[0:01] Hi, this is Allison Sheridan of the NosillaCast Podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Sunday, December 11th, 2022, and this is show number 918.
Well, before we get too far into the show, I have a couple of announcements.
[0:19] There will be no live show on Christmas Day. So we'll be here next week, but not on Christmas Day.
Now, we might do one on New Year's Day, depending on how things work out, because, as Sandy points out, maybe some people will be hung over, but most people probably aren't doing anything on that Sunday night.
Anyway, I'll announce this again next week, but I think you'll probably be able to remember that there won't be a live show on Christmas.
I also want to remind you to send in your I'm Still Using It contributions. I have a fair number of them, but I'm nervous that it won't be enough to give us a full show for the Christmas Day show, which I've got to do early.
The idea of I'm Still Using It is to tell us a story about a piece of software or hardware that you're still using after a very long time.
And why? Most importantly, why? A lot of people are sending me things saying, "I'm still using this," but I'd like the why. What is the thing you use it for? Otherwise I have to ask follow-on questions, so if you can just give it to me in one, that's even better.
By the way, it could even be a podcast you're still listening to after many, many years.
The way you can get yours read on the show is by sending me an email at allison at podfeet.com with the title "I'm still using it."
Now getting the title right is important because I've got a smart folder, a smart mailbox that shoves them all in there. And if you don't do it quite right, I might miss yours.
[1:37] Okay, here's the last announcement. If you get any free time over the holidays, I have another ask of you. On January 17th, Steve and I are off to Antarctica for a couple of weeks.
Bart and Allister have volunteered to hold down the fort in my absence, which means we are going to be needing listener reviews for the middle of January.
If you get any cool gadgets as gifts over the holidays, or maybe you treat yourself to a nap that you've had your eye on for a long time, anything you think is fun and nerdy would be great for the show.
Allister and Bart are kind enough to do this so that our streak of coming up on 18 years without interruption can be maintained.
I sure hope you'll think of a way to step in and help.
Allison On Clockwise #480
[2:16] I had a lot of fun this week being a guest on the Clockwise podcast with hosts Mikah Sargent and Dan Moren, along with guest John Moltz.
We talked about what we would ask OpenAI's ChatGPT and where those things might go wrong.
We talked about Apple's new App Store price points, and we talked about the never-ending Apple car rumors.
My question for Clockwise was about time-consuming automations we've written, and to both of our amusement, Mikah and I had the same exact silly automation, and we had both had them written for us by different people. Check out episode 480 of the Clockwise Podcast at the link in the show notes, which are visible in your podcatcher of choice and are also available at podfeet.com.
TouchRetouch Tutorial On ScreenCastsOnline
[3:01] My latest tutorial is up on ScreenCastsOnline and it's about a terrific tool called TouchRetouch for iOS and iPadOS and the Mac.
TouchRetouch does a fantastic job of removing unwanted objects in your images even with your big fat fingers on an iPhone, and it's only $4 US on iOS.
I've been using TouchRetouch for years and years, but I had no idea how capable it was until I researched the app fully to create the video tutorial for ScreenCastsOnline.
I did review it for the podcast many years ago, but I learned so much more doing the video tutorial.
Now, there's also a TouchRetouch app for the Mac, which is more expensive and oddly somewhat less capable.
But if you have an Apple Silicon Mac, you can run the $4 iPad version and get all of the capabilities.
In the tutorial, I demonstrate the similarities and differences so you get to see it running on all platforms.
Now, I'm going to give you my usual disclaimer. ScreenCastsOnline Tutorials is a subscription podcast and magazine, and it provides real training on how to use tools.
There is a free 7-day trial where you can get access to the back catalog to see if it's a service you might like.
But it's a dangerous trial because I can pretty much guarantee you'll find value in the tutorials from all of the different tutors, so don't even check it out if you're worried that you might like it.
CCATP #754 — Casey Liss On Automations From The Absurd To The Delightful
[4:19] We actually have two Chit Chat Across the Ponds this week. On one of them, Chit Chat Across the Pond number 754, we're joined by developer Casey Liss of the Accidental Tech Podcast and creator of the iOS apps Masquerade and Peek-a-View.
I asked Casey to come on the show to talk about automation. In particular, we talked about unnecessary or overly complex automations, automations that mysteriously run but we can't remember how or why they're running, automations we're really proud of, and finally, darn it, these just make me happy automations.
It is a great conversation, it's a lot of fun, and if you haven't heard Casey Liss describe how he created an automation to know whether his garage door is open or not, you have got to listen to this episode of Chit Chat Across the Pond.
You can, of course, find Chit Chat Across the Pond episode 754 with Casey Liss in your podcatcher of choice.
CCATP #755 — Bart Busschots On PBS 142 — The XKPasswdJS Project Kickoff!
This is what we've been waiting for. As I said to Bart at the end of our recording, we're no longer fixing to make a plan. We actually have a plan now.
The show notes for this episode point to the readme file for the official GitHub project.
And then he'll build the guidelines that will help us work as a team of contributors. This means things like a style guide, automated scripts to build the project, and configuration files for all of the tooling.
Now he has a vision that we're going to work on the direct port next with no enhancements during the direct port phase.
I tried to get him to take a dollar bet on whether that goal will be achieved, but he did not fall for it.
After that, we'll go into maintenance mode. So those are the three phases. Anyway, this is a fun episode because we are finally moving forward after learning all of the tools we'll need to make this project a success.
You can find Bart's show notes that point to the README at pbs.bartificer.net.
[6:23] Now at the end of that episode, or in the middle, the beginning, somewhere in that episode, I'm pretty sure I promised transcripts of that episode.
And I don't know why, but the auto-generated transcripts I talked about last week did not work.
I sent a note in to the developer of Auphonic, and I'm hoping they can help me still get that transcript, but I don't have it yet. So that's one that would be really good to have a transcript for, because the show notes don't really speak to exactly what he talked about.
But anyway, I'm still working on it.
Podfeet Blog Posts Delivered By Email
[6:54] I was chatting with my buddy Niraj this week, and he thanked me for putting him on distribution for emails whenever I wrote a blog post.
I told him I never did that and I didn't have any idea how he was getting them. I asked him to send me one of the emails he gets, and from that I was able to figure out backwards how these little treats were coming to him. At the bottom of every blog post I make, there's a comment box.
Below the comment box are two checkboxes. The first says, "Notify me of follow-up comments by email."
This is handy if you make a comment and want to know if anybody responded to you. It only sends you emails if you give it your address and only for that one post if someone else comments.
But the second checkbox says, "Notify me of new posts by email." Apparently, Niraj had checked that somewhere along the line.
So if you'd like to have hand-delivered notifications of all of my blog posts just like Niraj, check the "Notify me of new posts by email" box and your dreams will come true.
You'll not only see all of the blog posts I create, but you'll also get Security Bits by Bart Busschots, and if other contributors write blog posts, like Allister often does, you'll get those as well.
Now I should mention that you don't get the entire blog post in the email. You get the title and the excerpt and then a link to the website to read the rest.
[8:13] The funny part of this is that I had no idea I'd even enabled this feature. I have a plugin called Jetpack from the fine folks at WordPress.com that has a lot of features and buried in all those settings, I found that I had enabled this right in there.
If it sounds fun to you, check the box and if it gets tiresome after a while, there's an unsubscribe link in every single email.
I wish I'd realized I had done this when I was talking to Casey about automations that run and we don't know why.
This would have been a good one to add to that list.
Come Join The Fun In Mastodon — I Promise, It's Easy!
[8:44] Do you remember when you first heard about Twitter? Remember thinking it sounded silly and you didn't think it had any legs?
Remember thinking the word tweet sounded idiotic?
Do you remember finally joining Twitter and then being baffled by it, wondering why is everybody so excited about this? And remember wondering well wait, but who do I follow? How do I find people? This is so confusing.
I bet you're having those same concerns about Mastodon. If tweet sounded silly, how about toot?
That's what it's called when you post on Mastodon.
My goal in this story is to make Mastodon a bit less baffling, to offer a bit of advice on how to proceed on a few parts of it, and how to just have some fun.
