NosillaCast Logo - text says NosillaCast Podcast and EVER so slight Apple Bias. Main background is a gradient medium blue to lighter blue with a skyline of black silhouette buildings below. Behind the building are some geometric red shapes. And of course the prominent podfeet (two bare feet) are in the middle

NC #625 ecobee3 Installation and Review, Quarterback for Live TV on a Phone, Don’t Buy the TrackR, Security Bits

This week I’ll tell you about my experience installing the ecobee3 and later in the show I’ll review it. I’ll tell you why even though it’s awesome you shouldn’t buy it. We’ll have the first of our NAB 2017 interviews – Quarterback for Live TV on a phone. Then I’ll explain why you seriously want to avoid buying the TrackR (not because it’s awesome). Then we have a great episode of Security Bits with Bart Busschots. It’s got four Security Mediums which gave us a lot to chew on.


itunes
mp3 downloadHi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday April 30, 2017 and this is show number 625. This is going to be a positively jam-packed show. I installed the ecobee3 Smart Thermostat with only a little help from Steve and I’ll explain that adventure, then we’ll hear the first of our interviews from the National Association of Broadcasters conference that Steve and I just attended. This first interview is about a cell phone case called Quarterback that will give you over the air TV on your phone, I’ll tell you why you should not buy the TrackR, then I’ll come back to the ecobee3 Thermostat and why it’s so awesome and why you shouldn’t buy it anyway.

Then we’ll have a great session of Security Bits with Bart Busschots. It ran longer than usual but it was super meaty. Instead of a giant list of news, it was four security mediums that are very nuanced so the explanation and discussion on each is pretty important. I found all of it fascinating. I guess we’d better kick in!

Chit Chat Across the Pond

Bart and I JUST recorded Chit Chat Across the Pond today, so we’re a wee bit late in the week. In this installment of his Programming By Stealth series, we review our test code using QUnit, and then learn how to use QUnit to test our code within a real browser page. We do that using the API we built together, the Bartificer Link Toolkit that identifies external links on a web page, makes them open in new tabs, adds the tag rel=noopener, and adds a cute icon to identify them as external links. As always Bart’s terrific written tutorials and downloadable examples are available at bartbusschots.ie/….

Blog Posts

A Noob Installs the ecobee3 Thermostat

We’re going to come back to talk more about the ecobee3 and how well it works, but let’s take a break and listen to the first interview from NAB 2017.

NAB 2017: Quarterback Live HD TV for Smartphone

You Had One Job, TrackR

ecobee3 is Awesome – Don’t Buy It

Patreon and Amazon

We just finished talking a bit ago about the TrackR and what a hot mess it is. Imagine if I had been an advertiser for those folks. It would have created quite a conflict of interest for me if that had been the case. Now I’m not saying I’ll never advertise again, but I have to say I feel completely unfettered to say what I really think because I don’t have advertisers. This show is completely supported through donations by listeners who push the “Support the Show” button on podfeet.com.

From there you can do a one time PayPal donation, you can become a Patron of the show through Patreon and donate just a little bit every week, or you can push the Amazon button and buy your toys through the affiliate link. All of these methods are great ways to demonstrate that you find value through the show. And thank you to all of you who continue to support our efforts here.

Security Lite

Security Medium 1 – 'DoublePulsar'

In the previous security bits we mentioned that the latest dump of CIA hacking tools from the group named Shadow Brokers contained hacking tools that targeted many versions of Windows. At the time it was not clear whether or not the latest patches from Microsoft protected users from the vulnerabilities exploited by these tools.

The good news is that we now know that Microsoft's March patches did indeed plug the holes uses by these tools. However, that has not been enough to prevent tens of thousands of machines being taken over by one of the released hacking tools – DoublePulsar.

The exact number of infections is not clear, different scans of the entire internet by different companies are giving different numbers, but while the numbers are not the same, they are all of the same order of magnitude – it's not clear exactly how many tens of thousands of devices are infected at any given moment, but it is clear that we are talking about tens of thousands of devices.

It seems that many people are too slow to patch, and since the cat is now out of the bag, it's easy for anyone to hack into un-patched Windows machines, and many people appear to be doing just that.

Make sure your Windows machines are all patched!

Security researchers have also released a tool for remotely removing a DoublePulsar infection.

