Bart Busschots is guest-hosting the show this week. Allison tells the story of Move Mouse – a Mac app written for a Nosillacastaway by a Nosillacastaway! Bart answers a great dumb question from listener Lynda on the security of old Macs, Ken Wolf from the Manhattan Repertory Theatre reviews Chronicle, Bart fills us in about the POODLE vulnerability that’s been in the news this week, Allison describes how you can become a hero with Clarify, and in Chit Chat Across the Pond Bart talk to George Starcher about security from a Mac user’s point of view.
Hi folks, welcome to the NosillaCast Mac Podcast, hosted at podfeet.com, a technology geek podcast with an ever so light Macintosh bias. Today is Friday the 17th of October, and this is show number 493. I’m your guest host, Bart Busschots.
You’re hearing my voice instead of Allison’s because herself and Steve are away celebrating their daughter’s wedding – I’m sure I speak for all the nosillacastaways when I wish the happy couple a long and happy union!
Allison may be away, but that doesn’t mean she didn’t record some stuff for the show! We’ll start this episode with a review from Allison of an app written by one of our very own Nosillacastaways! Next we’ll have a dumb question from listen Lynda, then a review of an app called Chronicle from listener Ken Wolf of the Manhattan Repertory Theatre. They we get an un-scheduled security lite from me on the POODLE SSL vulnerability that’s making the media this week, then we hear form Allison again with ad for her favourite tutorial app, and finally security pro and Mac geek George Starcher joins me for Chit Chat Across the pond.
Move Mouse (Blog Post)
Dumb Question Corner
Hi Bart,
I’ve heard you say, many times, that older OS’s are not secure, because they haven’t been updated against current vulnerabilities.
Is it possible that some older Mac OS systems, i.e. the first Mac OS X versions, and/or OS9 might actually be secure because no one has written trojans, worms, etc. that would run on them, or they might be running really old versions of s/ware that weren’t vulnerable to modern exploits?
I ask because one of my friends advocates letting some older folks running older Macs run what they have. It’s hard for some of the older people to change. I’ve always advocated having them update, but I’d be interested in your thoughts on this.
Thanks!
Lynda
Thanks for the great question Lynda!
The short version of the answer would be “it depends”.
Ultimately this comes down to understanding and balancing risks.
Firstly, there is a big difference between vulnerability and risk. Old OSes, no matter how old, ARE vulnerable, but, if you go back far enough, they may be low risk. A house with an unlocked door IS vulnerable, but the risk is very different for a house in the middle of a crowded city, and a house high in the mountains 100 miles from the nearest road!
An important fact to understand is that a surprising amount of the code in our modern OSes is old, DECADES old! There is no money in re-inventing the wheel, so if it works, it would be a waste of resources to re-write it. If a bug is discovered in old code like this, it can go WAY back! A perfectly timed example of this is BASH vulnerability discovered this month, that bug is 15 years old, so every version of OS X with BASH contains the vulnerability (very very old versions of OS X used a different shell).
Something else to bear in mind is that the closer two OSes are in age, the more code they have in common, so recently obsoleted OSes are the most likely to also be affected by recently discovered bugs. This means that an OS that’s a little out of date probably the most dangerous one to run.
I would say that the single most dangerous thing to do would be to advise someone to stay on OS X 10.7 or 10.8 on a computer that is connected to the internet.
If you go WAY back in time, you start to become part of such a small minority that you are unlikely to be targeted. You become the digital version of the unlocked house 100 miles from civilisation.
Another BIG factor when analysing risk is the question of connectivity. If a computer is not connected to the internet, it is, for all intents and purposes, safe.
My opinion, and it is just an opinion, is that the risk is probably tolerable if your computer is so old that it pre-dates Apple’s switch to Intel chips, or, the computer has no network connection. I think advising anyone to connect an out of date Intel Mac to the internet is irresponsible.
But – having said all that – I refuse to have any part in anyone using an out of support OS. I advise all my friends and family against it, and feel strongly that if you want to use a computer, you have to understand that computers change. It may sound harsh, but I firmly believe that if you can’t accept change, you can’t safely use an internet connected computer.
Chronicle from Ken Wolf
Hi Bart, this is Ken Wolf from Manhattan Repertory Theatre with a review of Chronicle, a bill reminder app from Little Fin Software LLC.
But first let’s start with the infamous problem to be solved. I, like everyone else, have bills that need to be paid. Now the problem is I’m old and so I forget things, and the problem is I’m busy and I get distracted and I forget things, so I need either an application or a person who will remind me to pay my bills on time. Since I can’t afford a personal assistant, Chronicle is my application of choice.
