Nc_2023_03_05

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com



[0:00] Music.

[0:12] And this is show number 762. Well, next weekend is Steve and my 40th wedding anniversary.
So we're sneaking off for a weekend of wine tasting with our dear friends Dean and Suzanne, whom we met when they crashed our romantic dinner for two in Sedona on our 20th anniversary.
We won't be home in the weekend, so there will be no live show next week.
I'll tell the chat room, no live show next week, March 12th.
Now to give my voice every chance to heal, it's quite likely that the show won't come out until Monday, March 13th.
Don't panic, the show will go on.

[0:47] Hi, this is Allison's assistant, 11labs.io. As you can tell, Allison's voice took yet another turn for the worse.
She asked me to tell you that we got some great listener content submitted this week, so she's going to hopefully move the content she had planned to next week so you don't have to listen to the gravel machine any more than necessary.
We've got a segment of security bits too, so it's going to be a great show.
We'll get to that content soon, but let's hear what she's been up to this week.

Allison On DTNS Antarc-Tech

https://dailytechnewsshow.com/2023/03/03/antarc-tech-dtns-4469/


[1:12] I got to be on the Daily Tech News show with Tom Merritt and Sarah Lane this week.
I haven't been on the show in ages, but not for lack of Roger trying to book me.

[1:21] All the trips we've been on have really gotten in the way of my guest appearances.
We had a blast doing the regular tech news and then we talked a bit about my advice for tech on travel.
Tom and Sarah and Roger have some bonus content they do for their patrons, which they call Good Day Internet.
Normally it's just a random discussion but this week Roger had a quiz for us and it was absolute anarchy and hilarious.
Tom would read a description of a movie that Roger had written, and the question for each movie was what was the name of the computer. Sarah, Len Peralta and I were the participants, and we barely got any right even though we knew these movies really well. Four of them Steve and I actually own, and I still didn't get any of them right.
I'm not sure why it was so hilarious, but it really was fun.
You can find this episode of the Daily Tech News Show at the link in the show notes of your podcatcher of choice.

Allison And Barry On Let's Talk Podcasts

https://www.lets-talk.ie/blog/?p=78726


[2:10] This weekend, Barry Fulk came to visit Steve and me. Barry is a good friend of the Apple community and was instrumental in the event that is now known as Macstock.

[2:19] When Bart put out his call for panelists for this Let's Talk Apple podcast, I realized Barry had never been on the show before, so I invited Barry and me to be on this month's show.
Barry had a great time together and Bart hopes to include him in the regular rotation of guests.
You can find this episode of Let's Talk Apple in your podcatcher of choice under LTA 114 or follow the link in the show notes.

CCATP #760 — Rod Simmons On Migrating From LastPass To 1Password

https://www.podfeet.com/blog/2023/03/ccatp-760/


[2:42] Rod Simmons of the SMR podcast and Barbecue and Tech joins me to talk about password managers.
After the recent breaches, and more importantly, breaches of trust from LastPass, Rod migrated over to 1Password and changed all 400 of his passwords.
We talked through what LastPass did wrong and what Rod appreciates about 1Password and misses about LastPass. I found it a really interesting conversation about UI design, trust, and what makes an app feel right. I'm going to keep going with the AI voice because my voice is really painful to talk to you, but boy am I enthusiastic in AI, aren't I?

CCATP #761 — Bart Busschots On PBS 146 Of X – Shell Loops

https://www.podfeet.com/blog/2023/03/ccatp-761/


[3:17] On Programming by Stealth, Bart continues our mini-series on shell scripting.
He explains the simplicity of looping and the four types of loops, while, until, for and select, along with the simple syntax of do, done within a loop.
He walks us through a lot of examples that illustrate how each one of these loops works.
He ends by giving us a challenge because teacher's pet Allison asked for homework last time. You can, as always, find Bart's fabulous tutorial show notes at the link in the show notes.
Okay enough of that. Let's get started with some actual listener content.

Tiny Tip - Filter Contact Fields When Sharing iOS Contacts – By Donna Campbell

https://www.podfeet.com/blog/2023/03/filter-contact-fields/


[3:51] Hi, this is Donna from Southeast Michigan. I noticed something new in iOS recently and I shared it with Allison along with Dave and John at Mac Geek Gab, another great podcast. Allison asked if I would record this for this show so she could share it with her devoted followers. Here you go.

