Sunday, April 23, 2017

Punycode

Wordfence is a security service for WordPress sites. I heard Leo Laporte talk about a recent post Wordfence had demonstrating a potential phishing technique.

To demonstrate this, Wordfence created a web site using a technique known as Punycode to encode the URL.

Here is a link to their demonstration site. Look closely at the address bar when you get there.

     https://www.еріс.com/

Here is a link to the real site. Look closely at the address bar when you get there.

     https://www.epic.com

Can you tell the difference?

So you think you're a real geek and you always right click on a link and select "Copy link address" and then paste it into Notepad to see what the link REALLY links to. Knock yourself out. Try it.

Now is a good time to start worrying.

The only way to discern the difference in the URL is to actually browse to the demonstration site. Then highlight the URL and copy it. Now paste it into Notepad.

     https://www.xn--e1awd7f.com

That "xn--" is the Punycode.
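
The decoding described above, as an added example (not code from Wordfence's post or from this blog): it converts a hostname between its Unicode and "xn--" forms and flags labels whose non-ASCII letters fold to plain ASCII. The confusables map is a small constructed sample, and the function names are this example's own.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic letters that render like Latin
# ones; a production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "і": "i", "ѕ": "s", "ј": "j"})


def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode-decoded if it starts with xn--)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed xn-- label: leave it in its ASCII form
    return label


def encode_label(label):
    """Return the ASCII (xn--) form of one DNS label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_host(host):
    """Decode a hostname and flag labels that only look like ASCII."""
    labels = [decode_label(l) for l in host.lower().split(".")]
    skeleton = [l.translate(CONFUSABLES) for l in labels]
    lookalike = [l for l, s in zip(labels, skeleton) if not l.isascii() and s.isascii()]
    return {
        "unicode": ".".join(labels),
        "ascii": ".".join(encode_label(l) for l in labels),
        "skeleton": ".".join(skeleton),
        "scripts": sorted(set().union(*(scripts(l) for l in labels))),
        "suspicious": bool(lookalike),
    }


if __name__ == "__main__":
    for h in ("www.epic.com", "www.xn--e1awd7f.com", "xn--mnchen-3ya.de"):
        print(inspect_host(h))
```

A legitimate internationalized name such as the third sample is not flagged, because its non-ASCII letter has no ASCII look-alike in the map.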

I hope you noticed that the demonstration site also showed the padlock in the address bar. You can thank LetsEncrypt for that.

There's a workaround in Wordfence's post for Firefox and reportedly a fix in version 59 of Chrome.

In the meantime, do you think this would fool your mother?



Sunday, April 16, 2017

Shadow Breakers

There have been several leaks of supposed NSA hacks recently. Generally they have been older vulnerabilities with minimal impact.

Microsoft responded with a blog post:

     Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.

However, there's somewhat of a back story.

You'll remember that Microsoft mysteriously pulled their February updates with no explanation.

Then in March Microsoft fixed several flaws with no attribution. You have to back into this discovery by matching this with this.

This Engadget article speculates on how/why this happened. There's more speculation from Quartz here.

Whatever happened, the result is that Microsoft did a good job of protecting their current platforms from the 0-day vulnerabilities. The same can't be said for the NSA.

Sunday, April 09, 2017

iOS 10.3.Whatever

tl;dr Install iOS 10.3.1 now

On March 27, 2017 Apple released iOS 10.3 with little fanfare. Here are their release notes:
iOS 10.3
iOS 10.3 introduces new features including the ability to locate AirPods using Find my iPhone and more ways to use Siri with payment, ride booking and automaker apps.

Find My iPhone
  • View the current or last known location of your AirPods
  • Play a sound on one or both AirPods to help you find them

Siri
  • Support for paying and checking status of bills with payment apps
  • Support for scheduling with ride booking apps
  • Support for checking car fuel level, lock status, turning on lights and activating horn with automaker apps
  • Cricket sports scores and statistics for Indian Premier League and International Cricket Council

CarPlay
  • Shortcuts in the status bar for easy access to last used apps
  • Apple Music Now Playing screen gives access to Up Next and the currently playing song’s album
  • Daily curated playlists and new music categories in Apple Music

Other improvements and fixes
  • Rent once and watch your iTunes movies across your devices
  • New Settings unified view for your Apple ID account information, settings and devices
  • Hourly weather in Maps using 3D Touch on the displayed current temperature
  • Support for searching “parked car" in Maps
  • Calendar adds the ability to delete an unwanted invite and report it as junk
  • Home app support to trigger scenes using accessories with switches and buttons
  • Home app support for accessory battery level status
  • Podcasts support for 3D Touch and Today widget to access recently updated shows
  • Podcast shows or episodes are shareable to Messages with full playback support
  • Fixes an issue that could prevent Maps from displaying your current location after resetting Location & Privacy
  • VoiceOver stability improvements for Phone, Safari and Mail

Weren't we all waiting for improvements in "Cricket sports scores?"

Well, there were a few more things in iOS 10.3. Good things. Things worth talking about. Things worth shouting from the roof tops about. But Apple didn't mention them in the release notice.

MacRumors noted:

     iOS 10.3 introduces a new Apple File System (APFS), which is installed when an iOS device is updated. APFS is optimized for flash/SSD storage and includes improved support for encryption. Other features include snapshots for freezing the state of a file system (better for backups), space sharing, and better space efficiency, all of which should result in a more stable platform. Customers updating to iOS 10.3 should first make a backup given that the update installs a new file system.

More on the storage savings from APFS later...

In a separate document from the release notice Apple casually mentioned a few security updates. Specifically it documents 89 CVEs (Common Vulnerabilities and Exposures).

You'd think Apple would tout that.

Maybe there was a reason they didn't though.

On April 3, 2017 Apple released iOS 10.3.1 with ONE security fix.

     Wi-Fi
     Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
     Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
     Description: A stack buffer overflow was addressed through improved input validation.
     CVE-2017-6975: Gal Beniamini of Google Project Zero

Read that again. Especially this part:

     Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

This is NASTY. The Register has a good summary. This is a problem in Broadcom's Wi-Fi stack, which is used by iPhones after the iPhone 4, by newer iPods and iPads, and by some Android phones including Google's Nexus 5, 6 and 6P and most Samsung flagship devices.

The good news is that Apple's ecosystem is able to respond very quickly to vulnerabilities such as this. The bad news is that Android can't.

On a related topic, the new Apple File System (APFS) that comes with the installation of iOS 10.3.Whatever yields significant savings in storage.

On my 16GB iPad Air, my available storage increased more than 1GB. It took about half an hour to install.




Sunday, April 02, 2017

Setting TuneIn Favorites on Amazon Echo

I bought an Amazon Dot on Black Friday and have been playing with it. One capability I really like is to play radio stations on it. However, it doesn't always choose the right radio station. Here's how to set TuneIn Favorites for your preferred radio stations.
You can add them as favorites within the TuneIn section of the Echo App or within the iHeart Radio section.  Both work the same way--so where it says "TuneIn" below, read "iHeart Radio" if that's the one you're working with. 
To do that, select TuneIn from the sidebar menu within the app.  Search for the station (I just searched for German radio and found Antenne Bayern, as well as a bunch of others.) It should switch to that and start playing. :D   You'll see the "play bar" at the bottom of the screen, below the list of search results.  Tap on the TuneIn or Station icon.  (Some stations have their own icon.) 
Now the station play bar will fill the right side of the app.  On the right side, you'll see "Queue" and "History" and the name of the current song underneath.
To the right of the song that's playing will be a little gray down arrow that is hard to see. Tap on that.  When you do, you should see the option "Favorite Station" in gray.  Tap on that.  It should turn red. 
*** 
Now, go to the Home Screen and tap on TuneIn again.  Scroll the right side of the app where it says Browse, Local radio, Trending, etc, to see the bottom of the list. 
Under Favorites, you should see your station and you can play them from there.  In the future, you'll only have to do the parts under the *** to play favorites.
https://www.kboards.com/index.php?topic=206521.0
While this is talking about a smart device app, I found that the web interface worked just the same.

Sunday, March 26, 2017

Nougat Explorer

I always wondered why Android didn't have a native file manager. Finally Android 7 Nougat has one. It's hidden deep in the Settings menu.



Thanks to gifmaker.me

Sunday, March 19, 2017

Android Backups in Google Drive

Update: This nice feature is now gone. Thanks Google.

Android has been taking device backups and sending them to the cloud for a while but it wasn't apparent where they were stored nor how long they were kept.

Google has updated Google Drive both on Android and the web to expose this information.

Here's how it looks on Android.


Tap on "Backups" and you'll see the list of devices backed up and when those backups will expire.


Keep on drilling down and you'll see which apps were included and when they last changed their data.



Sunday, March 12, 2017

Google Maps Traffic

How does Google Maps know about traffic? Here's what Business Insider reported.

     Here's how it works: All iPhones that have Google Maps open and Android phones that have location services turned on send anonymous bits of data back to Google. This allows the company to analyze the total number of cars, and how fast they're going, on a road at any given time.

Even Google has blogged about it.

     If you use Google Maps for mobile with GPS enabled on your phone, that's exactly what you can do. When you choose to enable Google Maps with My Location, your phone sends anonymous bits of data back to Google describing how fast you're moving. When we combine your speed with the speed of other phones on the road, across thousands of phones moving around a city at any given time, we can get a pretty good picture of live traffic conditions.

Don't believe everything you read on the Internet.

Google also uses traffic sensors.

     Contracting with these transportation agencies to share the data generated by the sensors proved to be a mutually rewarding endeavor for both parties; Google was able to expand its traffic services while the transportation agencies were able to defray part of the sensors’ costs.

But here's the creepy thing. At a lunch over the holidays, an executive in a Memphis-based logistics company told me how a Google executive had told him how Google gets location feeds from the cell carriers.

A little Google searching turned up more information.

     So how does Google know what traffic is like on the roads, nearly all the time? From our smartphones, of course. Whether you like it or not, “telephone companies have always known where your phone is,” Dobson says, because cell phone companies need to use location to appropriately charge customers for calls. That means the companies are constantly monitoring location based on the strength of signal to a cell tower, which allows the phone to switch towers as it travels.

GpsPasSion reported in 2011.

     Google now combines AirSage cell phone triangulations with their own gps probes. AirSage monitors both Sprint and Verizon phones totaling 150 million phones

More recently Fossbytes reported.

     Google also crowdsources location data from telecom companies. These telcos monitor user location data by a method called Trilateration, in which the distance of a user measured between two or three surrounding telecom towers is used to analyse the speed and location of the user.

Look at this detail from Google Maps. There's no way that they could get this much detail from a handful of users running Google Maps.


It takes a little reading between the lines to discern that the cell carriers are selling location data to Google but my source is impeccable.