Yet again I delve into why my family chews up so much data when on travel and I take a first look at the $7 menubar app TripMode from tripmode.ch to limit and measure my data usage. I give you some thoughts about Apple Photos now that the honeymoon is over, and it’s not all happy happy joy joy. A lot of people say we don’t NEED smart watches but I had an example where the Apple Watch really saved me. Donald Burr goes crazy about two dock adapters from CableJive: Compact dock adapter and Dock adapter with 2 foot cord. In Chit Chat Across the Pond Bart takes us through all of the crazy security news from BlackHat and Defcon this week and tells us whether to light our hair on fire, and then he gives us a short and sweet explanation of what JSON is and what we might want to do with it. Here’s a link to Bart’s blog post.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday August 9, 2015 and this is show number 535.
I think Allister did a fantastic job with the show last week, didn’t you? I especially loved his snarky little comment of, “if you’re waiting for Allison to talk about Apple Music you’ll be waiting for a long time”! Nick Riley did a great job on his review of Cheap Imposter, and what a great voice. I sure hope he does some more reviews for us. I really enjoyed the conversation with Myke about the evolution of his network. To be honest, I thought I’d just not been paying attention because I hadn’t heard of relay.fm till just a little while ago so it was a relief to hear that it only started a couple of years ago. I also realized that I’ve been on relay.fm because Clockwise is on that network.
The one thing I think about a lot is why the networks exist and what’s the benefit of being a member of them. I guess when they get established as a source for good shows, you get a halo effect across the shows. I know David Sparks said that the Mac Power Users podcast went up 10X in listeners when they joined 5×5. It’s also probably easier on the podcasters to not have to do all the mechanics behind the scenes to run the show. I know it’s good for advertising deals too. For me though, after working for 35 years for the man, I’m really happy to always be able to do whatever I want on my show. 10X the listeners would be cool, but I wouldn’t want to lose any freedom to talk about whatever I want. Hope you guys are cool with that.
It was so nice to have a week off thanks to Allister. I know I don’t have a day job any more but I do put a fair amount of effort into the show and it was delightful to feel no obligation at all for a full week. When I got home on Sunday I even washed all of the downstairs windows because I had the time. I’m back in the saddle and well rested so let’s dig in.
Donald on CableJive Lightning Dock Adapters
The problem to be solved
- I like docks
- Direct audio connection, no chance of weird glitches/dropouts as you sometimes get with Bluetooth and WiFi
- As Star Trek TNG taught us, we are after all “ugly giant bags of mostly water” – very good at absorbing radio signals
- I also like to charge my phone while I play podcasts (and yes, music too)
- But I also use a case
- In my case it’s plastered with pictures of my favorite anime characters (who all happen to be cute girls, don’t judge)
- But maybe you have a case with your favorite movie/TV stars on it, or a really cool art print or something, or you’re a klutz and/or work in hazardous environments, and need one of those armor cases (like LifeProof or Otterbox)
- This is a problem, because in most cases, docks and cases just don’t work together
- The case makes the phone not fit in the dock, because they’re engineered to too tight a tolerance
The solution – the CableJive Lightning Dock Adapters
- Compact dock adapter, $18.95 on Amazon
- Dock adapter with 2 foot cord, $25.95 on Amazon
- Very simple really. It has a female Lightning connector on one end, and a male Lightning connector on the other.
- It’s available in two versions, one that’s all in one integrated piece, and another where the two ends are separated by a 2 foot cable. (This is significant, you’ll see why in a bit.)
- This is an officially licensed MFi product, meaning that it fully supports the Lightning protocols, including audio passthrough and charging, and you DON’T get the “this accessory is not made for iPhone” message!
- he part that plugs into the phone is especially slender, which allows it to securely plug in even through a case
- It works perfectly! Lets me play music using a variety of docks (i’ve tried ones from JBL, Bose and Sony) and it charges my phone too (if the dock itself supports charging.)