[4:09] I'm typically my mom's driver for doctor's appointments, but due to a broken shoulder, my husband has been helping out. I wanted to share contact info with him for one of her doctors so he could use maps, and I noticed something which is new to me anyway called Filter Fields.
It shows up when you open the contact card, scroll toward the bottom, and touch Share Contact.
This is great. When I only wanted to share someone's phone number or address before, I would copy and paste or send a screenshot. But now you can just uncheck anything that you don't want to include within a contact card and send only what you want to share. For example, you might not want to forward someone's contact photo, birth date, cell phone number, or their private email address.
In many of my contacts, I have a lot in the notes section, and I've heard before that those do not transfer when you share a contact card.
This doctor's contact didn't happen to have any notes, so I tried it with one that does, and notes didn't even show up as a filter option. I think that's probably a good idea to prevent accidentally sending private info.

[5:15] And here's a helpful tip I want to share. My mom sees a lot of doctors and I can't always remember their names, so I enter Mom after the doctor's last name and their specialty under company. I also enter Mom on the contact cards for her insurance agent, accountant, attorney, pest control, snow removal, lawn care, and even a few of her neighbors. It makes finding their info so much easier. I hope some of you find this helpful. Thanks to Allison, Steve, and Bart for all their hard work. I listen to a lot of podcasts and this is one of my favorites.

[5:51] This is great, Donna. I wonder how long the filter fields drop down has been hiding in plain sight.
Donna wrote this tip up as a blog post as well, and she's got screenshots walking you through how to do it, along with a sweet photo of her husband escorting her mom away to a doctor's appointment.
I hope all of you heal up quickly and thanks so much for bringing us this useful tip.
This is a real Allison checking in for just a moment. I did want to thank Donna for her kind words. The AI didn't think that was necessary, I guess. But that's very nice of you, Donna, I appreciate it.
After Donna sent this in, I also gave her another tip that Lindsay gave me a long time ago, which was the idea of using emoji in your contacts and that helps you be able to see visually the ones that you're looking for.
So she now put stethoscopes next to all of the doctors that her mother goes to.
So that was kind of another good visual aid.
And in the live chat room, Mike, also known as Grumpy, suggested making a mom contact group and dragging all the ones in that are just for her mom.
And that way she could see those contact groups. So that's another great tip and I appreciate that, Mike.

Private, Secure, And Free Dropbox-Like Experience With Syncthing By Bill Reveal

https://www.podfeet.com/blog/2023/03/syncthing-bill-reveal/


[6:57] For our second listener review, we'll be hearing from Bill Reveal.
Bill is the guy who helped me migrate my entire web server, fix the plaguing and coding problems I had in the database, and in combination with efforts by Bart to make it as fast as it is now.
I will be forever in Bill's debt for how stable and well-controlled podfeet.com is.
If you appreciate that as much as I do, think of Bill every time it makes you happy.
As if those contributions were not enough, Bill has a terrific review for us.
Greetings Allison, Steve, and my fellow NosillaCastaways. I'm kind of wondering if you even have to be able to pronounce NosillaCastaways to be a NosillaCastaway.
Anyway, Bill here with too many problems to solve, but for one, I'm a grouchy, obstinate old geek that is headstrong when it comes to computers.
As the old saying goes, I hate all computers. I just hate my Macintosh the least.

[7:57] Despite being a long time user of Dropbox, there is one thing I have always hated.
Everything has to go into that one silly Dropbox folder.
iCloud has its own folder, OneDrive has its own folder. They force me to use their directory to use their syncing.
My Dropbox folder is a real mess. I need a syncing solution that allows me to say, sync this directory, that directory, and another one on this computer, but over on that computer, those same directories can be anywhere I want them to be, even with different names.

