2021, Allison Sheridan
NosillaCast Apple Podcast



[0:00] Music.

[0:09] Apple bias. Today is Friday, December 23rd, 2022, and this is show number 920. Well, we made it to the end of 2022 without missing a show. This show is coming out a bit early as I'll be doing Christmas festivities with family on the 25th. That means there is no live show this Sunday. It also means I'm a little bit lonely, but since I'm going to be reading the I'm Still Using It contributions from so many great NosillaCastaways, I don't feel like I'm alone.
Anyway, we'll be back in the saddle with the live show on January 1st, so be sure to bring your New Year's Day frivolity.

Allison On iPad Pros #161 With Tim Chaten

[0:44] Tim Chaten does a delightful show called iPad Pros, and I have the honor of being his guest for episode number 161.
His show is all about using the iPad for everything possible, so we dive into my uses for the iPad Pro, my pick of the Hash Photos tool for iPadOS and iOS, and we do get a little bit off topic by talking about how I use my Synology.
We talk about the iPad Mini and that no matter what I try to do with it, it just never seems to find a place in my workflow.
Anyway, you can find Tim's iPad Pros podcast in your PodCatcher of choice or you can watch a video version of our conversation over at

Tim Is Still Using Tivo

[1:24] As I mentioned in the introduction, today we get to hear from the NosillaCastaways about the hardware and software they're still using after many years. This is actually part two of I'm Still Using It, and we have some rather extensive stories mixed in with brief moments of delight from the Castaways. We'll start with Tim Jarr, and here's what he has to say. I'm still using my TiVo, specifically my TiVo Roamio from circa 2014. First of all, if you haven't used a TiVo, especially if you've used some other kind of knockoff DVR, and believe me, all of the other ones are knockoffs that copied TiVo, you haven't really experienced how watching TV should be.

[2:01] The half hour buffer of whatever is live, the ability to record multiple channels at once, the best and easiest method for skipping forward or backwards in a program, the 30 second instant replay button, the skip commercials button, the best grid for live viewing and picking programs to record, a dead simple, even my grandfather could learn it, interface for recording and playback, both individual recordings and the famous, oft-copied, Season Pass for all seasons of a show. I'm sorry, for all episodes of a show. It's all genius and basically all of it was pioneered on TiVo, and everyone else just copied a watered down version of the same. As an added bonus,
my model supports both cable TV and antenna, something that TiVo has sadly moved away from in recent years. So when I was living in rural places much of the last 10 years,
I could plug in that Comcast coax cable and be set to go. And with enough pleading, I could even get them to give me a cable card and configure it. The best way to DVR.
When I moved to the big city again and I could get the network stations over the air, I can plug my $10 Walmart antenna into this just as easily and record that way.

[3:10] Yes, streaming is likely the future, and I subscribe to several services and I love them, but they don't match the ease of TiVo, and none of them come even close to the precision rewind and fast-forward functions that you can stop exactly where you want. TiVo even pioneered the idea that there's some lag between when you see that your show has returned from a commercial and when your brain sends a signal to your hand to press the button, and compensates accordingly by jumping back a few frames when you hit play so that you always land precisely on the frame you want to land on.

[3:42] Finally, the TiVo remote might be the best designed remote control in existence. Why no one else has copied the peanut shape that actually fits comfortably in your hand is beyond me.
It's so comfortable and natural.
Your hands land naturally on the most commonly used buttons, and when you need to reach something at the top or the bottom of the remote, your hand easily slides the remote up or down in your hand without feeling like you're going to drop it.
Care was even placed in things like having the instant replay and skip forward buttons in logical spaces, easily reached from the main play-pause select hub in the middle of the remote.
Heck, they even included four ABCD buttons below this for future improvements.
For years that seemed just like a myth, but then they made one of the shortcuts to turn on-off closed captioning and more recently converted the D button to a skip commercials button.
Then it vaulted TiVo even further ahead of the competition.

[4:32] In short, this remote was the exact opposite of the first generation Apple TV remote. You know, the one where you can't even tell if you've picked it up correctly or if you have it upside down.
And I say that as a guy who hates that remote way less than a lot of reviewers.
And of course, the whole idea of time shifting TV watching to when it is most convenient to you was something TiVo was at the forefront of.
Turning on a game 20 minutes late, being able to catch up by the end by skipping commercials was the coolest thing ever.
Same with a TV show, with even less lead time needed. Sadly, the years haven't been kind to TiVo.
They tried to package themselves as hardware that cable companies could use for their own DVRs, but Comcast and the like followed their usual playbook, releasing far inferior products and charging their customers more for their poor man's version of a DVR.
In 2016, Rovi acquired them and immediately made their presence known by changing the UI.
Instead of a pleasing soft yellow highlight showing your active selection, we instead got a blinding white orb. They also dramatically decreased the number of days' worth of upcoming TV listings while simultaneously being wrong about them consistently, especially if there were changes made closer to airtime, something TiVo used to excel at with its frequent guide updates.

[5:43] Then Xperi bought them in 2019, and another hallmark of TiVo, their fantastic customer service for the clients, also went to the dogs. So the brand and the joy that came from using it aren't the same anymore, but some version of it remains, and there's still no better remote, no snappier and easier to understand interface for watching standard TV, and I still love it for that.
Well, Tim, I agree with you 100%, and it is very rare for Tim and me to be on the same side of a discussion.
I'm really glad you still love your TiVos. Now, if it weren't for Channels acting much like TiVo as my DVR for YouTube TV and saving me $1,120 per year, I would still be on TiVo today.

Kurt Is Still Using An iPod Nano

[6:27] Next up, we'll hear from Kurt Liebesite. Hi Allison, I'm still using an iPod Nano 6th generation MP3 player.
In fact, it is what I usually use to listen to podcasts like the NocillaCast.

[6:39] Your listeners have all almost certainly seen or even owned a 6th gen. It's a little square one with a color display and the touch interface that you navigate through with tapping and swiping.
The iPod Nano 6G came out in 2010. The one I use most of the time is not the original one that I got in 2010, but rather one I got off of eBay a few years ago.
I love the small size and the clip that fastens onto your clothing. I usually wear button-down shirts at work, and I clip it onto the front of my shirt down near my belly button, and then run the earphone cord up and around my neck before plugging the earbuds into my ears.
That's not the most high-tech of MP3 players. It doesn't even have Bluetooth, for instance, but it has just enough technology. You can navigate around to the song or the podcast you want, it holds enough content to be useful and the battery life is long enough that I hardly ever run it down too low.
How much do I love it? Well, let's just say that I have a fully functional backup unit and enough parts in reserve to assemble two more.
My runner-up candidate for I'm Still Using It would be my 24-inch Apple Cinema Display and my 2010 classic Mac Pro, still running Monterey.
I know the display is not retina resolution, but it does just the job I need while looking darn stylish.
And the Mac Pro just keeps chugging along, handling everything I throw at it.
It seems like the 2010 era was a time when Apple put out some products of immense value.

[8:01] Wow, Kurt, you brought back a lot of memories for me with the sixth gen iPod Nano. I loved my red one. I used it for running, and of course it was filled with podcasts and not music.
I remember the first time I plugged it in and I was delighted that iTunes represented it as red. I thought that was so cool.
I think I remember breaking that one and I bought another one on eBay too, and I still have it.
Haven't used it in a long time, but boy, that was a great device.
I also still have an Apple Cinema Display chugging along, but it's not my original 24-inch.
That one died 35 months into the three years of AppleCare, and Apple replaced it for free with a 27-inch.
That was when I first discovered that Apple making displays that don't adjust up and down would be a problem for me.
While the 24-inch was the perfect height, the 27-inch was too tall for me to comfortably see without straining my neck.
It has a place in my home as the display for our M1 Mac Mini, and I love the contrast in technical years between them.
So thanks for the memories, Kurt, and it's so swell to think of you listening to podcasts on that little iPod Nano.

