Send in your questions you’d like to have Professor Maryanne Garry answer on the show about the brain, memory or how we perceive things for a show in a few weeks. I have an argument with myself about whether the use of ad blockers is essentially stealing or whether they’re our only defense against emotional damage. My octogenarian father-in-law explains how 1Password made his computing experience so much easier in a video interview I hope you’ll use to convince others to use a password manager. A quick review of a USB-C dongle for $20 from Aerb that does 90% of what I need on my 12″ MacBook. In Chit Chat Across the Pond Bart takes us through part 2 of his explanation of how to use HSXKpasswd from the command line and how to create our own configuration files. It’s one that really would be helpful if you read along with his shownotes while you work it out on your own!
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday September 6, 2015 and this is show number 539. I’m getting charged up for the big announcement day on Wednesday! Steven Goetz suggested that we fire up the live chatroom during the announcement like we did last time. All you have to do to join in the fun is go over to podfeet.com/live at 10 am Pacific Time. On the right side of the page you’ll see a web-based chat window asking you to pick a user name and then hit join. You’ll see a video link on the left but ignore that because I won’t be broadcasting ME during the event since we’ll all be watching Tim on our various devices. If you’d like to use a standalone client instead of the web client, Kirschen and I have compiled tutorials on how to set up Colloquy, Textual and Adium at a link in the shownotes. If you’re going to set up one of these clients I recommend working on that a little while ahead of time. Hope to “see” you there!
Professor Maryanne
Dr. Maryanne Garry, professor in psychology will be coming to visit again and we’re hoping to do another recording for the show. You may remember her as the one who messed with everything we thought we knew about our memory and then destroyed our understanding of how we pay attention to things. She suggested I ask you to submit questions to the show on what else you might want to know in the area of cognitive science. I’m sure her discussions in the past have left you with questions that you’d love to have her answer or things you’ve read about the mind, the way we learn and perceive things, memory and behavior – please send them in!
Blog Posts
Ad Blockers – Stealing or User Right?
Octogenarian Talks 1Password
One USB-C Dongle to Rule Them All?
Clarify
You hear me yap about how Clarify helps me all the time to make tutorials to help other people learn how to do things and helps me to remember how to do things, and I’m sure that’s vastly entertaining and informative for you. But there’s one thing better than that, and it’s when you hear a spontaneous testimonial from a fellow NosillaCastaway. Out of the blue, Ben wrote in with this message he hoped I’d share with you:
I am helping someone with a web application. After we spent a few hours this morning working through things, they had a question this afternoon. Since I was no longer with them, I opened Clarify and walked them through it. Later, I saw that they were able to figure out their question so I asked how they liked Clarify, and they responded “I LOVED it, so easy and so helpful!” There is no better testimonial than that of someone who Clarify has helped.
So this is actually an embedded testimonial – it’s Ben telling us how HIS friend thought Clarify helped them get their work done. If you don’t believe the 3 of us, please download the free trial of Clarify over at clarify-it.com for Mac or Windows or both, and prove it to yourself. When you do buy Clarify, be sure to let them know that you heard about it from me and Ben!
Chit Chat Across the Pond
Security Medium – OS X Trojans Accessing the Key Chain
There is yet another story about OS X security that sounds really bad – apps accessing your keychain without permission!
The malicious apps abuse OS X’s accessibility features to locate, on screen, the popup asking for permission to access the keychain, and then click its ‘OK’ button for you.
As bad as this sounds, there is some very important small print – before malicious apps can do this, you need to 1) download and install them, and 2) give them full administrator access to your system by entering your admin password when they ask you to.
Installing an app and running it is giving the app quite a lot of trust, but giving an app admin rights is giving it a LOT of trust – DO NOT DO SO LIGHTLY!
We now know this trick has been in use for some time, perhaps as far back as 2011. The advice to users remains what it always was, and always should be – be careful what you install and run, and be REALLY careful what you give admin access to!
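Because the trick depends on an app having been let into the accessibility list, one practical check on a Mac from this era is to look at who has that access and compare it with the apps you deliberately approved. The script below is an added example (not code from the Ars Technica articles or from the show) that runs that audit. It assumes the system-wide TCC database lives at the path shown, that its `access` table has `service`, `client` and `allowed` columns (true of OS X 10.9 to 10.11, but check with `.schema access` on your own version), and that reading it requires root. The allowlist and the sample rows are constructed placeholders, so the script runs offline against an in-memory copy unless you pass it a real path.

```python
import sqlite3

# Location of the system-wide TCC database on OS X 10.9 to 10.11
# (assumption: verify the path and schema on your own version; reading it needs root).
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
ACCESSIBILITY = "kTCCServiceAccessibility"

# Hypothetical allowlist: bundle IDs you knowingly granted accessibility access.
EXPECTED_CLIENTS = {"com.apple.dt.Xcode", "com.example.text-expander"}


def granted_accessibility_clients(conn):
    """Return the set of clients currently allowed to use the accessibility service.

    Only rows with allowed = 1 count; a client that was prompted and refused
    (or later revoked) stays in the table with allowed = 0.
    """
    rows = conn.execute(
        "SELECT client FROM access WHERE service = ? AND allowed = 1",
        (ACCESSIBILITY,),
    )
    return {client for (client,) in rows}


def unexpected_clients(granted, expected=EXPECTED_CLIENTS):
    """Anything granted that is not on your allowlist deserves a closer look."""
    return sorted(granted - expected)


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db so the audit runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (ACCESSIBILITY, "com.apple.dt.Xcode", 0, 1),            # approved
            (ACCESSIBILITY, "com.example.text-expander", 0, 1),     # approved
            (ACCESSIBILITY, "com.example.revoked-app", 0, 0),       # present, not allowed
            (ACCESSIBILITY, "com.example.placeholder-adware", 0, 1),  # constructed suspect
            ("kTCCServiceAddressBook", "com.example.contacts-sync", 0, 1),  # other service
        ],
    )
    return conn


def audit(db_path=None):
    """Audit a real database when given a path, otherwise the constructed sample."""
    conn = sqlite3.connect(db_path) if db_path else build_sample_db()
    try:
        return unexpected_clients(granted_accessibility_clients(conn))
    finally:
        conn.close()


if __name__ == "__main__":
    # Run as: sudo python3 tcc_audit.py   (then pass TCC_DB to audit() for the real check)
    for client in audit():
        print("unexpected accessibility grant:", client)
```

An unexpected entry is a prompt to investigate, not proof of malware: some legitimate utilities (text expanders, window managers) need accessibility access. The point of the check is that the list should only ever contain things you remember approving with your admin password.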
Links:
- http://arstechnica.com/security/2015/09/sneaky-adware-caught-accessing-users-mac-keychain-without-permission/
- http://arstechnica.com/security/2015/09/attacks-accessing-mac-keychain-without-permission-date-back-to-2011/
Security Light
Important Security Updates:
- Mozilla release Firefox 40.0.3 with important security updates – https://www.us-cert.gov/ncas/current-activity/2015/08/27/Mozilla-Releases-Security-Updates-Firefox-and-Firefox-ESR
- RELATED – Mozilla have revealed that their bug-tracking system was compromised (by an admin re-using a password that had been used on a site that was hacked). The attacker had access to non-public bugs in the bug tracker, and used one of those bugs to attack Firefox users last month – hence the emergency patch at the start of August. All bugs the attacker saw have been patched (as of the most recent update), and Mozilla are changing their security practices around their bug tracker – fewer people will be granted access, and all will need to use 2FA – http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/
Important Security News:
- Another serious Android vulnerability – this time the problem is in remote access software being added by carriers, and an app exploiting the bug has been found in the Play Store – http://arstechnica.com/security/2015/08/major-android-remote-access-vulnerability-is-now-being-exploited/
- Another nail in Flash’s coffin – Google started blocking most Flash by default in Chrome on 1 September – https://nakedsecurity.sophos.com/2015/08/31/google-chrome-will-block-flash-from-tomorrow-well-sort-of/
- Malware affecting JAILBROKEN iPhones stole 225,000 Apple account logins – Jailbreaking is the crippling of security on iOS, if you do it, you are putting yourself at real risk – http://arstechnica.com/security/2015/08/malware-infecting-jailbroken-iphones-stole-225000-apple-account-logins/
- A new DOJ policy requires US law enforcement agencies to get a warrant before using ‘stingrays’ (fake cell towers) – https://nakedsecurity.sophos.com/2015/09/04/us-law-enforcement-now-need-a-warrant-to-use-stingrays/
- RELATED: research shows Stingrays were being used to tackle petty crime – https://nakedsecurity.sophos.com/2015/08/25/stingrays-used-to-track-petty-crime/
- Security researchers found that all 9 of the brands of baby monitor they tested were wide open to attack – the best advice – avoid monitors with internet connectivity – http://arstechnica.com/security/2015/09/9-baby-monitors-wide-open-to-hacks-that-expose-users-most-private-moments/
- Windows 10 spies on your kids by default, then emails the parents a dossier – https://boingboing.net/2015/08/10/windows-10.html & http://wccftech.com/windows-10-spies-on-children/
- RELATED: not all reports about Windows 10 privacy concerns are legitimate – there was a big kerfuffle about MS ‘disabling pirated software’ – simply put, there is no “there” there – https://nakedsecurity.sophos.com/2015/08/25/pirate-sites-ban-windows-10-over-privacy-worries/
- UK authorities arrest six for using the LizardSquad’s DDOS tool (the one that killed gaming services last Christmas) – http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/
- RELATED – the LizardSquad respond by DDOSing the National Crime Agency’s website – https://nakedsecurity.sophos.com/2015/09/01/national-crime-agency-website-ddosed-by-lizard-squad/
- The controversial Wassenaar Arrangement claims another victim – HP pull out of sponsoring Pwn2Own for fear that it may now be illegal to do so – http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-sponsor-amid-new-cyberweapon-restrictions/ (a good explanation of why the software part of the treaty is so controversial – http://www.wired.com/2015/06/arms-control-pact-security-experts-arms/)
- India’s Competition Commission accuses Google of rigging search results – https://nakedsecurity.sophos.com/2015/09/02/google-accused-of-rigging-search-results-by-indias-competition-cops/
- A researcher discovers that NyPost.com seems to be downloading, but not showing, video ads, presumably to generate illegitimate ad revenue, and in the process wasting users’ bandwidth and battery – just another example of how broken our current ad model is, and why Apple are including content filtering in their OSes – https://medium.com/@robleathern/the-mobile-video-ad-lie-938a6de51367
- RELATED SUGGESTED READING: – A very interesting post from Jean-Louis Gassée on the future of web advertising – http://www.mondaynote.com/2015/08/31/life-after-content-blocking/
Notable Breaches:
- New data released by the hacking ring “Impact Team” shows Ashley Madison execs hacked competitors – http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/
- RELATED: The CEO of Ashley Madison’s parent company quits – http://arstechnica.com/tech-policy/2015/08/ceo-of-ashley-madison-parent-company-quits/
- RELATED: Something Ashley Madison got right – they did a good job of hashing passwords – https://nakedsecurity.sophos.com/2015/08/31/what-ashley-madison-got-right/
- RELATED: no matter how well a site protects passwords, if you pick bad passwords, they will be cracked – http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/
- More OPM breach fallout – China & Russia now using the data to weed out spies – http://arstechnica.com/security/2015/08/china-and-russia-cross-referencing-opm-data-other-hacks-to-out-us-spies/
- RELATED – a post from Brian Krebs calls into question the effectiveness of the actions that OPM are taking to protect victims – http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/
Suggested Reading:
- An interesting article explaining why we should expect things to get worse before they get better when it comes to automobile security – http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/
- A great article from Ars Technica – “How security flaws work: the buffer overflow” – http://arstechnica.com/security/2015/08/how-security-flaws-work-the-buffer-overflow/
- An interesting infographic from Intego showing how much your private information is worth on the black market – http://www.intego.com/mac-security-blog/how-much-is-your-privacy-worth-infographic/
- More Windows 7, 8 & 10 privacy worries – http://arstechnica.com/information-technology/2015/08/microsoft-accused-of-adding-spy-features-to-windows-7-8/
- Another HTTPS bug, mainly affecting larger organisations that use dedicated load-balancing devices, allows a long-term adversary to occasionally capture a server’s private key. This is most useful to large actors like national spy agencies, who have the resources and time to watch for this very rare bug – it can’t be triggered on demand, but if you watch long enough it will happen to any site using affected devices – http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-https-sites-to-reveal-their-private-keys/
- A new variant of Android ransomware is using XMPP to communicate with control servers – http://arstechnica.com/security/2015/09/android-ransomware-uses-xmpp-chat-to-call-home-and-claims-its-from-nsa/
- Wikipedia take action against paid-for edits, AKA ‘sock puppet accounts’ – https://nakedsecurity.sophos.com/2015/09/02/wikipedia-blocks-sockpuppet-accounts-amid-blackmail-claims/
- Concerns over new TOR weaknesses prompt some darknet market places to shut down – http://arstechnica.com/security/2015/08/concerns-new-tor-weakness-is-being-exploited-prompt-dark-market-shut-down/
- Reflective Satellites may be the future of high-end encryption – http://arstechnica.com/science/2015/08/reflective-satellites-may-be-the-future-of-high-end-encryption/
Main Topic – The hsxkpasswd command line tool continued
The Perl module powering this command line tool was chosen as module of the month for August 2015 by the editors at Perl Tricks: http://perltricks.com/article/192/2015/9/3/What-s-new-on-CPAN—August-2015
Finishing Part 1: https://www.bartbusschots.ie/s/2015/08/22/using-the-hsxkpasswd-terminal-command-part-1-of-2/
Part 2: https://www.bartbusschots.ie/s/2015/09/06/using-the-hsxkpasswd-terminal-command-part-2-of-2/
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
I don’t mind ads but where the hell is truth in advertising? If a site needs ads the site should vet those ads. How can I trust what a site is posting about if all I’ve the page is “Obama says you don’t have to pay your mortgage” or ” lose 20 lbs in a week while you sit on the couch”. Because of all of these bogus ads I don’t trust any of them. Even if I see something I might like I make sure to search for the item myself. TV too had ads for things that I would consider false advertising but I never seem to hear of any public advocate fighting to protect dumb people from clicking on them or even some smart people doing it and getting viruses.
Allison. Great podcast! I’ve heard you on DTNS many times so finally decided to check out your solo work. I’ve only listened to shows so far but I’m really enjoying your fresh perspective on tech.
The one thing I don’t really understand though is the hassle with HSXKpasswd especially after YOU JUST DID A SEGMENT on password managers??? Every password manager worth its salt already has an integrated, high entropy, highly CONFIGURABLE, password word generator built-in. I know you use 1Password. Personally I use LastPass (online) + Keepass for offline backup, and then because I’m paranoid, I use Viivo to encrypt my Keepass db before syncing to cloud storage (GDrive & DropBox) for yet another online backup. Anyways, all three of these password managers can generate unique 256-bit passwords (OVERKILL) with 2 clicks or less. Why bother with HSXKpasswd? Is it because it’s capable of generating human memorable pass-phrases using a configurable dictionary? If so, I still don’t see the point? The WHOLE POINT of using a password manager in the 1st place is you don’t NEED, or even want, memorable passwords. Passwords, security questions, backing up 2-factor auth QR-code .jpg’s… they can all be stored in a password safe and retrieved with 1 click.
When you take into consideration HSXKpasswd’s .TXT config/pre-set file one must set up and/or the INSANELY complicated terminal commands, which are longer than the actual passwords the tool generates, what is the point? I suppose as a programming exercise in PERL this tool would be great to download and study. But other than that, a normal person wouldn’t use this tool. Could you imagine explaining the merits of HSXKpasswd to the seniors at that computer club meeting? Hell, even I wouldn’t use this tool and I’m an I.T. professional.
@Michelle The reason why sites don’t vet ads is because they CAN’T. The vast majority of small, medium and even large websites obtain ad revenue by subscribing to an “ad network”. They do this by inserting into their website a small snippet of code given to them by each ad network. That code snippet is what loads and rotates the ads you see. That code is essentially a black-box to the website operator… they have little to no control over what ads are displayed and how (you might be given general control over ad content.. ie.. no adult ads, but not much more). Unless you’re a very unique website like the TWiT network who has a dedicated sales team, then your mom-&-pop website’s ONLY ad revenue option is to employ the “black-box” approach…. and even in TWiT’s case they probably get less than 5% of their revenue from their 2 (TWO) static website ads. TWiT makes ALL of its $$$ (literally MILLIONS & MILLIONS per yr) from testimonial commercial breaks DURING their podcasts.
EP – glad you found the show, and thanks for the detailed question. I think we forget that some people haven’t been listening for the first decade of the show. Bart built this originally as a web interface at http://xkpasswd.net. This is for normal people to be able to choose strong, memorable passwords with a UI that lets them choose how many words, how much padding, what kind of characters to use, etc.
It’s based on a combination of the xkcd cartoon that talks about passwords being good if you can pick four random words that you DIDN’T make up. Normally the problem with memorable passwords is that you made them up which means they’re logical and guessable. With Bart’s tool, it’s choosing the words for you so they don’t make ANY sense but they are memorable.
The other piece is from Steve Gibson’s Password Haystacks theory that the longer you make a password even just by padding it will give you a password that won’t be broken in a gazillion years.
What he’s been doing lately is making this into a tool you can use from the command line which is cool and I agree with you that this would not be something for the masses. He did teach me a while back how to make a Service which I use constantly to create my passwords.
I’ve used the built-in password generators of both LastPass and 1Password but I cannot type them easily when I do need to so I use xkpasswd to create them and immediately store them in my password manager.
I’m trying to find the episode where Bart explained the maths behind xkpasswd – you’d love it!
EP – a couple of points:
1) I have found that while I do keep all my passwords in a vault, I still have to type them relatively often when I’m on devices that are not mine. My iPhone is always with me, so it knows my passwords, but I have to read them from the iPhone screen and type them into the computer. HSXKPasswds are a lot easier to do that with than pure random passwords
2) I often have to set passwords on encrypted archives that I then have to email to people and tell them the password over the phone – again, HSXKPasswd passwords are much easier to work with in that situation than random gibberish
3) the terminal stuff is only for those who WANT to play with it. It’s not meant for muggles! http://www.xkpasswd.net is for muggles.
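Allison’s reply above describes the two ideas behind xkpasswd (randomly chosen dictionary words you didn’t pick yourself, plus Steve Gibson’s “haystack” padding), and Bart’s reply explains why the result is easier to read out over the phone than random gibberish. The script below is an added example written for these notes, not Bart’s Perl module or any code from xkpasswd.net. It builds a passphrase from a constructed ten-word list using a hypothetical preset (four alternating-case words, a separator, two digits and two padding symbols on each side) and then works out the entropy two ways: against an attacker who knows the word list and the layout exactly, and against one who knows only the alphabet and has to brute-force every character. The word list, the preset and the two entropy formulas are my own simplifications of the published maths.

```python
import math
import secrets
import string

# Constructed word list standing in for the tool's dictionary (not the real one).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "cloud", "river",
    "maple", "orbit", "window", "candle",
]

# Hypothetical preset in the spirit of the tool's config files: word count,
# separator, digit padding and symbol padding on each side.
DEFAULT_CONFIG = {
    "num_words": 4,
    "separator": "-",
    "digits_before": 2,
    "digits_after": 2,
    "padding_char": "!",
    "padding_before": 2,
    "padding_after": 2,
}


def generate(words=SAMPLE_WORDS, config=DEFAULT_CONFIG, rng=None):
    """Build one passphrase: random words from the list, alternating case, padded.

    Example shape with the default preset: !!12-correct-HORSE-battery-STAPLE-34!!
    """
    rng = rng or secrets.SystemRandom()  # CSPRNG by default; injectable for tests

    def digits(n):
        return "".join(rng.choice(string.digits) for _ in range(n))

    chosen = [rng.choice(words) for _ in range(config["num_words"])]
    # Alternate lower/UPPER so the words stay readable when dictated.
    cased = [w.upper() if i % 2 else w.lower() for i, w in enumerate(chosen)]
    parts = [digits(config["digits_before"])] + cased + [digits(config["digits_after"])]
    core = config["separator"].join(p for p in parts if p)  # skip empty digit groups
    pad = config["padding_char"]
    return pad * config["padding_before"] + core + pad * config["padding_after"]


def full_knowledge_entropy(dict_size, config=DEFAULT_CONFIG):
    """Bits of entropy if the attacker knows the word list and the exact layout.

    Only the random choices count: which words and which digits. The alternating
    case, the separator and the padding are fixed by the preset and add nothing.
    """
    word_bits = config["num_words"] * math.log2(dict_size)
    digit_bits = (config["digits_before"] + config["digits_after"]) * math.log2(10)
    return word_bits + digit_bits


def blind_entropy(password):
    """Bits a brute-force attacker faces if they know only the alphabet in use.

    This is the 'haystack' view: every extra character, padding included,
    multiplies the search space regardless of how it was chosen.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    alphabet += len({c for c in password if not c.isalnum()})
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    pw = generate()
    print(pw)
    print("full-knowledge entropy: %.1f bits" % full_knowledge_entropy(len(SAMPLE_WORDS)))
    print("blind entropy:          %.1f bits" % blind_entropy(pw))
```

With a ten-word list the full-knowledge figure is tiny (just under 27 bits), which is why the real tool ships a dictionary of thousands of words: the first formula grows with the logarithm of the dictionary size and the number of words, and nothing else. The blind figure, by contrast, rewards every character of padding, which is the haystack argument Allison mentions. A defender should plan around the smaller of the two numbers.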