Friday, September 26, 2014

BAD iOS 8

Greetings:

I received this from Chelanie Israel this morning.  If you are running a recent iPhone and want to upgrade to iOS 8 - OR - if you have already updated to iOS 8, PLEASE read the following message (only slightly edited for content and space).

===================================
iOS UPDATE:  The update (8.02) to the bad code was released Thursday night (9/25/14) about 10 pm. I have tested the new update and we are ready to update iOS devices (iPads and iPhones) from 8.0 to 8.02 or you can move from 7 to 8.02 safely. Please do so as quickly as you can.

FYI: The original code that was affected was 8.01. It was released Thursday morning (9/25/14) at 6:00 am CST and pulled from the Apple servers at 9:00 am CST.

On the same note, there is a vulnerability that was found early yesterday and confirmed on all of the following:
  • Linux
  • BSD
  • MacOS
  • iOS if Jailbroken
  • Android with bash services turned on
  • Windows machines running IIS (server software).

If you haven't upgraded to iOS 8.02, please do so, as this will protect your iPads and iPhones (which are not supposed to be affected, but this is something that is being suggested by Apple). If you have a jailbroken phone, you will need to restore your iPhone to factory settings until they can fix the Cydia breakpoint.

All versions of MacOS are vulnerable at this point. I have a call with Apple this morning (9/26/14) to find out if they will have a software update today.  So far, nothing.  I will be updating both of my servers this evening.

All versions of Mac OS Computers have the Shellshock vulnerability. However, some are more susceptible than others. To be completely safe you will need to update your bash (part of your command line from the BSD which is part of your operating system) from 3.2.51 to 3.2.53. This is done via one of two ways:

1. You can manually update the machine through the terminal
2. You can use the software update to do the update when it is available.  It looks as though this will be sometime within the next week.

Most personal machines are not vulnerable to Shellshock as someone would have to crack the firewall or router to which you are connected, to access your machine.  If you are only accessing the internet via your home or office network, then you have reasonable safety.  If you have a double firewall, again you have reasonable safety, but your machine is still vulnerable to Shellshock.

You can also make sure that Sharing, Remote Login and Remote Management are turned off. Although this helps, this does not fix the vulnerability to Shellshock.

The reason you may want to update manually is because your machine either sits on the web for people to access (i.e. servers) or you travel and use public WiFi (i.e. hotels, McDonald's, Starbucks, etc) often. If you are using a private MiFi device, that is not a public WiFi.

What is Shellshock? It is a vulnerability or hole in the code that allows someone to take over your computer without you giving them permission. It is definitely something that needs to be protected from.

______________________________________
Chelanie Israel aka Miss Mac

email:    chelanie@missmac.ch • missmac@mac.com
web:    http://www.designbymissmac.com
blog:    http://www.dearmissmac.com
twitter:     MissMacsMuses
                c: 214.718.1967  • f: 469.327.0843

======================================
Later on Chelanie sent this out:

From a terminal window:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ # Note: The bash32-053 patch does not apply cleanly on OSX because
$ # of a missing y.tab.c file. This can be ignored or the alblue
$ # one used instead. Upstream commits the y.tab.c file so doesn't
$ # have that problem.
$ # Not-yet-released-patch - replace alblue.bandlem.com line with:
$ # curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ curl http://alblue.bandlem.com/bash32-053.patch | patch -p0
$ cd ..
$ sudo xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.53(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

To verify it worked:

$ bash --version

Source: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an


======================================
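
Two checks to run on a machine after the rebuild, as an added example that is not part of Chelanie's message or of the Stack Exchange answer it came from: a parser for the first line of `bash --version` that applies the 3.2.53 threshold she gives for Apple's 3.2 line, and a behavioural self-test that asks the installed bash whether it still executes a command appended to a function definition imported from the environment (the Shellshock defect, CVE-2014-6271, which the bash32-052 patch removes). The function names, the PROBE variable and the SHELLSHOCK_MARKER string are my own; the script assumes bash is on PATH and reports "no-bash" otherwise, and it only knows the threshold for the 3.2 line, so any other major.minor is reported as unknown.

```sh
#!/bin/sh
# Added example; not part of the original post or the forwarded message.
# Assumption: bash is on PATH (shellshock_check reports "no-bash" if not).

# bash_version_ok "<first line of bash --version>"
#   exit 0 : a 3.2 build at 3.2.53 or later (the threshold given above)
#   exit 1 : a 3.2 build older than 3.2.53, rebuild still needed
#   exit 2 : line could not be parsed, or not a 3.2 build (threshold unknown)
bash_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/.*version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver          # $1=major $2=minor $3=patch level
    if [ "$1" -eq 3 ] && [ "$2" -eq 2 ]; then
        [ "$3" -ge 53 ]
        return           # status of the comparison above
    fi
    return 2
}

# shellshock_check prints "vulnerable", "patched" or "no-bash".
# Version strings can mislead (a rebuilt binary that never reached /bin
# still reports the old version), so this is the check that matters.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Constructed probe: an empty function body followed by a marker command.
    # A vulnerable bash prints the marker while importing the variable,
    # before it runs the 'true' it was actually asked to run.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Report for the local machine. Statuses are captured explicitly so a
# failing check never aborts the script.
if command -v bash >/dev/null 2>&1; then
    line=$(bash --version 2>/dev/null | head -n 1)
    bash_version_ok "$line" && status=0 || status=$?
    case $status in
        0) echo "version check: $line (3.2.53 or later)" ;;
        1) echo "version check: $line (older than 3.2.53, rebuild needed)" ;;
        *) echo "version check: $line (not a 3.2 build; threshold above does not apply)" ;;
    esac
fi
echo "behavioural check: $(shellshock_check)"
```

Save it as, say, check-bash.sh and run `sh check-bash.sh` after the `sudo cp` steps; a good result is a version line at 3.2.53 or later and "behavioural check: patched". If the version line is right but the behavioural check still says "vulnerable", the patches did not actually apply to the binary that was installed.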

Here is a link to an InfoWorld article on Shellshock:

http://www.infoworld.com/article/2687975/security/four-no-bull-facts-to-know-about-the-shellshock-bash-bug.html

I hope this helps some of you.  If not, contact Apple Support - if you can get through their clogged telephone lines right now.  And, as usual, it is a crisis with the weekend coming up.

Shalom
Ya'akov

Thursday, September 4, 2014

Wet Blankets Throughout History

Greetings:

To help develop an open-minded and defiant attitude toward others' rejection of your ideas, remember that many creative contributions are initially met with skepticism if not outright hostility.  Keep a list of creative contributions that we now know to be significant but that were once thought to be crazy, stupid, useless, offensive and doomed to failure.  The next time you or someone you know has an idea, it is better to give the idea a chance - or at least not to immediately shoot it down - than to be one of those who always say, "That won't work." or "That is a bad idea" or "That is too risky" and, hence, never do anything great.  Here are some examples to begin your list:
  • "This 'telephone' has too many shortcomings to be seriously considered as a means of communications.  The device is inherently of no value to us." [Western Union internal memo, 1876]
  • "The wireless music box has no imaginable commercial value.  Who would pay for a message sent to nobody in particular?" [David Sarnoff's associates in response to his urgings for investment in the radio in the 1920's]
  • "The concept is interesting and well-formed, but in order to earn better than a 'C,' the idea must be feasible." [A Yale University management professor in response to Fred Smith's paper proposing reliable overnight delivery service.  Smith went on to found Federal Express Corp.]
  • "Who the hell wants to hear actors talk?" [H. M. Warner, Warner Brothers, 1927]
  • "I'm just glad it'll be Clark Gable who's falling on his face and not Gary Cooper."  [Gary Cooper on his decision not to take the leading role in "Gone With The Wind."]
  • "A cookie store is a bad idea.  Besides, the market research reports say Americans like crispy cookies, not soft and chewy cookies like you made." [Response to Debbie Fields' idea of starting Mrs. Fields's Cookies]
  • "We don't like their sound, and guitar music is on the way out." [Decca Recording Company rejecting the Beatles, 1962]
  • "Heavier-than-air flying machines are impossible." [Lord Kelvin, President, Royal Society, 1895]
  • "If I had thought about it, I wouldn't have done the experiment.  The literature was full of examples that said you can't do this."  [Spencer Silver on the work that led to the unique adhesive for 3-M "Post-It" notepads.]
  • "So we went to Atari and said, 'Hey, we've got this amazing thing, even built with some of your parts, and what do you think about funding us?  Or, we'll give it to you.  We just want to do it.  Pay our salary, we'll come work for you.'  And they said, 'No.'  So then we went to Hewlett-Packard, and they said, 'Hey, we don't need you.  You haven't got through college yet.' "  [Apple Computer Inc. founder Steve Jobs on attempts to get Atari and H-P interested in his and Steve Wozniak's personal computer.]
  • "Professor Goddard does not know the relations between action and reaction and the need to have something better than a vacuum against which to react.  He seems to lack the basic knowledge ladled out daily in high schools." [1921 New York Times editorial about Robert Goddard's revolutionary rocket work.]
  • "You want to have consistent and uniform muscle development across all of your muscles?  It can't be done.  It's just a fact of life.  You just have to accept inconsistent muscle development as an unalterable condition of weight training." [Response to Arthur Jones, who solved the "unsolvable" problem by inventing Nautilus.]
  • "Drill for oil?  You mean drill into the ground to try and find oil?  You're crazy!" [Drillers whom Edwin L. Drake tried to enlist to his project to drill for oil in 1859.]
I am not sure of the original author of the above but this went the rounds when I was at FedEx back in 1995-1997.  I think that Fred Smith must have been the instigator but we could never prove it.  :-)  If you have any more "documented" Wet Blankets, please send them to me or post them in the comments section.  Thanks,

Shalom,
James