I'm having a really good time on Mastodon. It's fresh and new and people are especially interactive.
I encourage you to go in and kick the tires a bit and see if it's a service that might make you happy.
I don't know if it's going to unseat Twitter in the end, but for right now it's a very pleasant place to hang out and have some fun while we wait for the dust to settle on Twitter.
As hard as it was to wrap our collective brains around Twitter, Mastodon does add a nice little extra layer of complexity.
[9:54] Before you can join Mastodon, you have to decide which instance you're going to join. Now, an instance is just a fancy name for a server.
But get this, it doesn't matter which instance you join.
Now I say that for a couple of reasons. The most important of which is, if you decide at any time you don't like the instance you're on, you can just move. When you move, you don't lose any followers and you don't lose the people you've chosen to follow.
I accidentally created two accounts on different server instances over time and I was able to freeze one of them and make it an alias to the other one.
And that combined my followers and the people I was following on the two accounts all into one.
No one was the wiser that I moved servers or combined servers. So it's pretty easy to move. A little bit nerdy, but not too hard. Now on Twitter, you follow specific people, and you can look at things like trending or follow a hashtag. And you can do the exact same thing from all Mastodon servers because they're federated. Federated means that while different people are managing all of these different servers, you'll still find people and trending topics on all servers.
If you want to chat with a small group of people with a specialized interest, then choosing a server that specializes in that topic might make sense.
But I think for most people, I'd suggest choosing a server with wide interests rather than specialized.
Here's why I give that one caveat about not choosing a server that's too specialized.
[11:21] When I suggested to Steve that he might want to look into Mastodon, we talked about what instance he should join.
He's super into astronomy, so I suggested the instance astrodon.social.
It's been great, but it actually put him into an odd position. While he really likes astronomy, he doesn't just like astronomy.
If he wants to post about physics, well, that's probably still of interest to that community, but what if he wants to post a picture of how we restained our back fence or of our dog Tesla looking goofy?
Seems kind of out of place.
[11:53] Now some servers have had to cut off adding people because the influx has been so massive, but don't be discouraged by that. You could try the server that Bart went on, mstdn.social, and I put a link in the show notes. Or you could try the geek-oriented one, hachyderm.io, or you could just go to joinmastodon.org, close your eyes and pick one.
But remember, it doesn't matter if you change your mind later, you can just move.
So what does it actually mean to be part of an instance? What does that have to do with who you follow? Stephen Getz asked this very question, and I think I came up with a good analogy to try to explain it.
[12:34] Let's say you and your cousin go to different high schools. You can talk to your cousin and find out what's going on in their lives, and they can tell you what their high school friends are doing, but you can't see everything going on in their high school.
You can, however, see everything that's going on in your own high school. On Mastodon, someone you're following is like your cousin in the other high school.
It doesn't matter if you and I are on different instances, we can follow each other and we miss nothing. The people you follow can expose you to things going on on their server, like their high school. And you can see everything going on in your own server, your high school.
[13:08] I hope that analogy helped explain how you can be on different servers and still see toots by the other people. So let's say you've closed your eyes and blindly chosen an instance to join.
Just like when you joined Twitter, your first question is how to find people to follow, and especially, how do you find the people you are already following on Twitter?
Because so many people are either abandoning Twitter altogether, or at least hedging their bets by testing out Mastodon, something wonderful has happened.
People have all started putting their Mastodon accounts into their Twitter profiles.
Now, a full Mastodon name is @yourhandle@yourinstance, or you can write it as yourinstance/@yourhandle, like chaos.social/@podfeet.
This all makes a lot more sense if you see it in writing like on my website, but we're gonna make it even easier than that.
Now, while it's great that people are putting their Mastodon handles into their profiles on Twitter, imagine how tedious it would be to comb through all of the people you follow on Twitter, going into their profiles and finding out whether or not they had put their Mastodon profile in there (their Mastodon link, I guess it is).
Let's say you even had the patience to do that one time.
What if the next day someone on your list adds their Mastodon info? Are you gonna comb through all of the people you follow every day to see whether they've added their Mastodon information?
[14:29] Of course not. That's where the internet comes in to help again. There's a fabulous tool at movetodon.org that solves this pesky problem.
When you go to Movetodon, you'll be asked to give authorization to the tool to access both your Twitter and Mastodon accounts.
This is exactly the same kind of step that you go through when you install a Twitter app to allow it to pull the info from your accounts.
Once you've authorized the tool, it will show you a very nicely formatted list of people it has found. You can see their avatar, their name, their Twitter account, and their full Mastodon account.
If you hover over this area, you'll even get a pop-up showing you their full bio. This will help you remember who they are and whether you still think they're interesting.
Now you can see when they joined Mastodon and how long they've been active on the service.
[15:17] But the important thing is to the far right of each name it finds, you'll see a big purple follow button to follow the person on Mastodon.
If you've already followed them, the button will say following. That's awesome.
This makes it super easy to follow people and you can just go back to the page and refresh it once in a while to find more folks.
Now they also provide a follow all button, but I recommend against this.
Consider this like a nuke and pave opportunity. You're really starting fresh. So I suggest looking at each person you follow and questioning: do they actually give you joy? If they don't, just skip them and look for those who do.
Now Bart said on Let's Talk Apple that he has really culled his Mastodon list down from what he was following on Twitter, and I've done the same. I'm not following angry people. I'm not following people who don't give me joy, and I think that's one of the reasons I'm enjoying Mastodon so much.
[16:10] So let's talk about a couple of basics of Mastodon. I mentioned earlier that instead of tweeting, you toot. Now, some people are trying to change the word toot to post. That's boring. I think tooting is fun and I think it's going to stick. When you retweet on Twitter, it means that you're exposing the clever tweet you saw to the people who follow you. On Mastodon, that action is called boosting. Right now, when so many new folks are looking for accounts to follow, boosting is super important on Mastodon. I follow April Menendez on Mastodon. I really recommend following her, and her Mastodon link is in the show notes,
and she follows a lot of great photographers.
When she sees an image she likes, she boosts it. So now I see them in my feed and I can find photographers I might wanna follow.
It's a chain of happiness. Now here's the interesting thing. On Twitter, you can quote tweet.
So that's retweeting while also commenting. But on Mastodon, you can only boost or comment, not both at the same time.
This was an intentional choice by the founder of Mastodon, Eugen Rochko. He felt that quote tweeting encouraged toxicity because your comment is targeted at your audience.
It doesn't go to the person who created the original tweet.
[17:25] With comments, you have to talk directly to the person who wrote the tweet, which he hopes will encourage more civilized behavior.
I see this point, but I do find so many times I really want to tell people why I'm boosting a toot, why I think it's interesting or funny, or what memory it's surfaced.
I can boost a toot, which is just fun to say, that's why I keep saying it, and I can make a comment so I can do both, and that way I suppose my followers might still see the comment.
[17:52] Now, there don't appear to be any great clients out there for Mastodon just yet, but Tapbots, the makers of Tweetbot, are hard at work on a Mastodon client called Ivory.
I'm not quite in the public beta yet, but those on the private beta say it's pretty awesome. For now, I'm using Metatext on iOS and Mastonaut on the Mac.
They're passable, but they seem to be missing some features. But you know, they're okay.
But before worrying about getting a dedicated client, I really suggest just logging into your instance via the web interface, and you'll get a full-featured experience.
I was originally confused by a few terms when I went into Mastodon, so I'd like to explain them.
In clients and the web interface, you'll see three options: Home, Local, and then a third one that's either called Public or Federated. Home is where you can see and read toots and boosts by the people you've followed. Think about it as essentially what you would see if you were using a third-party client for Twitter like Tweetbot. You just see the people you follow. Home is just like that. Local is everyone talking on your server instance. So for Steve with astrodon.social,
that's awesome because it's all astronomy talk and it's relatively small.
For me on chaos.social, it's just completely random. It's just all kinds of topics from people I don't know and a fair percentage of it is in languages I don't actually speak.
[19:14] So local is kind of like your high school. You may or may not have anything in common with all of those people.