[8:40] Furthermore, I have a folder I want to sync with my friend over there and no one else.
Oh wow. How about something really silly? And this really just happened.
I want to synchronize a folder in Dropbox on my Mac with a folder in OneDrive on my friend's computer and a folder on a Linux server that doesn't have either. Ha! I need the power.
Enter Syncthing at syncthing.net. Syncthing in simple terms is a private, secure, and free Dropbox limited only by the size of your hard drives.
Its only downfall is it has no iOS capabilities directly, although that doesn't stop me.
The Syncthing developers are very proud how Syncthing is very open, open, as in it is based on an open protocol, it is open source available on GitHub, open and active development, and open to discussion regarding that development.
Works on the Mac, Windows, Linux, several BSD flavors, and a couple others.
On the Mac there are two ways to install Syncthing.
You can download a binary installer, which turns a mostly command line app into what looks like a native Mac app.

[10:07] You can also install it using Homebrew, but it isn't very Mac-like.
I recommend the official binary installer found at GitHub.
It just makes life easier.

[10:19] Once installed, most people configure it using the admin GUI, which runs on a built-in web server that was installed and launched by Syncthing. You access it using any browser located on the computer on which Syncthing is installed. If you use the binary installer on the Mac, it is as easy as selecting open from the menu bar. You can also install it remotely, say on a Linux server like I did, using the command line. After installing, you make a couple configuration changes on the remote computer, primarily to give remote access to the admin GUI, after which you use a web browser to finish the configuration.
But when working on Macs, or for Windows I guess, the setup is mostly painless and obvious when you use the installer.
It is important that I point out, because Syncthing has a lot of options and ways of doing things, some people find it intimidating. However, the documentation is well written and provides all the answers you need to get up and running. I found that I could quickly get two Macs syncing with each other within 10-15 minutes using the basic configuration and very little reading of the docs.

[11:38] Because of the way it works, I didn't have to worry about IP addresses. Each computer is given a Syncthing ID which you use to connect the two, since part of Syncthing's protocols involves discovery servers and relay servers out there in the cloud, which makes connecting computers all over the place easy and, because everything is encrypted, secure. Once set up, it works just like Dropbox. If I do something on one computer, it is eventually changed on all the remotes.
Now, the keyword there you may have caught onto is eventually. Sometimes Syncthing isn't necessarily fast synchronizing. I truthfully haven't noticed it, but others sometimes complain about the speed. Apparently this is often due to someone incorrectly configuring Syncthing by messing around with things that ought not to be changed. But sometimes it is due to the way it moves data across a network. It encrypts and breaks the data up into blocks to transfer the data, sort of like BitTorrent, but it's not the same protocol, so no worries there. Ironically, because of the way it transfers data, the more computers you synchronize to,

[12:53] the faster each computer may be updated. Bonus. The data transfer method also means very large file transfers are not a problem.
As I said, I want the power and Syncthing does its best to give it to me with all kinds of options.
For example, I have Syncthing watch a directory that contains my active projects.
My projects mostly are Git repositories, but it can be a waste of space and bandwidth to synchronize the hidden .git directory, not to mention an occasional Git merge conflict.

[13:29] Syncthing allows one to exclude files and directories by name or even regular expressions per folder and per computer. That way, my local copy of a website under Git can synchronize with a website on a web server, but there it doesn't have those thousands of hidden Git files.
I have the power. I have been using Syncthing for several years with no issues and a lot of peace of mind that those things that I wanted synced are done so securely and without issues. As I have changed computers, added and removed folders to be synchronized, even replaced my main Mac after a catastrophic failure, I haven't lost any data that was synchronized. So if you want your own private and secure and free Dropbox-like experience, check out Syncthing.

Support The Show

https://podfeet.com/patreon


[14:25] I know I don't have the enthusiasm of expression of the real Allison, so I appreciate you bearing up with listening to me. By the way, services like eleven dot i cost money, and if you appreciate the work I did to help Allison out, maybe you could throw her a dollar by going to podfeet.com/patreon or to podfeet.com/paypal. Thanks, and let's get on with the show.
What's that time of the week again?

Security Bits — 5 March 2023

https://www.podfeet.com/blog/2023/03/sb-2023-03-05/


[14:48] Music.