The first thing you need to do when you open up Chronicle is to log in the information about your bills. You need to put the due date and the amount and all those little details. Once in, Chronicle does all the work.
The interface is simple and easy to read. On the left, you have your bills with the average paid, the amount which is due and then the next due date. On the right you have the month at a glance, and you also have a listing of the bills that are due soon, bills that are due this month in terms of how much it’s going to be, and also the bills you have already paid this month in terms of the amount that you’ve paid. Down bottom, you can also list your income.
When you pay a bill you simply log in the amount and then your bill goes down to the bottom of the column on the left.
Chronicle has some interesting features. In the preferences, you can set up your overview columns with the average paid, the amount due, the balance and other things. And you can also set up a “Weekend Avoidance” which means that it will show the bill is due on Friday before a weekend so you don’t have to pay a bill on the weekend.
You can set up when it will announce that a bill is due soon. It can be in 7 days or it can be in 1 day or it can be 12. You set it up so that it works for you. Also you can set it up so that in the dock or the menu bar, there is a little number that shows you how many bills are due. You can also enable notification reminders and default reminder settings saying you want to be reminded maybe three days before your bills are due and at a specific time. Basically, you can set up reminders so that they will work for you.
Chronicle, also has an iOS app that syncs via Dropbox and it works seamlessly.
The one caveat I have with this application is that when you’re logging in bills paid there will be a voiceover that says: “GOOD JOB!” “TERRIFIC!” “WELL DONE!” “CONGRATULATIONS!”
Congratulations? Seriously? You are congratulating me because I am paying my $10.88 Photoshop bill? Hey, I want congratulations when I win an Oscar! So that feature is a little annoying. I just turn the sound down when I am logging in my paid bills.
So if you need to be reminded about your bills, please check out Chronicle. It is only $9.99 right now on the Mac App Store. I think it’s on sale, and it is a great application and the iOS app is wonderful also.
This is Ken Wolf from Manhattan Repertory Theatre in New York City signing off, and Bart, I just want to say I think you are the greatest and unique and what you do in your work with Allison and your work on your podcasts and on the other podcasts you’re on that I have listened to, is awesome! Thanks for covering for Allison this week.
Bad POODLE
This week a vulnerability was discovered in version 3 of the SSL protocol.
We all know to look for the lock icon in our browser, which signifies that we are browser over HTTPS, the secure version of the HTTP protocol. When we see that icon, we assume our data is being securely sent, because, in theory, it is.
As users, we usually don’t care about the fact that the HTTPS protocol supports the user of many different encryption protocols, and many different encryption cyphers under the hood. Our browsers support a set of protocols and cyphers, and every web server supports a set of protocol and cyphers, and when ever we connect to a HTTPS site, our browser and the server have a little negotiation to decide which protocols and cyphers to use for that connection.
HTTPS supports more cyphers than you can shake a stick at, but only a handful of protocols. Since HTTPS first came into use in 1994, there have been just five such protocols – SSL 2, SSL 3, TLS 1, TLS 1.1, and TLS 1.2.
SSL 1 was effectively a test version, and was never used for real, and SSL 2 has been known to be insecure for some time now, so it’s no longer used (or at least it shouldn’t be). Until this week, SSL 3 was still considered safe, but not anymore!
The POODLE bug is a protocol flaw that has been discovered in SSL 3, and it allows attackers to decrypt supposedly secure connections. The fact that the problem is a flaw in the protocol rather than a flaw in a particular implementation of the protocol means that all implementations of SSL 3 are now unsafe. The only safe HTTPS is HTTPS that uses TLS rather than SSL.
The fact that all versions of SSL are now unsafe means that all old browsers without TLS support are now dead. For the most part that doesn’t matter because no one is using ancient versions of Netscape or FireFox etc., but there is one very notable exception to this – the immortal IE 6! It should have died years ago, but as of this week, you HAVE to stop using IE 6 – it cannot do TLS, it is not safe anymore!
So – what are we all going to do about this POODLE problem?
Because HTTPS connections are negotiations, BOTH parties to a connection, i.e. the browser and the server, have to agree that SSL is OK for it to be possible for SSL to be used for a given connection.
Like with heart bleed earlier this year, this means that responsible sysadmins have spent the last few days fixing their web servers by removing SSL from the list of protocols their servers will accept.
