NC #599 iPhone 7+ Portrait Mode, 2016 MacBook Pros, Security Bits

Next week the show will be out early because we’ll be out of town on the weekend, so don’t try to go to the live show because there won’t be one! In Chit Chat Across the Pond, Bart taught us how to create a JavaScript API in Programming By Stealth 24. I did some experiments with the new iPhone 7+ feature called Portrait mode comparing the photos to a DSLR. The new MacBook Pros are coming and I’ll talk through the features and try to help you see if they’re good or bad choice for you. Bart Busschots is back with Security Bits where we do a deeper dive into DirtyCOW and Drammer along with important security updates, notable breaches and suggested reading.


itunes
mp3 download

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday October 30, 2016 and this is show number 599. We’ve been building up to the 600th episode of the NosillaCast, but then I realized that next week I’ll be in an area no Internet access. Heck, even Sandy won’t be in town. So two things are going to happen.

First of all, the show will be out early next week, I’m thinking Thursday, and there will be NO live show on November 6th. But I don’t want a 600th show without a live audience, so I’ve decided to skip over 600 and declare next week’s show #601. Then the following week, I’ll do show 600. How’s that to mess with your head? I have to confess that I stole this idea from the SMR Podcast guys. They weren’t all in town for episode 300, so they skipped passed it. They forgot to ever come back and do 300 though!

By the way, there’s a way to keep track of when the live shows are, if you copy the link in the shownotes (don’t click it, copy it) to the Google Calendar and use it to subscribe inside your calendar of choice. Whenever I cancel a live show or move it, you’ll see it correctly in that calendar:

http://www.google.com/calendar/ical/p4eqmsjrta23puioq768nuko0k%40group.calendar.google.com/public/basic.ics

Anyway, let’s get on with show #599!

Chit Chat Across the Pond

Speaking of messing up show numbers, this week’s Chit Chat Across the Pond was episode 461 but you’ll hear me say 460 in the show. I don’t know why it’s so hard for me to get the Chit Chat numbers right! In any case, it was a fun-filled episode with Bart Busschots back with Programming By Stealth installment 24 – Creating a JavaScript API. He also teaches us an easy way to create professional documentation in order to publish our work as a JavaScript library. In order to get there we learn how to write reusable and sharable code, how “closures” help you keep your variables out of the global scope so they don’t mess up other people’s code, we learn one Ternary Operator), and my favorite, self-executing anonymous functions. If that sounds fun to you, check out Chit Chat Across the Pond #461 and of course the spectacular show notes over at bartbusschots.ie/….

Blog Posts

iPhone 7+ Portrait Mode Depth Effect

2016 MacBook Pros Promise Big Improvements

Patreon and Amazon

We used to take advertising over here on the Podfeet Podcast Network, but a while ago I stopped doing ads in favor of a couple of other methods. If you find value in the show, and you can afford it, you could pledge an amount for each NosillaCast that I publish. We do this through a service called Patreon and you can sign up at podfeet.com/patreon. I want to give a big shout out to our newest patrons, Jaimie Harris, Doug Ingram, Ricky Rodriguez, and Desmond for their support of the show.

If you haven’t got extra change lying around, I totally understand that. As the holiday shopping season is upon us, you’re probably going to do some shopping at Amazon, right? If you could go to podfeet.com first and click on the Amazon logo in the left sidebar to get to Amazon, then a small percentage of what you spend will go to help the show and won’t cost you an extra dime! I really appreciate everyone who has used the American Amazon store as well as the ones for the UK, Germany, and Canada. You can find all the Amazon links at podfeet.com/funwithflags

Security Bits with Bart Busschots

Security Medium 1 – DirtyCOW

A zero-day privilege escalation bug has been found in the Linux kernel. The bug allows any user to become root in a matter of seconds by exploiting a so-called race condition in the Kernel's implementation of a future called copy on write, or COW. The buggy code was added to the kernel 9 years ago, so it is in a lot of things. The bug has now been patched, but the vulnerability is being actively exploited in the wild. This bug will not directly allow an attacker access into a system, but it will turn any access into root access, making is extremely powerful when paired with other much less powerful bugs.

Android users the Linux kernel, and it has been found that all versions of Android from version 1.0 to the absolute latest version are vulnerable. There is no patch yet for Android, and none is expected until next month's monthly patch from Google, at which time it will start slowly trickling out to the subset of Android devices that get security updates. This is a positive boon for Android malware authors.

Links:

Security Medium 2 – Drammer

Security researchers have developed a variant of the RowHammer attack that successfully gives root access on many Android devices. The proof of concept code can be successfully delivered as JavaScript embedded in a web page.

The technique doubles up the traditional RowHammer attack to attack a single row of RAM from two sides, hence it is a Double RowHammer, or Drammer.