[14:58] It's time for Security Bits with Bart Busschots. How's it going today, Bart?
It is going good today. I managed to, I set out with the aim of doing a two and a half hour cycle and I got home and it said two 30 31.
So I was by 31 seconds. That was pretty good estimate.
Nice. Nice. Nice. That's good. Yes. It's actually raining here again.
Oh, wow. I've been driving.

[15:24] We passed our annual rainfall in two months. Well, on the whole, given you've had a drought for like a decade, I guess that's good.
Yeah. Except for those poor people up in the mountains. There's people who haven't been dug out yet.
They've been stuck up there for weeks now.
Yeah. It's not great, but yeah. Okay. Yay, no drought. Yeah.
Well, we have an odd show today. So there's very, very, very little news, but there's actually two quite juicy deep dives. So basically two deep dives and then like three minutes and we're done. I think this show is going to go.
Okay, sounds good. So the first thing we definitely want to talk about since we spoke about it so much over the last couple of months is LastPass. And it feels like someone took the entire leadership team at LastPass and replaced them overnight with a whole new team of people.
Because this final breach report is so different to everything that's come before.
Different in a good way? Yeah. This is what I'm used to seeing.
Like this is an industry I work in day to day and this reads like what I'm used to reading.

[16:36] This is a normal document. This is what you would have thought would have happened when the first breach happened.
Yeah.
Yeah, exactly. This is how companies are supposed to respond to breaches.
This breach report has all of the things I'm used to seeing, all the usual euphemisms, and I've just realised there's one thing I should have put in my show notes that I didn't think of. Another thing that strikes me is...

[16:56] Even from day one their actual response was a lot better than their communication implied, because the very first thing they did right back in the middle of summer for the very first breach was they employed Mandiant, who are probably the best company in the world.
Did you have this kind of a whole so even when they weren't communicating with us they were doing the right thing from day one by getting someone like Mandiant to commit.
So that was good more of a comms problem than a procedural problem possibly. Possibly.
Yes, actually with hindsight now it looks like they, yeah, definitely comms.
And they admit that actually they say that in their own stuff that one of the biggest lessons learned is that they need to do better at comms and they do justify it by basically saying until we knew what we were talking about, we wanted to say as little as possible, but now in hindsight, we realized that wasn't a good idea.
It's like, yeah, you're dead right. It wasn't a good idea.

[17:47] So I am much more, I'm much less negative about the company than I was a week a week ago, which is interesting because they hadn't made me their friend.
But I like what I read mostly.
So we should say what they've done is they've released a lot of stuff. It took me...
An entire walk to read it all is how I judge these things. And only I read all of my stories on my morning walk on Sundays.
And today the only thing I got done on my walk and had to do all the other show notes when I got home, the only thing I got to read was what LastPass released.
Cause it was a blog post that linked to lots of other documents and I decided to read them all.
I did skim some of them because there's only so many hours in the day, but they released a blog post, which is linked in the show notes.
And that's the starting point. And read that, and it's not too long, and then it will jump out to all the different things and then jump to the ones you care about. I would very strongly suggest jumping to the one that says recommended actions if you are in fact still a customer.

[18:48] Because that one you definitely should do. The other ones that are interesting is they have a really detailed breakdown now, data field by data field, about what it is they're storing, whether or not it's encrypted, and a little description about what it is. That's fantastic to have that level of detail.
So you now know exactly what's in the structure. What is in your vault?
What is stored in your account? It's all there now.
And then if you really care, if you want to know what happened as well as what you should do about it, then you have detailed reports on the two security incidents.
So we now understand big picture wise what happened. So in the first incident, the attackers didn't really get anything of any value.
So they used existing vulnerabilities in other apps. So the key word in the industry is endpoint security.
In other words, they had people working from home and the computers, the PCs being used by the developers were not as well secure as they should be.
So that's your end point, right? And that's one of the things COVID made a lot more difficult is endpoint security. Because when you were working in industry, you would go into a place.
There would be lots and lots of computers. They would be managed to within an inch of their life.
You as the user could do almost nothing, right?
Right, right. How different is that to working from home?

