DTNS 2330 – B*A*S*H

Logo by Mustafa Anabtawi thepolarcat.comBreki Tomasson is on the show and while we will touch on a glaring omission from Healthkit, the main story is the bash vulnerability Shellshock. Thankfully Steve Gibson agreed to drop in and explain it to us!

MP3

Multiple versions (ogg, video etc.) from Archive.org.

Please SUBSCRIBE HERE.

A special thanks to all our Patreon supporters–without you, none of this would be possible.

If you enjoy the show, please consider supporting the show here at the low, low cost of a nickel a day on Patreon. Thank you!

Big thanks to Dan Lueders for the headlines music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, Kylde, TomGehrke and scottierowland on the subreddit

Show Notes

Today’s guest: Breki Tomasson, creator of the CSICon podcasting network and Steve Gibson, co-host of Security Now and head of the Gibson Research Corporation

Headlines

Last week a vulnerability in bash was reported to Red Hat by Unix expert Stephane Chazelas. The vulnerability was revealed late Wednesday. GigaOm has a good roundup of the details, but it essentially allows an environmental variable with an arbitrary name to carry a malicious function definition with trailing commands. That means it can get your server to execute code. It affects any OS that implements bash which includes Apache, most versions of Linux and Mac OS X. It also can include many routers, webcams and other embedded systems. Red Hat issued a partial patch and Akamai published some mitigation measures, but more fixes from more vendors are expected.

TechCrunch reports Apple says bent iPhone 6s are extremely rare and claims only nine people have complained to the company about it. Apple claims under normal use the problem rarely occurs and notes the new iPhones are built with steel/titanium inserts to reinforce stress locations. Apple also claims iPhone 6 models underwent testing to ensure they can endure bending, sitting, torsion and other kinds of stress.

Kotaku reports Valve released the Steam Music player for its desktop client. It’s not a streaming (or should we say steaming?) service just an in-game music player for your existing collection. So for instance if you want to be able to listen to Peter Gabriel’s Steam on the Steam Music Player, we now live in a world where that’s possible.

The PC is NOT DEAD! At least not in the US. NPD reports consumer retail PC sales grew 3% in the US from July 4th through Labor Day week. Last year sales declined 2.5% in that period. Chrome OS led the way increasing 37 percent over 2013 and Mac products rose 14 percent. Windows devices dropped 3%. Overall laptops rose 3.4% while desktop sales were essentially flat.

TechCrunch reports Apple apologized for the “great inconvenience” caused by its faulty iOS 8.0.1 update and claimed developers are working around the clock to prepare iOS 8.0.2 with a fix that will hopefully arrive in the next few days. Apple officially recommends rolling back iPhone 6 and 6 Plus from 8.0.1 to 8.

Reuters reports that European data privacy regulators gave Google guidelines on legally collecting and storing user data. Google came under privacy scrutiny from the European Union as well as six individual European countries after the company combined its privacy policies and data collection from sixty services into one, and giving users no way to opt out.

Apparently the EU feels a little warmer towards Facebook, because Reuters UK has two sources that say Facebook is about to win unconditional EU approval to purchase mobile messaging startup WhatsApp for $19 billion. European telecom companies like Deutsche Telekom and Telefonica want the EU to extract concessions from Facebook in light of WhatsApps plan to add free voice-call services later this year, but it looks like that may not happen. US regulators approved the deal in April.

 

 

News From You

BigJim1 submitted the ABCNews story on the successful arrival of India’s Mars Orbiter Mission and our subreddit users voted it up. The Indian Space and Research Organization is the first agency to be successful on a Mars mission in its first attempt. The orbiter program cost $75 million which Prime Minister Narendra Modi pointed out was less than it cost to make the movie Gravity. It’s also quite a bit less than the $671 million NASA spent on the Maven mission to Mars.

Kylde didn’t want us to miss the Technology Review report that Google X Lab’s head Astro Teller, speaking at the EmTech Conference on Tuesday, said Google aims to have a continuous ring of high-altitude balloons above the Southern Hemisphere within the next year. Project Loon as its called will provide LTE data service to cell phones on the ground at rates of 22 megabits per second to fixed antennas, and five megabits per second to mobile handsets. Teller said “if we can figure out a way to take the Internet to five billion people, that’s very valuable.”

Discussion Links:  Shellshock and a glaring Healthkit omission

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

http://www.reuters.com/article/2014/09/25/us-cybersecurity-shellshock-idUSKCN0HK23Y20140925

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

http://www.openwall.com/lists/oss-security/2014/09/24/11

https://twitter.com/taviso/status/514887394294652929

https://gigaom.com/2014/09/25/the-critical-shellshock-flaw-affects-many-linux-and-apple-systems-heres-what-you-need-to-know/

http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/

http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCRaXildXA4

http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/

http://www.theverge.com/2014/9/25/6844021/apple-promised-an-expansive-health-app-so-why-cant-i-track

Pick of the Day: SpeedCrunch via Cody Olivier

My pick is SpeedCrunch. As a game programmer and CS graduate student, I need a quick, straight forward, and simple calculator with some power behind it. Enter SpeedCrunch. It is a calculator that is completely controlled by your keyboard ( similar to command-line ) which supports user defined variables, a multitude of math functions, and comes with a table of scientific constants. It shows history, lets you retrieve previously entered equations, and my favorite feature is as you type in an equation, it will have a little pop-up with the current answer to the equation. This is very useful when I am adding up a lot of numbers and want to see the current total. It works for Windows and OSX and has a portable Windows version. I also believe the program is open source for anyone who wants to modify or look at the code.

Friday’s guest: Darren Kitchen and Len Peralta

2 thoughts on “DTNS 2330 – B*A*S*H

  1. This is for Jenny:

    Hey Jenny!

    To help you with your network connection, you may want to consider a powerline adapter. These provide a wired solution without having to drag an ethernet cable across the room. I use these all the time for wiring difficult or older structures where I can’t run cabling. They are super simple to install. Each adapter plugs into the wall and includes a short ethernet cable to run to your computer and internet connection (router, switch, etc.). I know, it sounds weird, but it uses the IEEE 1901 standard, so it’s an actual “thing” (grin).

    Don’t count on getting the advertised speed, but you will get at least 100 Mb/s. Also, for best results, be sure to use AC outlets that are on different breakers (circuits) and not shared with anything with a high-ampere motor, like a treadmill. Also, you can’t plug them into surge protectors, just directly into the AC wall outlet. No software needed, but they do include a Windows utility for configuring and monitoring them, useful if you have more than one.

    These are a good, secure and easy solution to having wired ethernet. You can get these at Amazon, Newegg and probably many other places. There are other models & brands available, I’ve used some different ones, but for the cost / performance benefits, these seems to work fine and I haven’t had any complaints from clients.

    More info:
    http://www.amazon.com/TRENDnet-Powerline-Nano-Adapter-TPL-406E2K/dp/B008F537KC/ref=sr_1_1?ie=UTF8&qid=1411839164&sr=8-1&keywords=trendnet+powerline

    Look this over and see if you think it will help. If so, let me know and I will send you one. I’m not a Patreon member, but I’ve been wanting to send some form of a donation to DTNS, so this will be my contribution. You and Tom do a great show and as a daily viewer, I’m happy to help out.

    You have my email if you need to contact me.

    Hope this helps!
    – Alan

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: