NC #621 Health Tracking Update, Aira Visual Interpreter, American Printing House Accessible Calculator, Magnet, Spectacle & Security Bits

Hi folks, welcome to episode 621 of the NosillaCast, a technology geek podcast with an ever so slight macintosh bias. This the show for Sunday April 2nd 2016, and I’m your guest-host Bart Busschots.

mp3 download

CCATP – Dermot Daly from Tapadoo

In this week’s Chat Chat Across the Pond I chatted with Dermot Daly who runs Tapadoo, a mobile app development company based Dublin, Ireland. We talk about what it’s like being a developer witting apps for iOS and Android, how App Store and Google Play store differ from each other, and the state of the app business in general. We also look at what some of the recent changes to the app store really mean for developers.

An Update on my Health Tracking

Of all the things I’ve ever recorded with Allison over the years, the show that I’ve gotten the most positive feedback on is our CCATP chat about how I’m using tech to gain control of my health and weight. We recorded that chat in July last year, so I thought it might be nice to update you all on how things are going.

Firstly, I still use an Apple Watch to measure the calories I burn. I’ve now moved from an original Apple Watch to a Series 2, and I love it even more than I loved the original. The two things I really wanted from the new watch were waterproofness, and built-in GPS. Not having to worry about your watch getting wet is a really big deal when you get your exercise mainly form cycling, and live in Ireland! The original Apple Watch relied on the iPhone’s GPS, so if there was ever a bluetooth glitch between the watch and the phone, the watch lost its ability to accurately record calories, and generally assumed you’d decided to stand still for half an hour and robbed you of hundreds of calories. That kind of thing only happened ver occasionally, but it was so dis-heartening on handful of occasions it happened that I really wanted to stop it happening again. An un-expected bonus is that the battery life on the Series 2 is not just a little better than it was on the original, but MUCH better. I now generally finish the day with well over 50% battery remaining, and I track between 1 and a half and three hours of workouts every day! Also, I went for the Nike+ model, and those straps with the little holes are so much nicer to wear than the solid sports band I had one my first watch.

Secondly, I’m still using MyFitnessPal to track calories consumed and manage my daily calorie budget. The app has been steadily improving, so I’m loving it more and more as time goes on. Also, the longer you use the app, the better it knows you, and the more it can help you to log your food quickly and easily. Also, in my experience it was well worth taking the small extra effort to create saved meals. I turns out I’m much more of a creature of habit than I realised, and I repeat the same meals very regularly indeed!

I’ve also added some nice connected hardware into the mix to track my progress. I track my weight and body composition with the Body wifi scales from Withings, and my blood pressure with the Withings bluetooth Blood Pressure Monitor. The industrial design on both of the Withings products is superb, and while I initially hated their app, it’s improved a lot over the last year, to the point that I’ve moved from merely tolerating it to actually liking it.

I still rely on Apple’s health app to act as the hub that ties all my data together. My watch writes my calories burned there, MyFitnessPal gets the burn data from there, as well as my current weight, and writes back my nutrition information, and both of my Withings devices write the measurements they take there.

So – the big question, is it working?

The reason I started down this road was because my blood pressure was too high, presumably because I was over weight. So, has all this tech actually solved the problem? Yes! In January 2016 my BMI was well over 25, I was, officially, morbidly obese, I had a resting heart rate in the low 80s, and I had grade 1 hyper tension. Today, my BMI is 21 with a body fat percentage of just 12%, a resting heart rate of about 60, and my blood pressure at the bottom of the normal range.

CSUN 2017 Interviews

Two macOS Window Tilers

Security Bits

Followup – More Fallout from Vault 7

Documents in the recent leak of CIA documents exposed a vulnerability in 318 Cisco routers and switches that allows simple remote-takeovers of the switch. Cisco are presumably rushing to get a patch out, but nothing has been released yet – arstechnica.com/…
Additional information released as part of the dump shows the CIA targeted Macs, including making booby-trapped Thunderbolt ethernet adaptors code-named sonic screwdrivers that used the now-patched Thunderstrike vulnerability to take over Macs they were physically plugged in to – arstechnica.com/… & nakedsecurity.sophos.com/…

Security Medium 1 – The iCloud Extortion Attempt

A gang of cyber criminals calling themselves the Turkish Crime Family say they have 300 million iCloud account details, and that if a ransom is not paid by the 7th of April, they will start using those details to wipe devices and accounts. The ransom they are demanding is $100K in iTunes gift vouchers, or, $75K in Bitcoin or Ethereum crypto currency.

Based on all the reporting I’ve read to date, it seems they group definitely have some Apple ID usernames and passwords, and that they probably got them from breaches of sites other than iCloud, and/or from phishing campaigns. Basically, password re-use and phishing are the prime suspects yet again. Apple insist iCloud has not been hacked.

How can you protect yourself? If you have re-used the password you use for your iCloud anywhere else at all ever then it would seem sensible to re-set your Apple ID password ASAP, and be sure to set it to something unique. This would also seem like an opportune moment to enable two-factor auth if you haven’t done so already.

You should also be aware that some scammers seem to be capitalising on the news coverage of this story by launching phone-based scams where they pretend to be Apple calling about the iCloud breach. Apple will not call you out of the blue like that, so don’t fall for these scams!

Links:

Security Medium 2 – MAC Address Randomisation Weaknesses

Any device that has a wifi card has a unique MAC address, and, as long as that card is active that MAC address can be seen by nearby wifi access points. Retailers and others realised this fact allowed smart phones to be used to track people as they move through a store or a city, or even as they travel around the world.