Bruce Is Still Using Emacs

[9:06] Next up is Bruce Wilson and we get to hear from him in his own voice.

[9:11] When Allison first announced the I'm still using it segment, my mind immediately went to an application I've been using since 1985.
That application is Emacs, which is a text editor for Unix and Linux systems. I joked in the general channel on Slack that I should write about this to start a religious war, but in reality it's not a matter of religion for me. I'm just a curmudgeon who learned this particular text editor almost four decades ago, and many of the keystrokes are muscle memory.
I'm still using it because it works. Why did I start using Emacs and wind up on that side of the Emacs/vi divide? It's like a lot of things in science.
It was the tool that the graduate student a year ahead of me was using.
So that's the tool I started using.
However, what cemented it was learning how to use keyboard macros in Emacs.
I learned I could type Control X, Control Left Parenthesis, then type the set of commands I needed, then type Control X, Control Right Parenthesis to close the macro definition,
then Control X, E to execute the macro, Control X, then a number, then the E would execute that macro that number of times.
This was a great tool for massaging text files full of data, which is much of the grunt work in my graduate education.

[10:36] Emacs also had regular expression search and replace, which has been discussed over in Taming the Terminal.
The other killer feature for me was that Emacs had rectangular cut and paste.
That let me cut, for example, columns 30 through 42 out of a text file and either just delete them or move them to a different set of columns in the rows throughout the file.
By the way, did you know that Microsoft Word will do rectangular cut and paste?
Click and drag while holding the option key sometimes, though this is best done in a file formatted in a monospace font like Courier.
Emacs saved me months of time working with text files as a graduate student, so it still has a very warm place in my heart.
VI probably could have done the same things, but I learned the other tool.
And every once in a while I find a text file that needs some serious massaging and I get that trusty tool out of my toolbox.
So I'm still using it.

[11:41] This is great, Bruce, and I really hope somebody comes back with a response to your holy war throwdown.
Maybe William Reveal will jump in on this one.
When he donated so much of his time helping me fix those pesky character encoding problems in MySQL while migrating to a new database server, we spent a lot of time in vi.
Now I don't have a religious affiliation with vi, but I fell into it as you did with Emacs.
Somewhere back in my ancient history, I remember working on a device that was kind of a cross between a computer and a typewriter.
And I do remember that it had a flat plastic typewriter print wheel that you could change out, but I can't remember what it's called.
I don't remember, but I know that the keyboard part of it had a series of keys that were highlighted that I later on learned were the vi key commands when I learned vi for real. So I had been using vi but didn't know it.
When I finally needed to use vi, I found out it was pretty comfortable for me.
I wish I could remember what that was called or even what job I was working on, but I haven't shaken the cobwebs loose on that memory.
I'm definitely not proficient in vi as you are in Emacs, but it was fun and familiar to use it with Bill.
Thanks for sending that in, Bruce. That was really, really fun.

Lynn Is Still Using A Video iPod

[12:55] Lynn York is up next, and here's what she said. Hi Allison, we are still using a DLO HomeDock that we purchased in January of 2006 with a 5th gen click wheel video iPod from 2005.
It holds a copy of our owned music and serves up over 6,000 songs when we want music through our Denon receiver and Infinity speakers in the living room. We have iTunes Match, not Apple Music, so this still works for us.
Getting our HomePods to play music from our library has been a frustrating struggle, but that will have to go into Dumb Question Corner sometime. I look forward to hearing about the other golden oldies that still serve a purpose.
Well, Lynn, there's just something so joyful about seeing all these old iPods still standing, doing their jobs. I'm glad yours continues to provide value to you and Gary and that you get so much joy from it. This one brought a smile to my face.

Allister Is Still Using Hazel

[13:48] You'll recognize the next voice. We have Allister Jenks.

[13:52] In a couple of months I will have been using Hazel from Noodlesoft for 10 years. It has done many different jobs for me over the years, and while those jobs almost always become redundant in time, I always find new ones.

[14:07] I decided recently to export my entire big boy photo library of over 42,000 images into a folder of lower quality JPEGs in order to have an easily viewed catalog should something happen to me and my family be looking through my stuff.

[14:23] Because I am pernickety about my photos, this is not a straightforward job. I export the photos from PhotoLab to a fixed location using a preset.
But I want them in year-month folders, and I want to also export them from Lightroom and copy the Lightroom keywords to the PhotoLab exports.

[14:43] Right now, Hazel is churning through the PhotoLab exports, filing them into the right folders, and then when I export the same from Lightroom, Hazel will push those into the same folders and then copy the keywords across before throwing the unneeded Lightroom files in the trash.
Many of my other current rules work on images. The same keyword copying task occurs for photos I export for Flickr. A couple of special folders that I can export images to will cause Hazel to launch those files into a specific application where such native functionality does not exist.
And one folder runs an ImageMagick script on each image. My Downloads folder is purged of zip and DMG files beyond a certain age, and images and documents of a certain age are sent to my Pictures or Documents folders. I forget many of the other rules I've had in the past, but most will have been along the same lines. Some do often needed tasks on a few files, others work on masses of files. All of them provide me a level of automation that means I get the job done consistently and reliably. And that's Hazel in a nutshell, consistently and reliably making my life easier.

[15:56] Well, I've never looked back to see how long I've been using Hazel too, Allister, but I don't think it's quite as long as you have.
I think I started using it in anger when David Sparks did a video tutorial on how to use it to collect scanned bills, change the titles, and match the name of the company and bill due date and more.
I remember when I did a presentation at the CMD-D conference put on by Sal Soghoian, and I explained how I have Hazel move my podcast files, after they'd aged out, from my local disk to my NAS.
There were two fun things about that. It turned out that the developer of Hazel, Paul Kim, was actually in the audience. He was tickled that I'd showcased it, and luckily I didn't do a botch-up job of explaining what it did.
The second fun thing was that Dave Hamilton was there, and when he heard what I was doing with it to clean up podcast files, he slapped his forehead realizing it was exactly what he needed for his own workflow.
It's not often that you get to do something Dave hasn't thought of, so that was a big moment for me.

[16:49] Just this week, Steve asked me what tool he should use to make sure that when he deletes the Drobo Dashboard software it gets rid of all the cruft. I explained to him that Hazel, which he already uses for scanning and bills, would do it for him. He was quite pleased when he threw the main app in the trash and Hazel popped up and said, do you want me to get rid of this pile of plists and other glop too? Hazel is one of those tools that sits in the background cleaning up for you and doing the tasks that are tedious and error prone for humans. If anyone listening is not using it, head over to and give it a whirl. It is amazing. Thanks so much for this, Allister. It's the first software I'm Still Using It that we've had. And after I just said that, we have our second piece of software.

Claus Is Still Using Flightradar24

[17:35] This one is from Claus Wolf. He says, there is no denying it, I'm a bit of an aviation enthusiast. And while the app I'm about to introduce is very much targeted to this demographic, it is quite useful for many. I'm still using Flightradar24, available online at
So what problem does it solve?
Have you ever wondered what airplanes are overhead and where are they going? Open Flight Radar 24 and it will let you know that and more.
If you're stuck at an airport and wonder if your delayed plane has even left its previous airport, type the flight number into Flightradar24 and click on the live map.

[18:10] On Thanksgiving Day, I was waiting in Antalya for a delayed flight. As I wrote to Allison on Telegram to remind her about a visit to the Hollywood sign seven years ago, I watched my delayed aircraft leave Istanbul.
I mean, literally, I could see a little aircraft icon move along the runway as they departed.
And to me, that's really cool. But how do you know which flight comes before your flight?
Quite easy. You search for your flight, such as TK2409, and then you tap on Aircraft Info.
This will show some useful info about your aircraft, things like the aircraft type, registration, and even a picture.
But more importantly for this use case, other flights the aircraft has recently been on.

[18:51] Flightradar24 also offers a lovely replay feature which will let you relive your epic flight to someplace far away and help you identify that landmark which you couldn't easily or readily identify before. All you have to do is remember the time. The app slash website operates on a freemium model, and I enjoy the business account as I have a little Raspberry Pi that serves as one of the nodes providing data to their service. Well, this sounds really neat. There are a lot of times I could have used this, Claus. This is cool.
You know, there are quite a few aircraft enthusiasts in the NosillaCast community, especially Allister Jenks, so it's really cool to learn about it.
One of my favorite things about the internet is that we can now point our phone's camera at a flower and know its proper name, or have our devices listen to a bird and tell us what it is, or even find out what plane is flying overhead.

Kenneth Is Still Using A 30GB iPod Classic

[19:48] Kenneth Berger brings us the next I'm Still Using It, and you're going to start to notice a theme.

[19:51] He says, We won't discuss the AirPort Express that I decommissioned a number of years ago, but we will talk about my 30GB iPod Classic, which was called a video iPod when it came out.
I bought it around 2007, which was about two years after I bought my first Mac.
Both of my sons had Mac computers before that, but my 2005 iMac was my first one after spending about 10 years living with those wonderful blue screens of death on several Windows PCs.
Although I didn't know what a playlist was, I managed to figure out how to download music to the iPod that I had ripped from an assortment of CDs.
This now brings us to what I call the Great Podcast Conspiracy. I had heard of podcasts, but I didn't really know what they were. I certainly didn't know how to get them out of my iPod.
One day, after I completed my daily syncing process, I noticed something I'd never seen before on the iPod.
It was something entitled, Twit, this week in tech.
I didn't know what it was and I didn't know how it got there, but I listened to it. It appeared to be some type of panel discussion.
I listened to the whole program and didn't know quite what to make of it.
The following week another episode appeared and then I was hooked. My podcast list is now quite extensive.
It might have been on TWiT's MacBreak Weekly that I heard about the NosillaCast, so I've been hooked on that too.

[21:08] My first iPhone was the 3GS, which I bought in 2009, so I no longer needed to carry my iPod.
Instead of retiring it, I bought a Sony Dream Machine Stereo Clock Radio which has a 30 pin dock connector and I set its sleep timer every night at bedtime and fall asleep to music being played by that 15 year old iPod.
Thanks for the show and have a wonderful holiday season. Wow, I love this.
This is like This Week in I'm Still Using This iPod. I do love your conspiracy theory on podcasting. We did have a meeting and discussed how to get you started, but no one had ever caught on before that it was an insidious plot hatched by me and Leo.
It looks like it worked.
Now, while I don't listen to music myself, I'm so glad that after 15 years the iPod Classic is still singing you bedtime lullabies.

Kevin Is Still Using An Abacus

[21:59] I didn't know what to expect when I threw out the idea to the NosillaCastaways for this I'm Still Using It series, but the next entry from Kevin Jones was probably the biggest surprise.
I thought the most ancient tech was going to be Bruce on Emacs from 35 years ago, but listen up. Here's what Kevin wrote.

[22:17] When I was in elementary school, a talking calculator with the four basic functions cost $500.
So in fourth grade, one of my teachers taught me how to use an abacus.
This was huge because math on paper in Braille was slow, difficult, and cumbersome. Years later, Sharp released a basic talking calculator costing $70, affordable to most people, including my parents, for Christmas when I was in high school. Calculators were not allowed while taking the ACT test, so I took in my abacus. The proctor was convinced it was electronic and took five minutes trying to find out where the batteries were, and finally gave in and let me use it. More recently I found I could do math in binary on an abacus,
and used it on a Cisco networking exam.
No subnet calculators are allowed on those either.
With several computers around me as I write this, I still have an abacus on my desk. It's still more efficient for me to grab it and add up a few numbers than to open up a calculator program and leave where I'm currently working.
I know the abacus hasn't been updated in decades, but it still gets amazing battery, well, no, still no batteries.
When Allison asked for examples of old technology listeners were still using, I just couldn't resist.
Isn't that crazy? I had no idea that an abacus could still be handy. I am absolutely adding this to my list of things I want to learn.
Thanks so much for sending this in, Kevin. It was a real eye-opener, if you will.

Terry Is Still Using A Brother Daisy Wheel Printer

[23:44] Terry of Palo Alto brings us another blast from the past. He says, As a government certified old person, I'm still using some vintage technology.
For instance, I'm typing this on a 35-year-old Northgate 102 keyboard that has served about 20 computers along the way. Also, I'm proud to say I still own and maintain my first car,
which is a 1972 Datsun and I play a 1952 electric guitar.
These items are examples of superb engineering lasting over the years and enjoyed by lots of folks today. The car and guitar are now considered vintage
and collectible and at least Steve Gibson and I prefer the old Northgate 102 keyboard. Now let me turn to a piece of tech gear that is approaching 40
years old and is still working on a regular basis but this time I'll argue that it may be the last working example and that I may be the last person on the
planet using one. What is it? Let's start with some clues first. It was purchased in 1983 as part of my first computer system, an IBM PC with two floppy drives
instead of just one. About 20 years ago it suffered a catastrophic component failure but was fixed by a small piece of wood with a DIY repair. I use it on a monthly basis, and it would be hard to replace it with modern technology. So what 1980s technology could survive 40 years and still be uniquely useful?

[25:08] Give up? Well, it is a Brother HR-15 Daisy Wheel Printer. In 1983, I was working at the Stanford Accelerator Center and was the third person to venture out and purchase a personal computer.
My goal was to support a sideline business, and I needed to write technical proposals. The computer was just to run a word processor, and I got a daisy wheel printer instead of a dot matrix so that my proposals would look more formal.
In those days, Brother made traditional typewriters and the engineers simply made the HR-15 by removing the keyboard on the front and installing an LPT port on the back.

[25:46] All was good writing proposals, but as business needs grew, my attention turned to managing inventory and finances.
In those days, there was not much commercial software available outside of Lotus and a few word processors.
I heard there was something called dBase, which had no useful user interface, but could be programmed to make your own.
So propelled by my intrinsic laziness, I started automating all of the typical business processes like inventory management and financial control.
The best part is that I could design my own user interface and get things done with the absolute minimum number of key presses.
It didn't take long to include printing checks in my chain of laziness. With one screen entry, I could capture the expense, print the check, log it in a searchable database, update account balances, and print out a year-end report for the accountant.
And thus began my long relationship with this printer.
My dBase programs have evolved over the years, and they still manage all of my financial records. The HR-15 still prints checks every month.
But sadly about 20 years ago it could no longer print. The printer used a hard rubber cylinder as the hammer that struck the daisy wheel and over years it cracked and fell off.
There didn't seem to be any prospect to get replacement parts so I just gambled and made an identical shape out of an oak dowel.
I installed the oak striker and it has been working fine ever since.
And so is the story of the venerable Brother HR-15, still pounding on after all of these years.

[27:13] While this is epic, Terry, I went out and found the Daisy Wheel printer in the Computer History Museum. I put a link to it in the show notes. I love the part about how you made a replacement part with an oak dowel. That is simply awesome. My father would have done that. I love it.
You also solved a mystery for me. Remember what I said about learning vi in response to Bruce on Emacs? I said that I used a device that was kind of a cross between a computer and a typewriter.
And I do remember that it had a flat plastic typewriter print wheel that you could change out.
Guess what that was? It was a daisy wheel printer. I am so happy that you solved this for me.
Now if you could help me remember what I was using that was driving the printer at the time that actually had VI written on the keyboard, that's the other piece of the puzzle I need to know.