If it's a large server, a large high school, the feed might be scrolling past really quickly and not be very interesting.
[19:26] Now, Federated or Public, depending on which tool you're using, is where you can see everyone on every instance talking.
It's basically a rapidly flowing river of the conversation of the world.
Now, once I'd found enough people to follow on Movetodon, I chose to limit myself to just reading Home.
It's chatty enough, but not too chatty because I've carefully chosen who I'm going to follow.
In fact, it's pretty similar to my Twitter experience, except with less anger.
[19:52] There's also a notification tab, and it tells you when people follow you, star something you've tooted, or boost a toot of yours.
If you're super popular, that can get a bit noisy, but if you're a regular person, that can be a happy place. Through the web interface, if you search for hashtags, you can follow them just as though they were people.
I recommend hashtag astronomy for the pretty pictures and maybe some science. The bottom line here is that there's still a lot I need to learn and want to learn about Mastodon, but I'm really enjoying myself. As I said to Bodie Grimm, get on over to Mastodon, it's like Twitter but way less cranky pants. I hope you'll come over and join us.
You can find me at @podfeet@mastodon.social, and let's see, I asked Steve to give me his account and I'm going to read it here. I'm vamping as I'm scrolling, and it went past too far. Ah, here it is. He is @spsheridan@astrodon.social. I'm pretty sure if you just search for @spsheridan there's probably not a lot of those, and if you find the one at astrodon.social, that's Steve. And if he moves to a different server it won't matter; once you follow him you'll be connected to him. I highly recommend following Steve. He's a very interesting person to follow, he has lots of varied interests and they're pretty cool stuff, and he's never cranky pants.
Support The Show
[21:10] Would you like to have ad-free versions of all of the shows from the Podfeet Podcast? Would you like to have free access to our Discord server for the live shows? Would you like to be able to chat anytime you like with other NosillaCastaways in our Slack? You can have all of this without paying a dime. There are no paywalls to have fun talking tech at the Podfeet Podcast. All of this is brought to you by the generous people who support the show by either giving a one-time donation at podfeet.com/paypal or becoming a patron at podfeet.com/patreon. If you appreciate having no paywalls to have fun with the shows, please consider becoming a supporter voluntarily.
Security Bits — 11 December 2022: Deep Dives On eufy Credibility Problems And Apple's New Security Features
[21:59] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Are we in a mess? Is everything wonderful? What are we looking at today, Bart?
Um, do you own a eufy camera?
[22:11] If you do, then it's a mess. If you don't, you're fine. And it's not necessarily a mess. And I'll tell you why when we get to that.
I will need a lot of convincing that it's not a mess, but I'm, I'm always open to being convinced always. And can I guess?
[22:27] Is HomeKit the same here? Let's tell them. Don't lead the witness. Okay, don't lead the witness. Good, now you've ruined it. We'll get there very shortly. It's all ruined now.
I understand. Anyway, it's the second item down anyway. A few follow-up items before we get into the main. We have two deep dives, by the way, just to tease ahead. The eufy one is a deep dive, and then Apple provided a heckin' lot of news.
I'm really excited to hear that part. That's the one I'm really looking forward to.
I mean, if I'd been pushed for time, I would have just done the Apple story and nothing else if it had been a case of Bart you have to triage. The Apple one is definitely the biggest news of the last half year, if not the last full year. It could be the biggest news of all of 2022.
Okay, anyway, some follow ups.
Right, which is a fair few people. Yeah, yeah.
So Twitter chaos continues. I think it's Thierry Breton. That's the EU Commissioner you enjoy following on Mastodon, isn't it?
Yes, so he had a meeting with Elon and made it quite clear to Elon that when the Digital Services Act comes into effect next year, Twitter cannot continue to not moderate like it currently is. He can't ban people on a whim. He can't allow people back on with a poll.
He has to have actual documented policies and procedures applied equally and fairly to all.
So he has to apply it to himself too?
[23:49] Yes, because he shouldn't be applying anything to anyone. His employees who follow a process should be doing it all.
[23:58] Uh, yeah. Go, go EU. I hope so. And he did say yes. I don't want Twitter to die. I really don't. Me too. But.
[24:06] Me too. It just has to live well. Yes, it has to deserve our attention.
Yes, that's it exactly. In related news, a fascinating interview by Kara Swisher of Twitter's former chief safety officer who, credit to him, stuck with Musk for a couple of weeks and then eventually was like, ah, I'm out of here.
And even in the interview, he is extremely level headed. This is not a revenge interview.
There are times where he defends Musk and there are times when he does not.
And I would kind of see that when he doesn't, he has a point and when he does, he has a point. I actually found it was refreshing to see such nuance with Twitter.
[24:50] Interesting. What podcast is it on? I see the link, but I can't tell.
On with Kara Swisher. That is the current name of her podcast. The feed has stayed the same, so you probably subscribed to it under a different name that I can't remember right now, but it changed identity. I think she left the New York Times, because I think she's independent now.
[25:11] I think. Anyway, fascinating interview. Very, very highly worth it. We also talked last time about how we thought that Apple would be introducing the 10-minute AirDrop time limit to everyone. We now know that is coming as part of iOS 16.2. It is in the current betas. And specifically, it's a 10-minute limit on how long you can be open to everybody. It's not that you can only AirDrop for 10 minutes; you just can't be wide open for more than 10.
Yes, exactly. You can't be a universal receiver for more than 10 minutes.
[25:43] Which I think is a good change in spite of the circumstances under which Apple did this.
Right. Like a stopped clock can be right twice a day. The fact that it's being done for dodgy reasons does not change the fact that it is actually the right thing. And if the feature had been invented today, it would have always been like this. It's just technical debt from a more innocent age that it ever came into being the way it is.
Okay. And in other good news, Google Chrome's passkey support has moved out of their, well, I say beta in the show notes, but I believe they call it Canary, which is a good name, I guess, for a beta. Does it die? No, let it go into production. Anyway, passkeys have moved from Canary into the production branch of Google Chrome. So that is again,
[26:30] That's really good news. So Safari and Chrome. Is Edge? Firefox? Are they on board yet?
Do you know? I don't know off the top of my head. If they are not actually on board, they are on the road. They are all well into their beta programs. If they are not actually switched over to production, they're very close.
So we are very close to having all the browsers on board here, which is fantastic.
Again, the incentive for websites to do their bit becomes much greater when the browsers are ready. Until the browsers are ready, every website owner who's a bit lazy can realistically say, ah yeah, but sure it's not on Edge yet, or ah yeah. Although Google Chrome is by far the biggest one, right,
because if you don't include mobile it is the biggest browser.
And if you do include mobile, it's Safari, in which case the argument is the same. So it's fantastic. Yeah. Yeah. Good.
[27:23] Okay. So our friends at eufy. I have titled it "eufy Destroy Their Credibility," which is the politest I can be, because I just find this whole thing quite the train wreck.
But if you would like to follow it blow by blow, the links are below in the show notes.
It is a twisty, turny tale with many, many confusing bits. And I think a part of the reason it's so confusing is because there were two different problems found.
They were found by the same researcher. And so they tended to get conflated.
And then there's a sort of a third underlying problem. So I'm just going to basically say what the problems were and where we stand with the problems and how eufy responded. And I'm sort of going to leave all the rest to the listeners to go dig deeper if they would like to.
So one of the things that was discovered is that... okay, so I should back up one sec. One of the things eufy promises about their cameras is end-to-end encryption.
And they promise you that the data is only available to you and to no one else, which is a big deal for a security camera.
[28:28] I have started to slowly allow some smart stuff into my house. I have not dared let a camera into my house yet. If I do, it will be using that secure video feature in HomeKit.
But I'm sort of waiting for Thread-y stuff.
Actually no, I'm waiting for Thread and Matter support to come out universally. I just want to live in a world where everything is Thread and Matter.
We're nearly there, I can see it. Anyway, that's neither here nor there. So the promise is full end-to-end encryption.
And so one of the problems discovered is that if you set your notification settings a certain way, then thumbnails of your videos will be sent up to eufy's cloud unencrypted.
