It’s Christmas Day but there’s a fresh NosillaCast anyway – no best of show for us. Allister Jenks joins us to talk about the photo manipulation app Primitive for Mac from primitive.lol/…. I’ll tell you the tragic story of how Melissa lost her father’s voicemails and our joint discovery of how to get them back. I’ll give you my review of the Apple AirPods and we’ll talk about whether Bluetooth on them is fiddly, how they fit, and usability with Siri. Steve will jump in to talk about music playback quality (since that’s not my strong suit). Rush Sherman tells us about how he and I worked out a way to help him support the podcast through Patreon at a price his family could afford. Bart Busschots joins us for Security Bits.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday December 25, 2016 and this is show number 607. Merry Christmas, Happy Hanukkah, Happy Kwanzaa and if none of those fit, Happy Festivus. We took a break from Chit Chat Across the Pond this week, but the NosillaCast hasn’t missed a show in so long we just had to keep the chain of happiness going. We won’t take a break next week either so Steve and I will even be hosting the live show on Sunday night of New Years Day. That’s not New Year’s Eve, because that would just be silly. Or drunk. In any case, come on over and hang out with whatever friendly and enthusiastic NosillaCastaways are still standing on January 1st at 5pm Pacific to welcome in 2017 at podfeet.com/live.
We’ve got a surprising amount of content for a holiday week so we’d better kick in. Let’s start with another great review from our good friend Allister Jenks.
Blog Posts
Transform Your Photos with Primitive – Guest Post by Allister Jenks
Melissa’s Lost Voicemails, AKA Why I Do the Podcast
Apple AirPods – Bluetooth With Less Fiddling?
Patreon
This podcast is supported by people like you pledging your hard-earned dollars and cents through Patreon. I’ve been saying on the show that you can contribute a quarter, a dollar, a hundred dollars a show, whatever you can afford. But this week Rush Sherman wrote a post in our Google Plus community (podfeet.com/googleplus) where he explained that the lowest option was to pledge $1 per week.
I knew that I have some patrons who pledge $0.25, and I know I pledge $0.25 to some podcasts. I dashed over to Patreon and did some digging. Rush sent in a recording after we worked on a solution.
I found that if you accept the minimum pledge of $1/week, you can then immediately go in and change a setting to give a monthly maximum. This allowed Rush to set the max to $1/month which equates to $0.23 per show, exactly what his family could afford.
Thank you so much Rush for letting me know about the problem and working with me on the solution. This is so great it practically qualifies as a dumb question. I’m sure that you helped others who had maybe considered sponsoring some shows but couldn’t see pledging so much. Your kind words are very much appreciated. Some content creators gripe about the monthly limit because it gets spread across all of the podcasts that you pledge to support, but I think it’s terrific. It does make the funding a bit less predictable for the content creators but I don’t think this system would work at all if you couldn’t control your own spending levels. I say good onya Patreon.
Security Bits
Followups
- Apple have added calendar spam filtering features to iCloud.com (coming to native apps soon) – www.macobserver.com/…
- Links related to the Mega Yahoo Breach
- Yahoo reports massive data breach involving 1 billion accounts – www.computerworld.com/…
- Yahoo: One Billion More Accounts Hacked – krebsonsecurity.com/…
- Yahoo admits it’s been hacked again, and 1 billion accounts were exposed – arstechnica.com/…
- How to delete your Yahoo! data and shut down your account – www.imore.com/…
- My Yahoo Account Was Hacked! Now What? – krebsonsecurity.com/…
- What can you do with a billion Yahoo passwords? Lots of bad things – arstechnica.com/…
- Yahoo breach: your account is selling for pennies on the dark web – nakedsecurity.sophos.com/…
- Small corrections from the ‘seat of the pants’ MD5 conversation from last week
- You can salt with MD5 using string concatenation before hashing (take the password, append the salt, then hash the result)
- You can ratchet all your existing hashes instantly by hashing the stored MD5 hash with a better algorithm like SHA256 – this needs only the stored hash, not the password, so every record can be upgraded in one pass. The caveat is that SHA256 is as fast as MD5, so the wrap protects against MD5’s own weaknesses but does not slow down brute-forcing; a slow password hash (bcrypt, scrypt, Argon2) is the better outer layer, and the record should be re-hashed from the plaintext at the user’s next successful login so the MD5 layer can eventually be dropped
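The two corrections above as working code: salted MD5 by concatenation, and the in-place ratchet that wraps each stored MD5 digest in SHA256 without knowing the password. This is an added example, not code from the show or from any of the linked articles; the record layout (a `scheme` tag alongside the salt and hash) and the scheme names are my own assumption, chosen so that old and upgraded records can be verified by the same function.

```python
import hashlib
import hmac
import os

# Legacy scheme from the conversation: md5(password || salt), stored as hex.
def legacy_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(password.encode("utf-8") + salt).hexdigest()

# The ratchet: wrap the stored MD5 hex digest in SHA-256. It needs only the
# stored hash, so every record in the database can be upgraded at once.
def ratchet(md5_hex: str) -> str:
    return hashlib.sha256(md5_hex.encode("ascii")).hexdigest()

# Record layout is an assumption for this example: the "scheme" tag tells
# verify() which layers to apply. Salt comes from the OS CSPRNG.
def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "md5", "salt": salt, "hash": legacy_md5(password, salt)}

# One-pass upgrade of a legacy record; records already upgraded are returned unchanged.
def upgrade_record(rec: dict) -> dict:
    if rec["scheme"] != "md5":
        return rec
    return {"scheme": "sha256(md5)", "salt": rec["salt"], "hash": ratchet(rec["hash"])}

# Verification recomputes the same layers from the candidate password and
# compares in constant time, so old and upgraded records both keep working.
def verify(rec: dict, password: str) -> bool:
    candidate = legacy_md5(password, rec["salt"])
    if rec["scheme"] == "sha256(md5)":
        candidate = ratchet(candidate)
    elif rec["scheme"] != "md5":
        raise ValueError("unknown hash scheme: " + rec["scheme"])
    return hmac.compare_digest(candidate, rec["hash"])

if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    upgraded = upgrade_record(rec)
    print(rec["scheme"], verify(rec, "correct horse battery staple"))
    print(upgraded["scheme"], verify(upgraded, "correct horse battery staple"))
```

Because the outer SHA256 layer is just as fast as MD5, the same structure is what you would use with a slow password hash as the outer layer; only `ratchet()` and the scheme name change, and a successful `verify()` is the natural point to re-hash from the plaintext and drop the MD5 layer.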
Security Medium – A Major Bug Found in Netgear Routers
A nasty bug has been found that allows an attacker to execute arbitrary commands on affected routers as root. Exploitation is trivially easy: you append the command you want to run to the end of a URL, remembering to URL-encode the spaces. The bug is in the admin web interface, which is only reachable from the LAN side by default, but that is no real protection, because JavaScript on any web page you visit can make your browser send that request to the router’s LAN address on the attacker’s behalf. Basically, visit a malicious website, and without you having to do anything more, your router could be taken over.
Netgear are working on firmware updates for affected routers, but in the meantime US-CERT actually recommend turning off affected routers. If you have an affected router, at the very least check your exact model number against Netgear’s list, keep a close eye on Netgear’s site, and update your firmware as soon as a fix is released for your model of router.
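The two properties described above, a shell command smuggled into a URL with encoded spaces and a request triggered from a page on the open internet, are both visible in the web server’s access log if the device keeps one. Here is an added example of the detection logic (not code from the show, from Netgear, or from any of the linked articles) run over constructed sample log lines in Apache combined format. The `/cgi-bin/` path, the router address 192.168.1.1, and the log format itself are assumptions for the example; the same check applies to any embedded admin interface whose logs you can collect.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not real router logs). Line 2 carries an injected
# command with a %20-encoded space and a Referer from an outside site, i.e. the
# "visit a website" path; line 3 is the same injection sent directly with no Referer.
SAMPLE_LOG = """\
192.168.1.10 - - [11/Dec/2016:20:01:02 +0000] "GET /start.htm HTTP/1.1" 200 512 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.10 - - [11/Dec/2016:20:01:09 +0000] "GET /cgi-bin/;id%20-u HTTP/1.1" 200 0 "http://evil.example/" "Mozilla/5.0"
192.168.1.12 - - [11/Dec/2016:20:02:44 +0000] "GET /cgi-bin/;reboot HTTP/1.1" 200 0 "-" "curl/7.51.0"
192.168.1.10 - - [11/Dec/2016:20:03:15 +0000] "GET /images/logo.png HTTP/1.1" 200 8192 "http://192.168.1.1/start.htm" "Mozilla/5.0"
"""

# Apache "combined" log format: client, identd, user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Characters a shell would treat as a command separator or substitution. $IFS is
# included because it is the usual substitute for a space when spaces are filtered.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\$IFS")


def scan(log_text: str, router_hosts=("192.168.1.1",)) -> list:
    """Return [(line_no, client, [reasons])] for lines that look like command injection
    against the admin interface or were referred from outside the router itself."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        # Decode first: the attack encodes spaces, and a filter on the raw path would miss it.
        decoded = unquote(m["path"])
        if SHELL_META.search(decoded):
            reasons.append("shell metacharacters in decoded path: " + decoded)
        referer = m["referer"]
        if referer not in ("", "-") and urlsplit(referer).hostname not in router_hosts:
            reasons.append("request referred from outside the router: " + referer)
        if reasons:
            findings.append((line_no, m["src"], reasons))
    return findings


if __name__ == "__main__":
    for line_no, client, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no} from {client}:")
        for reason in reasons:
            print("  -", reason)
```

The Referer signal is only a hint: browsers can omit it and tools like curl never send one (line 3), so the metacharacter check on the decoded path is the one that covers both delivery routes. Neither check is a substitute for the firmware fix; they tell you whether the attack has already been attempted against a device you could not yet patch.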
Links:
- Netgear routers have gaping remote access hole – nakedsecurity.sophos.com/…
- Stop using Netgear routers with unpatched security bug, experts warn – arstechnica.com/…
- Netgear router remote control bug – what you need to know – nakedsecurity.sophos.com/…
- kb.netgear.com/…
Important Security Updates
- Apple releases security updates for macOS Sierra and OS X Yosemite & El Capitan – nakedsecurity.sophos.com/…
- Apple release iOS 10.2 – support.apple.com/…
- Fixes the Find My iPhone bug mentioned in the previous Security Bits – nakedsecurity.sophos.com/…
- Apple release tvOS 10.1 – support.apple.com/…
- Apple release watchOS 3.1.1, then revoke it after it ‘bricks’ some watches – arstechnica.com/…
- Apple release iTunes 12.5.4 including security fixes for iTunes users on Windows – www.macobserver.com/…
- Microsoft and Adobe released critical patches on Patch Tuesday – krebsonsecurity.com/…
Important Security News
- Covert downloaders found preinstalled on dozens of low-cost Android phone models – arstechnica.com/…
- Popcorn Time ransomware changes the game – if you infect at least two other people you get your data back for free – nakedsecurity.sophos.com/…
- The European Commission will update their rules to ensure that apps like Skype and WhatsApp have to abide by the same privacy rules as regular Telcos – nakedsecurity.sophos.com/…
- Microsoft will make it easier to wean yourself off Flash – future versions of Edge will allow you to control Flash more granularly instead of just “on” or “off” – nakedsecurity.sophos.com/…
- A judge in Florida has ordered a defendant to reveal his passcode – this is a dramatic departure, so it seems likely this case is heading for the US Supreme Court – www.bbc.com/…
- Evernote backs down – will not implement their controversial proposed new privacy policy – news.fastcompany.com/…
- Germany threatens to fine Facebook €500K for each fake news post – qz.com/…
- IBM study finds that 46% of executives encountered ransomware, and of those, 70% paid to get data back. IBM estimate that ransomware payments are heading for $1Bn a year – nakedsecurity.sophos.com/…
Notable Breaches
- Hacked cheating site Ashley Madison settles with the US FTC and will pay $1.6M for failing to protect account data and for not actually deleting the accounts of those who paid a $19 fee to have them deleted. The actual settlement was for $17.5M, but due to ‘inability to pay’ they will only pay $1.6M – arstechnica.com/…
Suggested Reading
- Did the Russians “hack” the election? A look at the established facts – arstechnica.com/…
- RELATED – beware the potential damage a single typo can do – nakedsecurity.sophos.com/…
- EU cybersecurity policy body ENISA warns that backdoors ‘punish the wrong people’ – nakedsecurity.sophos.com/…
- Uber said it protects you from spying. Security sources say otherwise – www.revealnews.org/…
- Zero-day exploit against Fedora and Ubuntu published – arstechnica.com/…
- Authorities in the US and Europe target users of ‘booter’ services – krebsonsecurity.com/…
- The EU accuses Facebook of misleading it in WhatsApp take-over probe – www.reuters.com/…
A Palate Cleanser
How The 404 Error Created The World Wide Web – www.popularmechanics.com/…
You heard me say during the segment on the vulnerability in Netgear routers that I wrote to them asking whether R8000 is the same as R8XXX. The distinction was important to me because they said that the R8000 was vulnerable and now has a fix, but I have an R8500. The good news is that shortly after Bart and I recorded, Netgear’s security team finally wrote back to me, and the even better news was that the R8500 was not affected. When they use zeros, I guess they really mean zeros.
The bad news is that they took 9 days to answer me when the vulnerability was a critical one and was being actively exploited. I’m one of the few folks around who actually could have turned that router off and worked off of my second router till it got fixed. I’m glad I’m safe but I’ll have to give them a C+ on their speed of response. I know they had their hands full and I’m sure it was a rough week for them but it was a pretty easy question!
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
Great article you shared with us.
Hello,
My name is Ivana Balentic and while going through your website I saw you mentioned our friends at Popular Mechanics (https://www.podfeet.com/blog/2016/12/nc-607/).
I’m curious is it possible to sponsor the mention of my blog?
All the best,
Ivana Balentic