June 2019: Web browsers, continued

Web browsers continued as the meeting topic at the June 18, 2019 Strait Macintosh User Group meeting. In a change from the past, the meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA.

While President Sabrina Davis and others set up the room for the meeting, Vice President Lawrence Charters hosted a Q&A (Question and Answer) session. The overarching rule: the question had to be about Apple devices, and the question had to be something that could be asked and answered in three minutes or less.

Q&A

Q: I have a new iPhone, and am having trouble moving photos from my old phone to my Mac to my new phone.

A: Once upon a time, you used iPhoto or iTunes or some combination of the two to move photos. Today, by far the best solution is to use iCloud. Every Apple ID account offers 5 gigabytes of space in iCloud for photos, messages, email, and documents. This is not enough for most people, so buy some more space (it is inexpensive, and you can do that through the iCloud pane in macOS System Preferences or through Settings > Apple ID (click on your name at the top) > iCloud > Manage Storage in iOS). This will allow you to move photos around between your iPhone, iPad, and Mac seamlessly, as long as you have an Internet connection.

Q: What do you think of the new Mac [introduced at the June World Wide Developers Conference]?

A: The new Mac Pro coming out in Fall 2019 will have a minimum of 8 Xeon W core processors, 32 gigabytes of memory, and 256 gigabytes of solid state disk (SSD) storage. If this is too little, you can configure it with up to 28 Xeon W core processors, 1.5 terabytes of memory, and 4 terabytes of SSD storage. It will start at around $6000. The accompanying Apple Pro Display XDR for the machine (optional) will cost $5000 or $6000, not including the $1000 stand. One person mentioned that it justified getting a bumper sticker that said, “My other car is a Mac.” Highly configurable, very powerful, and not intended for the average user.

Q: I have not upgraded since Sierra, and am reluctant to upgrade. How vulnerable am I to security issues?

A: macOS Mojave, the current operating system, is faster and more secure on your existing hardware. It is like getting a rebuilt engine for an old car, for free, with new tires, airbags and seat belts. You may have to upgrade some software, but you gain a currently supported, secure operating system, much more capable of protecting your computer and your data.

Every time Apple patches their software, they release notes on what was patched and why. Hackers use these notes to discover and exploit weaknesses in machines that have not been patched, so upgrade your system, and stay current. Don’t delay.

Q: Do I need Flash?

A: Flash is a security vulnerability and Mojave tries to keep you from using this; it is not installed by default. Adobe stopped development of Flash in 2017, and will completely abandon it in 2020. If you use something that requires Flash, stop using it. Find an alternative.

Q: My computer is warning me that an application is not optimized for my system. What does that mean?

A: macOS is warning you that the application is not a 32-bit native application, and will not work with future versions of macOS. Apple, and Microsoft with Windows, is pushing 64-bit operating systems and applications as the standard, for security reasons. (iOS has been 64-bit only since iOS 11.) The next version of macOS, macOS Catalina, will not run 32-bit applications.

While some companies, chiefly game companies, have sent out messages warning users that their software will stop running if using macOS Catalina, the real problem is that the game companies aren’t upgrading their software. If you really think life will end without some obsolete software package, buy a used Mac, put the game or other application on it, and don’t let that machine ever touch the Internet.

Think of that warning message as: “I am a piece of obsolete software on your computer. I’m making your computer vulnerable.”

Note that the move to 64-bit-only is not unique to macOS; iOS moved to 64-bit-only several years ago, and Windows 10 is now moving to 64-bit-only. Intego has a nice blog entry on why 64-bit is better.

  • Firefox, Chrome, Safari, Edge: popular Web browsers;
  • 2B Androids in use, but may not have a working browser; 70-80 malicious software per device;
  • iOS does not have malicious software because devices can be upgraded;
  • 1 Android (Pixel) gets Google updates, but not many devices;
  • may see warnings that an app is not optimized for the new OS;
  • game manufacturers warn that if you upgrade to OS Catalina, games may not work anymore;
  • 64-bit processors since 2003/4; can move more data at one time, so more efficient, with better memory management;
  • 32-bit is vulnerable to hacker code, but 64-bit makes memory not used as reserved, so hackers cannot exploit it;
  • a 32-bit OS is less secure; the programs will not run;
  • if run without Internet, can use older machines with an older OS.

Officers, equipment and funds

President Sabrina Davis gave a brief overview of some changes in Strait Macintosh User Group, starting with: equipment and funds.

Sabrina was elected President in October 2018, with Lawrence Charters elected Vice President. They presided over the December 2018 meeting, and had planned out a meeting for February 2019, which was canceled due to a major snow storm.

Sometime in March 2019, some former members discussed, via an email exchange, dissolving the group. As far as we know, none of these individuals attended the October or December meetings, or had standing as officers, but they decided Strait Macintosh User Group was no longer functioning, and gave the treasury (roughly $2,800) and all equipment to Shipley Center, in Sequim. They did this without the President or Vice President calling a meeting, or a vote of the membership attending a meeting. Shipley informed us the funds and equipment are not recoverable.

The June 2019 meeting was moved to the Library because, without funds, we could not pay the room rental at the previous location. One limitation: we can’t book a room more than three months in advance, and can’t guarantee a date. We also do not have control over the old web site or forum, so we created this new site, https://straitmac.wordpress.com. For a list of the current officers, see https://straitmac.wordpress.com/contact/.

Restarting SMUG

Our membership list is three years old, and needs to be updated. If you receive a message from us, and don’t want to, please just use the contact page to request we stop. We will be sending out notices to our mailing list of meetings and any other interesting events, and a volunteer will also post announcements on NextDoor.

We will be hosting monthly meetings for a while, to regain momentum. The next meeting will be the third Tuesday in July, July 16, 2019, at 7 p.m., at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. We can only reserve a room at the library a few months in advance; we can’t have a standing meeting for the entire year.

Several people were asked what do we do for money, since the treasury is empty. If we wish to have a custom domain for this website (straitmac.org or something that does not include “wordpress.com” in the name), and get rid of the advertising, we need $130-150 per year. If we wish to use another meeting space, and have a projector for presentations, we need considerably more. We will talk about options at future meetings.

Presentation: web browsers, continued

If it seems that much of the talk about web browsers involves security, there is a good reason: it does involve security.

The major current web browsers, in order, are Safari (on a billion and a half iOS devices, plus Macs), Chrome (on iOS devices, Android devices, Macs, and Windows), Firefox (on Macs, Windows, Linux, Android, and iOS devices), Microsoft Edge (on Windows and, now in beta, on Macs), and Internet Explorer (completely abandoned by Microsoft, but still used on almost a billion compromised machines).

HTTPS Everywhere, a free browser extension for Chrome (but not Safari), puts up a giant warning screen when you attempt to visit an insecure website.

Almost all Mac and iOS compromises involve something downloaded over the web, so it is important to keep all your iOS and Mac devices running the current operating system and a current browser. If your device is too old to support a current operating system, don’t connect it to the Internet.

Your day-to-day account on your Mac should be a non-admin account. Why? An admin account can accidentally authorize a piece of malware to be installed by simply clicking an “OK” box in your browser. Non-admin accounts cannot install software and, therefore, are far more secure from accidental compromise.

The big reason over a billion Windows machines are infected with malware: they are running obsolete versions of Windows, and the user account is an admin account. In the U.S., the government is as guilty of this as anyone else; the U.S. Navy, for example, is still in the process of retiring thousands of machines running Windows XP and Windows 7, instead of the current Windows 10.

If you think you, the “average user,” are not vulnerable — you most definitely are a target, and are vulnerable. Thieves are attacking not only adults and teens, but even taking out credit and home loans in the names of one year olds, confident that it will be a decade or more before the child learns their credit has been ruined. Even if they scam you out of only a couple hundred dollars, this is still a tempting target for thieves, as they can attack hundreds or thousands of accounts a day.

Visiting straitmac.org with Safari is flagged as “Not secure.”

To protect yourself, avoid unencrypted sites. The old Strait Macintosh User Group Site, straitmac.org, is unencrypted. If you visit with Safari, Chrome or Microsoft Edge for Mac (now in beta), the location bar will flag the site as “Not Secure” because it does not have a valid security certificate. The SMUG Forum is also not encrypted, which means that user names and passwords entered on the site are sent in clear text and can be intercepted and exploited. This is, by the way, why you should use unique passwords for every account, as otherwise, all a hacker has to do is compromise one site and they can use that password on any and every site where you’ve reused that password.

Visiting straitmac.org with Chrome is flagged as “Not secure.”

To keep track of all the unique passwords, use a password vault, such as 1Password. The iPhone and the Mac versions of 1Password sync, allowing you to use 1Password on your iPhone when away from your Mac. 1Password can do more than store passwords; you can also use it to store credit cards, your license plate number, your VIN (Vehicle Identification Number), or anything else that is associated with you as an individual and is difficult to remember.

Someone asked if 1Password was different from Keychain, Apple’s built-in technology for storing and syncing passwords. The short answer is that they accomplish the same goals, but Keychain tends to confuse most users, whereas most users have no trouble at all properly using 1Password. Take Control Books, by the way, has electronic books on how to use 1Password, specifically, and how to manage Your Passwords, generally.

Visiting straitmac.org with Microsoft Edge for Macintosh (beta) is flagged as “Not Secure.”

straitmac.wordpress.com: shows a lock; secure site; has a valid certificate from a third party; has been audited; browsers recognize this as a legitimate site; the machine has a valid certificate for the site, so it can encrypt the information exchanged; Chrome shows a green icon if very secure, e.g., banks.

Safari, Chrome, and Firefox were briefly demonstrated, which brought up two interesting questions:

Why would you need more than one browser? The answer is: there are sites that might not work with Safari that will work with Chrome, or Firefox. Since the browsers are free, there is no “cost” to having all three. Another important consideration: Apple tends to update Safari, on the Mac and in iOS, with new operating system releases; Chrome checks to see if it needs to be updated every time it launches, and doesn’t bother to even ask you about updates. Firefox is somewhat in the middle; it checks every time, but asks you before updating.

The second question: is it possible for a site to be secure with one browser and not secure with another? The literal answer is: no. A properly secure site should be secure with all browsers, and if it is insecure with any browser it should be considered insecure with all. However, it is possible for a site to be secure and not work properly with a given browser. Again, this is a good reason to have Safari, Chrome and Firefox.

July meeting, third Tuesday, July 16, 7 p.m.

The July meeting topic will be an open-ended Q&A (Question and Answer) meeting. There are simple rules: the question must be about an Apple product, or something that runs on an Apple product, and the answer must be something that can be reasonably handled in a three to five minute answer. Questions do not need to be answered by a SMUG officer; if you know the answer to a question, feel free to chime right in.

Coming soon


Apple WWDC19 was full of wonders

Apple’s World Wide Developer Conference (WWDC) was held earlier today, and Apple made a number of announcements:

New Mac Pro is a highly customizable box.
The new Mac Pro is endlessly customizable, offering huge amounts of memory, storage, video power, etc. There is even a rack-mounted version, in case you want a small herd of these for crunching vast herds of bits and bytes.
  • iOS 13 is aimed at being much faster, even on existing hardware, and is bringing Dark Mode to the small screen, along with outstanding security and privacy;
  • iPad software is being split off from the iPhone to a new iPadOS, with features that take advantage of the vastly larger screen;
  • the Mac Pro returns, in a powerful 28-core monster;
  • Apple returns to the display business with an exotic Pro Display XDR;
  • watchOS 6 will add new health and fitness metrics and capabilities, and new watch faces;
  • tvOS 13 will allow multiple user profiles, so you can watch what you want, and listen to what you want;
  • macOS Catalina returns to the California coast, and splits iTunes apart with separate apps for Apple Music, podcasts, and Apple TV;
  • another huge change to macOS Catalina is Sidecar, a built-in capability to use your iPad as an additional screen of your Mac, and use iPad capabilities — such as the pen — with your Mac;
  • accessibility changes, to macOS, iOS, and iPadOS, promise to vastly expand what can be done by those with vision, hearing, or mobility limitations, including both the very young and the very old.
New iPadOS showing Dark Mode and the ability to display information on the home screen.

You can watch the keynote (a bit more than two hours) here.

Soon you will be able to record a voice memo on your Apple Watch with just a tap.

Most people will never own a Mac Pro; fully equipped with the new Pro Display XDR, you could buy a decent car — a new car — for the same price, or less. But almost everyone with an Apple device will benefit from iOS 13, iPadOS, tvOS 13, watchOS 6, and macOS Catalina. In particular, the accessibility features, and the vastly expanded iPad capabilities, are worth a long, thoughtful look. And the security and privacy features built into the new operating systems — all the operating systems — are extraordinary.

The programming tools will roll out immediately, with the finished iPhone, iPad, watch, TV, and Mac operating systems coming out in the fall. The Mac Pro and Pro Monitor will be out “this fall,” but you can sign up to be notified when they are getting close.

iPhone Notes in Dark Mode, with the option of sending an email notification directly from the note.

Since this is the World Wide Developers conference, there was also a presentation on coding, and it was impressive. While GUI (Graphical User Interface) programming has been touted for a couple decades, the reality is that complex programming is almost entirely based on thousands, or millions, of lines of text-only code. But with the forthcoming Xcode 11, you really can drag-and-drop large chunks of graphical elements, and large chunks of code, into your application code. And Apple has vastly reduced the code barriers between macOS and iOS apps with new technology that lets you very quickly, and fairly painlessly, transform an iOS app into a Macintosh application in just a few days.

Xcode 11 will offer drag-and-drop programming, and you can code for a Watch, Apple TV, Mac, iPad or iPhone by just selecting an option at the start of the project -- and little more.
Code on the left, with a live preview of the result on the right, compliments of the new Xcode 11.

iOS 12.3 security update

Apple released a security update for iPhones and iPads, iOS 12.3, on May 13, 2013. You can subscribe to Apple security announcements at https://lists.apple.com/mailman/listinfo/security-announce/


APPLE-SA-2019-5-13-1 iOS 12.3

iOS 12.3 is now available and addresses the following:

AppleFileConduit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to read restricted memory
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8598: Omer Gull of Checkpoint Research

CoreAudio
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted movie file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8585: riusksk of VulWar Corp working with Trend Micro’s Zero
Day Initiative

Disk Images
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological
University

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8576: Brandon Azad of Google Project Zero, unho Jang and
Hanul Choi of LINE Security Team

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8591: Ned Williamson working with Google Project Zero

Lock Screen
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
see the email address used for iTunes
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8599: Jeremy Peña-Lopez (aka Radio) of the University of
North Florida

Mail
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted message may lead to a denial
of service
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8626: Natalie Silvanovich of Google Project Zero

Mail Message Framework
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8613: Natalie Silvanovich of Google Project Zero

MobileInstallation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to modify protected parts of the
file system
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8568: Dany Lisiansky (@DanyL931)

MobileLockdown
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to gain root privileges
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8637: Dany Lisiansky (@DanyL931)

Photos Storage
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2019-8617: an anonymous researcher

SQLite
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8600: Omer Gull of Checkpoint Research

SQLite
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to read restricted memory
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8598: Omer Gull of Checkpoint Research

SQLite
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2019-8602: Omer Gull of Checkpoint Research

Status Bar
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: The lock screen may show a locked icon after unlocking
Description: The issue was addressed with improved UI handling.
CVE-2019-8630: Jon M. Morlan

StreamingZip
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to modify protected parts of the
file system
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8568: Dany Lisiansky (@DanyL931)

sysdiagnose
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8574: Dayton Pidhirney (@_watbulb) of Seekintoo (@seekintoo)

WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro’s Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)
of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security &
Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro’s Zero Day
Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab

Wi-Fi
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A device may be passively tracked by its WiFi MAC address
Description: A user privacy issue was addressed by removing the
broadcast MAC address.
CVE-2019-8620: David Kreitschmann and Milan Stute of Secure Mobile
Networking Lab at Technische Universität Darmstadt

Additional recognition

Clang
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.

CoreFoundation
We would like to acknowledge Vozzie and Rami and m4bln, Xiangqian
Zhang, Huiming Liu of Tencent’s Xuanwu Lab for their assistance.

Kernel
We would like to acknowledge Brandon Azad of Google Project Zero and
an anonymous researcher for their assistance.

MediaLibrary
We would like to acknowledge Angel Ramirez and Min (Spark) Zheng,
Xiaolong Bai of Alibaba Inc. for their assistance.

MobileInstallation
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.

Safari
We would like to acknowledge Ben Guild (@benguild) for their
assistance.

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer’s Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple’s update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don’t Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be “iOS 12.3”.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
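
One way to triage an advisory in this layout, as an added example (not Apple's tooling and not part of the original post): the parser below splits the text into per-component entries and ranks them by the wording of the Impact line. The severity rules are an assumption made for illustration, and the sample text is a constructed excerpt of four entries from the advisory above.

```python
import re

# Constructed excerpt: four entries copied from the advisory text on this page.
SAMPLE = """\
Lock Screen
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A person with physical access to an iOS device may be able to
see the email address used for iTunes
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8599: Jeremy Peña-Lopez (aka Radio) of the University of
North Florida

Photos Storage
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2019-8617: an anonymous researcher

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero

WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro’s Zero Day Initiative
"""

FIELD = re.compile(r"^(Available for|Impact|Description):\s*(.*)$")
CVE = re.compile(r"^(CVE-\d{4}-\d{4,}):")

# Assumed triage rules (not Apple's): first matching tier wins.
RULES = [
    ("urgent", ("arbitrary code", "system privileges", "root privileges",
                "write kernel memory")),
    ("high", ("elevate", "sandbox", "restricted memory", "kernel memory",
              "process memory", "protected parts of the file system")),
]
ORDER = {"urgent": 0, "high": 1, "routine": 2}


def parse_advisory(text):
    """Return one dict per component entry that has an Impact line and a CVE."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        entry = {"component": lines[0], "cves": []}
        current = None  # field that wrapped continuation lines belong to
        for line in lines[1:]:
            field, cve = FIELD.match(line), CVE.match(line)
            if field:
                current = field.group(1).lower()
                entry[current] = field.group(2)
            elif cve:
                entry["cves"].append(cve.group(1))
                current = None  # wrapped credit lines are ignored
            elif current:
                entry[current] += " " + line
        if "impact" in entry and entry["cves"]:
            entries.append(entry)
    return entries


def severity(impact):
    """Map an Impact sentence to a tier using the assumed phrase rules."""
    text = impact.lower()
    for label, phrases in RULES:
        if any(phrase in text for phrase in phrases):
            return label
    return "routine"


def triage(text):
    """Return (tier, component, cves) tuples, most serious tier first."""
    rows = [(severity(e["impact"]), e["component"], e["cves"])
            for e in parse_advisory(text)]
    return sorted(rows, key=lambda row: ORDER[row[0]])


if __name__ == "__main__":
    for tier, component, cves in triage(SAMPLE):
        print(f"{tier:8} {component:15} {', '.join(cves)}")
```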

April 2019: Web browsers

Strait Macintosh User’s Group (SMUG)
April 2, 2019

Meeting: 7:00 p.m. to 8:00 p.m. at St. Luke’s Episcopal Church, Sequim

Meeting called to order by President Sabrina Davis and Vice President Lawrence Charters.

Two outstanding board positions, Treasurer and Secretary, remained to be filled. By unanimous vote, Analiss Schutzman was elected Treasurer and Kathleen Charters elected Secretary.

There was a discussion of the need for better communications. The SMUG forum had a note that the meeting was canceled and the organization dissolved, but at the last meeting in December, no such motions were entertained, and the February meeting was canceled due to snow. Most attendees found out about the meeting either through direct contact with the President or Vice President, or through an announcement posted on Next Door (https://nextdoor.com/).

At present, there are no plans to charge for membership in 2019. The domain name and Internet hosting fees for the website are paid through 2019, with the only remaining expense being room rental for meetings. The membership voted to pay the room rental on a yearly basis, and to reimburse Sabrina for paying out of pocket for the April meeting rental.

It was also agreed that meetings would continue every other month in Sequim. If attendance and conditions warrant, more frequent meetings may be adopted.

Meeting topic: Web browsers

Lawrence Charters did a live, interactive presentation on the World Wide Web in general, with a particular emphasis on web security and privacy. The web began in 1990, with an experiment at the European Organization for Nuclear Research (CERN, from the French Conseil européen pour la recherche nucléaire). Tim Berners-Lee developed a prototype web server on a NeXT computer, and it started serving out pages over the Internet in 1991. It rapidly eclipsed or replaced Gopher, FTP, newsgroups, and other Internet sources of information, and is now the most widely used communications medium in history.

At its foundation, the web is based on text. As an example, this curl command (curl is built in to macOS) will fetch the opening page from the National Ocean Service website:

Capturing the first page of the National Ocean Service website using curl and macOS Terminal.

These elements of code are assembled by your web browser (Safari, Chrome, Firefox, etc.) into something (usually) much more useful: shopping sites, encyclopedias, dating sites, travel maps, etc.

Incidentally, email messages — even ones with graphics and sound and video — are also based on text. The text is assembled by your email client into discrete messages that look more like paper-based letters.

Because of abusive practices on the web, Google and Apple have been pushing hard for increased security and privacy. Safari on your Mac shows a lock icon when visiting an encrypted site; Google will show a lock in the location bar, and if visiting an insecure site, will display “Not Secure” right next to the URL.

It doesn’t matter if a site “sells” something; Apple and Google, and more recently Microsoft, want you to visit only encrypted sites. An unencrypted site can be easily compromised to, among other things, pass malware to your computer, or be used to “impersonate” a site.

With an encrypted site, anything you send between your device and the website is encrypted; it can’t be intercepted and read, or intercepted and modified. Google Chrome and Apple Safari also check the encryption certificates of a site to ensure that a) the certificate is valid and b) it is for the site it claims to represent.
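
The two checks named above, (a) validity and (b) issued for the site it claims to represent, written out as an added example (not code from this page or from any browser). It works on the parsed fields that Python's ssl module returns from getpeercert(); the sample certificates and the pinned clock are constructed, and signature-chain verification is left to ssl.create_default_context() in fetch_cert().

```python
import socket
import ssl

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(). They are illustrative, not real certificates.
GOOD_CERT = {
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "*.wordpress.com"), ("DNS", "wordpress.com")),
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jun  1 00:00:00 2019 GMT")

# The clock is pinned (assumption) to the evening of the June 18, 2019
# meeting so the results below are repeatable.
NOW = ssl.cert_time_to_seconds("Jun 18 19:00:00 2019 GMT")


def cert_is_current(cert, now):
    """Check (a): 'now' (epoch seconds) falls inside the validity window."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def name_matches(pattern, hostname):
    """Compare one certificate name with the host the user asked for."""
    want = pattern.lower().rstrip(".").split(".")
    have = hostname.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False  # a wildcard never spans more than one label
    if want[0] == "*":
        # Wildcard allowed only as the whole leftmost label, never "*.com".
        return len(want) >= 3 and want[1:] == have[1:]
    return want == have


def cert_matches_host(cert, hostname):
    """Check (b): the certificate lists the host among its DNS names."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    return any(name_matches(name, hostname) for name in names)


def check_site(cert, hostname, now):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    if not cert_is_current(cert, now):
        problems.append("certificate is outside its validity period")
    if not cert_matches_host(cert, hostname):
        problems.append("certificate was not issued for " + hostname)
    return problems


def fetch_cert(hostname, port=443, timeout=5):
    """Live variant (needs network): the default context verifies the chain
    and the hostname, raising ssl.SSLCertVerificationError on failure."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    cases = [
        (GOOD_CERT, "straitmac.wordpress.com"),
        (GOOD_CERT, "straitmac.org"),
        (EXPIRED_CERT, "straitmac.wordpress.com"),
    ]
    for cert, host in cases:
        print(host, check_site(cert, host, NOW) or "ok")
```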

Apple and Google also maintain a blacklist of sites that are known to be harmful. Apple does this through Gatekeeper, which is a combination of technologies that, among other things, periodically downloads a list of domains that your device will refuse to visit. Google does this dynamically; every Chrome URL request checks with Google’s list of blacklisted sites.

Because of the security risks, Google also “downrates” sites that are not encrypted, pushing them down their rating results to discourage visits. Similarly, Apple does not allow iOS apps to make unencrypted web connections. These and other measures have resulted in a very rapid change to make encrypted websites (https and not http) the default on the web. There are still hundreds of millions of unencrypted sites; avoid them.

The easiest way to protect your Mac or iOS device: stay current with system and security updates.

In response to a question, Lawrence explained one major security difference between iOS devices and Android devices. Apple directly updates iOS (iPhone, iPad, iPod) devices. In the Android world, with one major exception, you need to go through your phone company. What this means: if you are on T-Mobile, or AT&T, or Verizon, or whatever, you can update your iPhone by just asking your device to do a software update, or responding to a prompt sent by Apple. But with almost all Android devices, the updates come directly from Verizon, T-Mobile, AT&T, etc., and while the device might theoretically qualify for a security update, the phone companies generally will not provide updates; they expect you to buy a new phone if you want an update. The exception: Google updates their Pixel devices directly.

Lawrence strongly recommended that everyone use long (15 characters or more), unique passwords for everything on the Internet. No password, for anything, should be reused somewhere else. To keep track of the passwords, use Apple’s Keychain (free, and shared between iOS and Mac) or 1Password (paid, but much easier to understand and organize).

Don’t worry about “complex” password rules (use one upper case, one lower case, one symbol, one number). The important thing is to make them unique, and long; the longer the better. Spaces, by the way, count as a character.

Good: Kim Jong-un is a nutcase

Too short, and much harder to type correctly: K1mJ0Ng-nUTs

Passwords that are hard to type are easy to compromise because people tend to reuse them, or leave notes reminding themselves how to type them.

There were many more questions and topics than time available, so at the June meeting we will continue with:

Web security and privacy

While there are no privacy laws in the US, the European Union has imposed fairly demanding privacy laws, and as US companies want to do business with the EU, privacy is rapidly improving on major US websites. But individuals ultimately have the most control over their own privacy and security. We’ll talk about that in June.