In this week’s show I tell the long harrowing story of how I did a computer animation in the early 1980s and how hard it was using the tech of the day, I’ll answer a dumb question about how the payments work for Amazon Affiliate Links, and Bart Busschots is back with Security Bits where he’ll tell us whether to light our hair on fire about the breach at Cloudflare, how Google produced a collision in SHA1 and why that matters, along with important security news, notable breaches (yes, Yahoo again) and why you shouldn’t use IE or Edge on Windows until they fix the known zero day bug.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday March 5, 2017 and this is show number 617.
Well Steve and I are about to go off on one of our wild travel adventures. This time we’re going to the Galapagos Islands off of the coast of Ecuador and then to Peru to see the 15th century Inca city of Machu Picchu. We’ll be gone for two weeks, and I’m just guessing here, but I don’t think we’ll have a good level of Internet access either out on a boat over 500 miles away from the mainland or while hiking the Incan trail. I shouldn’t oversell the hiking part – we’re not doing the week long trek that crazy people do, we’ll be hiking for a grand total of 4 hours, but it starts at over 8000 feet, and then we climb 2000 feet in just 2 miles. As good of shape as we’re in, we suspect this will be really challenging. We’re really looking forward to this trip but I’m afraid we’ll be off the air for those two weeks.
But the NosillaCast hasn’t missed a show in 11 years, so you won’t be left with radio silence. Bart Busschots and Allister Jenks have agreed to host the show in our absence. I know you’ll be in good hands based on all the times they’ve done this for us in the past. They’re some of MY favorite shows! I don’t know if they’ll be doing Chit Chat Across the Pond or not, but that could happen too.
I’ll do a live show on the 12th, but the following show will have to come out REALLY early on Thursday the 16th so we won’t have a live show that weekend, or for either of the shows while the guys are in charge. We’ll resume our regularly scheduled live show back on April 9th. I know that’s a long time, but remember you can always meet up in the chat room at the regular time even if I’m not doing the show. Heck, you guys don’t listen to me that much anyway. I know Mark never listens. Anyway, I’ve updated the NosillaCast calendar so if you’re subscribed you’ll be able to see when the live show stops and resumes. If you’re not subscribed, there are instructions over at podfeet.com/live.
If you’ve been thinking of sending in an audio review, now would be a perfect time for it. The guys would REALLY appreciate some help on this. I’m asking a lot of them to do this so it would mean a lot to me to have you guys help them out. I’m looking at you, Terry.
Chit Chat Across the Pond
This week’s Chit Chat Across the Pond was a marathon session of Programming By Stealth, but not in a bad way. In the way you’re watching a great movie and you’re glad it’s really long, not in a looking at your watch kind of way. Anyway, we learned a final concept related to JavaScript prototypes: static functions. Then we flipped topics and back in HTML we learned how to make forms, checkboxes and radio buttons. We also learned how to use jQuery to find out what our buttons and checkboxes say and how to change them. And of course he does this in the context of using ARIA to ensure our HTML is accessible.
MacVoices
This week, my arch enemy Chuck Joiner had me on his show, MacVoices as part of his “Road to Macstock” series. He’s having presenters come on to talk a little bit about why we go to Macstock and give an idea of what people will hear about in our presentation if they attend. It’s a great bit of fun, but I warn you, it will make you want to go to Macstock even more! You can watch or listen to Chuck and me banter over at macvoices.com.
If you haven’t made plans to go to the Chicago area for Macstock July 15th and 16th, I really hope you’ll find a way to get there. It’s a terrific conference intermixed with a lot of socializing time. There’s something about the Mac community that has a warmth that I don’t feel at other conferences. I’m not sure what causes this, but Barry Fulk and Mike Potter have managed to transplant the friendly camaraderie that lived at Macworld over to Macstock. You should come and experience it for yourself. Check it out at macstockconferenceandexpo.com.
CSUN’s Assistive Technology Conference
This week Steve and I went to CSUN’s Assistive Technology conference in San Diego. We’ve been going for a number of years now, and it’s a fantastic way to learn about all the cool new gadgets and technologies being developed for those who require more assistance. There are products for the visually impaired, hearing impaired, those with motor control problems and those with speech and cognition challenges. I’m telling you guys, they get the coolest stuff. We got some great interviews and as usual we’ll stretch them out over time. In fact, I’m just teasing you about this. I’m going to wait a week before playing any of them, that way I’ll have some for the guys to play while I’m gone.
Blog Posts
Back in MY Day, Animation Was Hard
Patreon and Amazon
Dumb Question Corner about Amazon Affiliate Links
Jamie Cox asked a Dumb Question over on Google Plus (podfeet.com/googleplus):
Allison is always encouraging us to use the Amazon affiliate link, and I do, but I have some questions about exactly how this works. I don’t know what kind of feedback Allison gets besides a total dollar figure, but the shoppers get none.
We don’t see “Your purchase contributed $1.98 to the NosillaCast”, or anything like that.
What purchases count? If I click the affiliate link, and then buy something, does that count unconditionally, or are there provisos? What if, after following the link, I buy something that was already in my shopping list, or in my cart? Does that count? Does anyone know?
Jamie asks some great questions, AND gives me a sly way to do a plug for the Amazon Affiliate Links while I answer. The short answer is “it depends.”
The most important thing to know is that in order for a percentage to go towards the show, you have to start and complete the transaction in the same session. So buying something that was already in the cart won’t count, and putting something in the cart from a link and then finishing the next day doesn’t go to support the show.
There’s a reason why I always say, “a small percentage of what you buy goes to help the show” and I’m not very specific about how much. It’s because it’s really complicated and it changes all the time.
Different product types generate different revenue percentages. The low end tends to be around 3% but I’ve seen as high as 7%. I remember home and garden is one of the high ones (so buy a barbecue this summer!). Electronics are around 4% but musical instruments (which luckily includes microphones) are at 7%.
It’s also a sliding scale. So if enough people buy in a category, the percentage goes up.
All this is true until they change it. Which they just did. Roger Nash sent over an Engadget article talking about some recent changes Amazon made to the program. I’m not going to read it to you because it only makes it more confusing. The article talks about how bloggers might want to change their strategy of what products to push based on how much money they’ll make. And you know I’m not going to do that.
If I talk about a product, and that product is available on Amazon, I will absolutely link to the product on Amazon. But I don’t go looking for stuff that will make money and then write articles about those products to get you to push the button. This show will never be done that way.
Jamie also asked about what I know about what’s been bought, since as the buyer you get zero feedback. That would be really cool if they told you how much you’d helped. I think it would encourage people.
I do get good granularity on what was purchased, but I don’t see who purchased what. It’s fun to peruse, because while there’s a high percentage of electronics as one might expect, there’s also diapers and books and beauty products and clothing and handbags and groceries and games and tools. Even something like foam ear plugs, which only cost $5.62, returned $0.30 to help pay the bills. Enough people buy little things too that it really does pay off.
Thanks for the great question, Jamie!
And I want to give a special shoutout to Steve Ewell who just signed up to be a patron of the show. He went to podfeet.com/patreon and pledged a dollar amount to help support the podcast in a recurring way where he does know how much he helps the show. Thanks again Steve!
Security Bits with Bart Busschots
Security Medium 1 – The CloudFlare bug, AKA CloudBleed
CloudFlare is a major content delivery network and web application delivery platform. Many of the world’s most popular websites are served through CloudFlare.
It acts as a globally distributed reverse proxy that sits in front of back-end web servers. By placing itself between users and the actual web servers, CloudFlare can provide geographically distributed caching, DDoS protection, and other kinds of filtering.
Some of the filtering features CloudFlare provide involve parsing and then altering HTML. Unfortunately, some of these services relied on buggy code. When this buggy code encountered un-matched HTML tags, it would run off the end of a buffer, and include random chunks of the server’s RAM into the returned HTML. End-users could see this leaked data, but search engines could also index and cache it.
So – like HeartBleed, CloudBleed was dumping random chunks of memory. Like with HeartBleed, that memory could contain sensitive information, but most likely, it would just be random garbage. There is also no way to determine what parts of memory you’ll get back as an attacker, so you can only perform opportunistic attacks. Basically, an attacker would keep getting chunks of memory until they found something of value.
In terms of the scope, the bug was triggered by a combination of bad HTML run through a small sub-set of CloudFlare features, so only a small percentage of CloudFlare users were triggering the leaks. However, the data leaked could come from ANYTHING in the server’s RAM, so, ANY CloudFlare customer’s data could be leaked.
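The mechanism described above, as an added illustration written for these show notes (it is not Cloudflare’s code and does not reproduce their parser): a tag rewriter whose search for the closing `>` is not bounded to the page it was given, next to the bounds-checked version. Process memory is modelled as one bytearray in which the page being rewritten sits directly in front of an unrelated response; the page, the neighbouring response and the secret in it are constructed sample data.

```python
"""Added illustration, not Cloudflare's code: a tag rewriter that over-reads when a
tag is never closed, next to a bounds-checked version. Process memory is modelled
as one bytearray in which the page being rewritten sits directly in front of an
unrelated response (constructed sample data)."""

PAGE = b"<P>hello <B>world</B> <IMG src=x"      # constructed: last tag is never closed
NEIGHBOUR = (b"HTTP/1.1 200 OK\r\n"              # constructed: another tenant's data
             b"set-cookie: session=constructed-secret-token\r\n\r\n<html>")
SECRET = b"session=constructed-secret-token"


def build_memory(page: bytes, neighbour: bytes) -> bytearray:
    """Lay the page out immediately before unrelated data, as a heap might."""
    return bytearray(page + neighbour)


def rewrite_tags_unchecked(mem: bytearray, page_len: int) -> bytes:
    """Lower-case every tag. Bug: after a '<' it scans for '>' with no regard for
    page_len, so an unterminated tag walks past the page into whatever follows it
    and copies those bytes into the output. (If no '>' exists anywhere after the
    page, Python raises IndexError here; in C the read would simply continue into
    neighbouring memory, or crash once it hit an unmapped address.)"""
    out = bytearray()
    i = 0
    while i < page_len:
        if mem[i] != ord("<"):
            out.append(mem[i])
            i += 1
            continue
        j = i + 1
        while mem[j] != ord(">"):   # unbounded scan: this is the over-read
            j += 1
        out += b"<" + bytes(mem[i + 1:j]).lower() + b">"
        i = j + 1
    return bytes(out)


def rewrite_tags_checked(mem: bytearray, page_len: int) -> bytes:
    """Same rewrite, but the search for '>' is bounded to the page. An unterminated
    tag is passed through untouched instead of being 'completed' from foreign memory."""
    out = bytearray()
    i = 0
    while i < page_len:
        if mem[i] != ord("<"):
            out.append(mem[i])
            i += 1
            continue
        j = mem.find(b">", i + 1, page_len)   # bounded search: never leaves the page
        if j == -1:
            out += mem[i:page_len]            # unterminated tag: copy rest verbatim, stop
            break
        out += b"<" + bytes(mem[i + 1:j]).lower() + b">"
        i = j + 1
    return bytes(out)


def demo() -> dict:
    """Run both rewriters over the same memory and report whether the neighbour's
    secret ended up in the page returned to the user."""
    mem = build_memory(PAGE, NEIGHBOUR)
    unchecked = rewrite_tags_unchecked(mem, len(PAGE))
    checked = rewrite_tags_checked(mem, len(PAGE))
    return {
        "unchecked_output": unchecked,
        "checked_output": checked,
        "unchecked_leaks_secret": SECRET in unchecked,   # True: foreign bytes in the page
        "checked_leaks_secret": SECRET in checked,       # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point the checked version makes is the one that matters for any filter that rewrites untrusted input in place: every scan must carry the end of the buffer with it, and malformed input (here, a tag that never closes) has to be handled as an expected case rather than assumed away. The output of the unchecked version also shows why search-engine caches mattered: the leaked bytes are just part of an ordinary HTML response, so anything that fetched and stored the page stored the leak too.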
CloudFlare responded very quickly, and have been very transparent about what happened, and how. They had kill-switches built into their systems, so they had the power to disable any of their features easily if there was ever a problem found, and they used that functionality to good effect. Before going public they also reached out to the search engines their logs showed had cached leaked data, and asked them to purge their caches.
Bottom line – you should judge a company by how they respond to problems, not whether or not they ever have any, because ALL companies employ imperfect humans, so they will ALL suffer a breach at some point. IMO, CloudFlare responded really positively – they had pre-planned procedures which they deployed rapidly, and they were transparent about what happened and how they dealt with it.
It is also very unlikely your data has been compromised by this attack, but, there is no harm in changing your passwords on any sites you use that are served through CloudFlare. I wouldn’t be telling people they should change passwords, but if you’d prefer to, go right ahead, there is absolutely no reason not to.
Links:
- Serious Cloudflare bug exposed a potpourri of secret customer data – arstechnica.com/…
- Cloudbleed’s silver lining: the response system worked – nakedsecurity.sophos.com/…
- Cloudflare chief pledges third-party review of code – nakedsecurity.sophos.com/…
- CloudBleed: What you need to know – www.imore.com/…
- Cloudflare’s blog post on what happened at blog.cloudflare.com/…
Security Medium 2 – The first SHA1 Hash Collision
Security researchers have been finding cracks in the SHA1 hashing algorithm for some years now, and warning the world that the hash is no longer cryptographically secure. Those predictions have now started to come true with the first successful hash collision attack by Google researchers.
It should not be possible to take an original document, edit it so it says what you want, and then get it to hash back to the original value. If you can do that you can forge digital signatures. That is exactly what Google did! They started with a PDF that said one thing, edited it so it says something else, and then stuffed it with the appropriate invisible metadata to get it to hash to the same value as the original document. BOOM – one digital forgery!
It should be noted though that it took Google a long time and a lot of resources to do this, so while this kind of attack is now clearly possible (it’s been done), it’s not yet a practical attack, let alone an easy one. But, attacks only get better over time, so the clock is now well and truly ticking for the use of SHA1 in cryptography.
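To make concrete why a collision is a forgery, here is an added worked example (written for these show notes, not Google’s code, and not a real SHA-1 collision): a signature scheme commits to the hash of a document, not to the document itself, so once two documents share a hash, a signature on one is a valid signature on the other. SHA-1 is truncated to 32 bits so the birthday search finishes in well under a second; the search, the two document templates, the `memo` field standing in for the invisible metadata, and the HMAC used as a stand-in for a signature primitive are all assumptions of the example, and only the cost of the search changes for the full-width hash.

```python
"""Added illustration (not Google's or anyone's production code) of why a hash
collision is a signature forgery. The hash is SHA-1 truncated to 32 bits so the
birthday search finishes quickly; the logic is identical for a full-width hash,
only the cost of the search changes."""
import hashlib
import hmac

DIGEST_BYTES = 4  # toy width (constructed): a real SHA-1 digest is 20 bytes


def benign(n: int) -> bytes:
    # The document the signer actually agrees to. 'memo' plays the role of the
    # invisible metadata that the attacker is free to vary.
    return f"Pay 100 EUR to Alice. memo={n}".encode()


def malicious(n: int) -> bytes:
    # The document the attacker wants the signature to cover instead.
    return f"Pay 100000 EUR to Mallory. memo={n}".encode()


def weak_digest(doc: bytes) -> bytes:
    """A collision-prone stand-in for SHA-1: the real thing, cut to 32 bits."""
    return hashlib.sha1(doc).digest()[:DIGEST_BYTES]


def strong_digest(doc: bytes) -> bytes:
    return hashlib.sha256(doc).digest()


def sign(key: bytes, doc: bytes, digest=weak_digest) -> bytes:
    """Stand-in for a digital signature: the signer commits to digest(doc), never to
    doc itself. HMAC is used only because it is in the standard library; an RSA or
    ECDSA signature over the same digest has exactly the same property."""
    return hmac.new(key, digest(doc), "sha256").digest()


def verify(key: bytes, doc: bytes, sig: bytes, digest=weak_digest) -> bool:
    return hmac.compare_digest(sign(key, doc, digest), sig)


def find_collision(limit: int = 1 << 22) -> tuple:
    """Birthday search: grow two tables (benign and malicious documents keyed by
    digest) until some digest appears in both. Expected cost is roughly
    2**(bits/2) hashes per side, which is why a 32-bit digest falls in a blink
    and a 160-bit one took Google a very large amount of compute."""
    seen_benign, seen_malicious = {}, {}
    for n in range(limit):
        b, m = benign(n), malicious(n)
        hb, hm = weak_digest(b), weak_digest(m)
        if hb == hm:
            return b, m
        if hb in seen_malicious:
            return b, seen_malicious[hb]
        if hm in seen_benign:
            return seen_benign[hm], m
        seen_benign[hb] = b
        seen_malicious[hm] = m
    raise RuntimeError("no collision within limit (not expected at this width)")


def demo(key: bytes = b"constructed-signing-key") -> dict:
    good, bad = find_collision()
    sig_weak = sign(key, good)                      # signer only ever signs the benign document
    sig_strong = sign(key, good, strong_digest)     # same signer, collision-resistant digest
    return {
        "good": good,
        "bad": bad,
        "same_digest": weak_digest(good) == weak_digest(bad),
        "forged_doc_verifies": verify(key, bad, sig_weak),                       # True
        "forged_doc_verifies_sha256": verify(key, bad, sig_strong, strong_digest),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things are worth noticing. First, the signer did nothing wrong and never saw the malicious document; the forgery needs no access to the signing key, only the ability to find two documents with one digest, which is exactly what a collision attack provides. Second, the defence is not to check the signature more carefully but to move the digest to a function where finding such a pair is infeasible, which is why the same signature over SHA-256 rejects the substituted document.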
Links:
- At death’s door for years, widely used SHA1 function is now dead – arstechnica.com/…
- Bang! SHA-1 collides at 38762cf7 f55934b3 4d179ae6 a4c80cad ccbb7f0a – nakedsecurity.sophos.com/…
Important Security Updates
- Apple have released Logic Pro X 10.3.1 which includes a fix for what seems to be the same vulnerability recently fixed in Garageband – support.apple.com/…
Important Security News
- Signal for iOS and Android gets secure video calling. On iOS, users can choose to have the app behave like any other VoIP app, but are warned that if they choose to do that, some metadata gets synced to iCloud – nakedsecurity.sophos.com/…
- Project Zero have published details on another Windows zero-day bug, and it can be exploited through Edge and IE. Details are a little sketchy, but it can definitely leak sensitive memory, and it can probably also allow remote code execution. This is a repeat of a bug Microsoft thought they had patched last year, but it turns out they only partially fixed the problem. What’s making this all the worse is that the fix was expected in the February patch from MS, but that has been totally canceled, so a fix is now not expected until March 14 at the earliest (Editorial from Bart – probably best not to use IE or Edge until this is fixed) – arstechnica.com/… & nakedsecurity.sophos.com/…
- The US Congress is set to roll back the broadband privacy rules that the FCC introduced last October (Editorial by Bart – if you’re a US citizen, and you care about privacy, now would be a good time to let your congress critters know what you think about this issue) – nakedsecurity.sophos.com/…
- RELATED – the FCC under President Trump has already started to roll back on customer protections by easing the rules for ‘smaller’ ISPs – nakedsecurity.sophos.com/…
- Yet another reason to stop pirating software – some pirated Mac software has recently come with a nasty sting – really poorly written ransomware that is too buggy to actually decrypt your files, whether or not you pay. One silver lining for pirates is that the malware is also really bad at doing the actual encryption, and if you can find a backup of even one file from before it was encrypted, you can probably crack the key and get all your files back (Editorial by Bart – don’t steal from programmers – making software is hard work, and taking the food out of the mouths of developers makes everything worse for everyone – don’t be a dick!) – www.macobserver.com/…, www.macobserver.com/…, nakedsecurity.sophos.com/… & nakedsecurity.sophos.com/…
- PSA – a nasty SQL injection bug has been found (and patched) in the extremely popular WordPress plugin NextGEN Gallery – if you run it on your WordPress site, update it ASAP – arstechnica.com/…
Notable Breaches
- Some more developments in the Yahoo saga – the cookie forgery attack by “state actors” continued into 2016, affected about 32 million accounts, and in recent meetings with Verizon it became clear some of Yahoo’s systems were still compromised. Yahoo CEO Marissa Mayer has decided to forgo her annual bonus though – arstechnica.com/… & arstechnica.com/…
- Spiral Toys, makers of CloudPets, internet connected stuffed toys for kids, has leaked their database which includes more than 2 million voice recordings by accidentally putting a copy of their MongoDB database online without setting even so much as a password on it – arstechnica.com/…
Suggested Reading
- Nice simple instructions for enabling Medical ID on your iOS devices (and accessing it on other people’s iOS devices in an emergency) – support.apple.com/…
- Despite all the warnings from the IRS and the tech press, US tax payers shrug off the danger of tax fraud – nakedsecurity.sophos.com/…
- iPhone Robbers Try to iPhish Victims – krebsonsecurity.com/…
- Some Notable Security-related Legal Stories:
- A bad two weeks for security in connected cars:
- Research presented at the RSA security conference shows that many Android apps for connected cars are surprisingly poorly secured, failing to do even basic things to protect users credentials – arstechnica.com/…
- Sure, you might have bought the car, but does someone else control it? – nakedsecurity.sophos.com/…
- Security researchers have demonstrated a cool new technique for exfiltrating data from a computer that is air gapped (not connected to the network). You install malware on the air-gapped computer that controls the drive lights, have them blink out the data you want in a pre-defined code, and fly a drone up to the window to watch the light blink. (Editorial by Bart – this is a really fun demo, but not a real-world threat, and despite what some of the media hype might have led you to believe, this technique does not allow a drone to read the contents of all hard disks just by watching the lights on any computer, the partner malware has to be installed for the blinking to mean anything!) – nakedsecurity.sophos.com/…
- Hackers who took control of PC microphones siphon >600 GB from 70 targets – arstechnica.com/…
- Frank Abagnale, world-famous con man, explains why technology won’t stop breaches – arstechnica.com/…
- Researchers uncover PowerShell Trojan that uses DNS queries to get its orders – arstechnica.com/…
- Unholy trinity of AKBuilder, Dyzap and Betabot used in new malware campaigns – nakedsecurity.sophos.com/…
A Palate Cleanser – Stanford’s Developing iOS 10 Apps with Swift free on iTunes U – www.macobserver.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.