Send in your questions you’d like to have Professor Maryanne Garry answer on the show about the brain, memory or how we perceive things for a show in a few weeks. I have an argument with myself about whether the use of ad blockers is essentially stealing or whether they’re our only defense against emotional damage. My octogenarian father-in-law explains how 1Password made his computing experience so much easier in a video interview I hope you’ll use to convince others to use a password manager. A quick review of a USB-C dongle for $20 from Aerb that does 90% of what I need on my 12″ MacBook. In Chit Chat Across the Pond Bart takes us through part 2 of his explanation of how to use HSXKpasswd from the command line and how to create our own configuration files. It’s one that really would be helpful if you read along with his shownotes while you work it out on your own!
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday September 6, 2015 and this is show number 539. I’m getting charged up for the big announcement day on Wednesday! Steven Goetz suggested that we fire up the live chatroom during the announcement like we did last time. All you have to do to join in the fun is go over to podfeet.com/live at 10 am Pacific Time. On the right side of the page you’ll see a web-based chat window asking you to pick a user name and then hit join. You’ll see a video link on the left but ignore that because I won’t be broadcasting ME during the event since we’ll all be watching Tim on our various devices. If you’d like to use a standalone client instead of the web client, Kirschen and I have compiled tutorials on how to set up Colloquy, Textual and Adium at a link in the shownotes. If you’re going to set up one of these clients I recommend working on that a little while ahead of time. Hope to “see” you there!
Dr. Maryanne Garry, professor of psychology, will be coming to visit again and we’re hoping to do another recording for the show. You may remember her as the one who messed with everything we thought we knew about our memory and then destroyed our understanding of how we pay attention to things. She suggested I ask you to submit questions to the show on what else you might want to know in the area of cognitive science. I’m sure her discussions in the past have left you with questions that you’d love to have her answer or things you’ve read about the mind, the way we learn and perceive things, memory and behavior – please send them in!
You hear me yap about how Clarify helps me all the time to make tutorials to help other people learn how to do things and helps me to remember how to do things, and I’m sure that’s vastly entertaining and informative for you. But there’s one thing better than that, and it’s when you hear a spontaneous testimonial from a fellow NosillaCastaway. Out of the blue, Ben wrote in with this message he hoped I’d share with you:
I am helping someone with a web application. After we spent a few hours this morning working through things, they had a question this afternoon. Since I was no longer with them, I opened Clarify and walked them through it. Later, I saw that they were able to figure out their question so I asked how they liked Clarify, and they responded “I LOVED it so easy and so helpful!” There is no better testimonial than that of someone whom Clarify has helped.
So this is actually an embedded testimonial – it’s Ben telling us how HIS friend thought Clarify helped them get their work done. If you don’t believe the 3 of us, please download the free trial of Clarify over at clarify-it.com for Mac or Windows or both, and prove it to yourself. When you do buy Clarify, be sure to let them know that you heard about it from me and Ben!
Chit Chat Across the Pond
Security Medium – OS X Trojans Accessing the Keychain
There is yet another story about OS X security that sounds really bad – apps accessing your keychain without permission!
Attacking apps abuse OS X’s accessibility features to find the popup that asks for permission to access the keychain on your screen, and then click the ‘OK’ button for you.
As bad as this sounds, there is some very important small print – before malicious apps can do this, you need to 1) download and install them, and 2) give them full administrator access to your system by entering your admin password when they ask you to.
Installing an app and running it is giving the app quite a lot of trust, but giving an app admin rights is giving it a LOT of trust – DO NOT DO SO LIGHTLY!
We now know this trick has been in use for some time, perhaps as far back as 2011. The advice to users remains what it always was, and always should be – be careful what you install and run, and be REALLY careful what you give admin access to!
Important Security Updates:
- Mozilla release Firefox 40.0.3 with important security updates – https://www.us-cert.gov/ncas/current-activity/2015/08/27/Mozilla-Releases-Security-Updates-Firefox-and-Firefox-ESR
- RELATED – Mozilla have revealed that their bug-tracking system was compromised (by an admin re-using a password that had been used on a site that was hacked). The attacker had access to non-public bugs in the bug tracker, and used one of those bugs to attack Firefox users last month – hence the emergency patch at the start of August. All bugs the attacker saw have been patched (as of the most recent update), and Mozilla are changing their security practices around their bug tracker – fewer people will be granted access, and all will need to use 2FA – http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/
Important Security News:
- Another serious Android vulnerability – this time the problem is in remote access software being added by carriers, and an app exploiting the bug has been found in the Play Store – http://arstechnica.com/security/2015/08/major-android-remote-access-vulnerability-is-now-being-exploited/
- Another nail in Flash’s coffin – Google started blocking most Flash by default in Chrome on 1 September – https://nakedsecurity.sophos.com/2015/08/31/google-chrome-will-block-flash-from-tomorrow-well-sort-of/
- Malware affecting JAILBROKEN iPhones stole 225,000 Apple account logins – Jailbreaking is the crippling of security on iOS, if you do it, you are putting yourself at real risk – http://arstechnica.com/security/2015/08/malware-infecting-jailbroken-iphones-stole-225000-apple-account-logins/
- A new DOJ policy requires US law enforcement agencies to get a warrant before using ‘stingrays’ (fake cell towers) – https://nakedsecurity.sophos.com/2015/09/04/us-law-enforcement-now-need-a-warrant-to-use-stingrays/
- RELATED: research shows Stingrays were being used to tackle petty crime – https://nakedsecurity.sophos.com/2015/08/25/stingrays-used-to-track-petty-crime/
- Security researchers found that all 9 of the brands of baby monitor they tested were wide open to attack – the best advice – avoid monitors with internet connectivity – http://arstechnica.com/security/2015/09/9-baby-monitors-wide-open-to-hacks-that-expose-users-most-private-moments/
- Windows 10 spies on your kids by default, then emails the parents a dossier – https://boingboing.net/2015/08/10/windows-10.html & http://wccftech.com/windows-10-spies-on-children/
- RELATED: not all reports about Windows 10 privacy concerns are legitimate – there was a big kerfuffle about MS ‘disabling pirated software’ – simply put, there is no “there” there – https://nakedsecurity.sophos.com/2015/08/25/pirate-sites-ban-windows-10-over-privacy-worries/
- UK authorities arrest six for using the LizardSquad’s DDOS tool (the one that killed gaming services last Christmas) – http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/
- RELATED – the LizardSquad respond by DDOSing the National Crime Agency’s website – https://nakedsecurity.sophos.com/2015/09/01/national-crime-agency-website-ddosed-by-lizard-squad/
- The controversial Wassenaar Arrangement claims another victim – HP pull out of sponsoring Pwn2Own for fear that it may now be illegal to do so – http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-sponsor-amid-new-cyberweapon-restrictions/ (a good explanation of why the software part of the treaty is so controversial – http://www.wired.com/2015/06/arms-control-pact-security-experts-arms/)
- India’s Competition Commission accuses Google of rigging search results – https://nakedsecurity.sophos.com/2015/09/02/google-accused-of-rigging-search-results-by-indias-competition-cops/
- A researcher discovers that NyPost.com seems to be downloading, but not showing, video ads, presumably to generate illegitimate ad revenue, and in the process wasting users’ bandwidth and battery – just another example of how broken our current ad model is, and why Apple are including content filtering in their OSes – https://medium.com/@robleathern/the-mobile-video-ad-lie-938a6de51367
- RELATED SUGGESTED READING – A very interesting post from Jean-Louis Gassée on the future of web advertising – http://www.mondaynote.com/2015/08/31/life-after-content-blocking/
- New data released by the hacking ring “Impact Team” shows Ashley Madison execs hacked competitors – http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/
- RELATED: The CEO of Ashley Madison’s parent company quits – http://arstechnica.com/tech-policy/2015/08/ceo-of-ashley-madison-parent-company-quits/
- RELATED: Something Ashley Madison got right – they did a good job of hashing passwords – https://nakedsecurity.sophos.com/2015/08/31/what-ashley-madison-got-right/
- RELATED: no matter how well a site protects passwords, if you pick bad passwords, they will be cracked – http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/
- More OPM breach fallout – China & Russia now using the data to weed out spies – http://arstechnica.com/security/2015/08/china-and-russia-cross-referencing-opm-data-other-hacks-to-out-us-spies/
- RELATED – a post from Brian Krebs calls into question the effectiveness of the actions that OPM are taking to protect victims – http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/
- An interesting article explaining why we should expect things to get worse before they get better when it comes to automobile security – http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/
- A great article from Ars Technica – “How security flaws work: the buffer overflow” – http://arstechnica.com/security/2015/08/how-security-flaws-work-the-buffer-overflow/
- An interesting infographic from Intego showing how much your private information is worth on the black market – http://www.intego.com/mac-security-blog/how-much-is-your-privacy-worth-infographic/
- More Windows 7, 8 & 10 privacy worries – http://arstechnica.com/information-technology/2015/08/microsoft-accused-of-adding-spy-features-to-windows-7-8/
- Another HTTPS bug, mainly affecting larger organisations that use dedicated load balancing devices, allows long-term adversaries to occasionally capture a server’s private key – this is most useful to large actors like national spy agencies, who have the resources and time to watch for this very rare bug – the bug can’t be triggered, but if you watch long enough, it will happen to any site using affected devices – http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-https-sites-to-reveal-their-private-keys/
- A new variant of Android ransomware is using XMPP to communicate with control servers – http://arstechnica.com/security/2015/09/android-ransomware-uses-xmpp-chat-to-call-home-and-claims-its-from-nsa/
- Wikipedia take action against paid-for edits, AKA ‘sock puppet accounts’ – https://nakedsecurity.sophos.com/2015/09/02/wikipedia-blocks-sockpuppet-accounts-amid-blackmail-claims/
- Concerns over new TOR weaknesses prompt some darknet market places to shut down – http://arstechnica.com/security/2015/08/concerns-new-tor-weakness-is-being-exploited-prompt-dark-market-shut-down/
- Reflective Satellites may be the future of high-end encryption – http://arstechnica.com/science/2015/08/reflective-satellites-may-be-the-future-of-high-end-encryption/
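The two Ashley Madison password items above make one point between them: a slow, salted hash raises the cost of every guess an attacker makes, but a password that sits in the attacker’s wordlist still falls to a handful of guesses. The Python below is an added example, not code from the show or from any of the linked articles. It uses the standard library’s PBKDF2-HMAC in place of bcrypt (the algorithm the linked articles credit Ashley Madison with using) because the effect is the same; the iteration count and the tiny “common passwords” list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Work factor: every guess, legitimate or not, costs this many HMAC-SHA256 rounds.
# Constructed for the example; production values are tuned much higher.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest).

    A fresh random salt per user means identical passwords get different
    digests, so an attacker cannot precompute one table for the whole dump.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(salt: bytes, digest: bytes, wordlist: Iterable[str],
                      iterations: int = ITERATIONS) -> Tuple[Optional[str], int]:
    """Model an offline cracker: try each wordlist entry against one stored hash.

    Returns (cracked_password, guesses_made); (None, n) if nothing matched.
    The per-guess cost is the same as verify_password(), which is exactly
    what the work factor buys: it cannot stop guessing, only slow it down.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if verify_password(candidate, salt, digest, iterations):
            return candidate, guesses
    return None, guesses


# Constructed stand-in for the multi-million-entry leaked-password lists crackers use.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty",
    "abc123", "letmein", "monkey", "123456789",
]


def demo() -> Tuple[Tuple[Optional[str], int], Tuple[Optional[str], int]]:
    """Hash a weak and a strong password the same careful way, then attack both."""
    weak_salt, weak_digest = hash_password("letmein")
    strong_salt, strong_digest = hash_password("correct-horse-battery-staple-9x")
    weak_result = dictionary_attack(weak_salt, weak_digest, COMMON_PASSWORDS)
    strong_result = dictionary_attack(strong_salt, strong_digest, COMMON_PASSWORDS)
    return weak_result, strong_result


if __name__ == "__main__":
    weak, strong = demo()
    print("weak password:  ", weak)     # cracked on the 6th guess despite the slow hash
    print("strong password:", strong)   # survives the whole (constructed) wordlist
```

The slow hash is doing its job in both runs: each guess costs the cracker as much as a real login check. What decides the outcome is whether the password is in the list at all, which is the point the Ars Technica piece makes about the uncrackable-in-a-lifetime estimate applying only to the passwords that were not dictionary words.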
Main Topic – The hsxkpasswd command line tool continued
The Perl module powering this command line tool was chosen as module of the month for August 2015 by the editors at Perl Tricks: http://perltricks.com/article/192/2015/9/3/What-s-new-on-CPAN—August-2015
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at firstname.lastname@example.org, follow me on Twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.