But, unlike with heart bleed, this time we, as users, have the power to protect ourselves by removing SSL support from our browsers. For instructions visit this link (scroll down past the sever stuff to the section on protecting your browser).
If you disable SSL in your browser, you are safe, because unless both sites agree to SSL, there can be no SSL!
Clarify
Listen as Allison interrupts us (again) to tell the tale of how she was able to very quickly help her friend fix a problem with audio not playing inside Safari. She claims that in 35 seconds she was able to take three screenshots (one was a pulldown menu), drop in an arrow on one, draw a box around another and copy the whole thing in an email back to her friend. She was a hero. You too can be a hero by going to clarify-it.com and downloading the free trial.
Chit Chat Across the Pond
Bart’s guest this week is security pro George Starcher. Bart and George take a big-picture look at security from a Mac user’s point of view.
Closing
And with that another Nosillacast comes to an end.
Thanks to everyone who sent in material for the show – you made my life a lot easier – as Ken Ray would say, you rock!
Should you want to hear more from me, you can check out podcasts over at lets-talk.ie, I do a monthly Apple show called Let’s Talk Apple, and a monthly photography show called Let’s Talk Photography (aren’t I original!). If that’s not enough to satisfy your appetite for Irish accents, you can also hear, and even see, me on the latest Mac Jury (mac voices episode 14207) where Chuck Joiner kindly invited me to chat with himself, Don McAlister, and Dr. Mac about this week’s Apple event.
Congratulations again to Lindsay and Nolan, and until next time, Happy Computing!
re Security of Old Macs
Bart and I have been around and around about this before. So, lean back, and have fun.
I fully agree with Bart. It is best to stay up to date with OS versions and security updates,
But what if the bestisn’t possible?
Such as on the huge number of Intel Macs that won’t upgrade past Snow Leopard, and the zillions more “left behind” on Lion? Not to mention the folks who still have the PowerPC Powerbooks on Tiger. I know they’re out there, because I gave them the computers and still get calls for help.
Apple could keep its OS versions update with security. Apple doesn’t. Tens of billions in the bank, and no security updates for older versions of the OS.
On the other hand, I turned on a “Core Solo Mac”that runs SL. I’ve kept it around as a backup, and because it runs a couple of label printers which having the old OS keep from the dump.
Wait! As I booted,and it hasn’t been on for weeks,there’s an update alert!
iTunes. Yep. Apple can keep its music store open, even if using it isn’t secure.
So,if you have an old Mac you don’t want to toss out because it would cost big to replace, what do you do?
You could run Linux. I tried that. It was a pain to set up,and not everything worked right.
Or you can try to be as safe as you can.
Don’t use Safari. For whatever reason, maybe because it is built in and so often exposed to the internet, most of the vulnerabilities I read about Apple patching seem to be Safari.
You can use Chrome, but I understand Google will end support for older 32 bit Macs soon.
There are versions of Mozilla Firefox that will continue to work.
Read: http://tenfourfox.blogspot.com/
Flash isn’t and was never safe. Without the Chrome built in version, your old Mac won’t be able to run Flash content. One benefit! Less obnoxious ads.
Remove Java from your machine.
There are substantial benefts to using the web interface to Gmail as Google has excellent virus detectors, blocks clicks leading to malware, and by caching images and not sending them directly, protects users from malicious embedded code.
Perhaps other online webmail providers do the same. I am familiar with Gmail.
Presuming ClamXav runs on your old Mac, install and run it. Get the full version with Sentry, turn it on to monitor any downloads. You won’t find the full version on the MacApp Store.
I really don’t like the idea of filling landfills with working computers. But there are things you probably shouldn’t do with an insecure Mac. Such as online banking.
Perhaps others have useful suggestions to keep old Macs safer?
One final bit. Google’s Chromebooks are very, very inexpensive. The HP 14″ that runs a Haswell chip is a nice and secure way to interface and interact with the internet. I gave one to a friend whose grandchildren kept destroying her Win PC with inadvertent malware downloads. It was easier to buy and give her the Chromebook than to keep “fixing” the PC.
The Haswell HP 14″ is on closeout for as low as $199. There are other nice Chromebooks that are current releases and still quite inexpensive. Like the Toshiba 13″
Buy a Chromebook to access the Internet, and like Bart suggests, you can unplug your Mac fron danger, safely use it for the local software you own, such as Word or Photoshop, and start saving for your next Mac.