[20:10] Right. Just a smidge. Just a smidge, right? Windows XP or something, right?
Exactly. So a whole big thing the industry is completely rethinking now is how to deal with what they call endpoint security.
And the answer is that you're going to end up running agents on your machines at home that are going to enforce a level. Basically, what the agent will do is it will check that everything's okay and only then allow you log into work resources.
So it's effectively an extra factor of authentication: the fact that your machine is not virus riddled.
And that's the answer to these things now.
But the thing is, that only happened in the last year or so.
So last summer, I can promise you there are many, many, many, many, many companies around the world who hadn't caught up with the new best practices.

[20:56] And so a lot of people would have been suffering from the same issue of endpoint security.
So one of their developers got some malware onto their computer at home, and that malware allowed a keylogger to be installed on the developer's machine, and that keylogger was able to listen in and basically learn secrets. And by learning the secrets, they were able to, get at the developer environment. So they couldn't access any real data in the summer.
The only thing they could do was to look under the hood at how developers work at LastPass.
And so they could see the source code, which may or may not have been interesting, depending on whether or not it was good source code.
But it gave them insight into how the company works, not actual user data.

[21:41] So hang on, but didn't they get the developer's credentials through the keylogger?
Longer? Right, but the developer's credentials to the development environment.

[21:52] Okay, okay. And not to, I thought, I thought they got the developers credentials to the S3 blob or something.
No, that's second time. That's, that's take two, right?
That's the second. Oh, sorry. Sorry. I'm reading ahead. You're too, you're slightly ahead.
I saw the first attack they got in and the first thing they engaged Mandiant and they destroyed the development environment.
They just blew it up and started over, which is again, exactly the right thing to do.
If you know bad guys have gotten in, it's almost impossible to clean up.
So what you do is you rebuild clean.
And so they did all of that. But of course you can't extract out of the brains of the attackers the knowledge they have learned about who makes up the teams, who reports to who, how, what's normal, what's not normal, right?
So what you have is an insight into how this place works. You have an insight into the human beings and that's what they leverage for the second attack. technical thing, a people thing.
And they were able to use the people knowledge to construct a very convincing phishing attack which allowed another set of malware to come onto another endpoint that wasn't as well protected as it should be.
And this time they got the developers credentials for the cloud storage that stores the backup.
Which meant that they could download backups. So that is the story of what happened.

[23:19] And it comes down to, I guess, sort of your lessons learned are you need to get better at endpoint security, but that's you and all of planet Earth, frankly.
That is just, that is, that is where we are today.

[23:29] The other thing that I would argue they were, they were behind and based on what they have promised to do, they are about to get very caught up.
But another thing that's become a new, five years ago, this wasn't a thing, but today this is a thing.
Everyone who has a large organization should be collecting all the logs, like far too many, logs, more logs than any human being could ever do anything with.
And you don't give those logs to a human being, you just feed those logs into an AI.
And that AI has been trained on normal.
And that AI will alert to your human beings whenever the AI sees something that the AI hasn't seen before. And so your security team is basically relieved of a whole bunch of drudgery, but you need to have the log collection working.
You need to have the AI trained, and then you need to have the professionals respond to the AI's alerts to actually do the investigations.
So that involves tooling resources. So it's money, people, and time is what that involves.
And that is where everyone in the industry is racing to get to, because that is now the new normal.
But again, there are more companies on planet Earth not at that ideal than at that ideal.
Now you could make the argument that someone in LastPass's business should not be on the tail end of the distribution.
They should be on the other tail end of the distribution, right?
But again, I think the impression I get is not of a company that was bad at security, but a company that didn't have enough resources to stay current.

[24:57] So they weren't, they were doing what was good two or three years ago.

[25:03] Okay, okay, which I think is a resource is saying I'm part of their business model is to give a lot of it away for free. Maybe they gave too much away for free.
There is, there is, that is certainly a thing, and there's also the fact that they were, they were at the time owned by venture capitalists, who would have put an awful lot of pressure on them to make returns, which means that investment in the future becomes heavily discouraged.
Whether that be explicit or implicit, the pressures on people are to make money, make money, make money.
So that's not a healthy environment for proactive security.
An environment where you're told to cut corners. So that doesn't help.
But basically there wasn't a clanger in there.
There wasn't a auga auga, someone was negligent, auga auga, someone did something blatantly bad.
This is just, this is how corporate IT is in most companies.
And these people should have been ahead of the curve, but they were just on the curve.
And so you can complain that they shouldn't have been on the curve, they should have been ahead of the curve, but okay. So all in all, that seems pretty good.
The other thing that I took away is that their descriptions of how they are responding to this made sense.
So they have made, they have made promises for the medium term and the short term and they both seem realistic.
So they're not promising the sun, moon and the stars. They're promising actually concrete deliverables that I would read and go, yeah, that you could, do that in six months. they seem sensible.

