In Chit Chat Across the Pond Bart and I actually did a video episode where he showed his screen while he solved some of the JavaScript challenges he gave us in Programming By Stealth. Check that out at podfeet.com/…. We’ve got a “Dumb Question” from Dorothy asking how to extract images from Live Photos, and I’ll tell you about an amazing, free online diagramming and flowchart tool from draw.io. Germany is winning in the Amazon Affiliate Links game so find your country’s link at podfeet.com/funwithflags. Bart Busschots is back with another edition of Security Bits.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday August 7, 2016 and this is show number 587.
Chit Chat Across the Pond – Now in Video!
This week on Chit Chat Across the Pond, Bart and I did something really cool. As you know he’s been teaching us JavaScript in Programming By Stealth. Each week we go through his lessons and he shows us the code examples. Four weeks ago he put together some challenges for us, and I made it through the first four of five. He thought it might be cool to have him demo on video how he would solve the challenges, building them up in front of our eyes and ears.
I thought it would be mean to suddenly without warning jam a giant video file into everyone’s feed, so we sent the audio to the feed and posted the video on podfeet.com with the regular shownotes.
We needed to make sure you could actually read the text he was typing, which is a bigger challenge than just a talking head show. I put my screen at 1280×720, and Bart set his as close as he could to 1280×720 resolution on his MacBook Pro (you can’t force a specific resolution without third party tools like SwitchResX). We had him go close to full screen with a browser window but pulled it up just a smidge from the bottom because the difference in resolution would get it partially cut off.
Now to record the video AND audio. I use Audio Hijack to tune our sound for the audio podcast and Loopback to pipe into Skype for our calls. My plan was to use the awesome screencasting software Screenflow to record the video and audio. In ScreenFlow I can set the audio recording to the output from Audio Hijack, and tell ScreenFlow which screen to record. We ran a test, and for some reason I have yet to figure out, as soon as I started to record on ScreenFlow, I could no longer hear Bart or monitor my own sound.
ScreenFlow got us both perfectly but it would be just a bit hard for us to converse when I couldn’t hear. I have written to the Audio Hijack folks at Rogue Amoeba to see if they can figure out why this happened. They’re super responsive, and I’m sure they’ll get back to me to explain what I might have been doing wrong. I should contact Telestream for the ScreenFlow end but their support isn’t always great and their heads might explode with how I use Audio Hijack and Loopback to pipe audio.
But Bart and I weren’t foiled yet. We both have copies of Ecamm Software’s Call Recorder for Skype. Neither of us had ever used it for video but we had both used it for audio. Bart and I both fired it up, fiddled with a setting or two, and it worked flawlessly! The audio piped perfectly from Audio Hijack into Call Recorder and the screen resolution looked fabulous!
Steve is the official video producer for podfeet.com, so he was tasked with making this go after the raw video was captured. We knew we wanted the Chit Chat Across the Pond logo at the front end, with the Chit Chat Across the Pond music, but I also wanted Bart’s adorable logo for Programming By Stealth in the intro. Steve fired up Fotomagico 5, and created an awesome animation where the Chit Chat Across the Pond logo zooms in and the little Programming By Stealth logo swirls into place tucked right under the podfeet. It’s adorable!
So, thanks to Steve and Bart and all the cool tools available today, we have actually produced a video teaching programming! Go check it out at podfeet.com/ CCATP Episode 449.
Blog Posts
Dumb Question – How to Extract a Different Image From a Live Photo
Free draw.io Instead of OmniGraffle for Diagramming
Amazon Affiliate Links
A while back, due to popular demand, I figured out how to start adding other countries to the Amazon Affiliate Links. It’s a bit of a pain because I have to set up each country separately, and each one pays separately, and they have the audacity to have their websites in their own language, and they pay me by a physical check in the paper mail! How weird is that? Because of that I set limits on how often to send me checks.
Anyway, this week I got the first foreign check – and the winner is Germany! Clause Wolfe claims he did it single handedly but I suspect some other fine German NosillaCastaways helped out and for that I thank all of you!
I had a mistake in the code for Canada so we just got that fixed. England is coming on strong too.
So if you’re shopping for back to school, or you need some barbecue supplies for Labor day weekend or you just need a new pair of socks, consider going to podfeet.com and clicking on the Fun with Flags link on the big Amazon logo to start your purchasing to send a small percentage to the show. Now, does anyone know where I can cash a check in the US that came in Euro?
Security Bits with Bart Busschots
Important Security Updates
- LastPass have pushed security updates to address remote code execution bugs – blog.lastpass.com/…
- Telegram for OS X has been updated to fix a bug where anything pasted into the app was written to a log file (editorial by Bart: IMO, the most worrying thing about this bug is the way Telegram reacted – they were angry and didn't seem to see it as a problem) – arstechnica.com/…
- RELATED – Telegram's use of SMS for activation may have exposed journalists and activists, because there are many known vulnerabilities in the whole cell phone system – nakedsecurity.sophos.com/…
- Apple releases a security fix for iOS that plugs a vulnerability being used by the Pangu jailbreak – www.macobserver.com/…
Important Security News
- Security Researchers find a flaw in how the WPAD (Windows Proxy Auto Detect) protocol works – if any device (not just Windows PC) has proxy auto-discovery enabled, a malicious network owner can partially breach HTTPS protections, exposing the URLs users are visiting – this is worse than it sounds because some authentication protocols rely on secret URLs, as do many cloud sharing services – arstechnica.com/…
- More signs that the ransomware 'business' is descending into chaos – the keys to the Chimera ransomware are leaked, apparently by a rival ransomware gang – arstechnica.com/…
- Europol, the Dutch police, Intel Security & Kaspersky Labs have collaborated to create a website to help ransomware victims get their data back: www.nomoreransom.org – www.washingtonpost.com/…
- A report claims that more than half of UK firms have been hit by ransomware – arstechnica.com/…
- Security researchers find that the vast majority of non-BlueTooth wireless keyboards are broadcasting their keystrokes over the air with little or no security (editorial by Bart: if your keyboard is not Bluetooth, it's probably time to replace it – you type passwords and other sensitive data far too frequently for this kind of insecurity to be OK) – www.theatlantic.com/… & nakedsecurity.sophos.com/…
- Motorola confirms they will not commit to monthly security patches (Editorial by Bart: IMO that is not acceptable, if I were an Android user, I would boycott Motorola over this) – arstechnica.com/…
- Security researcher Jonathan Zdziarski finds that the iOS version of WhatsApp does not properly delete messages, leaving them hanging around inside an SQLite DB file which gets included in backups, including those to iCloud – nakedsecurity.sophos.com/…
- The US Social Security Administration now requires 2FA, but, you need to register to protect yourself, or the crooks can still register as you and start stealing your benefits – krebsonsecurity.com/…
- Security researchers use honey onions to find 110 malicious TOR exit nodes (about 3% of exit nodes) – nakedsecurity.sophos.com/…
- US FTC Chief Technologist reminds us that forcing people to change their passwords often makes them LESS secure, not more! Why? Because when forced to change passwords regularly, humans invariably develop an algorithm for transforming their passwords, and as we already know, humans are very predictable, and research shows that these passwords are more crackable because of that – arstechnica.com/…
- Sophos warns that ransomware is starting to abuse Windows shortcut files (.LNK files) in email attachments to deliver their malware – an LNK file can have any name and any icon, and point to any file at all, so, a link to cmd.exe could look like an innocent PDF document – nakedsecurity.sophos.com/…
- Facebook plans to down-rate clickbait headlines (Editorial by Bart: the award for the best headline of the week goes to this story!) – nakedsecurity.sophos.com/…
- A new technique named HEIST makes previously difficult to execute HTTPS attacks easier. Website owners need to be sure their servers are properly configured to protect against the existing BREACH and CRIME HTTPS attacks (editorial by Bart: you can test sites you use and sites you run using the free security test from SSL Labs: www.ssllabs.com/…) – arstechnica.com/…
- Apple users beware – thieves are starting to use phishing attacks to try to get victims' iCloud usernames and passwords so they can activate the devices they have stolen – www.macobserver.com/…
- Intego are warning of a very aggressive active phishing campaign targeting Apple users' iCloud login details – be extra vigilant! – www.intego.com/…
- Apple launches a limited, but very generously paying, bug bounty program – www.reuters.com/…, www.imore.com/… & securosis.com/…
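The FTC item above says forced rotations push people towards predictable transformations of their old password (Summer2016 becomes Summer2017, a trailing "1" becomes "2"). The check below is an added example of how a password-change policy can catch exactly that; it is not code from the show, from Bart, or from the FTC. It strips the "decoration" (case, trailing digits, punctuation, common letter-for-digit swaps) to get at the core a person is likely to keep, then compares that core against the user's previous passwords. The stem rules and the two-edit threshold are assumptions chosen for the example, not a published standard.

```python
import re

# Common letter-for-digit/symbol swaps people use to satisfy complexity rules (assumption).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Reduce a password to the core a human is likely to keep across forced rotations.

    Lower-cases, drops leading/trailing punctuation and digit runs (Summer2016! -> summer),
    undoes simple leet swaps (P@ssw0rd -> password) and removes any remaining separators.
    """
    s = password.strip().lower()
    s = re.sub(r"^[^a-z0-9]+", "", s)   # leading punctuation
    s = re.sub(r"[^a-z0-9]+$", "", s)   # trailing punctuation
    s = re.sub(r"\d+$", "", s)          # trailing digit run (the classic "increment" rotation)
    s = re.sub(r"^\d+", "", s)          # leading digit run
    s = s.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)  # spaces, hyphens, anything else


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough not to need a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_edits: int = 2):
    """Return (True, reason) when `new` is a predictable transformation of `old`."""
    so, sn = stem(old), stem(new)
    if not sn:
        return True, "nothing left after stripping decoration"
    if sn == so:
        return True, "same core, only decoration changed"
    if sn == so[::-1]:
        return True, "reversed core"
    if len(sn) >= 4 and (sn in so or so in sn):
        return True, "core is a substring"
    if edit_distance(so, sn) <= max_edits:
        return True, f"core within {max_edits} edits"
    return False, "ok"


def check_against_history(new: str, history):
    """Accept `new` only if it is not a predictable tweak of any password in `history`."""
    for old in history:
        hit, why = is_predictable_change(old, new)
        if hit:
            return False, why
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history, not real credentials.
    history = ["Summer2016!", "P@ssw0rd1"]
    for candidate in ["Summer2017!", "drowssaP2", "MySummer2016", "correct horse battery"]:
        print(candidate, "->", check_against_history(candidate, history))
```

The point of stemming before comparing, rather than comparing raw strings, is that the raw strings of "Summer2016!" and "Summer2017!" already differ, which is why a naive "must not equal the old password" rule is satisfied by exactly the rotations the FTC warns about.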
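Because an LNK file can carry any name and any icon, as the Sophos item above says, an attachment filter that only looks at the file extension is easy to get past. The triage below is an added example, not code from the show or from Sophos: it recognises a Windows shortcut by its fixed on-disk header (a 0x4C header size followed by the Shell Link CLSID 00021401-0000-0000-C000-000000000046) regardless of the name, flags document-looking double extensions such as invoice.pdf.lnk, and does a crude ASCII/UTF-16LE search for interpreter names like cmd.exe in the body. The sample attachments are constructed, and the interpreter list and the "block" decision are assumptions for the example.

```python
import re

# MS-SHLLINK header: HeaderSize 0x0000004C (little-endian) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# A document-looking name with a trailing .lnk is a classic lure shape.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.lnk$", re.IGNORECASE)

# Interpreters a malicious shortcut commonly points at (heuristic list, an assumption).
SUSPECT_TARGETS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")


def is_lnk(data: bytes) -> bool:
    """True if the bytes carry the Shell Link header, whatever the file is called."""
    return data.startswith(LNK_MAGIC)


def suspect_targets(data: bytes):
    """Names from SUSPECT_TARGETS found in the body, in ASCII or UTF-16LE (LNK strings are often UTF-16)."""
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, which is what we want
    return [t for t in SUSPECT_TARGETS
            if t.encode("ascii") in lowered or t.encode("utf-16-le") in lowered]


def triage(name: str, data: bytes) -> dict:
    """Decide whether an attachment should be held, with the reasons, from name and content."""
    reasons = []
    lnk = is_lnk(data)
    if lnk:
        reasons.append("Shell Link header present")
        if not name.lower().endswith(".lnk"):
            reasons.append("LNK content behind a non-.lnk name")
        for t in suspect_targets(data):
            reasons.append(f"references {t}")
    if DOUBLE_EXT.search(name):
        reasons.append("document extension followed by .lnk")
    elif name.lower().endswith(".lnk"):
        reasons.append(".lnk attachment")
    return {"name": name, "is_lnk": lnk,
            "block": lnk or name.lower().endswith(".lnk"), "reasons": reasons}


# Constructed sample attachments: a real-looking PDF header, a double-extension LNK whose
# body points at cmd.exe, and LNK bytes hiding behind an image name.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "invoice.pdf.lnk": LNK_MAGIC + bytes(60)
                       + "C:\\Windows\\System32\\cmd.exe /c start".encode("utf-16-le"),
    "holiday.jpg": LNK_MAGIC + bytes(60) + b"C:\\Windows\\System32\\mshta.exe",
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in triage_all().values():
        print(result["name"], "BLOCK" if result["block"] else "allow", result["reasons"])
```

Checking the header rather than the extension is the part that matters: the lure in the story works precisely because the name and icon say "PDF" while the bytes say "shortcut". The interpreter search is only a hint, since a shortcut can point at a legitimate program just as easily; the header check is what justifies holding the file.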
Notable Breaches
- Brian Krebs is reporting that Kimpton Hotels has suffered a credit card breach – krebsonsecurity.com/…
- Disney's Playdom games forum has been breached, and usernames and passwords leaked (apparently they were not hashed) – nakedsecurity.sophos.com/…
- The popular 3rd-party predictive keyboard SwiftKey has suspended its sync service after it started to mix up people's accounts, accidentally leaking often sensitive information – an update is promised soon – nakedsecurity.sophos.com/…
- A hacker claims to have breached Yahoo and stolen 200 million poorly hashed passwords (MD5) – arstechnica.com/…
Suggested Reading
- A nice tutorial on how to get started with LastPass from Naked Security – nakedsecurity.sophos.com/…
- 1Password have released a new individual subscription offering to complement their existing offerings for teams and families – blog.agilebits.com/…
- A new website outlines the tricks malicious UX designers use to trick people into unwanted purchases on the web – darkpatterns.org/…
- US voters should probably be aware that it appears that Russian hackers are attempting to influence this year's presidential election – the hacks are partisan, and focusing only on the Democrats – be aware that this information contains a strong bias – things could well be even worse on the Republican side, but that their secrets are remaining secret – arstechnica.com/…, arstechnica.com/…, arstechnica.com/…, arstechnica.com/…, arstechnica.com/…, arstechnica.com/… & arstechnica.com/…
- A scary story of how Find My iPhone's lack of 2FA almost lost a security researcher their entire digital life – arstechnica.com/…
- Police in the US ask security researchers to create a fake finger to unlock a murder victim's phone – www.theguardian.com/…
- A security blunder could have exposed all Vine users, but appears not to have been exploited – nakedsecurity.sophos.com/…
- A US judge has ruled that BitCoin is not really money (Editorial by Bart: this is actually a good thing for BitCoin) – nakedsecurity.sophos.com/…
- BitCoin value plummets as $77M worth of BitCoins are stolen from a Hong Kong exchange – arstechnica.com/…
- Charlie Miller & Chris Valasek return to hacking Jeeps – this time, using direct physical access to turn the steering wheel 90 degrees – nakedsecurity.sophos.com/…
Palate Cleansers
- the Sysadmin flowchart (to celebrate Sysadmin day) – nakedsecurity.sophos.com/…
- An Illustrated Celebration of Trailblazing Women in Science – www.brainpickings.org/…
- The Mega Processor – a massively scaled up computer that reveals the normally hidden internals of a computer at the human scale – www.megaprocessor.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community and our Facebook group at podfeet.com/facebook. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.