
This week security researchers are warning of a danger – fake captive portals made to look like Apple Pay screens. The idea is that an attacker would lurk near an Apple Pay terminal, and then, when they see an iPhone customer use Apple Pay, fire up their evil captive portal network in the hope that they get their fake Apple Pay window to pop up at just the right time. The user could then conceivably be tricked into entering their credit card information.
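To make the mechanism concrete, here is an added example (written for these show notes, not Apple’s code and not the researchers’ proof of concept) that models the captive portal probe at the protocol level and shows why an attacker’s hotspot can trigger the pop-over whenever they choose. The probe URL and the expected reply are the publicly observable behaviour of Apple devices (a plain-HTTP GET for http://captive.apple.com/hotspot-detect.html that should come back with a tiny page saying “Success”); the three hotspots, including the fake Apple Pay page, are constructed for the demonstration.

```python
"""Captive-portal detection at the protocol level, and how a hostile hotspot
drives it.

Added example for these show notes, not Apple's code and not the researchers'
proof of concept. The probe URL and the expected reply are the publicly
observable behaviour of Apple devices; the hotspots below are constructed.
"""
from dataclasses import dataclass, field

PROBE_HOST = "captive.apple.com"
PROBE_PATH = "/hotspot-detect.html"
EXPECTED_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# A "network" is modelled as a function (host, path) -> Response: whatever the
# hotspot lets through, redirects, or rewrites on the way to the origin.

def open_internet(host, path):
    """Honest hotspot: the request reaches the real origin server."""
    if host == PROBE_HOST and path == PROBE_PATH:
        return Response(200, {"Content-Type": "text/html"}, EXPECTED_BODY)
    return Response(404, {}, "not found")


def hotel_portal(host, path):
    """Ordinary captive portal: every HTTP request is redirected to the login
    page until the client has accepted the terms."""
    return Response(302, {"Location": "http://10.0.0.1/login"}, "")


@dataclass
class EvilHotspot:
    """The hotspot from the Ars story. The attacker keeps it harmless until the
    moment of their choosing (in practice they would simply switch it on at
    that moment), then answers every request with a page styled to look like
    an Apple Pay card prompt. Note the 200 status: the probe is not fooled by
    the status code alone, because the body is compared as well."""
    armed: bool = False
    fake_page: str = "<html><body>Apple Pay: enter your card details</body></html>"

    def arm(self):
        self.armed = True

    def handle(self, host, path):
        if not self.armed:
            return open_internet(host, path)
        return Response(200, {"Content-Type": "text/html"}, self.fake_page)


def probe(network):
    """Classify a network the way the device's probe does.

    The rule is deliberately strict: anything other than the exact reply the
    real origin sends (a redirect, a substituted page, an error) means
    something on the path is intercepting HTTP, so the device treats the
    network as captive and shows the portal pop-over with whatever page the
    hotspot served. That is the hook the fake Apple Pay page hangs on.
    """
    resp = network(PROBE_HOST, PROBE_PATH)
    if resp.status == 200 and resp.body == EXPECTED_BODY:
        return "internet"
    return "captive"


if __name__ == "__main__":
    print("open_internet:", probe(open_internet))
    print("hotel_portal:", probe(hotel_portal))
    evil = EvilHotspot()
    print("evil (not armed):", probe(evil.handle))
    evil.arm()
    print("evil (armed):", probe(evil.handle))
```

The thing to take from it is that the pop-over is driven entirely by what the network answers to one unauthenticated HTTP request, so anyone running a hotspot you join can put any web page in that window; the only defence is recognising that window for the web page it is.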
Plausible, but not a catastrophe – you just have to remember to be observant.
When you are in a captive portal window, there is ALWAYS a title at the top of the page with the words “Log In”, a cancel button, and Mobile Safari back and forward buttons. Basically, the UI implies you are on a web page, not in the Apple Pay app, because, well, you are! Real Apple Pay windows don’t have forward and back buttons, or titles saying ‘Log In’.
Bottom line – be observant – if it smells fishy, back away!
For more details, see this good Ars Technica article: http://arstechnica.com/security/2015/06/evil-wifi-captive-portal-could-fool-users-into-giving-up-apple-pay-data/
Serious Bug Found in Pre-Summer 2014 Mac Firmware
Despite not getting a cutesy name, this is definitely one of the biggest security stories of the year.
In theory, it should not be possible to edit the firmware in your computer from within the running OS. This is why your Mac has to reboot to do firmware updates.
When you boot your Mac, one of the things the BIOS* does before handing control over to the OS is to set the flash chip’s write-protection registers, locking the firmware into read-only mode for the rest of the session.
On Macs more than about a year old (roughly, those made before mid-2014), there is a bug in the firmware. When booting from cold, they do correctly lock down write access to the BIOS, but, critically, when waking from sleep (the normal suspend-to-RAM sleep, which on a portable Mac is what closing the lid does) the firmware FAILS to re-apply those write locks, leaving the BIOS writable on a running system by anyone who has root.
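To show what “locked” and “failed to lock” actually mean at the hardware level, here is an added example (written for these show notes, not Apple’s firmware and not the researcher’s exploit) that decodes the Intel PCH registers deciding whether the BIOS region of the SPI flash accepts writes, the same registers a tool such as chipsec’s bios_wp module inspects: BIOS_CNTL (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5), the FLOCKDN bit of HSFS, and the Protected Range registers PR0..PR4 (write-protect enable in bit 31, limit in bits 28:16, base in bits 12:0, both in 4 KiB pages). Reading those registers needs kernel access, so the two snapshots at the bottom are constructed rather than captured: one the way a cold boot leaves things, one the way the sleep/wake bug leaves them. The assumption that Apple’s firmware clears exactly these bits is mine for the illustration; the page only says the locks are not re-applied.

```python
"""Is the boot flash writable from the running OS? Decode the registers.

Added example for these show notes, not Apple's firmware and not the
researcher's exploit. Register layout is the Intel PCH one (BIOS_CNTL in LPC
config space; HSFS and PR0..PR4 in the SPI controller). The snapshots at the
bottom are constructed, not captured from a real Mac.
"""

BIOSWE = 1 << 0    # BIOS Write Enable: software may write the flash
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI, whose
                   # handler is expected to clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only honoured from SMM
FLOCKDN = 1 << 15  # HSFS: PR registers are read-only until the next reset
PAGE = 0x1000


def decode_pr(pr):
    """Return the (base, limit) byte range a Protected Range register guards,
    or None if its write-protect enable bit is clear."""
    if not pr & (1 << 31):
        return None
    base = (pr & 0x1FFF) * PAGE
    limit = ((pr >> 16) & 0x1FFF) * PAGE + (PAGE - 1)
    return base, limit


def flash_protection(bios_cntl, hsfs, prs, bios_region):
    """Classify the BIOS region as 'locked' or 'writable' and explain why.

    Two independent mechanisms can lock it: the BIOS_CNTL lock (BLE set and
    BIOSWE clear, so root cannot simply flip BIOSWE), or a Protected Range
    that covers the whole region *and* is itself frozen by FLOCKDN. Either
    one is enough; if neither holds, root can program the flash controller.
    (A single covering PR is required here; unions of several PRs are not
    computed, to keep the example short.)
    """
    reasons = []
    cntl_locked = bool(bios_cntl & BLE) and not (bios_cntl & BIOSWE)
    if cntl_locked:
        reasons.append("BIOS_CNTL: BLE=1 BIOSWE=0, software writes blocked")
        if not bios_cntl & SMM_BWP:
            reasons.append("SMM_BWP=0: lock relies on the SMI handler alone")
    else:
        reasons.append("BIOS_CNTL: BLE=%d BIOSWE=%d, software writes not blocked"
                       % (bool(bios_cntl & BLE), bool(bios_cntl & BIOSWE)))

    lo, hi = bios_region
    covering = [rng for rng in map(decode_pr, prs)
                if rng and rng[0] <= lo and rng[1] >= hi]
    frozen = bool(hsfs & FLOCKDN)
    if covering and frozen:
        reasons.append("PR covers %#x-%#x and FLOCKDN=1" % (lo, hi))
        pr_locked = True
    elif covering:
        reasons.append("PR covers the region but FLOCKDN=0: root can clear it")
        pr_locked = False
    else:
        reasons.append("no Protected Range covers the BIOS region")
        pr_locked = False

    verdict = "locked" if (cntl_locked or pr_locked) else "writable"
    return verdict, reasons


# Constructed snapshots for an 8 MiB flash whose BIOS region is the upper half.
BIOS_REGION = (0x800000, 0xFFFFFF)
COLD_BOOT = dict(bios_cntl=0x22, hsfs=0xE008,
                 prs=[0x8FFF0800, 0, 0, 0, 0], bios_region=BIOS_REGION)
AFTER_WAKE = dict(bios_cntl=0x00, hsfs=0x6008,
                  prs=[0, 0, 0, 0, 0], bios_region=BIOS_REGION)

if __name__ == "__main__":
    for name, snap in [("cold boot", COLD_BOOT), ("after wake", AFTER_WAKE)]:
        verdict, why = flash_protection(**snap)
        print("%-10s %s" % (name, verdict))
        for line in why:
            print("   ", line)
```

The point of the decoder is the verdict logic: a machine is only safe if at least one of the two locks survives the wake, and the bug described above is precisely that neither does, which is why root is all an attacker then needs.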
Why is this a big deal?
Simple, it allows for a permanent hack of a system – you can re-install the OS a million times, but if the bad-guys are in the firmware, they can immediately re-hack your system as soon as you boot it up.
While this is undeniably a BAD thing, it is not a catastrophe, at least not yet. There are still some important caveats – only root can write to the BIOS, so an attacker needs to hack your system to execute code as you, then use another exploit to elevate their privilege to root, then wait for your computer to come out of sleep, and THEN attack your BIOS.
The more out of date your OS, the easier this is to do. The more out of date your apps and plugins, the easier this is to do. So, right now this second, users have two choices of how to react:
1) disable sleep in all your Macs
2) be extra diligent in keeping everything up to date and secured – if the attackers can’t get in, and can’t get root, they can’t attack this nasty flaw
In the short to medium term, Apple need to release patched firmwares for all Macs new enough to run the latest OS X ASAP. Assuming Apple does that, we all then need to patch our Macs ASAP.
Right now, there are no known attacks in the wild, so this is currently a real danger, but not an immediate crisis. My approach is to be extra good at applying patches, but to allow my Macs to sleep. I will also be keeping a close eye on the security news, and as soon as there are reports of real-world successful attacks, I will disable sleep on all my Macs if Apple have not yet released patches for my Macs by then.
* I know it’s technically EFI and not BIOS, but I think BIOS has become like Hoover, a name that has grown beyond its strict meaning to encompass an entire class of thing. More importantly, I think more people understand what I mean when I say BIOS than when I say EFI.
Important Security News:
- At the end of May Harvard College computer science student Aran Khanna released a Chrome extension called ‘Marauders Map’ (a Harry Potter reference) to highlight the fact that Facebook messenger shares your location information by default, and hence, that your friends have a creepy level of access to your location – https://nakedsecurity.sophos.com/2015/05/29/marauders-map-is-your-location-being-tracked-through-facebook-messenger/
- This week Facebook changed how Messenger works, you now have to actively choose to share your location. Facebook claim this change is utterly unrelated to the release of Marauders Map, and has been in the works for months – https://nakedsecurity.sophos.com/2015/06/05/facebook-messenger-no-longer-tracks-your-location-by-default/
- California becomes the latest US state to enact a law requiring a warrant to search computers, cellphones, and tablets – https://nakedsecurity.sophos.com/2015/06/05/california-passes-law-requiring-warrant-to-search-computers-cellphones-and-tablets/
- The US congress managed to amend (for the better) what was the USA PATRIOT Act, and is now the USA Freedom Act – basically, still a lot of spying and surveillance, but less mass-scale hoovering up of everything just in case it might be useful some day – https://nakedsecurity.sophos.com/2015/06/04/obama-signs-usa-freedom-act-into-law-clipping-nsas-powers/
- New PayPal TOS alarms many – as it currently stands, it will grant PayPal, and their partners, the right to robocall all users, even on phone numbers they never explicitly gave to PayPal. PayPal say they would never do that kind of thing, but the new TOS does allow it – the new TOS is scheduled to go live on July 1 – http://www.washingtonpost.com/blogs/the-switch/wp/2015/06/03/a-horrible-new-paypal-policy-opts-you-into-getting-robocalls/ (editorial by Bart – PayPal is splitting in two, with a separate European company coming into existence headquartered in Ireland. We Europeans are also getting a new TOS, which I read, and I didn’t find anything like this in our TOS. Is the new US TOS a direct result of PayPal USA’s new-found freedom from the EU’s much stricter data and customer protection laws?)
- RELATED – the TOS for Google’s new Google Photos services is also coming under attack for being too broad – http://www.loopinsight.com/2015/06/03/googles-response-to-privacy-issue-in-photos-licensing-language/
- SourceForge continue to anger the open source community – having asserted control over the Windows version of the GIMP in controversial circumstances and started bundling adware with it (arguably more accurately described as malware), they also went on to take control of NMAP, but so far that download is still adware-free – http://arstechnica.com/information-technology/2015/06/black-mirror-sourceforge-has-now-siezed-nmap-audit-tool-project/
- Android M will give users iOS-style granular control over permissions (Editorial by Bart: about time – this is a massive step forward for Android) – https://nakedsecurity.sophos.com/2015/06/03/android-m-will-give-app-users-a-lot-better-control-over-their-data-privacy/
- Google adds a new ‘my account’ feature to make it easier to control your privacy and security settings – https://nakedsecurity.sophos.com/2015/06/02/googles-new-my-account-lets-you-tweak-privacy-and-security-settings/
- The US Federal Office of Personnel Management has been hacked, and 4 million personnel records for current and past federal employees have been compromised. Basically, it looks like China has hacked the central HR system for the US federal government – http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-hackers-around-4-million-employees-affected/
- Tim Cook delivered a blistering speech on encryption and privacy (‘Weakening Encryption Harms Good People’) – http://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/#.sxkwnm:u1vi
- Edward Snowden describes Apple as a ‘pioneering company’ when it comes to privacy – http://www.nytimes.com/2015/06/05/opinion/edward-snowden-the-world-says-no-to-surveillance.html?_r=0
- The US Supreme Court threw out the conviction of a man who made threatening posts on Facebook (Editorial by Bart: this ruling is definitely important in our modern digital world, but it doesn’t seem to set very clear legal standards for what is and is not OK) – https://nakedsecurity.sophos.com/2015/06/03/violent-facebook-threats-conviction-thrown-out-by-us-supreme-court/
- GitHub has revoked a whole load of SSH keys because they were not sufficiently secure – anyone with revoked keys will have gotten an email informing them that their keys have been revoked, and telling them to inspect their code on the assumption that it has been altered by malicious actors, because it very well could have been. This is not a breach of GitHub, but a result of a massive bug in Debian’s OpenSSL package back in 2008 that crippled the random number generation used when creating SSH keys on that OS, so that the resulting keys come from a small, easily enumerated set – http://arstechnica.com/security/2015/06/assume-your-github-account-is-hacked-users-with-weak-crypto-keys-told/
- Facebook experiments with OpenPGP for encrypting emails to users from Facebook – https://nakedsecurity.sophos.com/2015/06/02/facebook-moves-to-encrypt-the-emails-it-sends-users/
Main Topic – Using the New Crypt::HSXKPasswd Perl module
This is a continuation of a segment from the last CCATP segment I (Bart) was on.
Last time we discussed why XKPasswd.pm needed to become Crypt::HSXKPasswd, and what had changed other than the name. We then talked about how to install it, and I walked Allison through the installation process. The following two blog posts relate to what we talked about:
In this continuation we move on to actually using the module to generate passwords: https://www.bartbusschots.ie/s/2015/05/28/getting-started-with-crypthsxkpasswd/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.