[26:26] So that again is a decent response. Where was all of this six months ago, three months ago, right?
Maybe this was going on and they weren't telling us.
Either way, now that they've actually shown us the plan, it's a good plan.
Well, I mean, you can't really say why didn't you instantly know all of the root causes to why you had a problem.
Correct. It's not really realistic.
Absolutely. Yeah. Yes, the issue is they communicated as if they were clueless.
Whereas they weren't clueless, they were just being silent. Okay.
They could have done better to give us the impression that they were on the ball as opposed giving us the impression that they were covering their you-know-what.

[27:07] Right, right. So the final thing I do just want to sort of say is that if you're, if you've made the move to 1Password and you're not hearing me say things that are at the very least not negative, whether I'm not going to say this is not a, this is not me saying they're brilliant.
This is me saying they're grand.
Like this is so much, I thought these people were terrible. They're actually grand, but I'm not saying they're brilliant.
And if you were sitting there going, yeah, I moved to 1Password.
That was a lot of hassle. Was I hasty? No, you weren't.
Because even if they do everything they promise and they do it on time, their fundamental architecture is still inferior to the one 1Password developed.

[27:45] Because while they're doing a lot of work to encourage you, both with carrots and sticks, to make your master password better, the entire security still rests on that master password.
And you can still type 12 terrible characters into a password and it will still work.
So the human is still far too involved here.
Whereas 1Password's architecture is built where the password is a second layer sitting on top of a foundation, which is a truly cryptographically random key you can't control and you can't mess up, which guarantees the security of your account and the password is a bonus on top of that.
Because those two are hashed together, right? Those two are hashed together. They both become part of the final key.
So that tells me I should make my password on 1Password just monkey.
No, because that's what I meant monkey one, two, three.
That's protecting you from something else. That's protecting you from a random person sitting down at your computer while you have your back turned. Okay.

[28:43] But it's not protecting you from a cloud breach. Your protection from the cloud breach is that really super strong key on your printed out recovery.

[28:51] Okay. And that is a fundamental difference between the two. And I know where I want my stuff to be.
I want it to be with 1Password.
The other thing I would say is that 1Password have a track record of not just being on the curve, 1Password have a track record of being ahead of the curve.
They are on the very, very front edge of this and they have been for a long time.
Even as the company was sold, they have retained their edge. They are like in the show notes later on is a news story linking to a video of them showing a preview of their passkey support.
Right. They are not trailing. You can use today.
You can actually use today. Oh, I missed that bit. Well, you can use passkey.
You can create a new 1Password account without a password.
I missed that this was already available. Oh, wow. I thought this was a preview of what's to come. Cool.
I thought that was you could already do it. Yeah. So back up a little bit.
One of the things that was problematic was that they didn't have enough passes through the PBKDF2. Yeah.
Yeah. Okay. So let me say that I get to PD and I run out of digits.
I have to mentally say it in my head. Question first.

[30:01] Let me ask my question first. So the problem was they didn't have people set to enough encryption passes.
And so for example, my vault was at 5,000.
Now they had started doing people at whatever it was, 50 or 100,000, but they didn't retroactively do it.
Now they said in this report that it's gonna be 600,000 and they're going to set it to 600,000 automatically for they're gonna retroactively change everybody's.
But if they lost your data when it was 5,000.
All of those passwords are vulnerable, right? Absolutely.
They're smart now, whether they're communicating well now or not, it doesn't change the fact that they lost that those data, that data is vulnerable.
Absolutely. Yes, absolutely correct. Right. So all you can do is make things better going forward.
You don't, they don't have a time machine.
They can't, they can't go back in time and undo past mistakes.
So absolutely everything they're doing now to encourage better master passwords, to everything they're doing now to make things better in the future.
Absolutely none of it provides any protection for the data that they have already lost.

