Nc_2023_02_05
[0:01] Hi, this is Allison Sheridan of the NosillaCast Podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias.
Today is Sunday, February 5th, 2023, and this is show number 926.
[0:15] Well, I simply cannot start the show without first giving gigantic, huge, over-the-top thanks to Bart and Allister for producing the shows while Steve and I were gallivanting off in foreign lands.
I think both of their shows were terrific, and I had a really good time listening to them on one of our many, many plane rides.
And it was also made possible because of Bruce from Tennessee and Steven Getz. Like I said, I really liked listening to these shows, had a lot of fun.
I'm so proud of our 17-year streak of never missing a single episode every week. I don't believe any other show can say that.
And I do say we because it clearly takes a village to keep this going.
[0:52] Well next week, I'm going to be doing a segment on tech and travel, but I did want to tell you what an amazing time we had.
We flew to Argentina, first to Buenos Aires, and then down to a tiny town called Ushuaia, which is referred to as the end of the world because it's the southernmost city in the world.
From there we boarded a 150 person cruise ship where it took two full days to get to Antarctica.
In preparation for the trip I created a very nice diagram, of course I did, and it was of all the places we were going to go and things we were going to see in Antarctica.
It turns out though when you're on an expedition cruise you have to be ready to just roll with the weather and end up someplace completely different.
We only saw one of the things we were scheduled to see on my diagram. But it turned out that was okay because everything we saw was amazing.
Imagine standing on a beach with 40,000 penguins. I'm not exaggerating. They went as far as the eye could see.
We saw three different kinds of penguins. It was just spectacular.
[1:50] On the second half of the trip, we saw Iguazu Falls, or Iguazú Falls as they say it, and that's the second largest waterfall area in the world, right behind Victoria Falls.
It's on the Iguazu River between Argentina and Brazil, and it was positively astonishing. It's 1.75 miles long with 275 separate falls.
Now we never pictured ourselves as world travelers, but we are absolutely in love with going to exotic places and learning new things. If you ever get a chance to go to a weird place, say yes.
[2:21] As you can tell, my voice is not up to its usual dulcet tones. I finally got rid of my laryngitis semi-cold from last time, and while I was on the ship I got another cold back to back, so I'm not going to do as much recording as I had planned. But luckily we have a Security Bits with Bart, and Jill from the Northwoods sent in a segment about Steam Deck, not to be confused with Stream Deck, and Bodie Grimm of the Kilowatt podcast did some interviews at CES just for us.
I gotta tell you it killed us not to be there to see him for his first CES, but we had to stay as safe as possible to make sure we would be able to go to Antarctica. So we didn't go this year.
Hopefully we'll get to see him there next year. This week our guest on Chit Chat Across the Pond is Bart Busschots with Programming By Stealth number 144. When last we recorded, Bart started
CCATP #758 – Bart Busschots on Programming By Stealth 144
[3:09] teaching us the basics of shell scripting using bash. We learned how to collect terminal commands into a reusable shell script, but we didn't yet learn how to accept any kind of input.
In this installment, we learn how to take inputs either from the execution of the command or from user input and how variable names are created for the different ways of receiving input.
We also learn about exit codes, which are really more like error codes, and how they can be used in Boolean logic. Now this knowledge will come into play when we learn next time how to do conditionals and loops. It's a short episode, and as Bart says,
not a heavy lift, so I enjoyed it quite a bit for my first time back.
[3:48] And of course, as always, you can find Bart's fabulous tutorial show notes at pbs.bartificer.net, and there's a link in the show notes directly to this episode.
Steam Deck Brings Back Gaming — By Jill From The Northwoods
[3:58] Hi, this is Jill from the Northwoods. When I switched over to Mac, I lost a lot of my Windows games.
That was the last piece that I couldn't seem to figure out how to get on my MacBook.
[4:11] Some of the games would play on the Mac, like Minecraft or even Civilization, which are two of my favorites.
But then there were other games. Mostly I buy them from Steam and most of them don't translate over to Mac.
So there I was, a bunch of purchased games that I really enjoy playing and no real way of playing them on my MacBook.
Now, one of the things about gaming is that it is the one thing I do for pure relaxation. I can knit and I can play podcasts and it's fun and exciting for me to do.
But if I really just need to relax, I'm just stressed out. I had one of those days the other day where I just sat there and played a couple of hours of video games and suddenly my stress was gone.
What am I supposed to do?
[4:57] Now the good news is one of my favorite games, No Man's Sky, is coming to the Mac in Ventura. What about the rest of the games? What other options did I have?
I could try Microsoft's Game Pass system, and that works through a browser of all things, almost all browsers, and all the games that you buy through Microsoft or are provided through that Microsoft Game Pass are available for you to play. Problem is, one, I don't have that many games purchased on Microsoft. Two, you're streaming the game through a browser, which means that it may not be as responsive as you hope it would be. The next thing is it's a $15 subscription every month, which is only going to go up over the course of years. The last problem is I have an Xbox X controller, which does work with Mac. I've played other games with it, works fantastically.
However, it doesn't seem to work on Microsoft Game Pass with a Mac.
[5:56] Now, this was about six months ago and I haven't tested it since, but I couldn't get the two to work together. Since most of my games are over at Steam, which is owned by Valve, that also was a big setback. Then Steam announced that they're going to come up with something called the Steam Deck. Not to be confused with the Elgato Stream Deck. This is just a gaming device. It's a lot like the Nintendo Switch. A small portable handheld item. Maybe about the size of a loaf of bread if you sliced it the long way. Which also means it's very portable. So because the Steam Deck was coming out, it was a natural obvious choice for me. All my games are on Steam. To talk a little bit about what the Steam Deck is. Again, it's a handheld gaming item. It has Linux on the system itself, and is pretty easy to grip.
It has controllers and a very bright screen. It connects with USB-C. You can hook up a monitor through the USB-C.
You can use Xbox controllers, Bluetooth mice, keyboards. So if you're into computer gaming and you're used to all the commands you play to play some of your games, it's easy to do.
[7:12] Many of the games that are on Steam are available to play on the Steam Deck. There are a few of them that aren't available, but most of them actually do work even if they're not verified.
There's very few of them that error in any sort of way where it's unplayable.
I noticed that when I played Microsoft Flight Simulator, which is not verified to be on the Steam Deck, all you had to do is switch one of the loading settings, which I found on the internet, and it suddenly started playing.
Fantastic.
The bonus is that I can take it with me whenever I travel from work.
I even brought it camping and didn't use it that much because I really tried to do outside things. There was some bad weather at the end of my trip.
And what else was there to do other than to sit in my tent and play with my steam deck?
I also tried playing with it on my way back from California on the airplane and it was a good distraction. Although I was race car driving in Forza 5 and that caused me to be a little bit unstable when I drive around curves. I always drove right off the road every time we hit a bump on the plane, but that's pretty funny in and of itself.
[8:17] So the Steam Deck for me was the perfect solution. Portable, has my Steam games, and the price is not so bad. Plus it gave me a lot of availability to do other things.
The systems are all exactly the same except for how much storage they have on them. I have a lot of games, so I went with the 512GB system that went for $649.
That one also comes with a carrying case, it has a better anti-glare screen on it, along with the bigger storage.
[8:47] So for $529 you can get the 256 gigabyte version of it. You get a carrying case but not the exclusive carrying case. For $399 you can get the 64 gigabyte machine. It has a microSD slot in it so that you can increase the size of the hard drive space by using the SD card. I put another SD card in that one so I even would have a little bit more space. I have a lot of games on Steam and some of them are pretty large. Forza 5, Forza 4, and Microsoft Flight Simulator are all really large games.
Most of the other games themselves take a very small space. You can also buy a dock for it. The dock is $89 and it gives you a resting point with a USB connector. And then outside the back of the dock, it has a 4K HDMI 2 and DisplayPort. It has some USB ports, a network port, and you can also charge the device through it.
So it is pretty handy and many times I play at home, I'm putting it through my computer monitors using the Xbox controller.
Their website even shows more things you can do with the Bluetooth.
But they say this is an AMD chip called an APU chip and it's optimized for handheld gaming.