- It may not necessarily fit your case
- It will *probably* work, but there are literally thousands of case designs out there, and some of them may not be made to the same mechanical tolerances, so you never know
- Suggest you buy from a place like Amazon that has a good return policy, just in case
- It also may not necessarily work with your dock
- In particular, if your dock is custom molded so that the iPhone fits right into it, the added height that the dock adapter adds will most likely result in your phone not fitting
- This is why they make a version of the dock adapter with a little 2 ft cable between the two ends. True, it’s not as convenient or as pretty, but it will still allow you to use your phone with your dock
- These cons aren’t specifically directed against the CableJive dock adapter in particular – there is no way to physically fit the circuitry needed to handle Lightning without taking up a little space
- These things work as advertised, and the price is really quite reasonable. If you’ve been looking for a way to use a dock while your phone is in a case, here it is
Be sure and check out otakunopodcast.com if you’re at all curious about Japanese animation (anime), comics (manga), food, travel, culture, etc.
When I was doing my discovery on where all my data ran off to, I of course went over to my tutorials and looked up the checklist I did on this with Katie Floyd. I realized that the tutorial probably needed some dusting off so I opened up Evernote where all of my Clarify documents are dutifully stored. I was able to create new numbered sections to the tutorial to add in Photos along with my previous instructions about halting photostream on Aperture and iPhoto, add in some new services to disable and then republish my document to my blog. To be honest I had a few glitches in the process so it didn’t go as smoothly as it should have. I was able to find the help documentation online at clarify-it.com’s support pages, but I wasn’t able to save the document back to Evernote for some reason.
I’ve dropped a note over to firstname.lastname@example.org about the problem and I know that they will get back to me really quickly on a solution. In my experience, about 75-80% of the time it’s something dumb I did, and the rest of the time it’s something broken on their end. The good news is that they always find a resolution to my problems if they persist. I think it’s good if I tell you that the software isn’t perfect, because you would never believe me if I pretended otherwise, right? It’s awesome to have great software but EVERY application has problems from time to time so it’s important to know that the staff supporting the tool will get back to you quickly with real solutions. I get emails all the time from folks telling me how they got great support from the Clarify folks so it’s not JUST because I advertise for them!
If you’d like an easy way to create beautiful tutorials like my Checklist to Limit Data Use on Travel and get great support in using the tool, head on over to clarify-it.com and check out their free trial for Windows and Mac.
Chit Chat Across the Pond
Allison – remember to ask Bart if it isn’t already obvious:
in this article: http://www.msn.com/en-us/news/itinsider/a-massive-security-bug-lets-criminals-hack-iphones/ar-BBlrGOy?ocid=spartanntp they talk about an exploit for the iPhone but it seems to me that you would have to jail break the iPhone to side load an app in order to be vulnerable. Yes?
Bart’s Answer: This is just a silly re-hash of some stories from ages ago – this is Apple’s system for corporations to write their own apps being abused, and you will always know this is happening because you’ll need to accept a custom provisioning profile to make the app go – SAY NO!
Security Medium 1 – Stagefright
Nearly a billion Android devices can be taken over simply by sending them a maliciously crafted MMS message. The vulnerability exists in the code the processes the message on receipt, not the code that displays the messages, so you don’t even have to open the message to get owned – once your phone receives it, you’ve had it.
The bug is in an OS library called ‘stage fright’, hence the name of the bug.
Google have released a patch, but because there are two middle-men between Google and most Android users, many users will simply never get it, particularly those with older phones.
Some positive fallout form this is that Google and Samsung have announced they will start doing monthly security updates, but, that still leaves the carriers in the way, and helps no one who’s android phone is not from Samsung.
Some people may get patches, many won’t be able to. Bottom line – Android security is a complete and utter mess. When the design is as nutty as squirrel poo, you can’t fix it without starting over from scratch.
The only practical advice I can think of is to ask your carrier to disable MMS on your account so your phone cannot receive MMS messages.
- The bug: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
- Google releases a patch: http://arstechnica.com/security/2015/08/google-pushes-update-for-critical-android-bug-but-wont-say-if-its-fixed/
- An interesting read from a former-Android-fanboy (his words, not mine), who has finally had enough – http://motherboard.vice.com/read/goodbye-android (“Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android.”)
Security Medium 2 – Thunderstrike Returns
Security researchers have released an updated variant of the Thunderstrike vulnerability that was released, and patched, earlier this year.
This new variant is a little more powerful in that it is conceivably possible to pull the exploit off remotely:
1) a remote attacker hacks a mac through an un-related security vulnerability OR tricks a user into installing malware (Thunderstrike 2 CANNOT get in un-aided)
2) once infected with malware, a victim then plugs in a specfic kind of thunderbolt devices (one with a so-called Options ROM), e.g. an Apple Ethernet adaptor, and the malware then infects that thunderbolt device.
3) the infected device is then plugged into another computer, and infects it
4) the newly infected computer infects all compatible thunderbolt devices plugged into it, and in theory the whole infection spreads like wild fire
There is no reason to set your hair on fire though:
1) you need to get malware onto your machine before it can be infected with this
2) the researchers disclosed it to Apple responsibly, so this is not in the wild (at least not as far as we know, and not yet)
The best practical advice for now is simply not to let strangers plug things into your Mac, and frankly, that’s ALWAYS good advice!!!
- A great FAQ from TidBits – http://tidbits.com/article/15841
Security Medium 3 – OS X Zero-day (DYLD_PRINT_TO_FILE)
A privilege escalation bug has been found in OS X 10.10 Yosemite. The bug is in a new OS feature, so it does not affect older versions of OS X. The bug has also been patched in betas of 10.11 El Capitan, so Apple clearly knew about it.
The bug is sophmoric in nature – an Apple engineer added a new feature without putting any of the text-book safety checks in place, so, it is possible for any code on OS X to edit any file on the system as root. This makes it possible to give an user password-less sudo access by using the bug to edit the sudoers file.
Some media outlets are reporting that Apple will include a fix for this in the up-coming 10.10.5 release of Yosemite (I haven’t seen official confirmation of this from Apple, though it does make a lot of sense, since they have the fix in the 10.11 betas already).
While this is obviously not good, it is not time to set your hair on fire yet because this is a privilege escalation bug, so, it can only be used by software already installed on your system, so, either malware has to make it’s way in through a totally un-related vulnerability, or, you have to install the malware onto your own computer yourself.
Important Security Updates:
- Mozilla have released an emergency patch to FireFox after a data-stealing bug was found being exploited in the wild – be sure you are on 39.0.3 – http://arstechnica.com/security/2015/08/0-day-attack-on-firefox-users-stole-password-and-key-data-patch-now/
- The first windows 10 patch arrives, and is pushed into people’s machines, whether they like it or not! – https://nakedsecurity.sophos.com/2015/07/30/zero-days-first-official-windows-10-patches-arrive/
- RELATED: Microsoft quietly release an optional download to allow Windows 10 users to hide and block unwanted updates – https://nakedsecurity.sophos.com/2015/07/29/new-microsoft-tool-will-hide-or-block-unwanted-windows-10-updates/
Important Security News:
- Samsung an Google to relase monthly security updates to Android (Editorial by Bart – a small step in the right direction, but Android security is, and will remain, fundamentally broken as long as there are middle-men between Google and users’ phones) – https://nakedsecurity.sophos.com/2015/08/06/stagefrightened-google-samsung-to-push-out-monthly-android-fixes/
- Security researcher at BlackHat to reveal how Android fingerprint sensors are not very well secured, allowing malware to steal fingerprint images (editorial by Bart: this is because Android did not copy Apple’s secure element) – http://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/
- Reserchers have found two new ways of uniquely identifiying us online, even when we stop all cookies:
- Some browsers (Firefox, Chrome & Opera) provide an API that allows websites access to a device’s battery statistics – this can be used for short-term tracking – https://nakedsecurity.sophos.com/2015/08/06/how-your-battery-life-could-be-used-as-an-undeletable-cookie/
- How we type can uniquely identify us – we all apparently have our own unique cadence – http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
