Steve and I went to NAB and NMX this week so I give you a few thoughts on how fun that was (audio interviews to start next week, but video interviews are already starting to go up on podfeet.com). I try to answer the question of whether it’s time to jump to the new Photos App from Apple by going through how I answered that question for myself. In Chit Chat Across the Pond Bart covers the latest in Security Light, Medium and suggested reading as always followed by Taming the Terminal part 32 of n. It’s a marathon show!
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday April 19, 2015 and this is show number 519. I think we might have a marathon show here this week. Steve and I went to a conference so we’ve got interviews from that, I’m going to give you my thoughts about the new Photos app and what I’ve decided to do about it, and we’ve got Security Lite and Chit Chat Across the Pond with Taming the Terminal Part 32 of n where we get to do SSH Tunneling. Put on your seatbelts and let’s get going!
This week was the NAB Show (National Association of Broadcasters) and NMX (New Media Expo) out in Las Vegas and Steve and I got to attend both. We have been to NMX and its previous incarnations of the Podcast Expo and Blogworld many times, but this was the first time NMX was embedded inside NAB.
It was Chuck Joiner of MacVoices.tv who suggested it might be interesting. He’d been to NAB many times before and got a lot out of it. Dave Hamilton of The Mac Observer and Mac Geek Gab decided to go too, and Don McAllister of ScreenCasts Online jumped in too. Remember when we used to do the Mac Roundtable? Well it was originally started by four guys – Tim Verpoorten, Adam Christianson, Steve Stanger, and Joseph Nilo. We’ve only met Joseph once before at Macworld, and were delighted to find out that he was coming to NAB too. Now if that doesn’t sound like a party I don’t know what does!
I have to say that I think we’ve outgrown NMX. It sounds snarky to say that I have nothing to learn from the speakers there. I decided a few years ago that the solution was to not expect to learn, but to give back and teach. However, they’ve rejected my talks for the last two years. I was bummed about that because you know how I love to teach! I felt a little better when Don got his rejection notice…and he hadn’t even submitted a paper! Oh well!
The exhibit hall for NMX the last time we went was really really weak, maybe 20 booths tops and none of them interesting. The good news is that with the purchase of an NMX ticket this year, we got access to all of the NAB booths. Believe it or not, NAB fills the Las Vegas Convention Center, North, Central and South Halls. CES fills those three giant halls but also spills out into other hotels, but that still makes NAB pretty darn huge.
The downside of NAB is that much of the equipment and software is WAY out of our league. For example the bottom of the line Red Camera starts at $5000 but the model they were showing off at NAB starts at $50K! We went to the huge Black Magic booth, who sell interface boxes for video. All but two of the boxes were over $2000. Not exactly what we’re looking for, but keep in mind this show is geared towards people making television and movies.
The good news is that with a show this big, there’s still an awful lot within the podcaster’s salary level to enjoy. Steve and I did about a dozen interviews, so not quite as many as CES but I think we got some real keepers in there. We’ll start playing them a couple at a time like we did for CES.
I have to give a big shoutout to Allan Tépper from TecnoTur, because I did the worst thing possible to him. Remember I asked on the show if anyone else was going to be there? Well, Allan wrote to me to tell me he’d be at NAB, and then he recognized me as we were both going into an event called the Super Meet. He introduced himself and right then the line we’d been waiting in started to move and I said I’d catch up with him inside. And then I TOTALLY FORGOT TO GO FIND HIM! I think I might be the worst person ever. He found Don inside the hall and they had a great conversation so at least he had fun.
I wanted to mention one more thing about NMX before I move on and that’s that the Podcast Awards took place. I didn’t attend the award ceremony but I’m delighted to tell you that Tom Merritt’s Daily Tech News Show won for best Tech show overall! That’s a HUGE achievement considering it hasn’t been much more than a year since he started his show. Congratulations to Tom and his producer Jennie for a well-deserved award.
Blog Posts
Is it Time to Jump to Photos?
Clarify
If you’ve been listening to the show for any length of time you’ve heard me talk about my favorite tool, Clarify, for making tutorials with photos and text and annotations. One thing I don’t talk about very often is all the ways you can present the tutorials you create with Clarify. I went poking around on the Clarify-it website today and realized that there are a LOT of formats! First you can publish your tutorial to your own free site on clarify-it.com. You can store your tutorials inside Evernote which I’ve mentioned before so you have essentially a database of your content. You can publish to WordPress as a page or a post, but you can also simply get the entire html content and images so you can post it on other blog platforms. You can publish to a beautiful PDF with the built-in templates or create your own. Stuck with people who love Microsoft Word? Clarify has output for Word too. Maybe you’re a big fan of Dropbox, you can share to Dropbox and get a public URL that you can instantly send to anyone.
The greatest benefit of Clarify is the ability to share your knowledge so that you can help other people, keep them from asking you the same question over and over again, and make yourself look positively brilliant. Because you are, of course, brilliant but not everyone knows that yet! Go check out the free trial of Clarify over at clarify-it.com for Mac and Windows and be sure to tell them Allison sent you like Stefaan Lesage did just this week!