This is not a software bug, but a hardware problem present in some RAM chips. It can't be fixed via a software update. If your device is vulnerable, then it is vulnerable, and always will be.

[Drammer] has successfully rooted the following handsets: the Nexus 4, Nexus 5, and G4 from LG; Moto G models from 2013 and 2014 made by Motorola; the Galaxy S4 and Galaxy S5 from Samsung; and the One from OnePlus. In some cases, the results aren't always consistent. For example, only 12 of the 15 Nexus 5 models were successfully rooted, while only one of two Galaxy S5 were compromised.

The researchers aren't certain why their results are inconsistent. They theorize that the age of a given device may play a role, since extended or intensive use may wear down cells inside the memory chips over time. Another possibility is that memory chips from some suppliers are more resilient to Rowhammer than others. (It's not uncommon for different generations of the same phone model to use different memory chips.)

(from the Ars Technica coverage linked below)

The researchers have created an app to test if your handset is vulnerable, but it's not made it to the Play store yet.

Links:

Important Security Updates

Important Security News

  • The US DOJ acquired a search warrant that granted them the right to force everyone in a residence, or in the vicinity, to press their fingers into the fingerprint sensors on their phones. The warrant is on shaky legal ground, and has been strongly criticised by the EFF – nakedsecurity.sophos.com/…
  • Apple are suing Mobile Star for selling dangerous counterfeit power adaptors and charging cables through Amazon – www.patentlyapple.com/… & tidbits.com/…
  • Ryan Collins, one of the Celebgate nude photo thieves, has been sentenced to 18 months in jail – nakedsecurity.sophos.com/…
  • Google has quietly dropped its ban on Personally Identifiable web tracking – www.propublica.org/…
  • The US Federal Communications Commission (FCC) has issued long-awaited rules on how ISPs can use the data they gather about customers. On the whole the rules are more strict than the ISPs wanted, but not perfect. ISPs have to tell customers what they gather and who they share it with, sharing of sensitive data must be opt-in, but sharing of non-sensitive data can be opt-out – nakedsecurity.sophos.com/…
  • Facebook allows advertisers to exclude users by race. ProPulbica was able to purchase an illegal ad that breaks the 1968 Fair Housing act using this system – www.propublica.org/…

Noteable Breaches

Suggested Reading

  • While there have been no dramatic developments in the Marai Botnet/IoT DDOS story, I have come across some interesting articles on the subject, so I've gathered them together here:
    • A good takedown of some dumb myths that are circulating about this attack – nakedsecurity.sophos.com/…
    • The Chinese manufacturer of many of the devices that took part in the Dyn attack, XiongMai Technologies, is both promising to recall devices, and, threatening to sue media like Brian Krebs for reporting on the massive securtity problems with their devices that are necessitating the recall – krebsonsecurity.com/…
    • Apple's insistence that manufacturers of Home Kit certified devices meet stringent security standards look a lot less onerous now! – daringfireball.net/… & www.imore.com/…
  • Facebook's Bug Bounty Program turns 5 – 900 bugs squished, and $5 million paid out – nakedsecurity.sophos.com/…
  • Telemetry data from the FireFox browser shows that 50% of the pages visited by FireFox users are now delivered over HTTPS – nakedsecurity.sophos.com/…
  • A link to save for future reference (and hope you never need) – 8 things to do immediately if you've been hacked – www.intego.com/…
  • A great article from Ars explaining how SQL injection vulnerabilities work – arstechnica.com/…
    • Editorial by Bart – I can't resist throwing in a link to this fantastic XKCD comic SQL injection – xkcd.com/…
  • Security Researchers find a flaw in the design of Intel chips that undermines an important security features – ASLR – arstechnica.com/…
  • Facebook joins the controversial replacement to the illegal EU/US Safe Harbour provision named Privacy Shield – nakedsecurity.sophos.com/…
  • Unsecured wireless pagers may turn infrastructure into the next IoT, as well as expose sensitive data from dangerous things like nuclear and chemical plants – arstechnica.com/…
  • How hackers used Bit.ly links in a spear-phishing attack that successfully hacked Clinton Campaign big-wig John Podesta – nakedsecurity.sophos.com/…
  • Wired reports that the European Commission’s Article 29 Data Protection Working Party has asked Facebook not to share WhatsApp data “until the appropriate legal protections can be assured” wired.co.uk/…

That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at allison@podfeet.com, follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.

2 thoughts on “NC #599 iPhone 7+ Portrait Mode, 2016 MacBook Pros, Security Bits

  1. Philip from Australia - October 30, 2016

    The bug allows any user to become root in a matter of seconds by exploiting a so-called race condition in the Kernel’s implementation of a future called copy on write, or COW.

    I think it’s a feature. 🙂

    Philip

  2. Philip from Australia - October 31, 2016

    Arrrgh… didn’t close the tag. Sorry.

Leave a Reply

Your email address will not be published.

Scroll to top