[10:04] It's a Zen 2 plus RDNA 2 powerhouse, which is enough power, they said, to deliver some of the biggest games out there.
Forza can be rather intense along with Microsoft Flight Simulator with resources and both of them work flawlessly on the system.
So it is handling some pretty high powered games that even my Windows machine struggled to play.
[10:28] It says that the CPU can do 448 gigaflops and the GPU can do 1.6 teraflops. I'm not much of a flops person, but if that means something to you, there it is.
It's pretty darn fast.
It has 16 gigabytes of RAM on board and it also has much more video memory available to it as well.
[10:50] The storage is what I said before, that you can buy storage with the device and you can add more storage using the micro SD cards.
The game controller itself is really nice. Some people talk about it being too big for their hands or too small for their hands. I have really small hands and it actually fits my hands very well.
[11:10] It has the standard ABXY buttons that you'll find on many regular controllers, that D-pad which is just the north, south, east, west controller, left and right triggers, left and right bumpers.
It has two touchpads on it, four assignable buttons, Steam buttons that will also take you directly to Steam Store, and your list of games,
and two analog sticks that you'll find on a lot of game controllers as well.
It has haptic reflex, which means it can vibrate when you're doing certain things. I haven't played around with this much. In the Forza game, every time I ran over the grass or a building or something, it would just vibrate, which would annoy me.
I mean, the whole purpose of driving games is to run over stuff, right?
[11:56] The display's resolution itself is 1280 by 800. I think the screen is very bright. I mentioned before that I have really bad eyesight, and I was worried that this little tiny screen was going to be a problem for me. However, the screen is so bright, it's IPS LCD,
and I can see great on it. In fact, I can take off my glasses and still play. And it's because of how far a monitor is away from you compared to how far a handheld is from you. I think it works great.
It has 400 nits for the monitor, and the display is about seven inches diagonal with a 60 hertz refresh rate. The screen is also a touchscreen, which gives you one more way of controlling things. I find sometimes in Forza there's some menus that are there. It's much easier for me to just click on it than it is for me to route it through the controller itself. It supports Bluetooth 5. It has Wi-Fi for 2.4 and 5 gigahertz and stereo in it. But you can also hook it up to headphones if you want better sound out of it. It even includes a microphone for when you're playing games that are multiplayer and you need to talk to someone.
It has a headphone jack directly on the device itself, which makes it easy to hook up to other audio devices.
And it weighs about 1 pound 8 ounces, or 669 grams if you're in the metric system.
[13:19] So it's very portable, easy to pack, easy to use, super easy to take out on the airplane with no fuss just was a fantastic device overall.
[13:29] Sometimes the fan noise on it can get a little bit loud. People have complained about it. And because people complained about it, they came up with better ways of dissipating the heat.
I don't know anything about this, but the fan now is much more quiet, and you can tell they did something to make it better.
The biggest complaint that people have when they play it, and it's not such a big complaint for me, is that the battery can play for about two, two and a half hours just on battery power alone.
People feel that that's a little light. However, I think it's pretty good. I play it a lot of times when it's sitting in the dock, and you can hook up a battery pack to it if you want to do that.
I don't want to sit there and play video games all day long like I used to a couple of decades ago. For me, when the battery runs out, that's a good signal for me to get back and do something else for a while.
I read a lot of reviews and people felt like they wanted a better screen the next time. I think the screen's fantastic and I know I'm not a particularly picky person, so it wasn't a problem for me.
And then other people complained that they wanted a bigger drive, maybe a terabyte drive on the device, but you also can hook up a hard drive to it with the dock and just keep it there.
So when you're playing on the dock, you have all your games, while maybe you take it with you, you can just have some of your favorites.
The other fun thing is that if you want to, you can nuke the OS. This is literally a machine; I am planning on actually installing Windows on an SD card.
[14:58] I have a feeling that when some games come out and they're going to be Windows exclusive games, not through Steam, I'm going to be kind of sad.
So if I have a working Windows device on a micro SD card, I can play Windows games anytime I want.
To install Windows on the Steam Deck, it takes one microSD card with at least 32 gigabytes of space, or maybe even a thumb drive that you hook up to the dock. You also need a Windows PC to create the ISO file, I think. And then you just need a keyboard and a mouse that hook up through Bluetooth and you're good to go. And it runs the full blown Windows, not even just the limited ARM version. I'm looking forward to this project. I think it's gonna be fun to run Windows off of there.
But I've seen people put other operating systems and other emulations on their Steam decks so that they can play Nintendo games to make it almost like a Nintendo Switch.
It is just a very small PC.
[15:55] The build, you can tell, is a very quality machine. I haven't seen one flaw in the build at all. This is a solid device.
And if you've never been to Steam, the games library is absolutely huge. They frequently go on sale.
Look at, you know, times like Black Friday and Christmas and other times of the year where they have amazing sales and you can get these games for only a percentage of the actual price.
[16:21] The other nice thing about it is I felt that the Steam button allows me to quit games and go into another game quickly. Or like when I was on the airplane, just quickly shut the whole thing down and put it back in the case, and then just pick it up when I pick up the game system later.
So it saves your game. If you're on the internet, it syncs it up to Steam so that your saved games are available to you everywhere.
So when I stopped playing Windows games, guess what? I put them on the Steam Deck and there's all my games exactly where I left them.
I was just thrilled by that. I wondered if I was going to lose anything at all, and in fact I didn't.
[16:58] The other thing about Steam is that Valve is great with customers. They're very attentive. They listen to what people are complaining about and responded to it.
So even the company itself is just fantastic when it comes to customer service.
[17:14] And what other fun you can have doing it is if you have a Steam Deck, you can call it a Stream Deck or a Steam Desk or a Stream Desk.
I mean, it's all getting confusing because everything just sounds the same all the time.
But it is as much fun to play as it is to say rightly or wrongly.
And at home, I never confuse my Stream Deck with my Steam Deck. Two different things, even though they're sitting right next to each other.
And this is Jill from the Northwoods. You can find me sleeping in a tent, playing with my Steam Deck. But if you have any questions, please feel free to look me up at Allison's Slack channel.
I'm around a lot of the time, and if you have games or things that you like to play on the Steam Deck, let me know. Well, I actually played that entire review for the live audience, and a lot of people were jumping on, saying they thought that the flight simulators wouldn't probably run very well on it because Steam tends to be a streaming service, but this is not a Stream Deck, it is a Steam Deck.
And these files are actually local, the games are local. So she said that the performance on the flight simulators in particular was really, really good. The audience was pretty excited about that, two people for sure looking at buying them. George from Tulsa also commented on Jill's blog post, and gave a link to some power banks that work well with the Steam Deck. But he also said something interesting. He said it can be used in full desktop mode running a customized GNOME desktop. And GNOME is what's on the mainline Ubuntu distribution of Linux.
[18:43] He said Linux desktop applications are available directly from Steam or can be side loaded with terminal commands. Is that crazy? This thing is a little computer for a pound. He did also make a note that the cheapest 64 gigabyte version has an eMMC drive and the larger capacity drives are the much better NVMe. So he's got a couple of other links in there that are pretty interesting, but yeah, it looks like this one's stimulating a lot of interest. My grandson Forbes was listening and he got excited when he heard them talking about Minecraft on this.
Bodie at CES: PSYONIC
[19:15] Hey everybody, this is Bodie. Awkward intro. I had a chance to sit down with Dr. Aadeel Akhtar, who is the founder and CEO of PSYONIC. And what PSYONIC does is they make bionic prostheses for amputees. And not only did I get to sit down with Dr. Akhtar, but I also spoke with Brian, an amputee who lost his arm in a work accident approximately mid-forearm.
[19:47] Brian uses PSYONIC's Ability Hand, which works with his neuromuscular system. The Ability Hand's muscular system allows amputees to manipulate all five fingers and the thumb, which is pretty
impressive. You can do different grips, you can do different hand gestures, even the rude ones.
You can even use the ability hand to charge your phone. It's a pretty impressive piece of tech.
[20:13] I'm not going to be able to explain this as well as Dr. Akhtar and Brian will. So, let's go ahead and listen to that interview. I'm here with Dan and Dr. Akhtar of PSYONIC.
[20:24] Dr. Akhtar, why don't you tell us what PSYONIC does? So, PSYONIC develops advanced bionic limbs that are affordable and accessible for everyone. Okay. And then how did you get into this? How did this become your passion?
Yeah, this is something I wanted to do my whole life ever since I was seven years old. My parents are from Pakistan. I was born in the U.S.
When I was visiting, I actually met someone missing a limb for the first time.
She was my age, living in poverty, missing her right leg and using a tree branch as a crutch. That's what inspired me to go into this field. And how long have you been doing this?
We've been working on this stuff for seven years and we released the Ability Hand, which is a bionic hand meant for people who have lost their hand.
In September of 2021, it's FDA registered, it's covered by Medicare in the US, and it's the fastest hand on the market.
It's the first one to give users touch feedback as well.
[21:09] Oh, it gives you touch feedback. That's super cool. So.
The demonstration is very hard for an audio podcast because this is a very visual demonstration. You guys actually stopped at the South Hall.
You had people stopped at the front door blocking people because they were so impressed with what you guys were doing.
How does it work? Yeah, so Dan, actually you want to explain how you're actually able to control the hand. So you lost your hand in an accident back in 2009.
I lost my hand in a work accident. I made a deal in 2020 and that is when I started using the Ability Hand.
And I've had many hands, or I shouldn't say many, but I've had two hands in the past and nothing compares to the Ability Hand.
So I'm able to use it with sensors that are on my muscle. So as I manipulate my muscle, I'm able to open and close the hand.
I'm also able to manipulate through different grips that we offer, which is about 32 grips that we have on an app.
I'm able to connect to my app and I could change my grips when I want. And, you know, I can have anywhere from like four to six at a time that I could use. How do you find like fine voters?
[22:23] We're able to pick up small objects. We've done raspberries without crushing them. I'm able to pick up fine things off of the table.
[22:32] I would say they're great. We talked about strength. You said you were able to pick up objects that are about 75 pounds.
I could about 50 to 75. We start maxing out at 75 before the handle disconnects from the arm, but the hand itself can handle it. It's just the arm, the prosthetic itself is maybe the problem.
[22:54] But working out, I could do about 50 pound kettlebell swings and I could bench press. That's no problem. Awesome. Is there anything else Dan that I should have asked you that I didn't ask you?
I would just say everyday life, this definitely helps out. I mean I'm able to cook with it, do things with my kids, I can even tie my shoe. It's definitely a helpful tool.
And you've even broken boards with it as we just demonstrated. You know what, I will say, the biggest thing I've noticed between this hand and other ones I've used is the durability. But like Adil said, we broke boards and it keeps working,
where other hands may bump into a table and they stop working.
It's more durable. Dr. Akhtar, is there anything that I should have asked you that I didn't ask you? So we're actually in the middle of an equity crowdfunding raise right now.
And anyone who wants to invest in the company, we've made the company itself accessible to everyone. So if you go to psyonic.io/invest, you can actually get in on the action.
Okay, all right. So that's awesome. Thank you, Bill, for coming on the show.
[24:09] I hope you guys have a great CES. Thank you.
[24:12] So my audio gets a little bit quiet during the interview because I only had two Lavalier mics, so I gave mine to Brian because what Dr. Akhtar and Brian were saying was significantly more
informative than the questions I was asking them. I want to thank Brian and Dr. Akhtar for agreeing to be interviewed. And the cool thing about this group, there's probably five or six of them running around CES and they were everywhere. I saw them three or four times in different places.
[24:43] Everybody on this team was energetic. Even at the end of the day, they were energetic and they were smiling and they'd make sure to say hello every time you saw them. They recognized you. It was
just, they're a very cool company. And if you know somebody that needs a prosthesis or you're just interested in this kind of tech, I would go to psyonic.io.
Wow, this is great, Bodie. You know, I love to do accessibility interviews at CES, and sometimes it's hard to find really good ones, but this sounds fascinating. I love it when the guy said he could break things, and what was it he said? He could tie his shoe? That is some serious dexterity. That's really, really interesting. I can't wait to go over and see if I can find some videos on this. And thank you so much for doing this, Bodie.
This is great.
I think, Steve, maybe we don't need to go to CES. We just have Bodie do all our interviews. He did a great job.
Now I was going to play two, but we actually have a really long Security Bits because it's been a while and Bart and I have had a lot of fun just being together after a long time apart.
So I'm going to cut this off and I'm going to save the other interviews that Bodie did until next week.
And Bodie, I just love your introductions. "Awkward" is his favorite thing to say about himself.
Support The Show
[26:01] I am so grateful to all of you who help pay the bills that keep the Podfeet Podcast shows running.
Whether you're a patron by going to podfeet.com/patreon and pledging a weekly or monthly amount, or if you're like Kenneth and you send in an amount of your choosing using podfeet.com/paypal on a schedule of your choosing.
Kenneth really made me laugh this week when he sent his PayPal donation and he does a regular donation and he wrote, sorry I'm late.
How fun is Kenneth?
In any case, I thank all of the benefactors of the Podfeet Podcast.
Security Bits — 5 Feb 2023
[26:44] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Anything go wrong while I was gone, Bart?
Um, mostly fine. Although I had one of those weeks in work where in hindsight it was a good week, but at the time it was a very stressful week.
So our users never realized how close they came to having all of their internet access disappear, but our DNS infrastructure reached a tipping point.
It was like, I am fine. I am fine. I am not fine. It was just, you know, the capacity just reached up and it just really hit a tipping point.
So I ended up re-architecting our entire DNS infrastructure in a week.
But I learned a lot and it was good.
[27:25] Helma will be pleased. So it didn't fall over in a heap, but it wanted to. Oh, it was so close, Allison.
[27:31] It was so close. We just about managed to limp through until I could get the new infrastructure spun up, but Helma will be pleased. Everything was done using Ansible. So that is a wonderful new concept.
Infrastructure as code.
So don't build the server. Build the Ansible playbook to build the server, which is just a bunch of text files, and then use Ansible to build it for you.
So it's obviously a cluster to make it a highly available system. So do all the work on the first element in the cluster, build it up as an Ansible script, and then literally stamp out a second server in five minutes.
If I want another pair, we can start it again. It's brilliant. First time you've done that? I've been playing with Ansible for smaller projects.
[28:19] The first time since I started to become good at Ansible that something really big came along. One of the fun things is that everything is idempotent, which is a wonderful word. Idempotent.
Idempotent. What it means is that you can reapply the same setting.
If it's already in compliance, it will do nothing.
So it is safe to just reapply. So if you say make the server a DNS server, and it already is, it will just report back and say, I've done nothing. So it's completely safe to keep reapplying your template over and over again, which is the property of idempotence.
[28:53] Interesting. That's a fun phrase. It is a fun phrase. Is that with your previous hat as a vanilla sysadmin or your new hat as a security specialist?
Oh, that is definitely me going out with a bang on my old hat. My replacement is getting very, very close to starting work. So I'm very close to losing my old hat and full time having my new hat.
Lots of fun stuff with the new hat as well. But actually, while you were away, I had a lot of fun. Got to watch an attack in real time from some naughty people in Lagos and watch them bang into Microsoft security features and fail utterly to get through them, which was nice.
[29:29] Oh, yay. Yeah, that's the one you want to see, right? It was really fun. I was able to give a report to everyone else on staff. So yesterday they tried to attack us from Lagos, and here's how they failed at this hurdle, and here's how they failed at this hurdle, and then they tried this and that failed too. It was really nice.
Oh, that's cool. Yeah. The problem is what you don't want to do in your job is have nothing reported. Right.
[29:51] Right. You need to tell them, yes, they're attacking and here's why it worked all the time, because otherwise it becomes like, you know, you expect the water to come to your house through the pipes every day, you know, and they won't realize that it takes effort to have it do that.
Exactly. And also these tools, they're not cheap, right? You know, the good software tools you get to protect yourself on a modern enterprise, they don't come cheap. That's, you know,
Microsoft can give away a lot of stuff for very cheap to a lot of people, but they make their money on the other side with the big organizations. So yeah, you pay for the tools. And so when you can see the tool, make sure your bosses know that they're getting their money's worth. Yes, exactly.
Oh, it's so much easier to ask for money for stuff. And you can say, and by the way, it did this, this, this, this, and this. Much nicer. So yeah, it's been fun. Well, on the security front,
I did want to report one thing. I was completely and utterly unable to use PIA VPN when sharing shipboard wifi at, whatever it was, 20 kilobytes per second or whatever the bandwidth was.
I don't think the attackers could do much against you at that speed. I think, you know, they're not the thing you have to outrun, you know, don't be attempting to target guys on the ship.
[31:01] What if those other shipboard people were evil, you know? They could have got what was on your machine, but they couldn't have done much else because they weren't getting anywhere with you.
[31:12] Right, right. Anyway. Right. Well, let's get stuck in.
I was going to say I did keep the ship going while you were away, if you'd excuse the pun there, but yes, some more stuff has happened in the last two weeks, so some follow up on some longer running stories to start us off.
[31:30] Anchor have come clean and admitted what we already knew. Their eufy cameras were never encrypting stuff properly.
We knew this because we could watch the video streams if you knew the secret URL in VLC.
That means it wasn't properly encrypted or that would be physically impossible. So you're okay. Great. You've come clean. You've told us what we already knew and you promised this time you're going to fix it.
Yeah. Seeing is believing on that one. I'm getting tired of quitting people and quitting companies. I'm running out of companies.
You know, yeah, that is annoying because particularly because I kind of like anchor for all the other stuff and it made me very cranky I know they bought you fee and so maybe it's like when Amazon bought ring maybe they bought some baggage and maybe now they're going into clean house and maybe it'll be fine.
[32:16] Prove it to me. Yeah, prove it to me. We shall see. We've also talked a lot about Apple's upcoming improvements to iCloud security that are going to be rolling out as 2023 goes on.
Apple have promised us three things and have been slowly rolling them out to different parts of the world. And in January, we got FIDO tokens.
So hardware tokens for two-factor authentication for iCloud, for those people who need it. So I think it's important to stress the audience for these advanced security features Apple is rolling out.
[32:50] They are for journalists and industry leaders and lawyers working on human rights stuff or political leaders or campaigners. They're for people who have a reason to believe they are at extra risk and they come with a loss of convenience.
Right. You're someone who knows you need more protection than your average person.
Therefore, you have to accept certain caveats. And in this case, very similar to the last one, as you discovered just before Christmas, you have to have all of your devices on the latest OS before you can turn on
hardware two-factor, because if your device can't support the hardware token, then it can't play ball. Right. So then it falls off iCloud.
Well, that's not going to work. So, you know, if you have one device below level and everything else working, that device just no longer has access, right?
Right, exactly. Because this is your iCloud protection, which spans everything. So you also need to have two hardware tokens, because otherwise if one of them breaks, you're completely
locked out. So Apple force you to have two or more tokens, which is very smart of them to do that. But you do need to have multiple tokens. You have to have all of your OSes up to date. And at the moment, Windows support isn't in place yet. So you cannot use the Windows iCloud client if you turn this on.
[34:13] No, I don't know if that's a Windows issue or if that's an Apple issue, and I'm sure it will get resolved at some stage, but right now, today, those are the caveats. So you get the inconvenience of having to have your hardware token whenever iCloud wants authentication. So forget your keychain, no iCloud for you today.
And, you know, so, you know, again, it's a nice feature for those who need it, but don't everyone assume that this means every single person who uses Apple products must immediately turn this on.
No, just make sure you have two-factor authentication turned on.
That is what most of us need. By the way, when you said if you lose your keychain, you didn't mean iCloud Keychain, you meant the keychain that has your fob on it. Yeah, sorry. The thing it's named for, the actual thing in real space that the virtual one is named for.
I find that a funny thing to talk about since the two people having this discussion don't have keychains actually, right?
For cars anyway. No, no, it's true. I just walk near mine and again it unlocks its magic. It's not magic, it's Bluetooth, but anyway, it's still cool.
[35:16] And then we talked a fair bit about Mastodon over the last couple of months. And one of the things is I showed you a way of hacking around so that you can have
your GitHub profile linked from your Mastodon so it goes green, by doing it indirectly: by linking to your github.io page rather than your real GitHub page, and having that be an automatic redirect to your GitHub page.
No need to do any of that anymore. GitHub have rolled out a new feature. If you edit your GitHub profile, there's now a section at the bottom for social media links.
And if you paste in a Mastodon link, it is smart enough to do the right thing to put in the appropriate tag so that it will just validate.
[35:57] Oh, nice, nice. And to replay this to people, this is to get a green validated check mark that says that you are the one controlling the website that you have linked to your profile. It doesn't mean
that you're Bart Busschots, it just means you are the person who controls this website that is supposed to be owned by Bart Busschots. Correct. So basically when my Mastodon profile says that this person on GitHub matches this person on Mastodon, that is what's been proved. It just means that the Mastodon account matches the GitHub account.
Right, right. You only have three links there. So I've only done podfeet.com, or four. I did podfeet.com, but I have so many podcasts.
I wanted to put links to the podcast too. And it does, those don't, I just put names, you know.
Yeah. Because I have Let's Talk, which is a completely different domain. I have that one.
I have basically my personal site, Let's Talk and GitHub. So I'm only using three out of my four, but they seem like the most important.
So anyway, it's a nice touch. It's a little feature, but it's nice of them to do that. So that just makes everyone's life a little bit easier. It's another step that Mastodon is really taking off though, isn't it?
It is. And there's been another push to go at all the various polls. So Elon has decided that the API should be available for no one unless they pay him like,
$150 a month, which is insane because those apps that post off to Twitter, that's adding,
content into the network.
He should be paying them.
[37:23] Yeah, the biggest downside to that that I heard was a lot of the emergency alert systems that have been set up, they are bots, right?
But like, like there's a flash flood warning coming, you know, you can follow that bot to know when that's happening and where you live. Those emergency things are just all going to disappear.
Unless just erasing content.
Right. Unless the government's all started. I mean, just just imagine going through procurement to get a monthly.
[37:52] Just even getting that bill, that invoice paid, that's not going to work in the public sector. Right. Well, and they do a lot of them, you know, they don't just do one, they do a ton of them.
So that it could be enormous expense. And like you say, I always find it really funny when I was working that I could spend $150,000 on my signature, but I couldn't spend $50 a month.
Right. Because it's recurring cost.
The funniest one was one time a company paid me back for a piece of equipment that turned out to be hot garbage and they gave me a check for like $40,000.
And I looked at going, I only know how to spend money. I don't know how to put it back in the company. It was the funniest thing. You took it down to the cashier and you put the source code for your organization in there and the money went right back in.
It was the weirdest thing.
[38:38] Yeah. Anyway. Finding out how to spend money is very difficult. It's just not thinking things through, but then, hey, look, It's his next interest payment is due shortly and that's going to be fun.
And if that one doesn't sink the ship, the one after that three months later probably will.
So I'd say, I also saw that he hasn't been paying his rent payments for the buildings. Correct.
And, and one of the buildings is, is owned by the crown.
Oh yeah. Yeah. Yeah. Well, a lot of things are owned by the Crown, and like, he's not Prince Charles anymore, he's King Charles. King Charles was a business genius when it came to the Duchy of Cornwall. He made a fortune and he was a landlord to a lot of people.
So they own a lot of stuff. He's now suing Elon Musk for not paying his rent. Darn tootin'.
I also, after making everyone come into the office and making such a big hoo-ha, he's also making people around most of the world work from home so he doesn't have to pay the rent on the Ruffer Space.
[39:36] Anyway, enough, enough. Yeah, no. So where was I? Yes, so GitHub: good, shiny, happy. And I have one deep dive, which is more of a medium dive, but it was worth talking about because there's been a lot of news lately about password vaults having issues.
We obviously had LastPass, which still wins. LastPass wins the award for being the biggest screw up of 2022, I think, that goes to LastPass.
And the minor issues with password reuse on Norton last month, I mean, it pales in comparison to LastPass.
And this KeePass thing pales in comparison to the Norton thing.