[29:10] And that's not really in keeping with we won't send anything to the cloud. Previously, it was done so silently.
Now it is done with an explicit warning from eufy that if you choose these settings, you will be uploading stuff to the cloud. So basically it was done without consent. Now it's done with consent.
[29:28] Well, but you can still do things and set your settings and not have the thumbnails go up. Correct.
So if you see the thumbnails in your notifications, those are coming from the cloud.
So you need to change your settings so that when you get a notification from your camera, there are no thumbnails in it.
Okay. And they've done it right. So that one, you know, wasn't initially transparent, but with a gun held to their head, they've done the right thing there.
Correct. And okay, I assume it gets worse than this. I'm not going to lose a lot of sleep. I'm not going to lose a lot of sleep. Thumbnails, okay, hypothetically your thumbnail could show something you don't want to show, but yeah, in the grand scheme of things.
But it's going to get worse, isn't it?
Unfortunately, it is going to get worse. So the really big clanger was the unencrypted video streams. So in a world where there is actual end-to-end encryption.
[30:19] The only thing moving between your camera and your phone should be encrypted garbage, and it should be encrypted gibberish at every single step along the way, because otherwise the encryption is not end to end.
So no matter how catastrophically wrong security goes en route, the only thing compromisable should be gibberish.
And yet a security researcher found that for every eufy camera that is set up in the normal eufy way, there exists a really weird looking URL that will give you a live feed of the unencrypted live feed from the camera.
[30:57] That literally should be impossible.
[31:01] If the promise was true. Right now, the URL is not like, you know, eufy.com forward slash Alison's camera forward slash. It is an obfuscated URL.
So it is a big load of gibberish. Unfortunately, the gibberish is actually calculable gibberish, which is the third major flaw.
The gibberish is based on the serial number.
[31:29] Now a serial number is a permanent, unchangeable, not secret.
[31:37] To use something unchangeable that is not a secret in any sort of security control is the world's biggest red light.
Your security should be ingesting secrets, keys, passwords.
Your security should not be based on something that is not a secret and not immutable.
Sorry, that, yeah, it should be mutable and a secret.
[32:05] So a serial number is not treated as sensitive data. So unsurprisingly, the security researcher found that the serial number is in various API calls. So the serial number can be determined.
Now Eufy have tweaked the APIs to remove the current places that happen to leak the serial number that we have discovered.
But because it's not a secret, it is just a matter of figuring out another place it leaked because the developers would never have been trying to hide it, because a serial number is not a secret.
The other thing is, if you sell a camera, the serial number stays with it forever, so it is impossible to buy a second-hand Eufy camera safely, because the previous owner could know the serial number that you cannot change and that is vital to the building of these secret URLs.
[32:53] And while Eufy have responded by making the secret URLs harder to find, they still exist and they still work. So even now, the feeds, if you can figure out the URL, still work.
So there is a fundamental design flaw here. To have used the serial number as a security control is fundamentally flawed. And the only way to fix that is a complete re-architecting of all of the cloud infrastructure.
[33:27] Which I'll save your powder for a moment. So that is, at a technological level, three problems.
The first one is like, yeah, okay, so you should have put a warning in the settings.
Okay, yeah, whatever. The unencrypted video stream is head exploding.
It means that the end to end encryption is like cake, it's a lie.
The definition of end-to-end is it's not unencrypted anywhere in between. How can this URL exist?
[33:55] And then you have the fundamental flaw of using a serial number as a secret to try to hide things. That's just fundamentally wrong as well.
And then we come to the bit that really makes me lose confidence, which is how Eufy responded to the security researcher.
They started off with categorical denials that were proved false. They were then followed up by unwarranted downplaying of the issue.
And finally, with technical changes to hide rather than fix the problem.
[34:25] Eesh! I love Anker. Anker own Eufy. I adore my Soundcore headphones. I just feel really, really ick. Because I like Anker. This is bad.
[34:39] So you've said impossible to buy a second hand camera from Eufy and have it secure. And that's not a true statement because, and I'm going to talk into, you spoiled all of my excitement here but I'm gonna do it anyway as though you didn't. If you pay for iCloud+, and
that means pay anything more than zero, you can use HomeKit Secure Video, and HomeKit Secure Video allows you to store all of your videos in iCloud, which makes them available to you
within HomeKit, and if you do that it is not going to the servers from Eufy. You've separated it. You do lose something, you can only do 720p, that's a requirement by Apple,
you lose the 1080p or HD, and I was, I actually toggled going, do I want to do it or do I not? I really like having high quality cameras, it's why I bought high quality cameras, but
in the end I chose HomeKit Secure Video and I'm happy about that. You also have to make sure that the model of Eufy cam you buy supports HomeKit, they do not all support HomeKit.
So I'm adding a link to the show notes that will show you how to set up HomeKit secure video.
Great. This is from Eufy, tells you how to do it. And also a link to what you have to do in paying for iCloud, how much storage. What's really interesting is that the HomeKit Secure Video doesn't add to your storage.
So you're putting up gobs of videos, but you can be paying the littlest amount.
[36:09] Which is why they limit you to 720p.
[36:12] Sure, but still that's a lot of video. That's a lot of video. So I'm going to put up a link for that so you can see what the requirements are.
Now all of that is true. I'm putting it down as a solution, if you have Eufy cams.
I'm not saying it's a solution that says you should buy them.
[36:35] If you do that, do you still have the Eufy app? Do you still use the Eufy app to configure the cameras?
[36:46] There are configurations you can do like geofencing and things like that, so the Eufy app is still in the equation, I.
[36:54] I think it's still.
[36:59] So, well, my concern is that... I don't know for a fact that it's changing it. My concern remains that if the security of this video streaming was so fundamentally broken, can we trust the security of the app? Whatever idiotic mistakes have they made?
I don't know that there's anything else wrong.
I don't feel confident that there isn't. It's just one of those, you've shaken my faith here.
[37:25] Like I say, I really, I have so many years of liking Anker. It's their response that disappoints me because everyone makes mistakes.
Everyone does dumb things. And I believe they bought in another company. So this may have come in as technical debt. So the actual problems could be acquired rather than created.
But the response, that's today. That's not technical debt. The response is now.
And that is, I don't like it. It's also important to remember that Anker is a Chinese owned company. I know that always has me a little nervous anyway.
It's sort of like this, it's like the social media problem. I'm running out of social media platforms.
I'm quitting them right and left and they keep, you know, lighting on fire and I have to leave them.
And so, you know, there's a point I did throw out all of my indoor Wyze cams after they screwed up.
And so I got rid of them and I replaced them with Eufy cams and I am not in a position to, I don't want to throw them all away again, and HomeKit Secure Video makes me feel comfortable. I'm okay with it. So for now, Alison, I think basically what you're doing now works for me, until we know anything worse.
Right. Exactly. So for now, there are no known issues with your setup.
So you have a very, very different question to someone who has no cameras and is thinking, what should I buy?
Because, well, who do you buy? I don't know yet, but at the moment I would be very reluctant to buy from Eufy, but if I had a Eufy I would do exactly what you've just done.
[38:52] That would be exactly my response, because I'm not going to throw the camera away unless I know it's broken.
But you know, if something more comes out, if there is another shoe hanging, when the second shoe drops, I probably would leave because if there's two, there's probably more than two.
But you know, for now, if I were you, I would do exactly what you've done.
Yeah. The nice thing about having a HomeKit is you can do your automations and things according to it too.
Yeah. HomeKit is just nice. Well, your HomeKit, let's be fair though. HomeKit automations will fail randomly and you'll have to recreate them all.
Just let's be clear. Let's not pretend they're going to keep working. But when they do work, they're really cool.
I think they're really cool. I'm going to actually have an interesting experience because the biggest automation I have is my Christmas decorations.
I say jingle bells to turn them on and humbug to turn them off. I remember that from last year.
And I now have a whole new wireless network and all of those smart plugs are in the attic along with the Christmas decorations. So they have no idea their whole universe has changed. So when I plug those Meross plugs back in, I have no idea what's going to happen.
Well, that'll be fun. A hot tip. Remember to turn your VPN off.
