Barkings! | The Small Dog Apple Blog

A blog about our business, our industry, and our lives. You'll find posts from everyone at Small Dog and if the dogs could blog, they'd be here, too!


Diagnosing & Treating Bash "Shellshock"

OS X is a descendant of a long lineage of UNIX operating systems, from which it inherits its incredible stability and enhanced security. However, the past two weeks have uncovered numerous bugs in a core piece of software relied on by many UNIX operating systems, OS X included: bash (Bourne-again shell). It turns out that these bugs have been very long standing and can be exploited in numerous ways to provide unchecked access to a computer (in some cases remotely) with an afflicted version of bash installed. Due to the surprise and scope of this vulnerability, many have dubbed it “Shellshock”, in reference to the combat fatigue experienced by soldiers, but it’s really not a fair comparison to the effects of war.

A “shell” is a program that interprets and acts on textual commands either entered directly by a user at a terminal (or using a virtual terminal like the Terminal app found in /Applications/Utilities on OS X) or from a file containing one or more commands to be run automatically (sort of like a player piano, if that’s even a useful analogy anymore.) Bash is a very common shell program and is the default on many UNIX operating systems, including OS X (as of Mac OS X 10.3 Panther). If you’ve ever opened up the Terminal app and run a command in the last decade, you’ve used bash.

I personally write a fair number of scripts in the bash language to automate various processes on my computers and servers, primarily because it is so ubiquitous. It may be partly because I’m a bit of a masochist, but—as a server admin—I also find it helps me perform tasks more efficiently when working in Terminal since it is the default. Needless to say, I immediately started investigating the bugs and the attacks, and testing OS X workstations and servers.

Fortunately, without very specific custom configuration, OS X is not vulnerable to remote attacks through the afflicted version of bash, as echoed in the following statement from Apple (given to Jim Dalrymple of The Loop):

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. […] With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.

None of the OS X 10.6 Snow Leopard through OS X 10.9 Mavericks systems I tested were vulnerable to remote attacks; however, all versions were susceptible to local attacks. The bugs are such that malicious commands can be inserted into “environment variables” (just what they sound like: data that exists in the environment in which individual shell scripts are run and therefore can be accessed by many scripts) and will be automatically executed upon any bash command or script being run. Not good. Since there are multiple bugs, there are different ways to test for each, but I find running the ‘bashcheck’ script to be a very convenient way to test for all of them at once.
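A local self-test for the first of these bugs, added here as an example (it is not the ‘bashcheck’ script and not code from the original post): it places a function-style value in an environment variable and checks whether the shell runs the harmless `echo` appended to it. The variable name `probe`, the marker string and the list of shell paths are assumptions, and a "not vulnerable" result covers only this one bug, not the later ones.

```shell
#!/bin/sh
# Added example: self-test for the environment-variable function-import bug.
# The probe only echoes a marker string; nothing else is executed.

MARKER="SHELLSHOCK_PROBE_MARKER"   # constructed marker, chosen for this example

# shell_version SHELL_PATH
# Prints the bash version of the binary, or "not bash" (e.g. dash as /bin/sh).
shell_version() {
    "$1" -c 'echo "${BASH_VERSION:-not bash}"' 2>/dev/null || echo "unknown"
}

# check_env_import SHELL_PATH
# Prints "vulnerable", "not vulnerable" or "missing" for the given binary.
check_env_import() {
    target="$1"
    [ -x "$target" ] || { echo "missing"; return 0; }
    # A fixed bash treats the value as plain data, so the trailing
    # echo never runs and only "done" appears in the output.
    out=$(env probe="() { :;}; echo $MARKER" "$target" -c 'echo done' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# report
# Checks every copy of the shell, since a manually installed bash
# (assumed here to live in /usr/local/bin) does not replace /bin/bash.
report() {
    for shell in /bin/bash /bin/sh /usr/local/bin/bash; do
        result=$(check_env_import "$shell")
        if [ "$result" = "missing" ]; then
            printf '%s: not installed\n' "$shell"
        else
            printf '%s (%s): %s\n' "$shell" "$(shell_version "$shell")" "$result"
        fi
    done
}

report
```

Run it again after installing an update: every path that still reports "vulnerable" is a copy of bash the update did not replace.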

The bash developers and community have worked feverishly to investigate and fix these bugs. Apple has released “OS X bash Update 1.0” which includes fixes for the initial pair of bugs, but it unfortunately does not address subsequent bugs. As a further inconvenience, Apple does not provide this update via Software Update or the App Store, so you must download & install the appropriate update for your version of OS X:

OS X bash Update 1.0 – OS X Lion (10.7)
OS X bash Update 1.0 – OS X Mountain Lion (10.8)
OS X bash Update 1.0 – OS X Mavericks (10.9)

For those of you running Mac OS X 10.4 Tiger through 10.6 Snow Leopard on much older Macs, the developers of TenFourFox (an open-source version of the Firefox web browser specifically for older PPC & Intel Macs), provide a download along with detailed instructions to install a version of bash that fixes all the known vulnerabilities at this time. It does require command line experience, so is not for the faint of heart. The updated version provided by the TenFourFox team can also be used on OS X 10.7 Lion through 10.9 Mavericks and actually installs the very latest 4.3.x version of bash as opposed to the older 3.2.x version that Apple includes by default (and provided the partial fix for). This newer version of bash also has some benefits that programmers might enjoy, but it comes at the risk of possibly being downgraded by a future OS X update from Apple.

If you never use the Terminal app, I’d suggest you at least apply the appropriate version of “OS X bash Update 1.0” and any future updates that Apple might release to fix the additional vulnerabilities. For those of you who use Terminal with any frequency, you’ll want to proceed with caution and weigh the pros & cons of relying on Apple’s partial update or manually updating to the latest version of bash for your particular use.


A Candle-Powered iPhone?

If you’ve been reading Kibbles and Bytes over the past few months, you might have noticed I’ve written more than once about power and electricity. A few weeks ago, I wrote about generating electricity and how watts work. In that article, I mentioned that I’ve experimented with thermoelectric electricity generation and I thought this week I’d explain a bit about what that is and how it works. Spoiler alert: it’s pretty cool!

Sometimes it can seem like our iPhones are just electricity black holes. Sure, they last a pretty long time, but they still need to be charged a lot. This problem has spawned a whole line of products to help charge our devices when a wall outlet isn’t available. Most of these that I’ve seen are based on solar. We even carry a number of solar-based charging systems by Goal Zero. These are really cool products, and they work really well, but you probably already know the catch: Without sunlight, all they can do is look nice.

With this in mind, I set out to see if I could use thermoelectric generation to generate power on demand. Thermoelectric generation uses something called the Seebeck Effect. When you have two dissimilar metals joined together in a loop, a temperature difference between the junction points will create a current. You can use any two metals, but modern devices use a P-N semiconductor junction. These tiny semiconductor pieces are small (sometimes only about 1/8” cubes) so dozens (or more) are linked together to form a thermoelectric module. When you apply heat to one side, and cool the other side, the module generates electricity.

Could you use one of these to charge something like an iPhone? Yes and no. These modules are typically only 5%-8% efficient, so you need to work really hard to get appreciable power from them. In my design, I used a 5-watt module and a tea light candle. 5 watts is enough to charge a smartphone, but to get that power, the hot side needs to be about 300C and the cold side would need to be around 25C. That’s a hard differential to create, and I was never able to do quite that well.

There are things you can do with that low power though, and having it on-demand allows it to be useful in ways solar panels can’t be. One thing you can do is use your own body heat to power an LED flashlight. How is that possible? LEDs don’t need a lot of current, but they do need a few volts. The small voltage generated from the heat of your hand can be boosted to drive the LEDs. Thermoelectric generators also power deep space probes. Out of reach of the sun’s rays, they use heat from radioactive isotope decay to drive the generators. One final application is in waste heat energy harvesting. Thermoelectric generators are used to capture waste heat energy from industrial processes to improve energy efficiency.

Obviously you can’t use radioactive isotopes to generate your power, but a few companies have developed thermoelectric generators for the consumer market. The most famous is probably the Bio-Lite camp stove. They claim it can charge an iPhone, which is probably true, but I expect it takes a very, very long time. Since it’s a stove, you also can’t use it indoors. Another company, Tellurex, has a device you can run with a tea light candle (like my design) called t-POD. I actually bought that one to try, and I have to say, it works really well. It comes with a bright LED light it powers, but I’ve plugged in other small circuits as well.

For now it looks like we’re mostly stuck with solar when it comes to powering our devices without a wall outlet, but we might see that change in the near future.


New Year, New You

…OK, so that’s a little hokey. I’m of the belief that a few resolutions are a good thing, but that they shouldn’t be so grand that they’re wildly out-of-reach. For me, details always help, but the more detailed they are, the fewer I should commit to. Example: I will make the time to hike Camel’s Hump this year. It’s not too realistic with my schedule to also plan to do Mt. Mansfield, Mt. Abe, and Mt. Elmore since there are only about 12 days of summer in Vermont anyway, am I right?

Anyway, I also believe that technology can aid in one’s resolve to be better in the new year. (Case in point: I was surprised to find out that my mom had a FitBit Wristband; she still uses a flip phone that’s about 10 years old and has no desire to upgrade. However, when the time comes, I think she’d love the integration with the app…just sayin’.) I’ve compiled a list of five apps that just might help you get things started right in 2014.

LiveStrong MyQuit Coach – Dare to Quit Smoking – Free ($.99 ad-free)
If you’re still a smoker, this should be goal #1. I can’t say I’ve tried this myself, but it gets high ratings from users, and I’ve polled some ex-smokers about the interface and what their biggest obstacles were to quitting. MyQuit Coach is physician approved, and it helps you set attainable goals to finally quit the habit.

Smoke Free – Free (It’s worth including a second one since it’s such a good resolution!)
Smoke Free’s interface is also very clean, and its approach includes a monetary angle — it’s pretty sobering to see how much you’ve been spending on cigarettes, and gives you “total $ saved” data along with positive statistics to help you stay on track.

Lose It! – Free ($39.99/yr for premium features)
There are a lot of calorie counting and weight-loss apps out there, and I’m partial to Lose It. I’ve always liked the interface, and I find it easy to navigate and add custom foods and meals. It’s a great way to really see just how good/dysfunctional your daily habits might be when it comes to food and exercise. I’ve had this app for several years, and I’m planning to accelerate my goals in 2014 to get back to a pre-baby, pre-mid-thirties weight.

Simply Being – $.99
Maybe it’s the Vermont getting to me, but I’ve found that it’s nice to slow down a bit to keep relaxed and centered. The biggest challenge for me is to turn my brain off, and get away from distraction, including feeling tethered to my phone. Ironically, I’m turning to Simply Being to do that. You can choose from four meditation times, and it has the option to listen to guided meditation with or without music or nature sounds. Bonus: It’s been recommended by The New York Times, Huffington Post, Yoga Journal and others. Mmmmm…I’m relaxed already.

iHome+Sleep – Free
Keeping with the relaxation theme, iHome+Sleep is a great app to track your sleep habits and ultimately, reap the health benefits of a good night’s sleep. It’s a fully-featured alarm with multiple settings and options. I’m not a morning person…at all…and I’m a firm believer that waking gently keeps you better prepared for the day. iHome+Sleep also allows you to log your sleep times, giving you a better sense of how much time you actually spend in quality slumber.

Try ‘em out. You can’t lose (except maybe a few pounds).


Send Holiday Cards Right from Your iOS Device

The holidays are a time for sending cards, right? I don’t receive many cards throughout the year, but December is a different story. The cards seem to roll in and my fridge becomes covered with my friends’ and family’s cute cards.

These days, there are numerous online card sites for creating and ordering your own cards that make it easier than ever. The holiday season is also insanely busy for a lot of people (especially those who work in retail!), so if you’d like to send out a card but feel as if you won’t have time to stuff, address and mail numerous envelopes, consider sending them from your iOS device — saving you time and money!

Here are some great Holiday card apps that are worth taking a look at:

Martha Stewart CraftStudio (Free) — Of course she has a card app…she’s Martha after all! Create cards for any occasion and then share them digitally, print out or send to Snapfish to be printed.

Red Stamp (Free) — This is the app I use for sending cards and it is easy-peasy! Great templates to choose from with great fonts and colors to make your card look highly professional. Again, you can send digitally or have it sent to be printed.

Vintage Christmas Cards ($1.99) — For those of you who celebrate Christmas and prefer a more traditional, vintage looking Christmas card, this is just the app for you. With over 100 different cards pulled from the Victorian Era to Post-War America, you’ll have some great cards to choose from.

Lifecards ($1.99) — If you’re more into the postcard style of sending a card, this is a great app. Scroll through all those photos on your phone and create a great photo collage to send to your friends and family!


APP REVIEW: Limbo

Limbo: perfect game for Halloween night (or any other night actually)!

Limbo, by Playdead, is probably one of my favorite games of all time. When I heard that there was going to be a port for iOS, I was very excited, but at the same time a little nervous. It wasn’t the visual style, the sound, or the atmosphere, that I felt wouldn’t translate; it was the controls.

That’s not to say that reflex-based games don’t work on iOS; it’s that they have to be set up a certain way to get the same type of responsive feedback that a player would expect from a keyboard or a controller. After playing the game for a while, I was happy to put the fears to rest. To control the boy, you can swipe in any direction, and the boy will move. Actions such as grabbing a lever or jumping are done with your right hand; swiping in an upwards direction will get the boy to jump, and holding your thumb on the screen will get the boy to grab an object.

The story of Limbo isn’t all that obvious, and to this day, it’s still up for interpretation. The game involves a boy who is looking for his sister. There are no weapons or random characters to help you on your search; you’re on your own from beginning to end. The environment is presented in a monochromatic, slightly grainy, film noir style. You could make the argument that this is supposed to be a horror game with some sort of death awaiting you around every corner; however, I view it as a game that’s more than that.

In order to solve the game’s many puzzles and traps, you need to be able to think quickly. The checkpoint system is pretty forgiving; even after making a mistake you won’t have to travel very far to try again. Much like Super Meat Boy, or Braid, Limbo’s gameplay is very much trial and error, which at times can be frustrating. However, it’s very rewarding when a puzzle is solved or when a trap is avoided. The game is a little short, and very linear, which may be a downside to some. In all honesty, I don’t feel this is a game that would benefit by having multiple paths or being a longer game.

This is one of the finest games ever released in the App Store, and even if you’ve played Limbo before, you need to experience the game in your hands. I can’t really explain it, but there’s something that’s just so inexplicably cool about it. The game looks and sounds amazing and the world you’re thrown into is so dark and mysterious, and is just begging to have all of its secrets uncovered.

If you somehow missed out on Limbo three years ago, take a chance on it. This game is a classic.

Limbo is available on the App Store for 4.99.