But you probably saw headlines about it, or at least if you went to the Antarctic, you probably saw headlines about it. The listener is probably still seeing headlines about it, because password manager vulnerability, that's linkbait there.
So it is true. So KeePass is another password manager? KeePass is an open source password manager, a cross-platform open source password manager.
It's been slowly bubbling away in the background for a long time. It suffers from the by-nerds-for-nerds thing where the UI just drives me potty. I did experiment with it a few years ago.
And it's cross-platform. It's up to you to figure out how to sync it, stuff like that. So a lot of people will throw their KeePass file in their Dropbox and let Dropbox take care of the sync. And then they just have the client on the different machines.
[41:05] So you do that kind of thing. But yeah, it's basically a well-encrypted file. Anyway, there is an active CVE number against it. So CVE is a catalog, for want of a better term, for tracking known vulnerabilities.
[41:20] And the security community say this is a vulnerability, and the open source developers of KeePass say it's not a bug, it's a feature. I'm not even paraphrasing here. They genuinely say, no, no, that's a feature, we wanted it that way.
[41:36] Hello. Okay, so "it's complicated" is what I put in the show notes, which I think is the fairest thing I can say, and I think it's probably worth digging into a little. So, when you run KeePass, there is a settings file for you in your home directory.
It's an XML file, and it defines how you want your KeePass to behave.
And one of those settings will instruct KeePass to run this code when you unlock your vault. It's an event handler for "I have just unlocked my vault."
And so you can use it to automate what happens when you unlock your vault.
But that's not in the vault. In fact, that's probably how they should secure it. They should probably have the event handler code in the vault so it doesn't trigger.
So it can't be edited unless you know the password. I think I've just solved the problem for them, but it's not in the vault. It's sitting in your home directory. Sidecar. Yes. Unencrypted.
So if someone manages to get some code execution as you, they can edit this file to add a line of code that says next time the vault unlocks, take all of the secrets, put them in a CSV file and email them to me.
So the moment you unlock your vault, it's a booby trap.
[42:49] Everything gone. Yeah. They say, no, no, no, this is a feature. Yeah. Well, we want people to have the automation stuff. I mean, if some bad guy gets on your machine, the show's over anyway, so there's nothing lost here.
And five years ago, I think I'd have agreed with them. I would have said, yeah, you're right. If someone's on your machine, then the show's already over.
But that's not the world we live in today. We live in a much less binary world between everything's fine and everything's terrible.
Defense in depth is your approach now. So you're always trying to limit the damage that can be done by any piece of malicious code.
Why did Apple put so much work into sandboxing apps? It's so that if one app gets compromised, the app can't reach out and do anything.
So something as vital as your password manager should be doing everything it can to protect itself from every threat, even a rogue piece of software on your computer, because we have a lot of software on our computers.
[43:48] Right. Well, a perfect example on this one would be: sure, if somebody owns my machine, they could put a keylogger on the machine and then they could capture me logging into my bank, but they would have to wait until I logged into my iCloud.
They would have to wait until I logged into my insurance company, till I logged into my school. And this is just handing them the whole thing tied up in a little bow.
It is, and worse than that. So on the Mac, if you get to run code as random apps, so let's say you've installed a Solitaire app that's actually malware, and the Solitaire app reaches out to a command and control server and executes whatever code the command and control server tells the Solitaire app to execute.
That's a very realistic scenario. On the Mac, that Solitaire app cannot install a keylogger because a little pop-up came up saying this app is requesting access to your accessibility features,
and go into Settings to allow, like we have to do for TextExpander, like we have to do for all of these tools. So on the Mac, actually, that piece of software couldn't steal your password with a keylogger.
But it can write an XML file. Yeah, it can write an XML file in your home folder.
[44:57] Doesn't it have to ask for access to Documents to do that? It would if it was in the Documents folder.
But your settings are not in the Documents folder, they're in your home folder. So your home folder is a sibling of your settings, not... yeah.
Documents and Desktop are next to your settings and stuff. Your settings aren't in Documents.
[45:19] Especially the Linux-style ones, which are in a dot folder sitting in your home directory. So in this case, it wouldn't. The only thing I'm worried about is we get asked that so many times when it's not obvious why they need it.
[45:31] And you're just like, okay, it needs that. Let me go check that box. It is still a very effective barrier because a lot of people get so put off by it, they just never do it. Yeah, yeah.
And they click cancel or whatever and the app works fine because it's a solitaire app and it shouldn't be doing any of this stuff anyway. So it'll still be a solitaire app.
So you do have to sort of think about it. I mean, I've had a few apps say, Hey, can I have access to your contacts? No, you don't have a right to do that. But calendar app, can I have access to your calendar? Why?
Yes, you can. You do have to make sure you keep thinking. What is it asking you? Yeah.
But it, at least it gives you the opportunity, right? It is another gate. So to me, as a Mac user, the argument that this is not a vulnerability is hogwash, but over on the Windows side, they're not as wrong.
But I still think that as a password vault...
[46:26] Even on an operating system that doesn't have the extra protections the Mac does, the vault should be protecting itself as best as it possibly can. I think, you're a password manager, for goodness' sake, you should be doing the absolute best. So I just disagree with the developers.
Stop.
I think that they're thinking a decade-ago way of thinking, and their thinking is as if they're running,
basically, the thinking is like they have Evernote, which is a little library of stuff. Yeah, you have a little library of stuff. All of my secrets.
You have a higher responsibility than Evernote does.
[47:02] Now, you can turn it off system-wide by editing a setting in the Applications folder. And unless you're running your Mac as an admin user, you can't...
A random piece of malware can't mess with that because it would need to escalate privileges first. And in Windows land, you would get that UAC pop-up that says you're about to do an admin thing.
So again, you would be protected from that. So if you go edit the setting at the app level, not the user level, then you can't protect yourself from this. So basically disabling those event handlers.
But it's a bunch of faffing about. And this brings me to the other obvious thing. If you think it's so important for one or two percent of your power users to do this kind of weird fancy pants thing, make it an opt in feature.
[47:54] Yeah, oh yeah, yeah, yeah. Not an on-by-default feature. They just, they have a little bit of work to do here, and at the moment they're trying to defend the indefensible, and they are going to fail.
[48:06] Like, they're going to see the light on this. The question is how much shouting has to happen first. Well, and how much loss of credibility happens between now and then.
Yeah, exactly. So we shall see how it ends up. It's not the end of the world. This is nothing like what happened to LastPass.
This is absolutely, positively. So if you're a KeePass user, you now understand the situation. You know this setting exists, and you should act appropriately, and you should make your own decision.
But this is not a catastrophe like LastPass. So let's keep it in context, folks.
Even if I think they're wrong.
[48:40] Right, right. OK, so normal business can resume. Action alerts.
Oh, can I tell you one last thing? Sure. On the ship, I met a woman who had all of her passwords written down on a piece of paper in her purse with her iPhone.
[48:56] Well, I'm not actually against writing down passwords, but the "with her iPhone in her purse" is where it breaks down. Just a touch.
Yeah, well, the thing was, she also had a pattern like blah, blah, blah, 2323, blah, blah, blah, 2323.
Look at the piece of paper. What do you think her four digit code was to open her phone?
2323 2323.
[49:22] Yeah. Yeah. Oh, sweetie. Okay. I'm going to help you with this little problem you're having here, but you're going to do this when you get home. It's called 1password.com.
[49:34] Yeah, because a lot of people mock password log books and stuff, but actually, if you keep a password log book in your house, for a lot of people that's the most likely they are to do something securely, for goodness' sake.
Don't make it an Excel file for goodness sake. Don't put it on the computer unless it's in a password vault. If it's on a piece of paper, you cannot hack a piece of paper remotely.
[49:56] And if someone, if someone steals a piece of paper, unlike someone stealing something digital, you've lost it.
It's gone. You know, it's gone because it isn't here anymore.
Right. That's the problem with digital theft. You don't know it's taken. Whereas with physical theft, you know, it's gone. This is an important difference.
So anyway, but yeah, one last thing on this. So Lindsay and Nolan were on LastPass, and they switched over to 1Password.