[40:06] Okay. Every single time we set up new, I actually put a sticker on my switches. Now when I put them away that says turn off VPN, because the first thing you have to do is you have to connect to their network. Your VPN kicks in because it's never seen this network and it doesn't trust it and it shouldn't.
And then you sit there going, what is wrong with this piece of poop?
Every single time, every single time we do this, we go through it.
So, and the reason I bring up a HomeKit falling over in a heap is that Sandy posted that one day all of her HomeKit automations failed and she had to rebuild them all from scratch.
And then a couple of days later, it happened to us. And then it happened, I want to say it happened to Alistair, but Alistair's stuff's always falling over in a heap. And then I was talking to my consurgent and he said all of his fell over in a heap.
So he says he heard something did fall over in a heap at Apple on that.
As I understand it, under the hood, there's a gigantic rewrite happening at the moment in preparation for Matter.
Hmm. And so I think it's quite plausible that that gigantic rewrite had a whoopsie.
[41:13] Yeah, it sounds like it. We also have an automation that we don't know how it's happening at all.
Like it's not in there, but it's working perfectly. And Steve thinks that we might've done it in the Hue app, but the Hue app no longer allows you to create the automations in there. So there's an automation running that we can't edit, can't change, but it works.
So there's no UI anymore, but it's still in the brain.
And it's working.
[41:38] Talk about spooky action at a distance. Yeah, but imagine you wanted to stop it. Nope.
Anyway. Okay. So anyway, deep dive number the second. Okay. This one is fun.
This is like, yeah, this is mostly fun. I have one bit of neutral news. It's not the good news or bad news. It is a thing.
So I will end with a big question on this.
Okay. About why it won't work.
[42:00] But let's go. Okay. So the big thing is we have three new announcements that we're going to dig into in detail. And Apple had a great big press release, but three big new announcements.
And then they didn't do a press release, they released a statement to a select number of websites saying, and by the way, that controversial CSAM thing we were talking about that we had paused, yeah, that's dead, that's not happening anymore.
So that's kind of interesting in this story because the reason we all thought they were doing that, what they were going to do was at the point in time when a photograph was
flagged for uploading to iCloud, Apple were going to on your phone between deciding it was going and actually leaving your phone, they were going to take a fingerprint of the photograph and then compare that fingerprint to fingerprints of known child abuse imagery,
and look for matches on your phone and then send it off to the cloud.
Which meant that in the future they could encrypt it as it went up to the cloud because they'd already done the checking on your phone.
And people were very, very, very concerned with the concept of your phone working against you, your phone, messing with your photos, not in the cloud, but on your phone.
And people got very upset about it. And in the end, Apple were forced to park the idea. And I think I had said at the time, I don't think this is ever coming back when they parked it.
Well, it's gone. They have abandoned it. It is gone.
[43:23] Which makes it all the more surprising. They went ahead with the features we're going to talk about now. So the first feature is the one that in some ways has me the most interested. Well, no, not the most.
Yeah, let's just do them in order. I went with the order they were in Apple's press release because I was too lazy to rearrange them and to decide which was cooler. So I just put them in that order.
So the first feature we have is called iMessage Contact Key Verification.
[43:47] And this is the one that takes the most explaining. So we're going to spend most of our time here. So the most substantial, genuine security-based criticism you can make of Apple's messaging system is that while it does good end-to-end encryption using public key cryptography.
[44:06] The fundamental flaw, wrong word, but the weakness is that Apple manage the keys and they don't show their work. So you have to trust that Apple have safely and correctly shared your public key with everyone else who is in a conversation with you.
So remembering the way public and private keys work, right, so let's say we're in a group chat: myself, yourself and Alistair. So, the way it works in Apple's system is that you send a message to the group.
That message is encrypted twice. Once with my public key, which means only I can read the message.
And once with Alistair's public key, so only he can read the message.
And that is true end to end encryption. It was encrypted before it left your device with separate encryption to me and to Alistair. And the only place it gets decrypted is on my phone and on Alistair's phone.
If I have a phone and a Mac and an iPad, you actually got three public keys from me and you encrypted the message three times for me. If Alistair has a Mac and an iPhone, that's two, you've actually encrypted the message five times with five public keys.
[45:12] Okay. It's perfect end to end encryption. Now, if you had to manage those keys, if we had to manage those keys, I think we'd go nuts.
Right. So, quite sensibly, Apple managed the keys. So it has long been the case that we trust that Apple do not add an extra key.
If they added just one more key to the set of keys, then that could be the public key that matches the FBI's private key.
And then they would be end to end encrypted in our secret conversation. And it wouldn't break end to end encryption, but there will be an extra person eavesdropping. The phrase in the media was ghost keys.
And because Apple doesn't show you the keys, you can't go into iMessage and say, show me the keys, show me who is in this conversation in terms of keys, it's just going to say Bart and Alistair, and under the hood it has 3 keys for me and 2 keys for Alistair.
[46:04] The other way to do this, to make it way more secure, would be to allow us to manage our own keys. There is actually an app that does it that way. It's called Threema and they have a triple colour code system.
If they do the key management for you, the conversation is coloured in red to say you're trusting us.
[46:23] If you and I have exchanged a key by sending it to each other through another channel or by scanning a QR code straight off each other's phones, our conversation turns green because we have definitely proven each other's keys. And if I have verified your key and if you have verified Alistair's key,
then Alistair goes yellow for me because I have an indirect connection to Alistair.
Very, very secure. Have we talked about this once before? We did. Or it was one of the chat services uses Threema, right?
Threema is a chat service.
Oh, oh, sorry. Okay. Okay. It's an alternative to Signal, WhatsApp, et cetera. Leo Laporte loves Threema.
So you get this color code of traffic light system so you know how confident you are in the key. I took care of it, the app took care of it, or it went only through my friends.
Give you the red, the red and the green on the two ends and the orange in the middle for it went through my friends. And that is very, very secure. And if I were a journalist working with sources or something, I would definitely like that level of control.
But why is Threema not popular? Because it's a giant pain in the hoop.
[47:28] It's just effort. And that's why it didn't take off. Now there is another approach you can take which is the approach taken by Signal.
Which is I would argue equally as secure.
Signal manages all the keys entirely automatically just like iMessage does.
But in Signal you can view the keys.
And it doesn't just tell you all the keys that exist which is mildly useful. It represents the keys as pictures.
So you have a direct mapping between the key's bits and the picture.
[48:00] And if I look at the picture on my phone for our conversation and you look at the picture and they are the same, then we are using the same key.
[48:08] And so we can verify by, say, standing together and looking and going, oh great, our keys match, super. Or we can have a FaceTime and show each other our keys.
As long as we know that those two pictures are the same, by any means we trust, right, it's up to us to figure out how we decide they're the same.
We could email each other the screenshots, we could do whatever we wanted. As long as we know those two pictures are the same, we know for sure that forever more, unless the key changes, in which case Signal will tell us the key has changed, we can communicate safely.
So that means it's all automatic, but if you need to prove it's true, you can prove it's true.
[48:42] That's what Apple have done.
[48:45] So they're going to keep managing the keys, but if you want to prove it, they are going to provide the interface to prove it.
So it's about trust. Yeah, the trust has been removed. We don't have to blindly trust. We can now verify. Verify. Trust but verify.
Precisely. So no loss of functionality, no loss of convenience, and for 99.99% of people we are never even going to bother our backsides with the verification because it's perfectly
fine for us to trust Apple. But if you are someone who is particularly at risk of being targeted, well you can verify. Without this feature you can't. Now you can. That is fantastic.
Because you don't have to trust Apple. And if Apple are caught once with their pants down, well, we'll know. That will be headline news, so all the rest of us can continue to just use the app.
[49:40] So I think this is fantastic. Best of both worlds. All of the convenience and we're not blindly trusting anymore. Super.
I never worried about it before, but I knew about it. But now I don't need to, I definitely don't need to worry about it because I'm, and I'm not in a position to probably be terribly worried.
But that's good. Good.
And the reason I wasn't too stressed about this was because of how heavily they fought the San Bernardino case.