Chit Chat Across the Pond
Security Medium – Rootpipe
The latest security bug with a cute name is Rootpipe, and it affects OS X going back to at least 10.7. This is a privilege escalation bug, but for some reason the media have decided to call it a back door. This bug allows an app running as an admin user to gain full root access without needing the user to enter a password. Some reports say this bug only affects admin users, some reports say it also affects non-admin users. It’s not clear what exactly is going on.
Apple have patched Rootpipe for OS X 10.10 Yosemite, but will not be patching it on older versions of OS X. The advice in the security community seems to be that if you are running old versions of OS X, you should not run as an administrator.
Links with More info:
- http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-backdoor-like-bug-that-gives-attackers-root/
- http://www.intego.com/mac-security-blog/rootpipe-backdoor-flaw-no-patch/
Security Light
Important Security Updates:
- Last Tuesday was Patch Tuesday, seeing important updates from Microsoft, Adobe (including Flash), and Oracle (including Java) – http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/
- Security professionals urging Windows users not to delay in installing the April Patch Tuesday fixes from Microsoft as they contain a particularly dangerous one that could allow a worm to spread. The bug is in HTTP.sys, and allows remote code execution – https://nakedsecurity.sophos.com/2015/04/15/update-tuesday-april-2015-urgent-action-needed-over-microsoft-http-bug/
- Microsoft’s patch Tuesday releases also contained a security update for Office 2011 for Mac – http://www.intego.com/mac-security-blog/microsoft-releases-office-2011-14-4-9-update-patches-critical-vulnerabilities/
- Apple patches OS X, iOS, Apple TV, and Safari – https://nakedsecurity.sophos.com/2015/04/09/apple-fixes-loads-of-security-holes-in-os-x-ios-apple-tv-safari/
Important Security News:
- Yet more proof that ads are dangerous for your digital health – malicious flash-based ads infect visitors to a number of sites, including the Huffington Post, with extortionware – http://arstechnica.com/security/2015/04/faked-flash-based-ads-on-huffpo-other-sites-downloaded-extortionware/ (Editorial by Bart: the issue is not really with advertising, but with sites out-sourcing ad acquisition to the lowest bidder, and with allowing dangerous technologies like Flash in ads. I think it is immoral to block ads, but I think it is foolish not to block Flash. End result – I see only safe ads, incentivising sites to move away from dangerous Flash ads.)
- If you’ve been infected by popups in your browser, Pat Dengler recommends Adware Medic: http://www.adwaremedic.com/index.php – Shareware, so push the donate button if it helps you
- A very reasonable US Government Accountability Office (GAO) report studying on-board security in planes gets blown out of all proportion by the dregs of the Media (Fox News unsurprisingly gets a special mention for their breathless hyperbole). Bottom line – don’t panic! The document is actually a good summary of where things stand now, and where things should go in the future – https://nakedsecurity.sophos.com/2015/04/17/could-a-hacker-really-bring-down-a-plane-from-a-mobile-phone-in-seat-12c/
- A Virginia audit of their ironically named WINVote voting machines finds they are a security nightmare, and the board of elections removed their certification. This list of security blunders is jaw-dropping, from relying on WEP for security to using passwords like ‘abcde’ – https://nakedsecurity.sophos.com/2015/04/17/tampering-with-us-voting-machine-as-easy-as-abcde-says-virginia-report/ & http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/ (Editorial: given the importance of free and fair elections to democracy, the fact that it was possible for these machines to be certified for years is utterly horrifying, and shows the need for urgent and dramatic reform of the electoral system)
- The EU has launched an investigation of Google for abusing its monopoly position in search – https://nakedsecurity.sophos.com/2015/04/16/eu-accuses-google-of-abusing-search-dominance-opens-android-investigation/
- Google take a big step to putting the insecurity of the 1990s behind us, disabling the NPAPI plugin API in Chrome by default, and hence banishing Java and Silverlight from the web – http://arstechnica.com/information-technology/2015/04/chrome-starts-pushing-java-off-the-web-by-disabling-plugins/
- Just because a plugin is in Google’s store, does not mean it is safe – security researchers found that the plugin ‘Webpage Screenshot’ with over 1.2 million downloads was gathering user data and sending it to advertisers – http://arstechnica.com/security/2015/04/chrome-extension-collects-browsing-data-uses-it-for-marketing/
- Google does a bit of a cleanup of its plugin store and removes nearly 200 plugins found to be injecting ads into web pages – http://arstechnica.com/security/2015/04/google-kills-200-ad-injecting-chrome-extensions-says-many-are-malware/
- Yet another hole has been found in WPS (Wi-Fi Protected Setup). This is the third major hole in the protocol, and the third time security researchers are telling everyone to stop using it! If your router won’t let you disable WPS, buy a new router, because any router with WPS enabled is insecure – https://nakedsecurity.sophos.com/2015/04/13/we-told-you-not-to-use-wps-on-your-wi-fi-router-we-told-you-not-to-knit-your-own-crypto/