[28:02] We have four more I'm Still Using It segments and they're just as great as the ones you've heard.
We've got a Security Bits coming up in this show, so I'm saving these last four for the January 1st show.
I know it's a tease but you're just going to have to wait.
The I'm Still Using It segments you just heard are piled into two long blog posts but in the audio you should also find chapter marks to each person's contribution with a link to one of those two blog posts.
Thank you so much to all of the contributors. I loved all of these segments.
For this week's pledge break, as Frank likes to call it, my request is that you have a safe and happy holiday.
I know it's rough goings weather-wise for a lot of you out there and maybe you won't be able to get to go where you planned, but please stay safe and at least have a relaxing time.

Security Bits — 23 December 2022 🎄

[28:49] Music.

[28:57] What's that? It's time of the week again. It is time for the last Security Bits of 2022. How are you doing today, Bart? I'm good. You can't see this, dear listeners, but I'm in my Santa t-shirt. If you watch Chuck Joiner's Mac gift guide, I wear something stupid every year, and it was the same t-shirt that I wore, but that was recorded a month and a bit ago, so I have laundered it since.
And we have a little Christmas tree icon to make the security bits look a little more friendly, right?
Yeah, we do actually. I put it in the show notes. I was just in that kind of a mood today. What can I say? And my one bit of HomeKit is working again. I can walk into the house, and when I shout jingle bells, all the Christmas lights go on, and when I shout humbug, they all go off.
Perfect. And the third one, when I shout neighborhood cheer, just the ones outside go on.
But the ones inside go off. So when I'm leaving the house, I shout neighborhood cheer and then I leave.
Oh, that's perfect. Anyway, security stuff, security stuff. Some follow ups to start the ball rolling.
Apple have released to United States customers their opt-in Advanced Data Protection for iCloud.
If you live in the US, if you have only the very, very latest devices, and if you are brave enough, you may turn it on.

[30:15] I don't have the option. If I did, I wouldn't. Because you want everybody else to go first? Yeah.
This is one of those cases where you ask what's most likely to hit you. Are you most likely to need Apple's help to recover your vital family pictures? Or are you more likely to end up the victim of some sort of state sponsored attack?

[30:36] If you're the CEO of Intel, or a politician, or a journalist, yeah turn it on. But you know for the rest of us, maybe just sit back and let the first round go.
Maybe just let some people be the beta testers on this one. I think so. Well, you and I both don't have the option of going because we have spare devices that are a little longer in the tooth and so we can't go. So we didn't even have to make the decision.
Yeah. If you're still thinking of going for it, there's another article linked in the show notes from Apple Insider. They're basically pointing out that there are Apple devices without screens, which become much more complicated to set up out of the box for a while.
Because they may have shipped from Apple's factory with an older version of iOS, but they're now arriving for Christmas.
And if you've just enabled this feature, you then have a chicken-and-egg problem where you may have to use someone else's Apple ID to get the device patched and then set it up.
Yeah. Oh, yikes. Now that is an interesting conundrum. So if you get a Mac Studio or Mac Mini, it doesn't have a display?
Particularly, well, you would have a display, but it's the HomePod in particular, the tricky one.

[31:48] Oh, the HomePods are in the game too. Yeah, they need to be on the base. OK, I see what you're saying.
Yeah. Oh wow. They're all fit into your iCloud, right? They get your calendar and all that kind of stuff. And they're all fully integrated.
So they all need to be updated too. So like I say, this is an early adopters game. And unless you're game for being that, sit back, sit back.
You know, it's only America. It's only in beta. Well, I think it's a fissure out of beta, but just don't rush in.
Similarly, if you really are a beta person, if you're actually running actual beta software: iOS 16.3 beta has been released because 16.2 went public.
And you can now, if you like, use a physical security token with your Apple ID, if you are on the beta.
That was another one that was announced. The other shoe that's been hanging in the air that we have known we would learn more is LastPass.
So when last we left this story, they had released an initial report to say, We were rehacked using information taken in last summer's hack.

[32:47] We now know a little bit more detail. It was basically a successful spear phishing attack against an engineer, based on information taken in the previous attack, which allowed them to construct a very well-focused attack against the engineer. So it really was a second attack.
Yes, it was the second wave of the same attack. They're related, but not the same, I guess. But yeah, definitely related.
And they got quite a lot of stuff, actually. So the biggest danger, so the takeaway, if you're a LastPass user, is that you need to be really, really, really aware of the possibility of very convincing phishing attacks.
Because the attackers were able to get the customer database. So they have your email address. They have potentially your phone number.
They also have your IP addresses you regularly use, which could really be used to construct a very convincing address.
Like we usually see you connecting from, you know, one, two, three, dot, four, five, six, but now we've seen you from the blah, blah, blah, is this you?

[33:50] That could really, that could feed into making a very believable phish. Interesting, okay.
I'm not sure they would, if you think about most users, wouldn't have any idea what their IP address is. I wouldn't know what mine is.
I never looked at it. OK. The second, maybe the IP address is less important. They have your email address. They know whether you usually use a Mac or a PC, because again, they have your regular usage data. So they have enough to say that we normally see you from Safari and Windows, and now we've seen you.
Or even they could even say, we know you're normally in Ireland and we've seen you from Jamaica. The IP address could be used in all sorts of ways. I wonder whether they'll be...

[34:32] That's interesting. I think that it's likely that they would do that. But on the other hand, my experience with most of these attacks when they do a broad swath of people is they aren't particular. They send Mac users or somebody on an iPad,
they send them a picture that's a Windows screenshot that's got the X in the upper right, you know? And so they don't seem to tailor per user.
It depends on the data set the bad guys have available to them and the competence of the bad guys. The bad guys have a data set that tells them. Well, the finesse that they choose to use. Yeah.
Yeah. Yeah. I mean, they certainly have the ability to do it.
Yeah. And it depends on the value of you. Right. And they may be able to tell the value of you. Like your email address may give away that you work for Intel or that you work for.
Your email address could give away a lot. Right. That could really help target you down.

[35:23] The other thing is, so the secrets in people's vaults were not compromised, but the actual encrypted vaults were leaked this time.
So the bad guys have the encrypted vaults.
The encrypted vaults are obviously protected by your one password, which is not called your one password, but you know what I mean, right? Your master password. It's called your last password.
It's called your last password, okay.
If you followed LastPass's rules, LastPass have laid out their full algorithm. They had already laid that out before, but they have reiterated their full algorithm.
If you had followed the rules and used a 12-character password, it really will take the age of the universe to crack your account. So you really are fine.
But if you ignored all of their advice and you set yourself a weak password, you may need to go change all of your passwords everywhere because those encrypted vaults are very high value.
They're going to be... so the encrypted vault, as downloaded at the time, is protected with the password you had at the time.
So changing your password now doesn't do you any good. Not, no, not your last password.
You never go change your passwords everywhere. No, that's what I'm saying. The reason you can't go to LastPass and change your password now and protect that vault is because that vault is encrypted with the password you had when it got hacked. Yes. Yes.
Because actually what the bad guys got into was the backup system.
So they were able to restore from backup.

[36:46] So they didn't get into the live production environment, but of course a good live production environment is backed up for everyone's safety, so they get into the backup system. Right, now if you're a 1Password user or a, what's the other one that's gaining, Bitwarden?
Don't sit back with a little smirk going, well, my password manager is better than yours and I don't have to worry about this. If you don't have a long, strong password on that, go change that now, because this is just,
again, one of those when-not-if. I mean, maybe those companies are doing something better than LastPass did, maybe LastPass made some mistakes, but this is like blaming somebody for getting COVID is what it feels like to me. It's like, well, you know, it's certainly, it's, I mean,
you can be stupider, but you also can't, maybe can't be smart enough.