[50:05] That sort of told me they probably wouldn't secretly add a key. But that was trust, right? That was me trusting.
I was happy with the trust. So that's the first most complicated feature.
The second feature then is very straightforward. If you believe that your Apple ID is in danger of being targeted, you can configure two-factor authentication so that it will only authenticate you with a hardware authentication token.
[50:28] The press release is sparse on detail. I am almost certain this is the FIDO standard because I can't imagine in 2022, coming on 2023, there was anything but FIDO still in use out there, because it is the standard and Apple are a member of the FIDO Alliance.
So I'm almost certain this means FIDO keys, which could be a YubiKey or a Google key, whatever.
Okay. So you would be adding, you would still get your six digit token from your authenticator app and you would still have a username and a password and now you'd have a hardware key?
No. So you would replace the weaker two factor authentication with the stronger two factor authentication.
[51:06] So username or password. I heard it described as both, but it would make sense to have both because then it could fall back to it.
Right, but the press release is two paragraphs.
My reading of those two paragraphs is that you replace your two factor auth with basically the two factor auth must be a hardware token.
Well, it makes more sense because when I was listening to somebody say that, I thought, well, that's kind of weird because then that attack vector would still exist.
Exactly. Exactly. Yeah. this is because right now today you have support for a hardware token because Apple support the FIDO standard.
So you could, you could add a token for your convenience, but this feature is saying the only way anyone ever gets into my account is with a hardware token.
So if I worked for the government or something, I would want my Apple ID secured with something verifiable.
And the great thing with a hardware token is like you don't know you've lost your password. Because someone else having it doesn't deprive you of it. But a physical token exists in one place, unless there's been some sort of quantum tunnelling going on. So a physical token exists in one place so if someone else gets it you lose it so you know it's.
[52:18] Which is not true of a password. That's a really big difference between hardware and software tokens. So it's just, I'm not going to use it because that's an awful lot of hassle, but it's good that it exists.
So yeah, nice one.
And then we get to the third feature, which I am almost certainly going to use.
[52:35] And I would say this is the biggest deal because of its implications. So at the moment, there is a sort of a two tier system within iCloud.
So Apple use SSL to encrypt all of our traffic as it moves between our device and iCloud. So it is encrypted in motion.
Apple encrypt all of their hard drives in their data centers, so it is encrypted at rest. But Apple have and securely store a copy of the key so that if you forget your password,
you can go onto Apple's website and jump through a whole bunch of hoops, which if you lose your things far enough means you have to send them a copy of your passport to get back in. But they can let you back in because they do have a copy of the encryption keys.
[53:27] If they have a copy of the encryption keys, they can help you recover your account.
[53:32] And they can be forced to recover your account on behalf of law enforcement. And it can be done through a FISA court, in which case there is nothing told to you about it, because that is how the FISA legislation works, they can be forced to hand it over secretly.
[53:47] That is true of almost all of your iCloud data, with two very notable exceptions. Your health data and your iCloud keychain.
Those are genuinely end-to-end encrypted. So if you lose your iCloud password and you go through the hoops to get a reset, you will get everything back except your health data and your passwords.
Because Apple do not have the keys. There's true end-to-end encryption. The key is in the secure enclave on your devices.
And so there is a different key for each of your devices. A bit like with the example with the chat, it's a multiply encrypted. And the keys are physically in your devices.
So your device is what has access. And that's where the end-to-end encryption is. And what's stored in the cloud is encrypted gibberish, which means they can't hand it over.
[54:36] What Apple are offering, starting, it's in beta now. Actually, I should have said the first of those features is, what did I say, available, quote, in 2023.
So the iMessage contact verification is in 2023. So take that for what it's worth.
The secure keys is early 2023, which sounds nearer. And this last feature is already in beta in the US and is rolling out to everyone else in early 2023.
So what Apple are changing is that you can have this level that we currently have for our passwords and our health data for everything except for, I think it's Contacts, Mail and Calendar, which is because mail is done through the SMTP protocol, which is insecure-able really.
It's a pre-security protocol.
It's a postcard.
It's a postcard, exactly. And calendars use CalDAV and stuff so there's all these protocols for office apps that are meant for interaction with each other and stuff.
You can't end-to-end encrypt your.
[55:40] Groupware. It's just those protocols are just so old that they are not secure. You'd basically have to use Slack or Teams to get secure groupware because the old protocols are old protocols.
They're now they can't be retrofitted.
It's like, you know, no amount of putting you can't put a catalytic converter on Fred Flintstone's car. There's nowhere for it to go. Okay.
[56:04] Can't put everything apart from. Well, you could. It doesn't do anything. I was going to say it'd be some sort of, I mean it's got a precious metal so maybe it's an ornament.
But yeah. So basically everything apart from those legacy Contacts, Email, Calendar, everything else in your iCloud would be end-to-end encrypted.
So what you get is no way that Apple can share your stuff with themselves or with anyone. No seriousness of data breach in Apple could ever expose your data.
And if you lose your access, you are hosed.
It is gone. So you have just taken responsibility for not losing all of your Apple devices simultaneously and or actually and simultaneously forgetting your password.
As long as you have a device or a password, it should be recoverable.
But if you have no devices and you've forgotten your password, the data has become noise.
It is. No, I thought, correct me on this. I thought if you had assigned a, if you have a designated contact.
If you have a legacy contact and the key exists somewhere else, so assuming they haven't locked themselves out, then you could get at it that way.
[57:19] That is true, because what you're actually doing is you're entrusting someone you trust with a copy of the key. So at the moment Apple have the key and your trusted person has the key.
So if you stop Apple having the key, I think, although it doesn't say in the press release, it seems sensible to me that if you do that they would also have the key, because that's the whole point of the feature.
But I haven't seen that confirmed, but I think the answer is yes.
[57:44] Logically, it should be yes. I think that's what I heard. Two problems here.
Okay. Number one, you have to be capable of running Ventura and iOS 16 and iOS 16.
[58:01] Right because there's going to be a whole new brain. Which means if you have a machine, if you have a machine that cannot run Ventura like my spare MacBook Pro, you can't do this.
I don't understand why it's restricted to an OS level.
I mean, I guess it's in the OS. This is a core OS feature that is being added to only the newest OS. This is an additional capability that is being added to one OS.
That really limits it. Now here's another situation. Steve can't go to it either, even though every device he has is capable of running the latest OS. You know why? No.
We have a shared library. Oh, okay.
[58:39] Oh, that, okay. Shared photo library. So if he's in, well, I don't know what would happen. It's possible I would be locked out of my photos.
[58:49] Or else that library would be exempted from the encryption because there's a second copy for you, right?
You're sharing, which means there's some sort of- Yeah, who knows? Who knows? That's an edge case that gets interesting, but it could be common, right?
If somebody's got an older iPhone that can't go to iOS 16, they're still running iOS 15 and they're in a family shared library.
Everybody else goes forward. You can't do it.
[59:15] We shall see that they're the kind of details that will fall out before this thing goes into production.
[59:21] So that is one to keep an eye on. Yeah. So don't get too excited.
Don't switch. If you're planning on sharing photos with anybody, I wouldn't switch.
Certainly not until there's more clarity. This is not a feature where I want to be in the early adopters group. The way I look at this, right, is I was talking about this recently in work with my security hat on.
It's almost impossible to take security and project it backwards in time.
What you do is you simply say that from this point forward, everything you will have this new feature.
And so by Apple saying everything from Ventura on will support this, what you're doing is you don't have the feature now, but it is on the way to everyone and it will arrive at for different people depending on their upgrade cycle at a different rate.
And to me that's perfectly fine to project forward. Just stop making the problem.
Just draw a line in the sand and move forward and say from here on out this is now available.
So I... Yeah. Yeah, slowly slowly catchy monkey on this one because if they mess this up,
Just imagine there's a catastrophic bug in this. This has to be done carefully. So I'm not sorry this is slowly, slowly catchy monkey.
And I also don't want them to backport it because it's never going to get the same level of TLC to backport into code no one's looked at in a year and a half.