Thanks for a great show, Bart. Loved hearing about POODLE. This is good stuff. But what about IOS browsers? Is there a fix for them? Or don’t they need it?
As of today (20 October), Safari on OS X 10.10 is vulnerable, and so is Safari on iOS 8.0.2 (you can test at https://www.ssllabs.com/ssltest/viewMyClient.html)
I think we have to wait for Apple to release updates 🙁
I tested out the instructions at the link Bart sent to turn off SSL on browsers. The instructions may be good on Firefox and IE, but they don’t help on Chrome and Safari. The instructions say that Safari is fixed if you just run the latest update, but running the test after the the update says it’s not up to date so I’m not sure if it’s fixed or not.
Chrome is REALLY weird to update, you have to launch the Terminal and issue a command, which launches Chrome, then spits all kinds of glop on the screen in the Terminal, and eventually it asks you for permission to get into your Contacts. Um, what? After I killed the terminal command, I ran the test to see if SSL was disabled and it said it was. Yay! But then I rebooted (to get the Safari update) and now Chrome also says it’s failing the SSL test.
I think this needs more work before you should try it…
Allison: I’ll see if I can figure what’s goign on with Chrome.
Bart: that SSL labs page is very confusing. From IOS Safari, the top box says I’m vulnerable. The next box says I’m not. But you’re right. We have to leave it up to Apple.
The reason for a lot of the Safari confusion is that Apple, in their infinite wisdom, have decided to do a pin-prick fix instead of a broad fix.
The current bug requires the combination of SSLv3 and a certain type of encryption cypher. The advice from the security community is clear, stop using SSLv3, but Apple have decided to only block SSLv3 + certain cyphers, and still support SSLv3 in other configurations.
Most tests are checking for the existence of SSLv3, and if it is there, flagging the browser/server as vulnerable, hence iOS and Safari continuing to be shown a failing.
I don’t like what Apple have chosen to do. SSLv3 is dead, just kill it already!
Allison, I’m guessing the instructions you followed only secured chrome for that single launch instance by feeding it an argument on execution.
Here is an easy way to create an automator action to fix chrome: https://zmap.io/sslv3/browsers.html#chrome-osx
HOWEVER, you MUST launch Chrome with the new automator app EVERYTIME you want to use it, or else you will not be protected! This is, of course, until Google pushes out a proper update for Chrome.
I followed those instructions and created the automator app, which I uploaded here: http://www.bignetonline.com/downloads/Chrome-POODLE-Proof.zip so I could re-use when I’m at my clients offices.
Bart, I found the talk with George about security on the mac interesting. I didn’t realize that I shouldn’t be running as an administrator. I figured OS X needed my password to do anything major anyways. Can you shed any light on this?
You’re right on, Joe. Dorothy has actually written up a great Clarify tutorial walking us through how to do that.
I asked Bart and George the same question about running as admin but they don’t agree with each other. I’ll let them answer here.
Joe – you are right that a to of things still need you to enter your password as admin, but not everything. I don’t have an exhaustive list, but I can give you one simple example to illustrate the point: as a admin, I can drag-and-drop an app into the Applications folder without being asked for a password.
There are definitely differences between running as an admin, and a non-admin, but running as an admin on OS X does not give you unfettered permissions, OS X admins are not Unix root, so they need to use the gui-equivalent of sudo to do many things.
George’s advice is very simple – don’t do it. That’s easy to remember, and easy advice to pass on.
My own take is more nuanced, but when talking to muggles I revert to George’s suggestion.
I do run as admin. That’s a decision I’ve made based on balancing the risks as I see them against the extra convenience it gives me.
I spend a lot of time on the Terminal, and non-admins can’t sudo, so running as a non-admin would mean I had to jump through an extra hoop on the command line (I would have to su to an admin account, then sudo). I also like being able to drag and drop stuff to the Applications folder. Running as an admin is simpler.
The reason I am happy to do so is simple – I NEVER share my Macs. The only data on my Mac is mine, and if my account gets hacked, even if I wasn’t an admin, my stuff would be in the line of fire. If I shared a Mac I would not run as admin because if I were to get hacked, the hacker would have the ability to muck up my stuff AND the other user’s stuff, while running as non-admin would limit the damage to just my stuff.
Allison – Could you post the link to the Clarify tutorial?
Bart – Good points. But like you, I think I’ll sacrifice ultimate security for some convenience as running as an administrator. After all, I’ve been doing it for many years now, and have never had a problem. Thanks for the clarification…
Impressive psychological faculties at work! Great answer!