[37:35] Yeah, there is no such thing as perfect security. I know this is literally my job now. All you can do is your best and someone is perpetually moving the goalpost.
So you're always running at a target that never stands still long enough for you to arrive and you always get to where you needed to be last year.
But the problem is now is this year and you need to be somewhere else. And so you will never catch up and even the best... Skating to where the puck is, right? Yeah, exactly. Where it will be.
It never ends. And the other thing to point out is that the LastPass vault does something that I don't know if 1Password still does, but I know for a fact it used to do, so
there are plain text pieces of information in your LastPass vault, because that allows the browser to search for which passwords are available for it to fill.

[38:27] Oh, so that metadata would tell them that there is a password to Bank of America? Yes. And now think about the phishing you can do when you combine that with everything else that's been leaked. So that is the real sting in the tail here. LastPass have basically, last,
LastPass have lost their belts and their suspenders and the only thing holding them up is the braces of their Zero Trust design.
They are now actually completely reliant on the Zero Trust design model, which I mean, there was always a case that that was the last line of defense, but that is now the only line of defense.
So this is like the drawbridge and the moat and the alligators, but now they're down to just the moat is all that's left.
Or the castle keep if you want to keep to the analogy, right? The rest of the castle has fallen, but the keep is still standing.
Assuming someone remembered to lock the door.
If he stretches it out, it'd be really too far. Just to make sure everybody leaves this story with no optimism whatsoever, quantum computing is coming along and that age of the universe problem starts to change as quantum computing exists, right?
Not necessarily. Not necessarily. It would depend on the algorithms used because only some algorithms are prone to acceleration through quantum techniques and it's the key crypto that has the issue.

[39:52] So I actually don't think quantum is an answer to... So basically the algorithm involved here is PBKDF2, which is password based key derivation
function two, which takes your password and does millions of iterations of a hash to turn it into a key and then that key is used to encrypt your data.
And I do not believe that quantum speeds up PBKDF2.
So I actually don't think that's a good thing. Oh, well that's good. Oh, I'm glad I brought it up then because I would have gone to, I would have left this story still queasy, but that's better. It is better. Definitely better. No, I think if you have a good password, you are fine.
The whole point of their architecture was that if the worst happens, you'll be fine.
The worst has happened. You should be fine.
Right, right. As long as you made a good password, as long as you went over and created a long, strong, memorable password and you use it religiously.

[40:47] Pretty much. And like you say, Allison, another really good takeaway for everyone who was not a LastPass user: now is the time to make sure that your 1Password or your Bitwarden or whatever the hell you're using, make sure it is good, because it is doing the same job.
So you can change it now before it gets hacked. You need to. Right.
Our second deep dive is kind of a follow up. And I wasn't sure if it was a deep dive. And then I tried to write it as a quick bullet point. And then I realized it was too much to it. So what the hay, I've made it into deep dive.
So when last we spoke, Twitter were about to relaunch their Twitter Blue thing with the tick marks, the get-you-a-blue-checkbox.
And we had said that at that moment in time, what Elon was proposing seemed sensible and good and it pretty much actually has come to pass, but it is actually worth looking at exactly what is and isn't being offered.
And if I'd been a little more forward thinking I would have put a link to the most recent Chit Chat Across the Pond where we talked about what it means to be verified, because it's important. But Allison will put a link to it. Thank you.
It's important to understand what is being promised because the tick cannot deliver more than is being promised.
So the TLDR version, you know, is: does this mean that Twitter accounts are verified again? The TLDR version is that no, if you see a blue tick mark it does not mean the account is verified, but the gold ones and the gray ones might be verified if you trust Twitter.

[42:11] Maybe.

[42:11] Anyway, we'll get to that. I'll justify that sentence. Okay, one second. So what Bart just referred to is we did do a deep dive on what verification means and how it's done in different systems and what does that check mark mean in different systems?
Not only how is it created, how is it managed, but what does it mean when you see it? So that's what I'm going to put a link to in our Chit Chat Across the Pond.

[42:35] Yeah, which we start with a really big question of what does it actually mean when someone says this is verified. You have to ask yourself: what is the claim that they're making? What is the evidence? How is the evidence being checked, by whom, and how is that being communicated? So,
when you run all of that against what Twitter are doing, you get to the conclusions I'm going to bring you towards now. So the first thing to say is that only five countries get to play, and a lot
of NosillaCastaways will get to play, but not me. I'm entirely sure I want to play, but if I wanted to, I couldn't. Australia is in, so Rose can play along if she would like. Canada is in, so Stephen
gets to play along. New Zealand is in, so Alistair gets to play along. The UK is in, so that's loads of people get to play along, and the United States is in, so that's lots and lots and lots of NosillaCastaways. But that's it. It's just those five countries at the moment. If you buy a blue, if you buy Twitter Blue, you have the right to a tick mark, but you won't get it immediately.
So you'll pay your money but you won't immediately see a tick mark. What will happen instead is that your account will be put into a queue to be verified by a human.
Not validated, verified.
Actually, sorry, reviewed. All right, let me check my...
Yeah, reviewed is the wording Twitter use.
They are not checking that you are who you say you are. That is not the promise that the blue tick mark is making. They are not saying that you really are Alison.
The only thing they are asserting is that your account does not appear to be deceptive.

[44:00] So basically if there's a giant big obvious, you're pretending to be Elon, you're going to be out, but you'd want to be doing something fairly obvious really for this to sound much of a chance. So this will definitely get rid of the jokers, but it isn't, it isn't a very strong claim. It's a very, very weak claim.

[44:16] Yeah.

[44:18] I wonder what the reviewing to say, whether or not you appear to be deceptive. I mean, if I'm really sincere that I'm claiming to be the president of the United States, that.

[44:29] I don't know. I don't know what criteria you'd use for that. Well, they've told us two criteria, but not really much about them. They've given us two hand-waving things they're going to be checking for. They want, they should, the account should quote, show no evidence of being misleading. So show no evidence of is again, a weak bar of being misleading. It also sounds like a lawyer wrote it.
It does. And show no evidence of being an automated bot engaged in platform manipulation or spam.

[44:58] Them. Wow. Okay. That's it. That is the bar. They do not tell us how they validate people against the bar.
We do know how they communicate that they have validated them. They give you the blue tick, but that is it. So they're saying that you're not obviously deceptive.
You're not obviously misleading and you're not obviously a bot.
Other than that, that's it. That is the sum total of what the blue tick mark means. It kind of sounds like the old validation except the other one, the original one, was also: and you're maybe kind of famous.
Like you're worthy. Both, no, no, they verified your identity. You're worthy. No, no, they verified your identity. So the other one was asserting that if it said that you were, that you were Tom Jones, you were Tom Jones. If it said, so they were asserting identity. That's a very strong point. Oh, and they're not doing that at all now?
No, no, no. There is zero. No, no, it is only that you're not deceptive, that you are not misleading and that you are not a bot, right? That is all that is being asserted.
It is very, very, very weak.
They are not telling us how they are doing this review.

[46:01] They are not telling us what evidence is feeding into this review. So the only things we know is the claim and how it's being communicated. It's being communicated with the blue tick and the claim is just that very weak thing I've said. Everything in the middle is missing.
So from our four things we need to understand, two of them are completely missing. So it's basically trust us. We're making a weak claim, trust us, and we'll show a blue tick mark when we have done our whatever it is we do to verify the weak claim.

