David Ginsburg of the In Touch with iOS podcast sent in a recording describing the unusual problem he had where Apple shipped him with an operating system actually newer than the one you can download. I’ve started a series called Tiny Tips, and the first one is why you should create a folder called Delete Me. I’ve got part 2 of my Affinity Photo for iPad review/walk through and then we’ve got Security Bits with Bart Busschots.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday June 25, 2017 and this is show number 633. This week we’ve got a really interesting story about a new MacBook Pro from David Ginsburg, I’ve got a Tiny Tip for you (a new segment I plan on doing for the show), and the second half of my walk through of Affinity Photo for iPad. If anything, I love this program more this week than last week. After that we’ve got Security Bits with Bart Busschots.
Chit Chat Across the Pond
Chit Chat Across the Pond this week is another episode of Programming By Stealth with Bart Busschots. I’m very proud of the fact that I completed my homework, writing a program from scratch that passed all of the tests written by Bart. It took me 12 hours, and nearly 4 hours of Dorothy’s time helping me do it, but I got ‘er done. In this installment, 36 of x, we learn some more HTML, specifically about all the cool things the input tag can do, like creating invisible forms which is just weird but also very cool. The challenge this week is a flip on last week. This week Bart has written the next bit of code for us and we have to create the tests. It’s as challenging as all the rest but it’s just as fun. Check out either the full Chit Chat Across the Pond feed, or the Programming By Stealth feed in your podcatcher of choice.
Eye Chart Radio
This week I got to co-host Eye Chart Radio with Mike LaPlante. I’m on a six week rotation and it was finally my turn again. We discussed Apple doubling down on security, the new App Store, AirPods and Affinity Photo for iPad. Eye Chart Radio can also be found in your podcatcher of choice and it’s spelled Eye ( e y e ) Chart Radio.
Blog Posts
David Ginsburg on MacBook Pro and AppleCare
[For the readers – David bought a brand new 2017 MacBook Pro and tried to use Migration Assistant to move his data, apps and settings over to his new Mac, but it caused his new machine to become unresponsive. He tried to use Recovery to reinstall the OS, but it said his version was too new. The same thing happened when he tried to download Sierra from the Mac App Store.
Apple replaced it, and he got another new machine. Before using Migration Assistant he cloned the new drive just in case, and sure enough, after running Migration Assistant the Mac wouldn’t function. He restored from the clone that time and has been working with Apple about this, but they don’t have a solution. 10.12.6 is due out soon, so he’s hoping he’ll have a way to recover when that comes out. ]
David Ginsburg of the In Touch with iOS podcast sent in a really interesting story about macOS and new computers. Let’s have a listen.
I thought David’s story was really interesting. In all my years with the Mac, I have never heard of Apple shipping a computer with an OS newer than what you could download.
After David sent this in, he got a response from his AppleCare associate who shockingly did hear back from engineering (I never seem to get a response). Here’s what she sent to David:
As it turns out, since this is a brand new 2017 MacBook Pro, it comes on a different build train than the previous models (as you mentioned that you noticed). Due to this fact, the version is slightly different from the one available through the Mac App Store. Because of this, and some CPU-specific software, you’re met with this alert instead of being allowed to proceed. With that said, they have opened up an investigation.
Apple Engineering has received reports of this symptom and is investigating. Further updates, if any, may come by way of a software update, knowledge base article or software release. I will follow up with you if I receive any additional information. I know you mentioned you wanted the external bootable drive as a backup option. I wanted to remind you that you also have access to Recovery HD and Internet Recovery, should you need to reinstall the OS at any time.
David pointed out to me that one of the problems is that the recovery partition has the older OS build on it too, so he can’t use that, which he had, of course, told her. Hopefully this gets fixed in 10.12.6 for David.
Tiny Tip – Delete Me
Affinity Photo for iPad – Part 2
Patreon and Amazon
You guys have been absolutely fabulous using the Amazon Affiliate Links over at podfeet.com to help support the show. When you use those links, a small percentage of the price you pay comes back to help pay hosting fees and other costs associated with creating the show. I can’t tell who bought what, but I can see a list of what people have bought. It’s pretty fun to scroll through and see what’s in the list. Recently people bought books, candy, mic cables, mic stands, refrigerator water filters, USB thumb drives, flash triggers, batteries, embroidery supplies, music CDs, address labels, and bird food. So if you think you can only use the Amazon Affiliate Links to buy tech toys, even bird food helped bring $5.29 in to pay for Bluehost and Libsyn. Thank you to all of you who choose to help out the show.
Security Bits with Bart Busschots
Security Medium – Stack Clash
We have another bug with a media-friendly name, Stack Clash, and in terms of scope, it’s a biggie! A large range of Unix-like operating systems including Linux, OpenBSD, and FreeBSD have a nasty bug in their kernels, and the problem code goes back 12 years!
One small mercy is that we’re not dealing with a remote code execution bug that could be easily turned into a worm, but a local privilege escalation bug instead. Basically, any user on an affected system can trivially gain root powers through this bug. Privilege escalation is not good, but it’s a lot less catastrophic than remote code execution. To underline that point, Red Hat have not rated this bug as Critical; instead, they’ve gone one rank lower and rated it Important.
Where privilege escalation bugs really bite is on shared servers – in theory all the users of a shared server are protected from each other, each being confined to their own home directories with limits placed on the processes they can run etc. However, if any user can become root, that separation completely breaks down!
The other big problem with privilege escalation bugs is that they can be combined with other bugs to become greater than the sum of their parts. Most network-facing processes on Unix OSes run as an unprivileged user so that even if they get hijacked through a remote code execution bug, they have little or no power to do any real damage on the server. However, combine a bug like that with a privilege escalation bug like this one, and you get to totally take over a server.
At the moment there isn’t a proper fix, but there are mitigations possible, and vendors have begun shipping those workarounds as kernel updates. The major distributions are being promptly patched, but there is another problem: Linux is not just a really popular server OS, it’s also a really popular IoT OS, and it powers many home routers. These vendors are often much slower to patch than the major distributions, and realistically, there will be a lot of devices for which a patch is never released, and even more devices that will never have the patches that are released applied to them. Expect to see a lot more IoT hacks in the future!
While macOS does contain a lot of FreeBSD code, Apple chose not to use the kernel that ships with FreeBSD in their OS, instead, they opted for the Mach microkernel. As best as I’ve been able to discover, it is not affected. Windows contains an entirely custom kernel, so it too is not affected. What’s less clear is what the situation is with Android – it may well be affected.
As a home user, all you can really do is check for updates to your IoT devices, and apply any that are released as and when they become available.
Links:
* Serious privilege escalation bug in Unix OSes imperils servers everywhere – arstechnica.com/…
* Stack Clash Linux vulnerability: you need to patch now – nakedsecurity.sophos.com/…
Important Security Updates
- Patch Tuesday has been and gone with important updates from Microsoft and Adobe. Microsoft patched Windows, including Windows XP, and Adobe patched Flash and Shockwave – krebsonsecurity.com/… & arstechnica.com/…
- A related opinion piece – Microsoft’s decision to patch Windows XP is a mistake – arstechnica.com/…
- Mozilla have released critical updates to Firefox and Thunderbird to fix a vulnerability that allows remote code execution – www.us-cert.gov/… & www.us-cert.gov/…
Important Security News
- Apple will be automatically switching users of their old 2 Step Verification system to their new, and more secure, 2 Factor Authentication system when they upgrade to iOS 11 or macOS High Sierra – www.imore.com/…
- Security researchers find two pieces of Mac malware for sale on the so-called dark web as services. If this malware-as-a-service offering proves popular, it could be the start of a wave of attacks against Mac users – www.macobserver.com/…
- Attackers have developed a new technique for obscuring the true URL of attack web pages. The technique is shockingly simple, and particularly effective against devices with small screens: the attackers pad a sub-domain with so many dashes that the true domain is pushed off-screen, e.g.
www.facebook.com-----------------------------------------------.hacker.net
– arstechnica.com/…
- The latest Wikileaks data dump reveals details of CherryBlossom – CIA malware that can remotely transform home routers from 10 different manufacturers into spying devices. This is a very clever ploy, because home routers are rarely updated, despite being riddled with well known (and patched) security vulnerabilities (Editorial by Bart – when did you last update the firmware in your router? Maybe now might be a good time to do that?) – arstechnica.com/…
- Apple’s routers are not affected – www.macobserver.com/…
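A defender-side check for the padded sub-domain trick described above, added here as an example (it is not code from the show or from the linked reports): it parses the hostname out of a link, reports which domain actually decides where you end up, and flags sub-domain labels stuffed with dashes. The sample links are constructed, and the "last two labels" rule is a simplifying assumption standing in for a proper Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample links modelled on the padding trick; none of these are real sites.
SAMPLE_LINKS = [
    "https://www.facebook.com-----------------------------------------------.hacker.net/login",
    "https://www.facebook.com/login",
    "http://accounts.example.com--------.evil.example/verify",
]


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that determines who you are really talking to.

    Assumption: the last two labels.  Production code should consult the Public
    Suffix List so that names such as 'example.co.uk' are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def padding_indicators(hostname: str, max_dashes: int = 3) -> list:
    """Return the sub-domain labels that look like screen-filling padding.

    Only sub-domain labels are examined; the registrable part is left alone so a
    legitimately hyphenated domain does not trip the check."""
    labels = hostname.lower().rstrip(".").split(".")
    return [label for label in labels[:-2] if label.count("-") > max_dashes]


def classify(url: str) -> dict:
    """Summarise a link: where it really goes and whether its hostname looks padded."""
    host = urlsplit(url).hostname or ""
    padded = padding_indicators(host)
    return {
        "url": url,
        "hostname": host,
        "registrable_domain": registrable_domain(host),
        "padded_labels": padded,
        "suspicious": bool(padded),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = classify(link)
        print(f"{result['registrable_domain']:<16} suspicious={result['suspicious']}  {link}")
```

Run as a script it prints the real domain beside each link, which is exactly the detail a narrow address bar hides.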
Suggested Reading
- Notable Breaches
- A damning report from the US DOD finds that the NSA has failed to implement proposed security measures – nakedsecurity.sophos.com/…
- PSAs:
- A new malware variant serves as a timely reminder to disable UPnP on our routers – nakedsecurity.sophos.com/…
- US CERT warns American business to patch urgently to protect against North Korean cyberattacks – nakedsecurity.sophos.com/…
- Beware fake listings on Airbnb – nakedsecurity.sophos.com/…
- UK listeners with a Virgin Super Hub 2 or Virgin Super Hub 2ac from Virgin Media are warned that they need to take steps to secure their routers – nakedsecurity.sophos.com/…
- Drupal have released a critical update that patches a bug that would allow a remote attacker to take over your site – www.drupal.org/…
- Useful Tips
- Top 6 Free Mac Security Tools – www.macobserver.com/…
- The Reality of Internet Safety: Why Education Trumps Technology – www.intego.com/…
- How Coding Can Make Your Kids Safer Online – www.intego.com/…
- How to install Linux on a Chromebook (and why you should) – arstechnica.com/…
- GDPR: how to avoid the data protection cowboys – nakedsecurity.sophos.com/…
- Bad App Stores
- The Google Play adware apps that just won’t die – nakedsecurity.sophos.com/…
- Google Play is fighting an uphill battle against Android adware – arstechnica.com/…
- More Android apps from dangerous Ztorg family sneak into Google Play – arstechnica.com/…
- While Apple have a much better handle on things than Google do, the iOS App Store is no Utopia – there are expensive paid apps listed there that cannot possibly do what they promise – how Apple’s human reviewers could have approved them is hard to fathom – medium.com/…
- Though reporting from TechCrunch suggests Apple is stepping up its game and clamping down on these kinds of abuses – techcrunch.com/…
- Governments -v- Privacy
- Election Hacking
- Microsoft propose the establishment of the Global Cyber Attribution Consortium, an international NGO with responsibility for credibly determining who is responsible for what cyber attacks – nakedsecurity.sophos.com/…
- How social media companies are using AI to fight terrorist content – nakedsecurity.sophos.com/…
- What does looking under the hood of your browser reveal about you? – nakedsecurity.sophos.com/…
- Your mouse knows when you are lying – nakedsecurity.sophos.com/…
- Fileless malware targeting US restaurants went undetected by most AV – arstechnica.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
Where’s the picture of the console?