NC #593 Poll to Influence Podfeet Redesign, Activity Tracking Improvements in watchOS 3 and iOS 10, First Days with iPhone 7 Plus, Security Bits

We chat about how the clock on podfeet.com/live is insecure and how we’re going to program our way around it. I need your help with a quick 5-question poll to help me redesign podfeet.com. Activity tracking has REALLY improved with watchOS 3 and iOS 10. Want to help the show? Pledge your support at podfeet.com/patreon. I’ll give you some of the high points of my first few days with the new iPhone 7 Plus (spoiler, I love it) but we’ll wait till next week to talk about the camera. Bart Busschots is back with another edition of Security Bits. Among other things he’ll tell you whether to light your hair on fire about the Dropbox kerfuffle.

mp3 download

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday September 18, 2016 and this is show number 593. This week I took delivery of an iPhone 7 Plus and the Apple Watch Series 2 aluminium. I’ve got some thoughts on the first few days with the iPhone 7 Plus but I haven’t had time to write up my experiences with the camera. I’ve taken a bunch of comparison photos between the 7 Plus and the 6 but I want to do a good job of analysis before talking about it. The same is true with the Series 2 watch. It’s killing me though because I really want to talk about them!

I want to tell you one great anecdote though. I finished off my first thoughts blog post about the iPhone 7 Plus and ran out the door with Tesla for a quick walk to the grocery store. On my way, I got a Telegram message on my watch from Mark Pouley. He said he’d found two typos in the blog post. When I got the store, I quickly grabbed the 3 things I needed and got in line. With only 2 people ahead of me in the express lane I didn’t have much time, but i whipped out my giant-screen iPhone, logged into WordPress in Safari on Podfeet.com, made the edits, hit save and right then the guy was ready for me to pay. I double-tapped the side button on the Apple Watch, turned my wrist over and paid with Apple Pay. Boom! I love technology!!!

Chit Chat Across the Pond

In this week’s Chit Chat Across the Pond. Bart Busschots takes us through Programming By Stealth installment 21 where we get into jQuery basics. This is another really easy lesson where he reviews some stuff we learned way back when about html and css, and shows us how with jQuery we can search for elements on a web page, limit the search and filter the results. Then he shows us how to actually start changing the css with jQuery. It’s such a fun lesson, I hope you’ll go check it out at podfeet.com/….

Blog Posts

Danger! Insecure Clock!

Redesigning Podfeet.com – Need Your Feedback

I’ve been thinking about redesigning podfeet.com for a long time. It was a cool theme when I built it about 126 years ago but it’s really showing it’s age. I think we’ve outgrown it with separate NosillaCast and Chit Chat Across the Pond shows, special series like Taming the Terminal and Programming By Stealth, there’s all the tutorials, and of course links to cool stuff like our Facebook and Google Plus groups, and ways to help the show. Personally, I think it’s a hot mess!

I’ve started working on a redesign but I thought it might be a good idea to start getting some feedback first. I put up a very simple 5 question poll over on podfeet.com. I may ask more questions later, but I’m starting easy! I want to know what you do on the site, what you wish was easier, how you access it, which podcasts you listen to and what you’d like to see improved. I pushed it out earlier in the week on social media, and as is usually the case with these things, it’s the comments that seem to matter the most.

I hope you’ll go over and participate in the poll. I made sure it was the kind where you can see the results after you participate which I think is more fun. Stay tuned, I think things are going to get a lot more usable soon!

Activity Tracking is Really Improved with watchOS 3 and iOS 10

Patreon

I didn’t go into podcasting to make money but I also didn’t go into it to lose money either! I’d like to break even on it and maybe make enough money to buy more gadgets to review for you. To this end I decided to start using Patreon to give you guys an easy way to support the show. Patreon lets you pledge a weekly amount that you only get billed if the podcaster actually produces a show. In the case of my show, that’s a guarantee since we haven’t missed one in over ten years!

If you head over to podfeet.com/patreon, you enter a credit card, and then choose how much you want to pledge to keep the show afloat. You can do a dollar or a quarter, or a thousand dollars a show – whatever you think it’s worth. If you can’t afford it though, PLEASE don’t donate. I’m serious about this. It’s just if you think you could spare some money to help us out here, that would be great.

I’d like to give a shoutout to our newest patrons this week, we’ve got Chad and whk and Bob and Rob and Christopher and Tom. I can’t thank you all enough for helping the show like this, you’re awesome!

Ok, let’s get back to some geek fun.

First Few Days with the iPhone 7 Plus – Size Matters

Security Bits

Security Medium – The DropBox for Mac Controversy

This is a story that has been bubbling away for a few months, but only got traction recently when the main-stream tech-press started reporting on it.

Over the past few years, OS X has been tightening up its security, putting systems in place at the operating system level to limit the access apps have to each other's data, and to the system. Apps that have a legitimate need to access resources that are usually off-limits can ask for permission to do so.

