NosillaCastaways go see Mamma Mia!, I solve some interesting challenges with the new Touch Bar MacBook Pro, I explain how not to do Migration Assistant when getting a new Mac and Bart Busschots joins us for another lively session of Security Bits.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Monday November 28, 2016 and this is show number 603. I really appreciate you guys waiting an extra day for the show so that Steve and I could go see the musical Mamma Mia! Yesterday. There’s actually a connection to the podcast.
Shai has been on the podcast several times. He’s a singer, a dancer, a photographer and a videographer. We can’t afford to have him on the show too often because the plugins he recommends are SO expensive! We went to see Mamma Mia! because he was playing the lead male character, Sam! NosillaCastaways and friends Dorothy (aka @maclurker), Pat Dengler (aka @yourmacdoctor) and Brett (aka @bcanedy) said we should do a meetup, and then Steve got involved and suddenly I find out I’m going to something with music in it!
Then I got a crazy idea. Barry Fulk, the master mind of the Midwest Mac BBQ and cohort of Mike Potter’s in creating Macstock, has another hobby and that’s surprising people by showing up to things. I texted Barry, asked him if he wanted to surprise everyone (even Steve) and show up at Mamma Mia, and ten minutes later he had booked his flights. Watching Steve answer the door the day of the event and having Barry standing there was spectacular. Steve says he can’t trust me any more.
Anyway, it was fantastic to see Shai performing this role in front of 3000 people. I have so many favorite parts about this, but one of the real highlights was meeting his lovely and hilarious wife Jessica.
This might be a good excuse for a bunch of NosillaCastaway meet ups though – the show is on tour around the US. I know Denise is going when they get to Austin so maybe this could be a “thing!” If you’re listening to the show, Shai will consider you a friend. They’ll be in Washington, Pennsylvania, Maryland, Virginia (I’m looking at you, Kevin), Maryland, Iowa (come on Kirschen, start a party), Kansas, Oklahoma for George, Utah for Dean, Minnesota…pretty much everywhere! I put a link in the show notes to the Mamma Mia! touring schedule so start organizing! Ok, enough goofing around, we should probably do some tech stuff, right?
Chit Chat Across the Pond
In Chit Chat Across the Pond Bart gave me another two weeks to get my homework done on Programming By Stealth and brings us a case study of how to create a JavaScript API on GitHub. He uses a real-life example of a small, open source library he released over the weekend called bartificer.linkToolkit.js. This library includes many of the bits and pieces we’ve been working on in Programming By Stealth: how to add rel="noopener" to all links with a target of _blank (the ones that open in a new tab), and how to add a little icon to a link to politely tell the reader that they’ll be navigating away from the page they’re on. It’s a great lesson in the structure of how GitHub works and, even more importantly, how it automatically creates beautiful documentation from Markdown comments in the code.
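The noopener fix described above, as an added example that is not Bart’s bartificer.linkToolkit.js: a link with target="_blank" gives the new page a window.opener handle back to the opening page, and adding rel="noopener" severs it. The helpers below work on any element-like object with getAttribute/setAttribute (real anchors in a browser, or the constructed stub included here for offline use).

```javascript
// Added example (not bartificer.linkToolkit.js). Ensures every link that opens
// in a new tab carries rel="noopener", so the opened page cannot reach back to
// the opener via window.opener (the "reverse tabnabbing" problem).

// HTML treats the _blank keyword case-insensitively, so normalise before comparing.
function opensInNewTab(el) {
  const target = el.getAttribute('target');
  return typeof target === 'string' && target.trim().toLowerCase() === '_blank';
}

// Adds the noopener token to rel, preserving any tokens already present
// (e.g. "nofollow"). Returns true if the attribute was changed, false if the
// link does not open in a new tab or already has noopener (idempotent).
function secureNewTabLink(el) {
  if (!opensInNewTab(el)) return false;
  const tokens = (el.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
  if (tokens.some((t) => t.toLowerCase() === 'noopener')) return false;
  el.setAttribute('rel', [...tokens, 'noopener'].join(' '));
  return true;
}

// Applies secureNewTabLink to a list of anchors; returns how many were fixed.
function secureAllLinks(anchors) {
  return anchors.reduce((n, a) => n + (secureNewTabLink(a) ? 1 : 0), 0);
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function makeAnchor(attrs) {
  const map = { ...attrs };
  return {
    getAttribute: (k) => (k in map ? map[k] : null),
    setAttribute: (k, v) => { map[k] = v; },
  };
}

// In a real page: secureAllLinks(Array.from(document.querySelectorAll('a[target]')));
```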
Blog Posts
Touch Bar MacBook Pro Challenges and Solutions
How Not to do Migration Assistant
Patreon and Amazon
It’s that holiday season again, and if I know you, you’re shopping online like a good little geek without leaving your house so you don’t have to talk to real people. I bet at least some of the time you’re shopping on Amazon. It would delight me if you went to podfeet.com when you think of Amazon, clicked on the big Amazon button (which is not a tracker and doesn’t have embedded JavaScript; it’s a plain old image) and then did your shopping. A small percentage of what you spend goes to help support the podcasts. I don’t care if you’re buying diapers or that SSD your sister really wants, every little bit helps.
If you’d rather support the show through Patreon with a monthly pledge, head on over to podfeet.com/patreon. Your support is much appreciated.
Security Bits
Important Security News
- The Locky ransomware has found a new way to spread by exploiting a bug to force-download malicious image files through FaceBook and LinkedIn – when a user opens these files, they get infected with the ransomware – arstechnica.com/…
- Security researchers discover data-stealing malware on cheap Android phones from manufacturers including BLU. The malware sends a lot of personal data back to servers in China, and its authors say it was designed to collect data for selling ads, and should only have been deployed in China (editorial by Bart: as if that somehow makes it OK?!). BLU say they have issued an over-the-air patch to turn off the spyware – arstechnica.com/… & nakedsecurity.sophos.com/…
- The US Department of Homeland Security (DHS) have released “Strategic Principles for Securing the Internet of Things” – www.dhs.gov/…
- PoisonTap has been released; it is free software that turns a $5 Raspberry Pi Zero into a hardware password-stealing device. The device weaponises the fact that even when locked, Mac and Windows computers auto-install network devices (we discussed this research on this segment recently) – arstechnica.com/… & nakedsecurity.sophos.com/…
- Twitter have expanded their mute service to help empower users against trolls – www.macobserver.com/…
- WhatsApp to add end-to-end encryption to their video calls – nakedsecurity.sophos.com/…
- Security researchers have released details of a very scary-sounding bug which they have (rather dishonestly IMO) named get-root-on-linux. The bug requires physical access, only affects encrypted systems, and doesn’t bypass the encryption in any way. It just gives attackers access to the /boot partition, which contains none of your actual data. In theory this could allow attackers to install a key logger to get your disk encryption password, but if they have physical access, it’s probably easier just to stick a cheap USB hardware key logger between your keyboard and your computer – nakedsecurity.sophos.com/…
- There was controversy as the internet discovered that Apple syncs encrypted call log data between your devices so they can implement their continuity features (Editorial by Bart: IMO this was an invented ‘scandal’ to make money for publications through click-bait, there is simply no ‘there’ there) – www.imore.com/…
- A limited lockscreen bypass has been discovered in iOS – it allows attackers to see your photos, messages, and contacts without knowing your password. It does not give attackers any more access than that though – nakedsecurity.sophos.com/…
- Security researchers have discovered a critical vulnerability that allows remote rooting of millions of Android devices in use all over the world. The devices are all running firmware from a company named Ragentek, and it does not properly validate over-the-air updates, allowing attackers to install any code they want if they can get to a man-in-the-middle position. The firmware also proactively reached out to a number of domain names for instructions, and the company had failed to register two of those domains – had a malicious party registered those domains, they could have taken over all affected phones. Thankfully, security research firm BitSight registered the domains instead, and is now using them as a sinkhole to try to figure out exactly how many phones are affected, and what makes and models they are. ATM, the biggest offender is BLU, but while they make up the plurality of the identified affected devices, they only account for a little over a quarter of affected devices. ATM, over 47% of vulnerable devices remain unidentified, so expect many more vulnerable makes and models to be identified in the coming days and weeks – arstechnica.com/…
- Having been caught recommending expensive fixes for non-existent problems, Office Depot and Office Max will stop using a malware scanner from disgraced company Support.com, who agreed to pay $8.5M to settle a lawsuit accusing them of misrepresenting the results of free malware scans in order to charge fees for fixing non-existent problems – arstechnica.com/…
- Firefox has released a privacy-oriented browser for iOS that blocks trackers – nakedsecurity.sophos.com/…
- Google has issued warnings to journalists and academics, including Nobel Prize winner Paul Krugman, that nation states have attacked their accounts – arstechnica.com/…
- The New York Times reports that Facebook has tasked its engineers with creating censorship software which would allow China to prevent stories it did not like from appearing in users’ feeds – nakedsecurity.sophos.com/…
Notable Breaches
- Adobe will pay $11M to settle a lawsuit filed against it by 15 US State Attorneys General regarding its epic 2013 data breach – krebsonsecurity.com/…
- A bug in social media site Ello’s code caused it to expose usernames and passwords in URLs. The bug has now been fixed, and because the site served pages over HTTPS, the damage is probably quite limited. However, because the usernames and passwords were included in URLs, they have probably been recorded in the logs of corporate proxy servers (Editorial by Bart: probably best to change your password, just in case, and if you re-used it, to change it everywhere else you did that bold thing!) – nakedsecurity.sophos.com/…
- The US Navy has warned that personal data, including social security numbers, of more than 130k sailors has leaked through a compromised laptop – arstechnica.com/… & nakedsecurity.sophos.com/…
Suggested Reading
- Off Topic – with the demise of Apple’s Airport line, this overview of the best of the competition from Dave Hamilton might be interesting to some (I’m leaning towards Eero myself ATM) – www.macobserver.com/…
- ClickClickClick is a simple web page released by Dutch media firm VPRO to illustrate just how much a website knows about your activities as you browse it – nakedsecurity.sophos.com/…
- Security researchers unveil BlackNurse, a new DDoS attack that is so potent a single laptop can take out a large corporate firewall, and hence take the entire network behind it offline – arstechnica.com/… & nakedsecurity.sophos.com/…
- A security researcher has demonstrated a whole new approach to bypassing Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP). The attack targeted GStreamer on Fedora, but is not particularly practical in the real world. This is academically interesting rather than a reason to panic – arstechnica.com/…
- Security researchers have used a common feature available in the majority of audio chipsets to turn speakers into microphones. They have dubbed the attack SPEAKE(a)R – nakedsecurity.sophos.com/…
- Concern over overly broad action by FBI on darkweb case – nakedsecurity.sophos.com/…
- The WordPress mega-hack that could have been, but wasn’t – nakedsecurity.sophos.com/…
Palate Cleanser
A history of hard drives from BackBlaze – www.backblaze.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], and follow me on Twitter @podfeet. Remember, everything good starts with podfeet.com/: podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.