- For a week, Yahoo hosted malicious flash ads – get more proof that you do not have to go to out of the way places on the web to be in danger, and yet more proof that flash needs to die, and finally, more proof that our current ad model is broken – http://bits.blogs.nytimes.com/2015/08/03/hackers-exploit-flash-vulnerability-in-yahoo-ads/
- Beware – Windows 10 enables WiFi sharing by default – the feature is on by default, BUT, you still get asked whether you want to share each network. Be aware that every Windows 10 user is one click away from sharing your wifi password with their entire address book, and all their social media friends! –http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/
- There is a bug in BIND, one of the most common implementations of DNS, and it is getting a lot of media attention, but, there is not too much to worry about – the bug only crashes DNS servers, so the only real threat is that some un-patched DNS servers will go down for a while – http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
- More research that shows TOR is not as anonymous as people like to think – http://arstechnica.com/security/2015/07/new-attack-on-tor-can-deanonymize-hidden-services-with-surprising-accuracy/
- Another remote car hack – this time via OnStar (the problem is in the matching phone app, not the hardware in the cars, so owners can protect themselves by not using the app until a patch is released) – http://arstechnica.com/security/2015/07/ownstar-researcher-hijacks-remote-access-to-onstar/
- A German privacy watchdog orders FaceBook to allow pseudonyms – https://nakedsecurity.sophos.com/2015/07/30/facebook-ordered-to-allow-pseudonyms-by-privacy-watchdog/
- (Editorial from Bart – this is in suggested reading because there is no solution, and that makes it not lite!) A security researcher has created a 30 dollar device nicknamed RollJammer, that can capture and re-play the signals from remote car and garage locks, and not just obscure ones – http://arstechnica.com/security/2015/08/meet-rolljam-the-30-device-that-jimmies-car-and-garage-doors/
- An interesting editorial that suggests that the moment Google turned evil was the moment the decided to promote their own services over competitors, even though their own search algorithm ranked them lower – http://www.macobserver.com/tmo/article/when-google-did-evil
- Some interesting tips from Intego for hardening your Mac – http://www.intego.com/mac-security-blog/15-mac-hardening-security-tips-to-protect-your-privacy/
- Google stands up to France – ignores court order to forget world-wide (editorial by Bart: the ball is in your court France, now what?) – http://www.macobserver.com/tmo/article/google-stands-up-to-france-refuses-global-right-to-be-forgotten-order
- Hackers turn a printer into a covert radio transmitter – http://arstechnica.com/security/2015/08/funtenna-software-hack-turns-a-laser-printer-into-a-covert-radio/
- When the internet of things goes bad – a wifi-enabled sniper rifle is hacked and it;s target changed remotely – https://nakedsecurity.sophos.com/2015/07/31/wi-fi-enabled-sniper-rifle-hacked-to-change-target/
- Campaign group iRights demands all kids should get the right to be forgotten online – https://nakedsecurity.sophos.com/2015/07/29/children-should-have-the-right-to-be-forgotten-says-irights-campaign/
- Fun article – what you sound like to a sysadmin – https://nakedsecurity.sophos.com/2015/07/31/what-you-sound-like-to-a-sysadmin/
Main Topic – Learning JSON
My original plan for this CCATP was to walk people through using the new hsxkpasswd command line password generator. The command line tool is included in the latest release of the Crypt::HSXKPasswd perl module, and that module has now been uploaded to CPAN, so, in theory, it should be as easy to install as:
sudo cpan Crypt::HSXKPasswd
(those who have one of the betas manually installed should delete it first: https://www.bartbusschots.ie/s/2015/08/08/uninstalling-a-crypthsxkpasswd-beta/)
But – there has been a LOT of security news, and, I only uploaded the module to CPAN on the day of our recording, and CPAN’s index hasn’t updated yet, so, I can’t be sure the module is working through CPAN yet, so it probably makes sense to wait until the next CCATP before describing how to use the tool.
The command line tool’s (totally optional) advanced features make heavy use of JSON, so, I figured it would make sense to use the remainder of this segment to teach people JSON, as a foundation for the next episode.
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at email@example.com, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.