- Half a month on from the CNNIC certificate blunder, it’s interesting to see how different browsers have responded. Apple & Microsoft have NOT taken action, Google and Firefox have removed trust of CNNIC – https://nakedsecurity.sophos.com/2015/04/14/tls-certificate-blunder-revisited-whither-china-internet-network-information-center/
- An update on the Facebook tracking report discussed in the previous Security Lite – Facebook now admit there is a bug in their code that was causing them to track people they didn’t mean to track – https://nakedsecurity.sophos.com/2015/04/10/tracking-report-was-wrong-says-facebook-but-there-is-a-bug-that-needs-fixing/
- PSA – a security bug has been found in Dell System Detect – an app pre-installed on many Dells, and also issued by Dell Support when users open calls. Dell patched the app, but didn’t actually fix the problem, so they patched again, and this time they seem to have actually fixed it. If you have a Dell, you should probably check if Dell System Detect is installed, and if it is, either update it or remove it – http://arstechnica.com/security/2015/04/dell-support-software-gets-flagged-by-antivirus-program/
- PSA – if you run WordPress with the popular Super Cache plugin, be sure it is patched – there is massive exploitation ongoing of sites running out of date versions of this plugin – https://www.us-cert.gov/ncas/current-activity/2015/04/09/WP-Super-Cache-Cross-Site-Scripting-XSS-Vulnerability
Notable Breaches:
- US hotel chain White Lodging appears to have been breached again – http://krebsonsecurity.com/2015/04/white-lodging-confirms-second-breach/
Suggested Reading:
- Thinking of using the jail-break-free Popcorn Time for iOS? Care about security? Then don’t! – http://www.macworld.com/article/2908014/popcorn-time-for-ios-requires-a-dangerous-workaround.html
- A US lawmaker working on an anti-swatting bill gets swatted – https://nakedsecurity.sophos.com/2015/04/16/us-lawmaker-whos-pushing-anti-swatting-bill-gets-swatted/
- Target reaches $19M settlement with MasterCard over their big hack back in December 2013 – https://nakedsecurity.sophos.com/2015/04/17/targets-settlement-with-mastercard-costs-retailer-19-million/
- How Google’s April Fools prank introduced a security vulnerability into Google’s front page – http://arstechnica.com/security/2015/04/no-joke-googles-april-fools-prank-inadvertently-broke-sites-security/
- Former Hot Lotto security director accused of hacking lotto computer to win a $14.3M jackpot – https://nakedsecurity.sophos.com/2015/04/15/hot-lotto-security-director-suspected-of-tinkering-with-computer-to-win-14-3m/
- The NSA flies a trial balloon – how about a second front door instead of a back door? – http://arstechnica.com/tech-policy/2015/04/nsa-dreams-of-smartphones-with-split-crypto-keys-protecting-user-data/
- Reuters report that US agents were ordered to cover up a program used to illegally investigate Americans – http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805
- The US DEA and Army bought $1.2M worth of questionable hacking tools in recent years – http://arstechnica.com/tech-policy/2015/04/dea-us-army-bought-1-2m-worth-of-hacking-tools-in-recent-years/
- US DEA sued over ‘suspicion-less’ mass surveillance of Americans by the EFF on behalf of Human Rights Watch – https://nakedsecurity.sophos.com/2015/04/10/dea-sued-over-suspicionless-mass-surveillance-of-americans-phone-records/
- Researchers release an interesting study on the economics of bug bounty programs with the catchy title “The Wolves of Vuln Street” – http://arstechnica.com/security/2015/04/researchers-try-to-hack-the-economics-of-zero-day-bugs/
- How China’s Great Cannon cyber attack machine works – http://arstechnica.com/security/2015/04/meet-great-cannon-the-man-in-the-middle-weapon-china-used-on-github/ – also – do your bit to prevent your visitors being abused by the cannon, make your site HTTPS – http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/
Aside – please consider donating to the EFF
The EFF have succeeded in invalidating a patent that was being used to threaten podcasters into paying licensing fees to a so-called ‘non-practicing entity’ (https://www.eff.org/press/releases/eff-busts-podcasting-patent-invalidating-key-claims-patent-office) – this is great news for all podcasters, and, a good illustration of the EFF’s value to our society. I donate to them regularly, and would urge you to do the same.
Main Topic
Taming the Terminal Part 32 of n – https://www.bartbusschots.ie/s/2015/04/06/taming-the-terminal-part-32-of-n-ssh-tunnelling/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
I thought I would mention that while in Woodstock, just for kicks, you can go to Harvard as well. It is just a hop, skip, and a jump up highway 14. I was surprised to hear you mention Woodstock was the venue for the shindig since it is my mother’s birthplace and a town I [used to] know very well. I am in California now but I was born in Harvard, IL. I sure wish I could attend but, sadly, I am in no position to travel that far just now. I sent along a link for the show to my aunt and uncle who, not only live in Harvard, but are ardent Mac enthusiasts. I hope you have a great time there.
Bert