Well you say that because all of your devices can run the latest OS. No.
[1:00:41] After you sell the one in the closet to Bryn. Ah yes, but I also have my work hat and my MacBook Adorable, I do not believe, can go. And I do love my MacBook. But that's not logged into your personal iCloud account, is it?
[1:00:55] Yes, it is. Oh. It's logged into both. I have, I keep two accounts on my machine so that when I'm traveling for work or something, I use Apple's account switching to move between work me and not work me.
So it's the same laptop. But when I'm in the hotel in the evening, I'm on personal me and that's my iCloud has come down and all of my stuff.
And then when I'm in work work, it's the other Apple ID. It's the other account and Apple ID I use.
So yeah, it is actually logged in.
[1:01:21] And it is adorable, and Apple do not yet make, even though they have these amazing M series chips and they could make that form factor again and it could make it amazing, it doesn't exist yet. Come on Apple!
Blow the dust off that design, stick the M2 in it, you'll have my money straight away. I'll just hand it over.
Oh, such a great form factor. Okay!
Man, 10 to 8. Okay. So yeah, big news. That is big changes here from Apple, I think.
So I am excited. Yeah. Like I say. Yeah. I will be excited when I can play. I'm just happy at the announcement, right? This is a roadmap. This is what have so... It's a bit like WWDC. You don't get it straight away, but you know what's coming.
And this is a nice roadmap. But it's pretty soon.
Early 2023 is in 19 days... Wait, I'm bad at subtraction. No. Yeah, 19 days. There's 31 days, right? December is a long one.
Okay, 20. I think it might be 20 days, yeah. Okay. Three weeks.
Let's round it up to three weeks. That's not far in the future. Early 2023 is right around the corner. So, but yeah, I'll be sitting back and watching this one until I can figure out some spare MacBook Pro and or MacBook I need to buy.
[1:02:38] Yeah, well, I think round about next summer Apple might give an excuse to replace that last machine. Yeah, well, it's hard to... I don't regret the decision, but I normally give away my oldest machine to Lindsay.
But it was such a great machine that I couldn't see having it sit in the closet. So I actually gave away my... I gave her my next oldest one and now I have my oldest oldest one. So it's a 2016 MacBook Pro.
It's a great machine though. It has a place in your heart, a bit like my MacBook Adorable, that is nearly 10 years old. No, it's essential to if something happens to this computer and I can continue to work.
It's not emotional.
[1:03:20] No, no, why did you pick that one, not the newer one? You have to have a machine. Because Lindsay is precious to me, not because of the machine.
I gave Lindsay the 2019 because it was only two years old at the time.
OK, sorry, I misunderstood. I thought you kept the old one because you liked the older one better. But you actually like your daughter better. Which is, I think, quite good.
Yes. OK. Right.
All right. OK, so moving us on to regular service now resumes. Wait, really quickly, did you say that the FBI is deeply concerned about Apple's new security protections?
I did not. I think I implied it, but you're dead right. That is shock and/or horror. There is at least a press statement. Yeah, "deeply concerned" is their quote from their short press release.
I love them, but sorry. You can't have this one. They wear two hats.
It's their job to protect people and to spy on people and their two hats are completely in conflict because this will make FBI agents safer and this will make FBI agents work more difficult and it may be the same physical human being who both benefits and loses at the same time. Yeah.
[1:04:25] So that's a difficult one. Anyway, yeah, so that's where we are. Okay, regular service, action alerts.
This, you can't make this up. First story: "Chrome fixes 8th zero-day of 2022, Edge as well."
Number nine: "Chrome fixes another 2022 zero-day, Edge patched too." Both happened in the last two weeks. It was like one a week since we last recorded. So patchy patchy patch patch. Although to be honest, with Chrome, it's turn it off and turn it on again.
Is that a lot? People seem alarmed. Is it? Okay. For zero days, like for bugs that's not a lot, but for zero days that's a lot.
I think Safari may have had like one or two this year.
And you know, small numbers, rounding errors, but nine? We're approaching the wrong order of magnitude here.
Yeah, something going on with, there's some quality issues in their code base. I'm guessing some sort of technical debt to be paid down. Not sure why, but that is unusual.
[1:05:27] And then Apple have released a security update, iOS 16.1.2. The security notes don't tell us anything about what they fixed, apart from that it has some security fixes. And it also apparently tweaks crash detection, so it may not go off while you're skiing quite as much. Because that's a thing at the moment. We had fun with that on Let's Talk Apple. And the good thing is, the emergency services are telling people, yes, it causes false alarms.
No, do not turn it off.
Yeah. I mean, falling while skiing can very much fit in that category of you really do want emergency services. Yeah.
But I think it was not falling. I think it was just skiing.
I think some people may be skiing a bit roughly. And I know sound plays into it. So I think you end up with noises that may sound car-crashy as you're throwing yourself off a mountain with sticks on your feet.
It is a rough thing.
Moving on to worthy warnings then. So the first one is getting some serious finger wagging from me, because this is a really subtle thing Google has done here. So up until now Google Maps was on its own domain, maps.google.com.
Which meant that if it asked you for location permission and you said yes, it was maps.google.com that got your permission.
They have moved it to be part of google.com.
So if you say yes to Google Maps, you have just said yes to all of Google's websites because they're all on the Google.com domain.
[1:06:56] So you cannot say, Maps can have my location. Nothing else can. It's one permission there. Seriously?
Seriously. By wrapping it into the one domain. That is the worst thing I've ever heard.
It is. Oh, it made me so cranked up. Oh my gosh.
And given that they just got put under a consent decree. Either Maps doesn't know where you are, or everything knows where you are.
So cranky. So yeah, Apple Maps. To be honest, Apple Maps has been sending me wrong less often, so I've been using it more.
But now I'm really sure that's what I'm doing. So with that out of the way, there was an issue in Twitter's API in January.
And we knew data had leaked, but it had been kept secret. The bad guys hadn't shared it publicly.
Well, 5.4 million records have now been shared publicly.
It's mostly just scraping off your public data, but it also includes your privately configured email address and the telephone number you use for multi-factor authentication.
[1:07:59] So a little bit of a daily there for the 5.4 million people. There are way more than 5.4 million Twitter users, so we're not all caught up in this, but that's a lot of people. It's a lot of people.
[1:08:12] Can I get a six? It's millions, not billions, compared to Yahoo. Drop in the ocean. Always go back to that one, right? We do.
LastPass then have, yet again, very proactively and very, you know, all in public, said, "We have detected another hack."
[1:08:31] Someone used information stolen in the August hack to get back in. We're still investigating the full details but we can guarantee you they have not gotten your end to end encrypted passwords. We will update you when we know more.
So there is another shoe to drop. It may be that contact details have leaked or something. We literally have no idea and they haven't told us yet but we do know the most important thing your passwords are still safe and they're being very proactive about communicating.
So I have full faith that they will tell us what happened when they know.
And they have engaged Mandiant. I was listening to the SMR podcast and Rob Dunwood was really upset by this, mostly because it just feels like they're repeatedly screwing up.
I felt that they were fairly connected, that it was, you know, it was, it was the second shoe in the same story dropping.
Explicitly, they actually say in their release that information taken in August was used to get back in through a third party system that they use.
Their actual press release lays it out that this is not me joining the dots.
LastPass have joined the dots explicitly. This is the same breach. Right. So it didn't seem to make things worse.
[1:09:47] No, and the fact that they're continuing to communicate. So they could have very easily said nothing until they knew everything. Most companies would.
The fact that they're continuing their approach of being open.
It was the opposite of making me more worried. It makes me less worried. This is what I, this is how you earn trust.
[1:10:04] So yeah, I'm not, I don't use LastPass because I prefer the UI on one password. But if I did, this wouldn't change anything.
Good. Good. Yeah. And then we have a listener-supported story which, at the point in time the listener posted it to podfeet.com/slack, was a purely bad news story.
So you know the way with two factor authentication you're supposed to do your username and your password and they're supposed to match and then you're supposed to do the second factor.