Lindsay keeps telling me over and over again how much more she likes 1Password than LastPass, which really surprised me because I always looked at them as pretty
equivalent. I thought it was a little bit nerdier in LastPass, but she just said, it's so pretty and it's so easy, and the way it fills in passwords is better. And she said that the conversion from one to the other, I sent her a link to the tool they have to import as a CSV, and she said, it took me maybe 35 seconds to move all of my stuff from one to the other.
[50:55] And I have to say, I changed them all. So I do not believe there is anyone else doing a password manager with as much,
thoughtfulness on the user experience. Not raw features in a spreadsheet, but thoughtfulness in terms of how it feels to use the app. Yeah, yeah. Now they did. They have had some
[51:16] janky problems with version 8, and they've just published a blog post about how, yeah, we heard all those things that were irritating you, we are fixing all of these. There's a lot of stuff that's fixed in there.
Like you can actually reorder items.
Like, you know, it's got two websites and you want one above the other and you would have to delete it and add it. They've put that back in.
The other thing they've done is if you have subdomains on the same domain, it won't keep offering you every password. So we have an awful lot of stuff on the subdomain of our university domain.
And when I go to some of our websites, it just gives me hundreds of spurious. It's like, no, you have a password for this exact subdomain. Stop telling me about these other subdomains.
You can also set a default vault, which is nice for people who have a work vault and a home vault.
But the thing I'm looking forward to most is the version 8 will actually work on my iPad.
There was a bug where it just asked me to type in my password every single time I accessed it. And I wrote to them and they said, yeah, go back to 7 for a little while. We're working on that one. And so I'm looking forward to going back to 8.
The other thing that's still missing that we used to have in 7 was, when I would unlock 1Password, both of my vaults would unlock, my work vault and my personal vault. Now I have to unlock them separately.
[52:32] Really? Now, that's true on my machine without Touch ID. That's not true on my machine with Touch ID. Touch ID seems to unlock both, but typey-typey password does not.
[52:44] Which is really annoying. Weird. It's a subtlety.
Because I believe under the hood they used to keep the password to one of your vaults in the other.
And so you would unlock one and that's how it would have the password to unlock the other.
I don't think they're doing that anymore. They've changed something in the architecture. And the other one that's driving me nuts and I'm hoping that rearranging fixes this.
But I have accounts where there are multiple multi-factor authentications.
Right? Oh really? I have single sign-on credentials that have many different front ends that they go to, the same username and password at the very, very, very, very back end, right?
Active Directory sitting at the back of it all. But some of them have Google Authenticator and some of them Microsoft Authenticator.
So the second factor is different.
And so when I open that account, I see four six-digit codes.
I can't choose the one that sticks to the top.
And auto fills. And it's wrong. It's the one for password recovery that sticks at the top, which is the one I never need.
The three I need all the time. Maybe if you could rearrange them, maybe you can fix that. Yeah.
That's what I'm hoping. I'm fingers crossed on that one, because that would make my life so much easier if the right one were to auto-populate. But anyway, yes, 1Password is continuing to improve. You posted that in the Slack and I had to read it, and I liked a lot of what I saw.
[54:06] So that should be nice. Right, so our first action alert is a fire extinguisher. If you have basically any Linux, you should allow OpenSSH to update itself.
And you should do it just because it's best to have the latest OpenSSH. But there's no need to panic.
There is a very subtle bug in there.
And they have very responsibly disclosed it. It is patched.
It's also not exploitable by any means anyone has figured out. Now attacks only get better, so six months from now, someone might figure out how to possibly exploit it.
But for now, it's just let this patch when it needs to patch. But if you read something about OpenSSH bug, yes, there is a bug, but there is no need to panic. It is under control.
Farbogator on scene. Everything is fine. Just work along as busy. Dumb question. How would I know if I had an OpenSSH on my server?
Oh, you do. Can you SSH to it?
[55:04] Yes. Yeah, then you almost certainly do. It is conceivable that there is someone somewhere not using OpenSSH. Well, I'm not aware of any major distro that isn't using OpenSSH. So can you put it on your checklist to tell me how to do that?
Well, you have yours updating itself automatically all the time. It's just going to come out in the wash. Do I? OK, I knew that.
You do, because otherwise you would have hundreds of security updates behind. Then you do not. OK. OK. So, yeah, you have to do nothing. You just have to. Yeah, you have to do nothing. It'll happen.
Let us let it do its thing. It's great automation. Good. As you know yourself.
[55:40] So that's the first one. Apple have also patched pretty much everything everywhere. So let all of your Apple devices update themselves.
And they have also backdated some of their patches to older versions of iOS. So right back to the iPhone 5S, there is now a security update available.
Yes. So how many, like nine years? It's a long time ago, the iPhone 5S. If this wasn't my new Mac, I would have MacTracker installed and could tell you very subtly, but I don't.
But yeah, it's a long time ago, so patchy patchy patchy patch all of your Apple goodness. Moving on then to worthy warnings. So remember we've already mentioned LastPass a few times,
owned by a company called GoTo. And it turns out they didn't only lose their LastPass stuff,
they also lost a whole bunch of really important data for various GoTo products.
And just like with the LastPass disclosure notifications, they're a bit low on detail.
Very low on detail, with things like, there are some two-factor authentication settings that have been stolen.
[56:55] Home another bar? What precisely do you mean by two-factor authentication settings? And quite what could an attacker do with this information you haven't told us exactly what it is? And also on some accounts it was somehow encrypted.
How? How strongly?
[57:16] So yet again, the assumption we have to make is that they've lost everything, because they're not giving us enough. If you don't tell us, it's probably bad news. If it was good news, you'd probably have told us.
So the other main product, then, is GoToMeeting, right? Correct. So I'm sorry to say, Allison, you have some homework.
You need to reset two-factor authentication. So you need to reset your password, reset two-factor authentication, start from scratch, and make sure you generate new recovery codes, because your old recovery codes could well be the metadata that was lost.
[57:49] If one had GoToMeeting, if one had GoToMeeting, GoToWebinar, any of the GoTo products. Are we not on GoToMeeting? I do. Oh, no, we're sorry. We're on that other one I don't like.
I'm sorry. It's one of those blue icons I don't like, I got all confused.
[58:07] Sorry, you're fine then. No homework for you. You're all good. But yes, so basically, and also if you are using SMS-based two-factor authentication, almost certainly your cell phone number is one of the things that has been leaked, which would definitely put you in danger of SIM swapping as a way of attacking your stuff, if you're valuable enough.
So the advice from Naked Security is to switch away from SMS-based two-factor authentication to app-based two-factor authentication, especially if you had it turned on.
So good advice, really.
Wow. Oh, to answer the question on the iPhone 5S, it started in 2013 and was sold until 2016. So the youngest one would be, what is that, four, seven years old?
And the oldest ones are literally a decade old.
Seven and ten. Yeah. That's kind of impressive. Wow. Nice one, Apple.
That's really impressive. Yeah. I probably should have put a fire extinguisher icon next to this story as well, actually. So GitHub have lost an encrypted version of the private key for the certificate that signs their app.
[59:15] So if an attacker succeeds in decrypting the key, then the attacker could use that key to sign malware as if it was officially from GitHub.
And so Windows and the Mac, etc. would see it as validly signed, they would not give you a warning saying this is from an unknown developer, and would run the malware as if it was from GitHub, which would be bad.
But thankfully GitHub kept their keys encrypted, so while the attackers were able to sneak in and get some stuff because of an errant API key.
They were not able to get the unencrypted version, so that's again security working as it should. So GitHub have responded very responsibly.
They gave everyone a week to let their app auto update, and then they revoked the key.
If you didn't update your app in that week, it's not a catastrophe. It's a minor inconvenience.
Auto update will not work for you because the signature will fail because your app doesn't know about the new key because your app didn't get the update in time.
So your app will think that every valid update is malware because it's a different key.
You simply go to GitHub's website, you redownload the app and away you go because your settings are fine. it's just that you need a new copy of the app.
[1:00:24] I wonder, will it be obvious to people who've downloaded an app that that's what's wrong with it? It may or it may not, but thankfully the community of people who use the GitHub app are also the community of people who are quite nerdy, so I'm hoping it's a fairly minor.