MAC address randomisation was invented to address this problem. The idea is that while a device is not connected to a Wifi network, it will use a periodically changing random MAC address.

Apple added MAC address randomisation in iOS 8 in 2014, and Google added it to Android as an experimental feature the same year, before adding it as a full-blown feature in 2015. In theory, neither iOS nor Android devices should be trackable by their MAC address anymore. So, a group of security researchers set out to test that theory, and found that the reality is somewhat different!

In the standard passive scenario where the trackers just listen, iOS implements MAC address randomisation perfectly, and, almost all iOS devices you see in use today are running iOS 8 or later, so almost all iOS devices in the real world are randomising their MAC addresses.

The same is not true for Android. From a sample of nearly 1 million phones, only 6% implemented MAC address randomisation. That’s bad enough, but it gets worse! The majority of that 6% that do implement MAC address randomisation were found to implement it poorly – the devices periodically broadcast their real MAC addresses by mistake!

Everything is not perfect for iOS though. The researchers also found an active attack that works against all devices, including iOS devices, and it may not be possible to fix. The attack relies on standard features of the wifi protocol, and involves sending packets aimed at specific MAC addresses an seeing if any device with that MAC address responds. In effect, it is a brute-force attack. You broadcast to all possible MAC addresses in Apple’s assigned range, and eventually, you’ll get a reply from every Apple device in the area.

While the weakness is not easy to fix, it’s also not nearly as easy or practical to carry out as the old-style passive attacks that work on un-randomised or poorly randomised devices.

Link: arstechnica.com/…

Security Medium 3 – US Congress Votes to Revoke ISP Privacy Rules

In the previous Security Bits we mentioned that votes were up-coming on removing ISP customer privacy protections. Those votes have now passed both the US House of Representative and the US Senate, so the bill is on its way to President Trump, who is expected to sign it.

The bill invalidates US FCC (Federal Communications Commission) regulations introduced last year which prevented ISPs from selling customer browsing data without their consent. The votes were largely along party lines – everyone who voted for the bill is a Republican, and all Democrats voted against it, but there were a handful of Republicans who voted against the bill.

Central to this are two important facts.

Firstly, customers pay their ISP for a service. Selling data about your paying customers is not the same as offering free ad-supported services.

And secondly, and most importantly, ISPs are literally in an extremely privileged position – every bit of data that enters or leaves your home passes through your ISP. That’s not just your web browsing, but every single thing you do online on every single device in your home over every single protocol. Yes, Google and Facebook see much more of your browsing that many would like, but they only see snippets of your browsing (and your email if you use GMail). They have no idea what’s happening over other protocols.

I’ve seen a lot of politicians miss these two vital facts. I can’t tell whether they are just ignorant, or whether they are being wilfully dishonest, that’s something we all have to judge for ourselves.

Another important factor that complicates things is the sorry state of the US broadband market. If there was a thriving healthy market with lots of choice, you could make the argument that the free market will save the day, and that those who want privacy will be able to vote with their wallets and choose to use privacy-respecting ISPs. But, the reality on the ground in the US is very different. There is not a thriving healthy market, most US consumers have little or no choice of ISP.

Finally, if you consider internet access to be a basic utility like water, electricity, or telecommunications, then it makes a lot of sense to regulate the providers. We take it for granted that our electricity company is not allowed to sell our data, and that our telephone companies can’t sell our call data to advertisers. Why are ISPs being given such different treatment?

Can you do anything to protect yourself?

Yes – encrypt everything! Your ISP will still see the two end-points of any encrypted data streams to and from your home, but they can’t see into them, despite their privileged position.

Using HTTPS on websites helps a little, but only a little. HTTPS encrypts the data exchanged between you and the site you’re visiting including the full URL, but generally not the domain part of the URL. Why? Because the HTTPS connection will be to a given IP, which will probably uniquely identify the site anyway, but even if the site is on a shared IP, your DNS queries will have given the domain name away anyway. DNS packets are unencrypted, so every domain name used in every app on every device within your home can be seen by your ISP. Note that this is true regardless of which DNS server you configure your computers to use. Some ill-informed people are recommending people ‘protect’ their privacy by switching DNS provider. This is terrible advice!

What you need to do is to wrap all your traffic, including the protocols without encryption support like DNS, in a layer of encryption as it moves through your ISP. The obvious technical solution is to use a VPN, but be careful!

Using a VPN changes who you place in the privileged position of seeing all your data, but it doesn’t remove the presence of such a privileged position. When you use a VPN, you simply move from trusting your ISP, to trusting your VPN provider. Hence, it’s really important to choose your VPN provider wisely, they have to be someone you trust. In reality, that means you have to follow their incentives, which means following the money. That means free services are almost certainly out – if they are not charities, they must be making money off your use of their service – if you are not giving them that money, then they are probably selling your data!

The other obvious problem with using VPNs for everything at all times is the hassle of setting that up. You could install a VPN app on every single device in your home, which is a lot of work, and also probably impossible, because you probably have devices that don’t support VPN clients like smart TVs, game consoles, and IoT devices in your home. Clearly, what you want is to have your router manage a VPN tunnel between your home and your VPN provider, and automatically route all traffic through it. This is easy to do on corporate routers, and it can be done if you build your own router using open source firmwares, but that’s not trivial, and beyond the vast majority of the population’s abilities. Hopefully router manufacturers step up and make this easy for people in the future.

If I lived in the US I would run my own VPN end-point on a cheap cloud VM from a provider like Digital Ocean or Linnode, then configure my home-made PFSense-based router to connect to that VPN and route all my traffic through it. Thankfully, I don’t have to do that, because Ireland has robust data protection laws and our ISPs are well regulated.