[31:11] So let's talk about the backups themselves. One of the things you had said was that we didn't know the dates of the backups.
So the backups could have been maybe you had gotten changed to 100,000, but at some point in time, you were at 5000. When were those backups?
Do we know the answer to that now?
Yes-ish, kind of.
It turns out we actually can't really know the answer, and I should have realised that it wasn't so simple.
So I, in my mind, I was thinking a vault is a thing, right?
I was thinking of it as an atom, right?
There is a vault and they have taken a backup of your vault.
But actually what you see as your vault is a collection of different pieces of information stored on different media.
And the backup is of the infrastructure.
It's not a backup of your vault, it's a backup of the vault.

[32:02] I'm not catching the distinction mark. Okay. So what you think of as a vault is actually made up is not an atom.
It's a molecule and each of those molecules are sitting in different things.
Some of them are database records. Some of them are files in a bucket.
They're in different places. The parts of your vault are spread out across multiple systems. Okay.
And the backups are of the systems. So there is a backup of the database.
There is a backup of the stuff in the vault. So my data in the database is in the same backup with your data in the database.
And your data is spread across multiple things. So your data is sharded is the technical term.
So your vault is actually lots of pieces and those pieces are with other people's pieces.
And there are backups of all of these pieces of everyone's vault here.
And there are backups of all these other pieces over here. So the concept of a date for your backup doesn't even make sense because there are many dates for different pieces of your vault.

[32:57] Okay. But the question was, what was the number of passes when that backup was taken?
Right. But even then that doesn't help you very much because, okay, so let's say, let's even leave aside the fact that it's not atomic, which makes everything a hundred times more complicated, but let's pretend it doesn't do that. Even if it was just a file, there's still a second thing that I also should have grok'd, but didn't. So what is in the backups? Depends on two things.
The backup policy and the times that you edit it. So if the backup policy is retain the five most recent edits, then if you edit your vault once a year, then for you, if I steal the vault on a Thursday, it's five years ago is the worst backup I have kept for you.
But if I change my stuff every week, then for me it's only five weeks ago.

[33:49] So the backup policy plus your activity. Why wouldn't that be the case? That doesn't make any sense to me. They do a backup on a certain date.
Not necessarily. It depends on the backup policy. Backup policies are often on a per file level.
Right. If you, if you configure a backup policy on a backup server, you say, I need to keep these files. The last five versions of this file should be kept. Well, if that file is updated five times a day, then five versions back is a day's worth of backups. If that file is updated five times a year, that same policy means that some files in the backup are five years old and some files in the backup are five minutes old.
So knowing the date the backup was taken from plus the policy is still not enough to know the date of specific pieces of data because the question is, well, how often was it edited?

[34:35] Well, so does that mean that LastPass users still need to assume that every one of their passwords is vulnerable?
Absolutely. Yes. So that is the bill I bolded in the show notes.
Don't even try to figure this out.
The worst thing you ever did in your entire time as a LastPass user, the silliest password, the poorest configuration, assume that is what you have and act appropriately and then you cannot go wrong.
Let's take it off the user, the least amount of encryption passes that they had. Right, exactly.
That's what I mean. Like assume the worst case because there is that is actually the only safe assumption and then react appropriately, which I think means that, oh, who's it you had the wonderful interview at last time and chit chat across the pond.
Well, just Rod Simmons. Thank you, Rod. Perfect. Yeah. So this week.
Yes. It was very recent. Yes.
That was a, that was a lovely interview. I had a little chuckle to myself when I was reading the data fields and one of them was equivalent sites. I was like, huh, I know someone who's very fond of that feature.
Anyway. So yes, we have to assume the worst and react appropriately.

No, there is an advantage like no one only got into LastPass very recently.

[35:46] And so he was like less than a year.
So he probably had enough. I know he had a strong password and he had enough passes through because the default was a hundred thousand then. So whatever it was.
So that's, he's probably fine. He's at very low risk because again, it's the old analogy.
You don't have to outrun the bear. You have to outrun your neighbors.
So there is millions and millions of, You know they're going to sort it by that number. Absolutely they are.
Of course they are. So just don't be the most vulnerable and you're very safe because the reality is there's a glut in the market here of vaults to crack. So yeah.