[46:26] So, you know, it's, that's what it is. So, okay, not that strong. Now, maybe there is some strong validation happening all the same on the platform, because they also announced two other programs.
So they also announced a, they're calling it a test, not a beta. They're calling it a test for a corporate version of Twitter Blue.
And these will be, they use the word verified and these verified companies will get a gold tick mark. Now, the verification is probably in the form of we got a check and it had the company's name on it is probably how that verification is done.
I'm guessing there's money changing hands and that helps make all this easier.
But they are claiming verification of these corporate identities, but they're not explaining how whatsoever what these companies have to do. They're just saying that you can apply here and that's kind of it.
So really, I don't know. Not even the corporations, they're not telling us what they're doing for that?

[47:25] Nope. I read the full docs. There is a paragraph. It says that verified companies can get a gold tick mark.
Okay. Thank you. Wow. Okay. Even, even more fuzzy is that people vaguely remotely connected with government of any form, anywhere can get a gray tick mark.
And they again say that they will be verified as being, I think it's government agencies, government offices, government employees, official spokespeople, elected representatives, the staff of elected representatives, like the criteria is very, very, very, very broad, but they do use the word verified.
But again, there's nothing between this is what we're claiming and this is how we are showing it by having the grey tick mark. So how they're verifying any of this is completely
up in the air. And they also say local and national government. So if I run for office in the local town council here in Maynooth, I theoretically am entitled to a grey check mark. How would they even verify that there is a town council in Maynooth? Let alone that I'm on it.

[48:22] Wow. So I don't know how much stock to put in either of those two tick marks. I think all we can do is wait and if they screw up, we'll know.
There will be much finger pointing and laughing and then we will know. And you know people are going to try, right? That is the one thing we can be guaranteed of. This will be tested.
So we shall see.
But I would not be in the market for gambling on whether this will be a success or not. So in other news on the whole checkmark verified thing, or the, I'm sorry, paying the fee to
to be verified, you know, that Elon has been taking polls to make decisions, policy decisions.
In fact, one of the polls was, should I step down as CEO? And 17 million people voted, which is a lot more than he has followers.
And they said he should step down. But after that, someone said, why are you letting people who are not verified have a vote?
You should only let people who pay vote. And he said, okay, we just made that policy change.
So you can only vote in his little polls on policy if you pay him money.

[49:32] I in the abstract, I actually don't think it's a bad idea that people with a stake are the people that get to make the decision. Yeah.
In the case of this particular clown show, I'm not sure it helps. Yeah.
I really thought I was on Mastodon as just a, you know, give me a fun place to play until Twitter comes back to its senses.
But I don't know. It's not feeling good.
Do you know what I've been up to this week?
There's another, there's another real breath of fresh air to Mastodon that I hadn't appreciated until now that have been there a while. There's no algorithm. You just see the stuff in the order it happens. There is no one trying to make you outraged.

[50:12] You know, I miss that whole outrage because I always use Tweetbot, which just shows you chronological. So I've never seen an ad on Twitter and I've never, except for when somebody sends me
a link and it opens in a browser, then I'll see it. But I never see the forced-order algorithm nonsense, so I've been insulated from that. Okay, so for you this is a new... For
me this is a whole new experience. Oh, that's... it gets better and better, right? It really does, yeah. Oh my god, now I remember why this is better. This is like
old Twitter. Yeah, it really does feel like Twitter to me, except without the creepy. Yeah, here's yet another reason Mastodon is good. When
somebody posts something they can put a CW on it, that is a content warning, and it hides it.
So if I'm reading my feed and I'm reading somebody that I really like that, you know, they post funny things or they post astronomy, but then suddenly they want to rage at the government, they could just put a CW on it and people do.
And so, and you can use it for spoilers of movies, things like that. So I see a fair number of CWs and I just don't click them usually because I don't want to be outraged. Just to make it clear to people, the CW, you as a person get to describe what it is you're hiding.

[51:25] Right. So you can say, yeah, I don't always see that. Maybe, maybe. Yeah. It's like movie spoiler or politics rant or yeah.
Yeah. It requires the politeness of people to do it, but they do it.

[51:41] And again, you're only seeing content for people you choose to follow. So if people fail to or abuse the system, well, just don't follow them, right? Because there's no algorithm shoving
anything at you that you haven't asked for. So you're kind of in full control. I just love the idea that you get this blank box and the person who wrote the post gets to decide how to describe what it is they're not showing. So it's just, if you want to be polite, they've given you
all of the tools to be nice. Yeah, yeah. It's good. Okay. So on to regular business then.
Action alerts. It has been busy since last we spoke. Patch Tuesday has been and gone.
So in Microsoft land, that means it has been a big update with two zero-day bugs patched. And there was also a bit of a kerfuffle where some malware was out in the wild that was digitally signed as a driver, which means it has really low operating system access.
And Microsoft have now revoked the keys, but it's still not quite clear how exactly that happened and how exactly Microsoft is going to stop it happening again.
So they have solved the short term problem, but I'm not clear on the long term implications of this patch.
Patch. Yeah. Well, another thing on the zero days, one of them at least is an actual honest-to-gosh worm. So for a refresher, a worm is something that you can catch not by any user action on your part.

[53:07] My understanding is that the worm actually wasn't from this Patch Tuesday. Was that a week ago? So basically we now know that a vulnerability that was fixed in September
was actually wormable. That is extra news about a previous vulnerability. So people who didn't patch in September are vulnerable to the worm.
Yes, but the problem was that Microsoft marked it as, you know, you should probably do this one, not as, you know, danger Will Robinson, you have to do this one.
It escalated its importance. So if you were like, well, I can take my time on this one because it just says, you know, I forget what the terminology was, but it was less alarming than it should be.
Yeah, I have to say that the emerging consensus is that you apply all patches because the risk of patching is much lower than the risk of not patching.
Sure, sure. But not everybody follows that advice.
Well, certainly home users don't spend time triaging fixes, right? Home users just apply them. And that approach is now spreading into the corporate world.
There was certainly a time where it would be someone's job to check every windows update and decide whether or not to bother rolling it out.
A, you couldn't hire enough people to do that well. And B, the risk arithmetic has completely flipped.

[54:24] I'd really like to know what that's like in my old company, because that was definitely not the case before that you just did it.
A program manager could call you and say, no, we're too busy, you can't apply it. And we had to follow that rule.
I don't know what it will be, but it won't be quite that. I can promise you it's changed. I have no idea what it's changed to. And then over in Apple land, it was also busy. Apple basically patched everything.
So iOS 16.2, iPadOS 16.2, macOS 13.1, watchOS 9.2, tvOS 16.2, and then the older OSes got backported fixes.
So Big Sur, iPadOS 15, and iOS 15 also got patches, and Safari got a patch as well.
So lots and lots of patches. Oh, I didn't know that.

[55:11] I need to fire up the older Mac and run those updates. I didn't realize those had come out.
By the way, I very, very, very rarely run into a problem with an OS update. So I'm a big old, why haven't I gotten the update yet, person? And I make sure I hit it right away.
But last week's show, Bart and I were struggling a little bit with the audio because the macOS 13.1 update broke all of the Rogue Amoeba apps.
It broke Audio Hijack and SoundSource and Loopback.
And the ACE component, it was all broken, but it is all fixed now.
So there was, it was basically whack-a-mole trying to figure out where the audio had gone and trying to get it into the right pipe. And we eventually got there, but it was, we lost about 45 minutes trying to get my audio to Bart.
I don't even remember where we ended up in the end, but we did do one of the parts of it out. I think it worked.
Yeah, we recorded it three ways. We recorded it three ways. Oh yeah, we went into Zoom and then we went into StreamYard and then I think we ended up back in Zoom in the end.
I think we did. And I think was Skype effort in the mix either way. We hit the record in the meeting.
We hit the record button on my end and we hit the record button on your end. And, you know, belt suspenders and braces. We did get there, which was interesting.