Links:

Security Medium 2 – Microsoft Introduce Phone Sign-in

Microsoft have rolled out a new authentication option for Microsoft accounts which they have named phone sign-in.

You start by installing and configuring the Microsoft Authenticator app on your phone. Then, when you try log in to your Microsoft account from another device, you won't need to enter your password – you simply enter your email address, hit next, and a message will pop up on your phone asking if the login should be allowed – if you allow it, then the login will succeed without you ever needing to enter a password.

There are many advantages to this approach, the most obvious of which is convenience! There is also nothing for key loggers to capture, so it is a more secure option than a basic password without a second factor.

Really, the only controversy here is that Microsoft are not being honest in their descriptions of this feature – they insist on referring to it has two-factor authentication when it simply isn't – what it is one-factor authentication where that one factor is better than the one-factor authentication we are used to – passwords. What Microsoft have done is replaced the single "something you know" factor (your password), with the single "something you have" factor (your phone). I guess two-factor auth is seen as a buzzword rather than a technical term by Microsoft, but it's very disappointing to see them play so fast and loose with technical terms.

It looks to me like the Microsoft technical teams did a good job, and the Microsoft PR department is yet again letting the company down.

Links:

Security Medium 3 – The Punycode Problem

The Domain Name System (DNS) translates between human-friendly domain names and the IP addresses actually used for computer-to-computer communications. DNS is old, very old, dating back to the dawn if the internet. Back then, it never occurred to anyone that there would be a desire to have accented characters in domain names, so the design does not allow for them. In fact, domain names don't even support letter case – WWW.PODFEET.COM is considered identical to www.podfeet.com!

Domain names consist of multiple parts separated by dots, where each part consists only of lower-case letters (a-z), digits (0-9), and dashes (though they're only permitted if they're surrounded by at least one letter or digit on each side).

As we've started to run low on user-friendly domain names, and as the internet has become ever more international, a desire has emerged to retro-fit accented characters and characters from other alphabets into domain names. Altering how DNS works is not really an option, so some clever people can up with a work-around.

The need to represent non-ASCII characters in ASCII-only environments is not unique to DNS, and a solution was developed – Punycode.

Punycode is an encoding scheme that allows unicode character codes to be written in ASCII. You can play around with it yourself on www.punycoder.com. You can see that cliché becomes xn--clich-fsa.

Back in 2003 Punycode met the web when the Internationalizing Domain Names in Applications (IDNA) standard was defined. Basically, browsers should support Punycode in domain names, hence, allowing domain names that appear to have accented characters, and characters from non-ASCII alphabets.

You would register www.xn--clich-fsa.com, and browsers would display it as www.cliché.com. Also, when you type www.cliché.com into the address bar, browsers should translate that to www.xn--clich-fsa.com on your behalf and then go fetch that website.

What could possibly go wrong?

The problem is so-called homographs – characters in different alphabets that look visually the same.

To prove this point, security researchers registered the innocent-looking domain name www.xn--80ak6aa92e.com, and legally acquired a valid TLS certificate for it. In many browsers, browsing to this domain will bring you to a page that is genuinely secure, so legitimately has a padlock, but the address bar appears to show www.apple.com. This is clearly phishing heaven!

A new name has been coined for these kinds of domain names, they have been christened confusables. Note that only humans find these domains confusing – computers see homographs as being completely different characters. This means that password managers will not get confused by these confusable domains, and neither will certificate authorities. If you take the time to view the certificate on www.xn--80ak6aa92e.com you'll see that it clearly shows the cert is for www.xn--80ak6aa92e.com and not www.apple.com.

At the moment, each browser's treatment of Punycode domains is different.

Apple & Microsoft support Punycode, but, they only decode Punycode domain names if you have the relevant language installed. So, if you don't have the Cyrillic alphabet enabled on your Mac or iOS device, you'll see the raw Punycode, not the confusable version.

Google took a slightly different approach, and decided never to decode Punycode if it mixes characters from multiple alphabets. The theory being that mixing alphabets is inherently suspicious, and probably a sign that someone is trying to construct a confusable. Unfortunately, you don't always need to mix alphabets to create confusable domains – case in point, the www.apple.com example above only uses Cyrillic. Google have since added extra logic to Chrome to better identify confusables, so the problem appears to have been resolved on Chrome.