Oh, you're just talking about the GitHub app itself, not apps you've written and put on GitHub. No, no, just the GitHub app. Every app we've written on GitHub?
No, no, no, no, no, it's the GitHub app from GitHub. So it's a small audience, it's a well-contained problem. And I mean, I think some people are probably losing their mind, because again, you can have a headline, you know, GitHub lost a key.
Although most of the headlines just say they lost the key.
They don't actually say that they lost an encrypted copy of the key, which is a significant difference.
And the whole point is their security worked because this could have been a catastrophe if they hadn't have had good security in place.
But they did. So it isn't. So it's a good news story. This is just the marching along. This is what we do.
This is we had we had contingency plans for if the worst happened, the worst happened. We're now doing our contingency plans.
Good. Nice. Well done. Yeah. And somehow I managed to get it updated while I was gone, because I opened the GitHub app and it didn't seem to complain.
Oh, good. Good, good, good.
[1:01:42] I suppose if I get an update, though, that's where you're saying I would find... You may find that the next time it tries to update itself, because
[1:01:52] this doesn't check out. OK. The last worthy warning I have is an unusual one, but we have talked a lot about AirTags, so I do think it's worth mentioning.
[1:02:01] There are people, actually, there are companies selling various ways of attaching AirTags to pets, which implies that this is a safe thing to do.
Do not. Seems like a reasonable thing to want to do. Yeah, the problem is pets are ingenious, pets swallow things, and AirTags contain very toxic batteries.
[1:02:26] It could literally kill your pet. How do you get an AirTag off of your own collar?
Well, unfortunately, there is a lady in the States who buried her dog because the dog was cleverer than me.
I don't know how, but the dog succeeded, chewed the thing apart, and is dead.
[1:02:47] Well, so you shouldn't put any kind of tracker on your dog. Yeah.
Nothing battery-operated on your dog, I think, is really the key, because it's those batteries. You know the way that you have to buy very specific ones for the AirTag that
don't have the childproof coating, because otherwise they actually don't make contact with the right parts inside the AirTag? The reason those childproof coatings exist is because those batteries, if they end up in stomach acid, not good.
Right. Right. Not good. And so this is actually, it's unusual. About all the different kinds of, I mean, I've got a light-up collar.
[1:03:22] That light up collar has got a battery in it. Would you ever leave that on the dog when the dog is not in your presence? I wouldn't, but I could see somebody doing that.
Yeah. So I guess the warning is valid. I guess if you can't see the dog, don't have the dog with a battery tied to it, because dogs are ingenious.
They are geniuses. Like they are absolute geniuses.
[1:03:43] My dog's dumb as a stick, but you have a great personality. You only think that, although I was convinced I had the words. She licks soap.
I wouldn't, I wouldn't put one on Dodger, but I'd put one on Tesla.
[1:03:55] His dog is a genius. He can open doors, sliding glass doors, turn door handles. You have to turn and then pull towards you.
Wow. Um, he used to turn on the stove. Wow.
They decided he was trying to kill him, but they ended up having to put childproof locks on the handles on their stove. So is he, what, the equivalent of a three-year-old?
[1:04:15] Yeah, exactly. Tessa doesn't know how to go through a door that is ajar in the direction she would have to push it to walk right in.
She will stand at that door all night long and not go through it.
Okay.
She's excessively polite. We don't know which. Yeah, either way. I think we had the world's dumbest cat because it was the only cat I knew who didn't understand gravity.
Lie at the top of the stairs, stretch, roll and then go end up at the bottom of the stairs with this look of what?
How? That happened anyway. As I recall, he only had one eye. So watching him jump was entertaining as well because he didn't have depth perception. That was later in life. Yeah. He had a very clever thing. We'd bob his head left and right to get the depth perception and then jump.
So it's actually kind of cool to watch because initially after the operation, we lost the eye, he, he would just miss.
It was hilariously tragic or tragically hilarious.
And then after a few weeks, bad laughing, but you still did. Yeah. After a few weeks, you just watch him just, just bob his head left, right. And jump. And he was perfectly.
Once you just learn the left, right?
[1:05:18] My brother only has one eye and when he was in high school, they did a depth perception experiment with the kids where they had him cover up an eye and look at two boxes, one close and one far away and try to guess which one was which. And the teacher watched Grant notice he jiggled his head.
Right subconsciously. Just as a little tiny quiver. Yeah. Yeah. And that's all it needs. That just breaks the illusion of they're the same distance. No, they're not. I've just moved side to side and now I can see the difference. Yeah, it's cool.
OK, so that was Worthy Warnings. Notable News then.
[1:05:47] The United States is suing Google over its monopoly on the ad market. That seems significant to me.
Eight US states and the US Department of Justice are on that court case. We shall see how it progresses.
And in the Very Strongly Good News column, the Federal Bureau of Investigation has cooperated with the Dutch authorities and the German authorities to wrap up the Hive ransomware,
which was frankly wreaking havoc around the world. It was one of those ransomware as a service where you could pay to have the bad guys extort people for you. And they were one of the groups who felt it was perfectly fine to go after hospitals. And schools and things.
Oh, that one. Yeah. One of the ickiest ones. So nice to see that wrapped up. An eek little, you know, arrest bow. Well, actually they got the servers rather than the humans, but either way they have significantly disrupted some nasty malware. So that's good.
In terms of top tips then, Apple, because it was Data Privacy Day a few weeks ago, Apple released a bunch of resources, primarily a very fun video and some Today at Apple sessions.
I have no idea what the Today at Apple sessions are like because that would involve having an Apple Store, which I still don't have. But the video is fun. It's about five minutes long, which I think is probably a good length. It is with Nate from Ted Lasso.
And it is funny but informative. It's information rich, but at no point do you feel like you're learning.
[1:07:16] It's really nice, actually. So I think it's a great one to send to friends and family. I mean, you and I won't learn anything new, but it's a really good one to share what actually your iPhone is doing to protect you. It's well done. I liked it.
And it was fun. So if you're a Ted Lasso fan, watch it because it's fun and share it to actually get the security message across.
In terms of interesting insights then, I absolutely positively wanna give a hat tip to Glenn Fleishman over at TidBITS for two amazingly good articles.
I think they started as one article in his brain and he very wisely decided to split them into two because they both got quite long.
So we have talked a lot about Mastodon.
So the article that's probably of the most interest to the most people is his article on Mastodon and new hope for social networking.
[1:08:02] It is a very clever way of explaining Mastodon to people. He has a very fun analogy of a flotilla of boats to describe all the different servers and how you can safely hop from boat to boat, and if you're in a big boat things are different from a small boat, and if your small boat is in trouble, just hop over to another boat. That's clever actually, it was nice and very human friendly. But of course, Mastodon is just one example of something called the Fediverse.
So Mastodon sits on top of an open source infrastructure that could be used for any kind of social app, which is called the Fediverse.
And that actually also opens up some interesting possibilities. So the second article dives into the possibilities. I mean, there's no guarantee any of this will happen, but it is an interesting vista that is open to techie people to explore.
So I thought it was a very good description of what the Fediverse is and what the potential is for it. So two excellent articles from Glenn Fleishman that I really just want to plug.
[1:08:57] So when you get onto Mastodon, you'll look at your follower count and it'll be maybe a tenth of what it was on Twitter. So dialing these numbers down, I'm getting way more engagement than I ever was.
Infinitely more. Infinitely more. Because it's not a bloody algorithmic timeline, it's also valuable.
Yeah, yeah. But Glenn Fleishman is coming up on 10,000 followers on Mastodon, which is massive. But as a celebration of that, he's giving 10% off of all of his books and
written things that he's created. So if you follow Glenn Fleishman on Mastodon, you can see he's updating it. I saw a new update today of how much closer he is to 10,000. And he's got a bunch of, if you like really cool printed stuff, he's got really cool printed stuff.
[1:09:47] Excellent. Yeah. He's a cool guy. I really like, he's very good at writing. He writes very well. Very big fan. Um, just because it's cool. So the only real takeaway for our
listeners is Google have made DNS a bit less insecure. Like DNS is one of those protocols from the, I think it's from the eighties. No, it's probably from the seventies. Never
mind about it. It's bloody old. It's from the days when we were kind of just happy that the internet worked, as opposed to anyone thinking about securing the bloody thing. So we have done
a lot of proactive work to retrofit security. Like the Dan Kaminsky hack a few years ago made us really change things up, and Google have found a new way to add more entropy into DNS queries to make them harder to spoof, which is called DNS cache poisoning. It sounds really bad, which it is, bad.