Well, Disney tried to roll out 2FA for their Disney Vacation Club, but when they rolled out their 2FA they were failing to check the username and password, so you could literally say username and the password boogity-boo, and as long as you passed the two-factor off they let you in.
So the entire security collapsed down to like a three-digit code or whatever, or a six-digit code, whatever number of digits they gave. That's not a second factor.
That's replacing one factor with another and arguably not that strong a factor.
[1:11:02] So they have rolled back their changes and will try again in a few months time. Good. By the way, this was from Mike Price.
[1:11:10] So thank you for sharing, Mike. You'll be glad to hear that. Yeah, at the time when Mike posted it, the story was, this is broken. And now the story is we've rolled it back because we know it's broken.
We un-broke it. Good.
We un-broke it. Yeah. Then we have notable news, just one thing, to be honest, that caught my eye here. Digital car keys are becoming more of a thing.
So I think it's important that Google added some features to their Pixel phones that allow a digital car key, as implemented by BMW and one or two companies, to be shared between iPhones and Pixel phones.
[1:11:50] So that means you can be a family with a mix of pixel phones and iPhones and share your digital car key. I presume this is a precursor to the same feature coming to Android in general as opposed to just pixels.
Probably only to Androids that have secure enclaves. There's probably going to be some caveats on that for genuine security reasons.
But I think this is good because as we move towards this kind of a keyless future this becomes important. So I thought that was good news.
[1:12:20] And then, excellent explainers, yet again, yet another tip of the hat to Tom Merritt. Why not have Tom explain passkeys to you?
That was a great episode of Know a Little More. Yeah, I mean, arguably I knew it all, but it was so fun to hear it laid out so well,
that I felt a hundred percent confident in sharing that clip to anyone who asked me about pass keys.
And that says a lot.
Right, exactly. For me, it was just great to have it additive. You know, I need to hear these things several times. I'll probably go back and listen to it a third time or a second time.
Well, hopefully he does that cool thing where he updates stuff as news changes, because I think that's a great way to remind myself when he does an updated version.
That's why I cared about Wi-Fi 5 and Wi-Fi 6. Thanks, Tom.
Okay, well that then brings us on to palate cleansing. There's two from you, so do you want to do one and then I'll do my one and then we can jump back to you?
[1:13:25] Yeah, sure. I've been finding a lot of great content for astronomy on Mastodon. I started following, well you follow NASA of course, but a bunch of astronomers.
You can follow a hashtag, so I follow the hashtag astronomy and just the pictures of everything coming back. One of them was an amazing gallery of images of Jupiter, but these are photos taken by the Juno probe and they're just spectacular. It's of Jupiter and its moons.
Those are really, really good. There's a link to NASA there. But the really funny one to watch now is there's a satellite called ESA Mars Express Orbiter that's been going around Mars that I didn't know.
I didn't even know it was there. But anyway, it's pointing at Mars and it's got this video. It's looking at Mars and all of a sudden the moon Phobos goes right in front of the screen and it's huge because it's really close.
So it's just sort of like, you know, you're just going, oh, there's Mars, there's Mars. Whoa, what is that?
It's a very surprising one. I got that one from Mastodon too. So that was pretty fun.
Yeah, no, that is cool. And it's nice to see those Europeans manage to do some space stuff.
[1:14:35] Well, actually we have pretty good rockets too, now that I think about it. But yeah, it's cool to have a European mission. Yeah. And then my theme is the same as your theme.
And it is now a thing where we have rovers and stuff taking selfies. I think one of the first, the Mars rovers started the trend and I was listening to a podcast interview just this week with one of the scientists who proposed the selfies from the Mars rovers.
[1:14:59] Actually it was the people who made the documentary, Good Night Oppy, which I haven't watched yet, but it's on my list.
Oh, I was going to recommend it to you. Yeah. It's just so we can interrupt really quick. It's about opportunity. The Rover opportunity is the subject of it.
Yeah. And one of the scientists who's featured in the documentary was interviewed on one of the science podcasts I listened to and I listened to far too many to remember which one. And it was
such a fun interview. And one of the things that came up was the subject of proposing to a bunch of scientists that we should do a selfie, and they're like, what's the scientific value? And much to her surprise, the reception from the scientists was,
Oh yeah, that's cool.
[1:15:42] By the way, it's on Amazon Prime. Good Night Oppy.
[1:15:47] And so now that's a thing where rovers and things we send out to space take selfies. So America, with the help of Europe (I discovered we are partners on Artemis, which is cool), has sent a rocket around the moon, preparing the way for human beings to go back to the moon.
And while on the far side of the moon, Artemis I took a selfie which has Artemis I in the foreground with its giant big NASA logo very prominently displayed, the moon in the, I guess we'll call it the mid-ground,
and the little marble, the blue marble planet Earth, sitting in the background. So our spaceship, the moon and us all in the one selfie.
Very good. I love it. So it's like when you have to hold your arm up real high and kind of at an angle to get everybody in the shot.
[1:16:30] It is and it's very wide angle lens because there's very obvious distortion in the bit of Artemis one we can see. So it's obviously a wide angle camera stuck out in an arm, but it's still so cool to see the three together like that.
The pictures from Artemis were just tingly all over and it splashed down right before we started recording. Oh cool. It's come safely back to Earth.
Well, its job was to prove that it was ready to take people. So it went up safely, went all the way around the moon safely and came back safely. Yay!
No explodey bits yet. The best kind.
The best kind. Excellent. I look forward to celebrating the first woman on the moon.
Ever. Yeah, yeah, me too, me too. Just one last little tidbit.
I just learned that Japan is going to send a non-space-agency, privately owned rover to the moon, and they took off with a little test flight today on a Falcon 9, and it just went into a low Earth orbit, a stable low Earth orbit, but went up on a Falcon 9 today.
And Canada's involved. I forget what Canada is doing. Canada is part of it and so is Japan.
The only thing I know is that Canada made the arm for the International Space Station because the Canada arm with the giant big red maple leaf was just, it was always in shot. That's marketing of all time.
I know very little of it, you know.
[1:17:58] When we went to the Johnson Space Center in Houston, we got to go and do a simulated 747 that had the shuttle on top.
I'm sorry, it was a simulated shuttle. It was a real 747. They didn't, Houston oddly enough didn't get one of the shuttles. But they had the Canadarm in there, so I took a picture for Steve and Gatt.
Excellent. That was masterful, masterful marketing, the Canadarm. With the amount of publicity, you'd think that the arm was more important than the space station or the space shuttle itself. It's more memorable.
You remember that and the fact that Hubble needed contact lenses because my very own company didn't grind the mirror quite right.
Well, they ground it exactly to the wrong spec.
They're perfectly wrong. Exactly. All right, we've probably been going on long enough, but I had fun. I learned a lot. This is, this was excellent Bart.
Excellent. Well, do we meet again before the holidays in this venue? Yes, we're going to do one more before the end of the year.
One more before the end of the year. In that case, folks, enjoy the run up. Hopefully you're winding down, relaxing, and we will talk to you soon. And until then, remember to stay patched, so you stay secure.
[1:19:08] Well, in theory, there will be a transcript of this episode, including Security Bits, so you can read all of the lively discussion we had there.
I suppose you just heard it. Anyway, I hope it works. Like I said, I'm having a problem with the chit chat one. So anyway, in any case, that is going to wind us up for this week. Did you know you can email me at allison@podfeet.com?
Do you know what you're going to email me?
You're going to email me with the title, I'm still using it and tell me a story about something you're still using and why. And start working on those reviews for Alistair and Bart, they're really going to need those. If you have a question or suggestion, you can also send those on over.
You can follow me on Twitter. I'm not tweeting very much, so maybe you want to just jump on over to Mastodon where you can read everything I do at @podfeet@chaos.social. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com/slack,
where you can talk to me and all of the other lovely NosillaCastaways. You might be noticing a pattern here: everything good starts with podfeet.com. You can support the show at podfeet.com/patreon
or with a one-time donation at podfeet.com/paypal. And if you want to join in the fun of the live show, where next week will be the last 2022 live show, head on over
to podfeet.com/live on Sunday nights at 5 p.m. Pacific time and join the friendly.