The most common type of app that needs to watch everything you do is an app that implements some kind of assistive technology, for this reason, you control permission for such super-privileged apps in the Accessibility section of the Privacy tab in the Security and Privacy preference pane.

Not all apps that need this kinds of super-privilege are for accessibility – apps like TextExpander need this level of privilege to monitor your keystrokes in every app, and replace what you type with your chosen expansion.

What a security researcher noticed over the summer was that DropBox was listed in his preference pane as having accessibility access, but it had never asked for that access, and he never granted it that access. How did it get there?

He removed the access, and then things really go weird – the permission came back! DropBox was somehow re-enabling it, again, without asking for permission. How?

The researcher managed to permanently remove the permissions, and, he found that DropBox continued to function normally.

My initial thought was that this looks very bad. If the permission keeps coming back, DropBox must be storing your passwords, and if the app works without the accessibility permissions, the app must be asking for more privileges than it needs – a big security no-no.

Now that I've had more time to read, I've changed my mind. DropBox say they need accessibility access for their badging and Office integrations, and that they use a helper app that runs as root to re-assert the permissions they need. They say they use OS X's standard APIs to give their installer root-level access, which means they never even get to see your password, so they could not save it even if they want to.

I don't see any evidence they are lying – you can see the root-owned helper apps yourself by typing the following in the Terminal:

ls -l /Library/DropboxHelperTools

Links:

• The article that started it all – applehelpwriter.com/…
• An explanation of what it going on from a DropBox engineer – news.ycombinator.com/…

Important Security Updates

• Last Tuesday was Patch Tuesday – Microsoft & Adobe released patches for critical vulnerabilities including patches for Windows, IE & Flash – krebsonsecurity.com/…
• Apple's latest OS updates are also security updates:
  • iOS 10 – support.apple.com/…
  • WatchOS 3 – support.apple.com/…
• WordPress released a patch to fix two critical vulnerabilities that allowed attackers to take over WordPress sites – www.us-cert.gov/…

Important Security News

• Google released fixes for two critical Android bugs as serious as Stage Fright, but, many phones will not be able to get these patches – arstechnica.com/…
• Malware also snuck into the Google Play store again, and was downloaded at least 2.5 millions times – arstechnica.com/…
• It now appears that a recent update to the Google Play Store has resulted in it always tracking your location, with no way to disable it. This may explain why users have been reporting a reduction in battery life since the update – nakedsecurity.sophos.com/… & www.loopinsight.com/…
• Security researchers have demonstrated a new attack that uses cheap USB dongles to extract login credentials from Windows PCs (and Macs in at least some configurations), even when they are locked. The technique works because both OS X and Windows will install new USB network devices even when the device is locked. In the long-term, Microsoft & Apple will need to fix their OSes so they do not install drivers when a machine is locked. In the short term, this is yet another reason never to leave your computer unattended in a public place – arstechnica.com/… & nakedsecurity.sophos.com/…
• Google announced it will start to label some HTTP websites in Chrome as 'Not Secure' – initially just sites that send usernames and passwords or credit card number over HTTP, but this is step towards marking all HTTP sites as insecure in the future – nakedsecurity.sophos.com/…
• The FBI released a Public Service Announcement warning that ransomware is getting more sophisticated, asking US victims to report the details to the FBI, and suggesting steps business can take to protect themselves – www.ic3.gov/…

Notable Breaches

• 98M plain text passwords from a 2012 breach of rambler.ru surface on the net – arstechnica.com/…
• ~800k plain text password leaked from porn site Brazzers – nakedsecurity.sophos.com/…
• 2.2M plain-text passwords from ad-clicking site ClixSense leaked, 4.4M more for sale – arstechnica.com/… & nakedsecurity.sophos.com/…
• UPDATE – US House Oversight committee slams OPM in report on their massive breach last year – krebsonsecurity.com/… & arstechnica.com/…

Suggested Reading

• Brian Krebs details a new technique scammers are using to try trick people into helping them bypass 2FA (don't believe every text message you receive!) – krebsonsecurity.com/…
• Some advice from Intego for securely using public computers in school – www.intego.com/…
• 10 security & privacy features you should be aware of in iOS 10 (not all new in iOS 10) – www.intego.com/…
• America gets its first nation CISO (Chief Information Security Officer) – nakedsecurity.sophos.com/…
• Security researchers find yet another serious problem with TOR – using hidden services directories strips away your anonymity – nakedsecurity.sophos.com/…
• More leaks from hacked emails that may be aimed at influencing the US election – this time the victim is Colin Powell – arstechnica.com/…

=======================

After I got off of the call with Bart, I decided to try and track down what insecure scripts were running on the podfeet.com home page. I figured it out – it was the Google Search box!!! The irony of that does not escape me. I added the “s” to https in the script call and Bob’s your uncle, podfeet.com now gets a generic response from Google. This couldn’t make me happier.

That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.