[56:29] And also in very similar news to the Microsoft news, we have also learned that an older update to Apple's stuff also patched a bug in the past, which has now been revealed in detail.
So the bug was discovered by Microsoft and it was responsibly disclosed to Apple, who patched the bug, and now that the bug is patched Microsoft have released the details, so that's all as it should be.
But it's back from macOS 11 and 12. So that's Big Sur and Monterey.
Interesting. But they just kind of wanted to say, hey, look what we found.
As I understand that it was patched recently in those older OSes. It was just not in the other OSes. Oh, oh, okay.
So just for extra confusion.

[57:13] It never affected iOS. It doesn't seem to have affected 13, but it's a recent fix in the older OSes. So your notes say that it was similar to a Windows bug?
Yes. So one of the zero days fixed in Windows is a bug which stops the... In Windows they have this thing called the mark of the web, which sounds,
ridiculous. If you download a file from the internet on Windows, it gets a special piece of metadata. And if you try to run that file, Windows will pop up a warning that says, woo, you downloaded this from the internet. Are you sure you want to run this file? And so that stops the drive by download from running automatically. So the mark of the web is kind of important for protecting you.
It's part of a chain of attacks. It's not enough to get you hacked on its own, but it is enough to make something run. And then if there's another vulnerability that they can leverage for privilege escalation or something, you chain them together and you get a real attack.
So the mark of the web is important and there was a logic flaw in how the mark of the web was being applied. So it was possible to bypass the mark of the web.
Huh. Okay. Apple have something really similar called Gatekeeper, which does great things like not let you run software that isn't properly signed.

[58:24] And there was a logic problem and it meant that it was possible to craft an executable that wouldn't flag up the usual warning of this is from an untrusted developer.
Therefore it could be used as part of an attack chain when chained together with another vulnerability dot dot dot dot dot dot right. It's basically the same thing.
It's not a catastrophe because for most of my life we didn't have any such a concept as signed software. Greetings!
It is nice that Apple give us these extra protections over what we used to have, and so having the extra protection disappear is not nothing, but it's not the sky is falling. It's a medium severity one.
The Microsoft engineers had a sense of humor, and they named their blog post The Achilles Heel of macOS. And the media didn't bother with the facts or the details.
Why would they? They went with the most hyperventilating headlines about this major fundamental Mac flaw, and if we weren't patched, you were doomed.
I just really enjoyed reading the Naked Security article going, we thought we'd missed something, but we've read everything.
There's very, very little here apart from a cool name. But that does seem to be enough to get the headlines going. So if you heard something about it, can you feel?

[59:32] Microsoft just poked Apple in the eye for whatever reason.
Well, the thing is, if you read the actual blog post, it's not even hyperventilating. It's just they went with too clever a title.
Right. Well, that's what I mean by poking them in the eye. They didn't need to do that. They could have come off as the good hats and looked like heroes, but they had to poke them in the eye to get it.
Oh, well, I guess. I guess. I don't know. I think it was just some of a sense of humor. But anyway, if you heard something about the Mac being doomed, no, it wasn't.
And anyway, patchy patchy patch patch and you're all good.
It was a post facto release of something that's already fixed, which is the way I like it. That's responsible disclosure. We like that.
Moving on then to our worthy warning section. This is the bad news bit of the show.
Because why would I warn you about something nice? So the first bit of news we have is that Epic have managed to set another record.
They have paid the biggest fine for quote, or not quote, for the way it was described by the headline.

[1:00:34] Epic Games has to pay $520 million for tricking kids and violating their privacy. They used dark patterns to trick people into in-app purchases and they violated COPPA.
And COPPA was the child online protection something? Privacy and protection act?
Something like that. Yeah. So I don't put this one in the bad news category. They did it. They got caught. They paid $520 million.
We knew they did it before, right?
Did we? I guess I haven't had a particularly good opinion of that company for some time, but I think being that Fortnite was one of the most popular games on planet Earth ever and that was targeted at kids. This is... this is ick.

[1:01:17] I guess you're right. Yeah, we'll give you that. But the good news is they're caught and that's a huge fine. That is one of the biggest?
The biggest so far, yeah, of its time. Wow. Good.

[1:01:27] Record setting. Epic. Epic win there, guys. Anyway.

[1:01:32] Meanwhile, Equifax, that story that doesn't stop giving. The settlement is being paid out at the moment.
So there are legitimate emails going out to people affected by the Equifax breach with their share, allowing them to claim their share of the money.
For most people it works out like five dollars is the way these things are. This is the breach where they lost all of the social security numbers like eight years ago. Your credit score for basically all of America yeah. But yeah not just our credit score it had our social security numbers in it,
that was why that that's the one that's the one I really care about. Yeah. Every possible piece.
Yeah, so assuming you did the paperwork to claim your share of the money, you should never be getting an email helping you claim your share of the money.
At the moment, the emails going around are legitimate, but Brian Krebs has pointed out quite rightly that it is probably a matter of hours until the scammers start to fake these emails.
So he has a blog post describing how you verify that the email you got is the real one and that you are not being yet again, you know, violated while trying to get your compensation for having been violated. So if you're going to do the Equifax thing, read Brian Krebs's article.
It will help you navigate those rocky shores.
They should have made them send paper mail to pay 50 cents a paper mail.

[1:02:53] Yeah, but think of the trees.

[1:02:56] Yeah, there's that.

[1:02:59] And then another thing, definitely this falls in the worthy warning category. So Naked Security are reminding people, and they have basically... Naked Security do this thing where they get spam emails and they click on all the links to see what happens, and then they take screenshots so we don't have to.
Basically, we click on them so you don't have to, is their theory.
And it's a timely reminder that the bad guys will fake anything.
Right. So a trend at the moment is fake "We have noticed a suspicious login" emails.

[1:03:28] So that is immediately making you think that this is the good guys trying to help you. Oh, we've noticed someone tried to log into your Facebook account from Paris. Was that you?
Only it's a fake one of those emails and they go through the whole step. So remember, even emails pretending to be alerting you to a security problem could actually be fake and could in fact be a security problem.

[1:03:48] And the way you always start is by typing the URL into the address bar and never clicking on a link in an email ever, ever, ever, ever, ever.
Right, right, right, right.
A friend of mine just got hacked for the third time, third time he fell for a scammer.
I have great sympathy the first time, I have some sympathy the second time, but the third time! Well, the first time it happened, he's got a PC and he told me after it was done that it was okay because he had someone clean everything up for him.
And when I talked to his wife after the third time, I said, yeah, you know, back when that happened, I remember telling him, there's no way to actually clean it up, you have to burn it to the ground and start over.
And he didn't, and I don't doubt he has yet. So for all I know, they've still got a keylogger around there and there'll be a fourth time.

[1:04:39] I told her to get him an iPad. Don't let him use a PC. Absolutely. If you do not need the power of a completely open operating system that can do anything, don't run an operating system that can do anything. 'Cause it's probably doing things you don't want it to do.

[1:04:56] They are basically, they are now specialist devices that unless you know what you're doing, you should not be using a general purpose computer.
Yeah, that's an interesting point. They're a power tool. They're a power tool. Yeah. You don't wear the appropriate goggles to stop your eyes getting destroyed.
Bad things will happen. Notable news then. TikTok appeared to have done an Uber, is the best way I can describe it.
So Uber would abuse the fact that they had location data for people to notice when government regulators were trying to watch them.
And I think they called it, I think they called the system "black ball" just to really be as un-PC as they could possibly be.
Um, well, TikTok have been caught using the location data from the TikTok platform to watch Forbes journalists to try to figure out when a Forbes journalist and a TikTok employee came into contact, because that way the TikTok employee was a leaker.

[1:05:55] Oh, so there are... That's interesting. Utterly abusing the information they have access to for their own personal reasons.