If someone manages to convince you that another IP address is PayPal.com, that's not good. So cache poisoning is bad.
So you need as much randomness in the query so that it's really, really hard for a bad guy to sneak a forged response in because there's no encryption to enforce the security. Your only chance of security is entropy.
[1:10:56] Make it hard to guess a plausible answer. And the DNS protocol is officially case agnostic.
If you give it a query in any case, the answer should be converted to lowercase, then queried, and then you get back the result.
So you are also supposed to, according to the spec, preserve the case in your reply.
[1:11:18] So if you randomize the case of P plus DNS queries, then the attackers need to randomly guess the right case in their poisoned answers.
So it adds massive extra entropy to long domain names.
So Google have started to randomize the case and throw away answers where they don't get the same randomization back.
That's clever. It's very clever. And the explanation over on Naked Security is fantastic.
So it's a really good job of explaining why Google are doing it. And it also gives you a little short history of everything that's come before.
Like we started randomizing port numbers and stuff to add entropy. So it's a really good explanation.
If you're curious about how we've had to be clever to make an insecure protocol acceptably secure for the 21st century, this is fantastic.
And I should note that all of this hackery, as cool as it is, is all just a stopgap for the future, which is both, I think, DNSSEC, which is an extension to DNS that adds actual encryption, actual cryptography to actually digitally sign things, and DNS over HTTPS,
which is actual encryption.
So you have actual digital signatures and actual encryption on the way, but Google are back filling the gap with this new approach, which is very cool.
[1:12:32] And everybody gets the benefit of that? Yeah. If you're using Google...
No. Anyone who uses Google's DNS resolvers, which is a heck of a lot of people, programmed into their routers. If you've configured your router to use 8.8.8.8, then you're getting this. Okay, so if we're using Cloudflare, we're not getting this.
That is correct. 1.1.1.1. Well, I don't know for sure that they won't copy this by next week. But...
Exactly. If it's good, they will. Almost certainly. And in fact, Google, everyone was... This idea is 15 years old, but everyone was afraid to go first because what if the DNS servers don't follow the spec? And what if we end up breaking our DNS resolution.
But Google are such a big player that the fact that Google have done it and it hasn't broken Google.
That means everyone else is going to feel a heck of a lot more comfortable following Google.
Don't be first. Just, you know. So I think you'll see this rolled out to all the major providers. So I do think 1.1.1.1 is very likely to follow.
Also, 1.1.1.1 are good supporters for things like DNS over HTTPS, and so they're very on the ball. I don't trust Google.
Therefore, I use 1.1.1.1.
[1:13:38] It's as easy to remember as 8.8.8.8, which is also important because I used to use OpenDNS, but I can't remember their servers. It's no good to me.
And then we have Palate Cleansers, and you, I have had a palate cleanser sort of in my back pocket for a month and a half that I was like, yeah, maybe it's too nerdy. Maybe it's not appropriate, but it is the perfect companion to your palate cleanser.
So I've snuck in, I've basically gone in your coattails.
[1:14:05] So do you want to describe yours? Can I do mine? Yeah. Yeah, yeah. So one of my favorite things I follow on Mastodon is called Nixcraft, N-I-X-C-R-A-F-T,
and it's kind of nerdy, but often just really quick little clever fun things you can do.
And they give a tip on how to access wttr.in, which is an API that will print out in ASCII your weather. And it's really, really fun to look at because they're drawing clouds,
with ASCII characters and like the sun peeking out from behind a cloud, but it gives you your seven day forecast. It'll give you the hour by hour weather where you are morning, noon,
and night kind of thing. And it's super nerdy. And if you just look at the link, you'll get a kick out of it, whether you decide you want to do it in the future. So I definitely recommend following
Nixcraft. But also, as Bart reminded me, and I did remember at the time, we covered this in learning JavaScript in Programming By Stealth, and Bart has put a link in the show notes to installment 80 where he taught it to us. So pretty cool stuff, I got a big kick out of it.
The API is even cooler than Allison's made it out, right? So on the terminal, it doesn't just draw a picture of the cloud. It uses the escape characters for color in the terminal.
So it actually gives you like color terminal output.
[1:15:27] And if you take the same URL and put it in your browser, it gives you HTML. Because the API is actually smart enough to look at the user agent. And if the user agent is curl, it gives you back terminal output. And if the user agent is Safari or Internet Explorer, it gives you back HTML.
And when we did it with Programming By Stealth, we explicitly said, please give me back JSON files, so then you have raw data that you can process.
So this same API can give you the weather in terminal, in HTML, in raw data, and it's all for free. It's just so cool. And it's basically, you know, take all the vowels out of weather and it's wttr.in. So in other words, wttr.in forward slash Dublin will give you Dublin weather,
wttr.in forward slash Los Angeles will give you Los Angeles weather. It's so cool. Big fan.
[1:16:11] A lot of fun. Exactly. Now there's a similar API that is also designed to be accessed from the terminal using the curl command that also returns nicely formatted ASCII with all the various color codes.
It's called cheat.sh, which is a whole bunch of cheat sheets for nerdy stuff. It covers both terminal commands and common programming languages. So you can basically use your terminal to get like,
oh sugar, how does the ls command work? If you would prefer to have a human write something human friendly instead of the man page, which involves, I mean, you will learn to speak man-page-ese, but it is a different language, right? It's some sort of jargon. It's not,
it's not human speak. And you will eventually get good at man pages, but a lot of people prefer not to read man pages. So cheat.sh is perfect for humans, and all the details are linked in the show notes. And again, that will work in the browser or from the command line, and it will be sensible and give you sane output regardless of how you go to it.
So another cool use of a web based API.
[1:17:13] Very good. Very good. Those do fit. Those do nestle quite nicely together. I've been wondering how, because I thought like if I'd come out with that cheat.sh one without you having something else that was similar, I don't think it would have gone over as well. So this is perfect.
[1:17:28] All right. Well, that's all I got. Does that wrap us up? It wraps up my content. Unless you've got some more. I'm all out. All right. Well, this was fun. It's fun to get back in the saddle with you, Bart.
It really is. That sounds weird. It does a bit. No, but we're so out of practice. It's just hilarious folks. We were yacking away forgetting to do a test recording. I was like, wait, do I put the file again? We recorded yesterday.
I couldn't even remember that it was Dropbox I was supposed to use. Completely out of practice. But hey, we're back now. I couldn't even say the date correctly yesterday.
That is also true. But yes, we'll be back in practice by next time, I'm sure we'll be absolutely fine. But anyway folks, remember, until then, stay patched, so you stay secure.
[1:18:11] Well, many thanks to Jill and Bodhi for not making you listen to this voice any longer than necessary. I truly hope that I have my real voice back by next week, but we are going to wind it up for this week. Did you know you can email me at allison at podfeet.com anytime you like?
If you have questions or suggestions, just send it on over. You can follow me on Twitter at podfeet, and you can find me on Mastodon at podfeet at social.
Actually, I'm not sure why I'm even saying my Twitter handle anymore. I haven't been writing there for weeks. So more than a month since I posted there.
Now that I don't have a Twitter client, I don't feel like going to the web. So I am on Mastodon at podfeet at chaos.social.
If you want to join in the fun of the conversation, you can join our Slack community where you can talk to Jill, as she said, and you can go to podfeet.com slash slack to do that. In there you can talk to me and all of the other lovely NosillaCastaways.
Remember, everything good starts with podfeet.com.
You can support the show at podfeet.com slash patreon, or with a one-time donation or a regular donation like Kenneth at podfeet.com slash paypal.
Be sure to let me know if you're going to be late though.
[1:19:19] Anyway, and if you want to join in the fun of the live show, we had a hoppin' show since we'd missed a couple of weeks.
You can go to the live show by going to podfeet.com slash live on Sunday nights at 5pm Pacific.