That just leaves FireFox. Some in the FireFox community feel that banning some characters just because they happen to be homographs would be culturally insensitive, so on a point of principle, they do not want to block any Punycode URLs. They are coming under attack for putting political correctness above user safety, but last I heard, they have not backed down. FireFox users who want to protect themselves need to disable the Punycode feature themselves by browsing to the special URL about:config, searching for the setting network.IDN_show_punycode, and setting it to true.

Links:

Security Medium 4 – OSX/Dok

Security firm Check Point Technologies is warning of a new macOS trojan that is being actively spread at the moment. The malware arrives as a spam email with an attachment that appears to be named Dokument.zip, hence the name.

This is a true Trojan – you need to take active steps to get yourself infected, just receiving the attachment is not even nearly enough to get you infected. First, you need to attempt to open this oddly named file you received un-solicited from a total stranger, then, you will see a message saying that opening the file failed because it's corrupt. Then, a popup nothing like a standard macOS software update dialogue will appear, and ask you to update your Mac, and to please give your admin password. Only if you actually do that will you get infected.

If you infect yourself, Dok installs a new root CA certificate, a web proxy service that auto-starts on boot, and then re-configures your Mac to direct your internet traffic through that proxy service, where, using the new CA cert it installed, it can intercept all your web traffic, even HTTPS traffic, and read and/or edit it as it passes through.

While getting infected is hard, and while a similar piece of malware on Windows would absolutely not be news in any way, this piece of malware is significant for a few reasons.

Firstly, scale – we're not used to seeing cyber criminals put this much effort into targeting Mac users. They may not be doing it very well in this instance, but they are doing it, and that's a new development.

Secondly, for now (and probably not for very long), the malware is signed by a valid developer certificate. It's quite likely the private key for this certificate has been stolen, but that's not clear year. Everyone expects Apple to push an update to macOS's XProtect system to start blocking this cert and this piece of malware within the next few days, it not within the next few hours.

Just a reminder the GateKeeper is a hurdle for attackers to get over, not a silver bullet. In the digital world people often have a binary view of things, so I'm sure you'll hear someone say that this proves GateKeeper is useless. That is equivalent to declaring seatbelts useless because someone was killed in a car crash last week. We don't buy that kind of dumb illogic in the real world, so don't fall for it in the digital world either!

Links:

Important Security News

  • According to a recently filled law suit, the Bose Connect app that is used to pair control many Bose headphones spies on users, sending information about what they listen to back to Bose – www.reuters.com/… & www.nbcnews.com/…
  • Numbers released by Kaspersky show that despite being patched years ago, the bugs that enabled Stuxnet remained the most exploited bugs in the world throughout 2015 and 2016 (Editorial by Bart: clearly, people don't patch nearly enough!) – arstechnica.com/…
  • Multiple security vulnerabilities have been found a wide range of Linksys home routers. There is no patch yet, but there are instructions from Linksys on how to protect yourself – nakedsecurity.sophos.com/…
  • LastPass fixed another security vulnerability – this time one that allowed their 2FA to be bypassed in some circumstances – nakedsecurity.sophos.com/…
  • New, and more powerful, versions of BrickerBot destroying more insecure IoT devices. The author sees himself as a vigilante protecting the world from these insecure devices (if they are destroyed, they can't be recruited into botnets etc.) – arstechnica.com/…
  • A double-whammy of scandal for Uber this week – first, the NYT reported that they were caught by Apple using prohibited private APIs to fingerprint iOS devices, and using geofencing to try hide that fact from Apple reviewers, and then it emerged they were buying data on Lyft usage from analytics firm Slice who got the data from Unroll.me, a service that's advertised to users as a service to clean up their email inboxes – www.imore.com/…
  • RELATED – You Can Now Delete Uber Account Data Straight From The App – www.macobserver.com/…

Suggested Reading

A Small Palette Cleanser

I discovered a new law to add to my list of favourites – Betteridge's law of headlines:

Any headline that ends in a question mark can be answered by the word no

If you're wondering what my other favourites are:

  • Hanlon's razor

    Never attribute to malice that which is adequately explained by stupidity/incompetence

  • Godwin's law:

    If an online discussion (regardless of topic or scope) goes on long enough, sooner or later someone will compare someone or something to Hitler or his deeds

That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top