[1:06:03] The obvious argument would be that they could do this on behalf of, they could do this if the Chinese government told them to as well, which is also true. But in this case, it really is corporate malfeasance. I was just instantly reminded of Uber, not of state stuff.
This is just corporate.
Yeah, that's when they were using location data from the cars.
Yeah. Yeah.

[1:06:21] So anyway, it's ick. It's just not the ick I was expecting. Yeah.
And all the details are reported by the journalists themselves from Forbes.
Right. Yeah, that's interesting. So they figured it out that it was happening to themselves.

[1:06:40] Pwn2Own has been and gone. 53 things got hacked with 63 bugs and there was a million dollars given out in bounties, which sounds really cool.
I can also tell you that no one successfully hacked the iPhone, Pixel phones, any of the major smart speakers. No one got into a HomePod. No one got into an Alexa, nothing like that.

[1:07:00] Which at first glance sounds fantastic. No one tried. No one attempted to get those bounties.
So that means one of two things.

[1:07:10] Either no one had an exploit they were prepared to stand up on stage with and embarrass themselves because they weren't confident they could actually exploit the devices, which is the sunny side of the coin.
Yeah, that's the rose colored glasses view.
The other is that the black market for these bugs is more lucrative than Pwn2Own.

[1:07:31] And therefore it's just not worth revealing the bugs at the Pwn2Own conference. But we don't know. We do not know. We do not know.
So the Pwn2Own was once one of the most important things in security. I fear this is evidence that it isn't the driving force it once was.
Because it was a time when the prestige of winning Pwn2Own was enough to make you, because the prices for Pwn2Own could never compete with the black market. They never could.
But it was such a prestigious conference, people did it anyway. We seem to have left that world.
Oh, here's a delusional optimistic point of view. What if the bounties that Apple and Google are giving on their phones were worth it and that's why they didn't do it at Pwn2Own?
That could have happened, right?
It is absolutely possible. There's also, there's also grey hat companies and there's also arguably white hat services where you can report a bug so that you don't... they act as a middle person, so that if you're afraid the company will react badly, you report it to a middle person who reports it to the company and you get to be anonymous.
There are... Interesting.
It is an information vacuum.

[1:08:40] And the chances are the answer is yes. All of those things are happening.
Is probably the actual answer. The question is I have no idea what the ratio is. But it didn't say, this didn't say that Macs weren't shown as being hackable or PCs.
Exactly. If anyone tells you... You could write a factually correct and utterly misleading headline that no one succeeded in attacking the iPhone.
Yeah. Yeah. Well...

[1:09:09] But we know that the whole Apple platform has an Achilles heel, right? Oh yeah, there we go. That's it, exactly, yes.
Then we also have an update from Australia. A few months ago, the Australian eSafety Commissioner asked all of the major companies to tell them what they're doing to prevent CSAM.
And they got all of their answers and they are now digesting the answers. And they have released reports on the first two they have digested, which were Microsoft and Apple, and they're not happy.
I think they could be doing so much more. And CSAM again is the child sexual abuse materials. Material, correct.
They are enraged that Apple are not scanning everyone's iCloud all the time.
They probably should check the news and scroll up in these show notes because I think they may be able to blow a gasket over there. Yeah.
Yeah. Apple's new approach is to prevent the creation as opposed to continuously scan for the existence.

[1:10:05] My understanding was that even with it, even if you had everything encrypted and Apple did not have the key to the encryption, they could still tell from metadata whether it was like from the hash, they could tell whether it was CSAM.
End to end, not if it's end to end encrypted.

[1:10:24] Okay, I heard otherwise. That was all the controversy about Apple's system, right?
Apple's system, the controversy was they would scan the hashes before they left your phone, before they were end-to-end encrypted, because once they're end-to-end encrypted, it is pseudo-random gibberish.
You can't get hashes out of it.
So it was on the Accidental Tech Podcast. And I think it was John Siracusa talking, which would be, there's, there's something there. Well, you would have to scan it before you do the end-to-end encryption.
Which is what Apple were proposing to do. And then they got told in no uncertain terms by privacy advocates that that was a terrible idea.
They were applauded massively by child protection advocates for that same idea.

[1:11:07] But they have abandoned that idea. Okay. Let's assume that Bart is 100% right. And if I find out otherwise, I will make a correction later. But I'm 98% certain Bart is right. So let's just go there.
Okay. And if not, there's a very, very subtlety and it's way more complicated than either of those two answers.
Okay. All right.
Last thing then is a bizarre story. So we know that it's against Netflix's policy for you to share a password and that Netflix are entirely within their rights to boot you off Netflix if you share your password.
In the United Kingdom, it is now the official government opinion that it is also against UK law to share your Netflix password. And at the moment there is no one prosecuting this crime but they could if they wanted and Netflix could press criminal charges.

[1:11:57] So that is an interesting data point that password sharing. Why would that not have been an obvious statement?
I mean, I just assumed if it's in their terms and conditions, that makes it illegal. No, terms of service aren't illegal. They're just grounds for terminating your service.

[1:12:14] Hmm. Okay. They're like, there are many, you are not allowed to swear on many platforms in their terms of service. It's not a crime.
Just not allowed to swear on their platform.
You're not a criminal. You're just in breach of their terms of service. They can boot you off and you have no recourse.

[1:12:28] Okay. Hmm. I thought there were, I was, I guess I thought there were aspects that would be considered illegal. But anyway, keep going.
In America you have the Computer Fraud and Abuse Act, which criminalizes breaches of Terms of Service. That is an American thing. That is a terrible idea. People are trying to repeal that insane law from the 80s or the 90s.
But that is a really American thing. Most of the world has not criminalized breach of Terms of Service.
Okay. So I think that's what you're thinking of the CFAA, which is a train wreck of a thing.

[1:12:59] Oh, I have lots of empty sections. Oh, we're down to palate cleansing. Oh, good.
One of the earliest games that I remember playing on my iPod touch was a game called JellyCar.
And it's a physics based game and it's just really good fun. It's a squishy little car. It's really childlike and playful, but they're all physics puzzles you have to solve to get your car to do whatever it needs to do.
They have made a new version of the game called JellyCar Worlds, which is on the arcade, Apple Arcade.
So if you're an Apple Arcade subscriber, you can just get JellyCar.
I promise you it is so much fun to waste some time over the Christmas holidays. It is just a pure fun, physics-y game.
You could argue it's even educational. Definitely fun for kids. I think it's fun for everyone.
I just, it's just such an adorable game. So JellyCar Worlds is now available on Apple Arcade. Well, that sounds like a great one.
It has nothing to do with security, but I love it.

[1:13:57] I'm downloading it now. Yay! Well, we love physics.

[1:14:02] Always love a good physics game definitely. All right Bart, well I guess that wraps us up for 2022. We will see you in the new year right? We will talk to you next year and let us hope there's
no security issues for the whole rest of the year. Fine for the whole rest of the year. But seriously though, you know when you get all of your new tech do remember to patch it so that you stay safe.
And above all, just have a good time, enjoy your family, do fun things and you know, start 2023 all relaxed and revitalized.
So until we chat again, I'm going to, I'm going to, I'm going to cheat on this one. I'm going to wish everyone happy computing.

[1:14:42] Well, that is going to wind up the last NosillaCast for 2022. I hope you had fun along with us. Did you know you can email me anytime you like at allison at pod
If you have a question or a suggestion, or better yet a review, just send it on over.
You can find me on Mastodon at podfeet at chaos dot social, and I'm occasionally on Twitter at podfeet.
If you want to join in the fun of the conversation, I highly recommend joining our Slack community at slash slack, where you can talk to me and all of the other lovely NosillaCastaways.
Remember everything good starts with
You can support the show at slash Patreon or with a one time donation at slash PayPal.
And if you want to join in the fun of the live show, the next one will be on January 1, 2023. Head on over to slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed!

[1:15:38] Music.