[36:23] And even- Whereas Rod had been with them for 12 years. That's changing every single password.
Right. But the other thing to bear in mind is there are still two factors, right?
So the first factor is the passes, but your password is still your password.
So even if you had one pass and you had a really good password, you're still actually very safe because they're going to spend so many dollars of GPU power.
This is all done in the cloud now, right? The bad guys are doing an economics exercise.
They are basically saying I'm going to spend a maximum of X amount of dollars of compute power to try each vault.
And if your vault outlives its economic value, it will not be tried any further.
So if you could have the least amount of rounds but a really good password, they will try it because you're, you're, you're on the list of people who are potentially vulnerable.
They will try you, but if they don't break you within an economically viable amount of time, they'll move on to the next one because the chances are someone had open one, two, three as a password. Okay.

[37:18] Okay. So low number of passes with a good password would not be as economically viable as low number of passes with a monkey one, two, three password. Yeah.
So you will get basically if you have a high number of passes, you probably won't even get tested. won't even try you because they could just spend their money elsewhere.
But if you have a low number of passes, they will try, but they're not going to try forever because there's so many vaults to crack, right? They're going to have a configuration in their script that says after I have spent this much money, move on.
Someone else will have a worse password, move on. So you're not trying to be perfect unless you're someone like, if you are the president of Intel and they know you are because they have your email address, what they're going to throw, like the economic value of that vault is so different, right?
But again, remember that the bad guys are not, they're not doing it for ideological reasons. They are profit driven.

[38:13] And then actually you cost a lot of money to crack yours. Yeah.
You want to make it cost a lot of money for them to crack. Yeah.
And it also means that you can think about it in terms of am I worth it?
Right. And if I have a really strong password, then actually it's just not worth it.
It's not economically viable. and these people are thinking purely in terms of economics.

[38:31] That's really interesting. I can say, follow the money.
One thing we haven't mentioned in all this conversation going from LastPass to 1Password is that 1Password will honor the amount of time you had left on your contract with LastPass.
Clever. So if you were six months into a one-year subscription, they're going to honor that for the next six months.
That's, I mean, that doesn't cost them a lot of money, but it's very good PR.
So that is, that's thinking. Oh yeah.
Up there for thinking, you know, that's good going. Yeah, I think so. Just looking at my own show notes, something else I just thought it was worthy of sort of hanging my hat on here. So when I was interviewing for my new job, one of the things I spent a lot of time doing was reading the threat reports for the previous year. So what were the large cybersecurity companies reporting as having actually succeeded at attacking people. So what is it like out there in terms of the environment?
And over and over and over again, all of these reports had the same final paragraph, like the executive summary always had the same bit at the end.
Basic security hygiene protects from the vast majority of attacks.

[39:44] The basics are still the most important thing. So how did the bad guys get in here?
Vulnerable software. Not enough software updates. Not enough patchy patchy patch patch.
On end machines that were allowed to connect to a trusted system, but there was nothing verifying that they were fully patched before they were being allowed to connect.
In other words, no endpoint protection. Basically your equivalent of Microsoft Defender or whatever wasn't running on the machines.
Basic basic stuff. Once they were authenticated, they weren't being continuously re-challenged.
So the modern zero trust idea is that you constantly re-challenge for authentication and you make people prove they are who they say they are and you make people prove they are secure.
So again, the modern tooling wasn't quite deployed.

[40:26] And then the other thing is that you assume breach and you have monitoring in place to find the breach that you know must be happening.
So there's your lots of logs, lots of proactive monitoring of it and that kind of stuff. But these are just the basic.
And I say just. That last one is the thing that Rod talked about. I'm not sure he talked about it on my show, but he talked about it on some other ones was why didn't they notice that this particular user was downloading this giant file? Yes.
Yeah. And that is what the modern tooling will flag to you.

[40:56] Right. Right. So I see this stuff in action. That's an unusual blip. Bing, bing, bing.
And that should generate an alert as long as you know, anomalous user activity.
It'll probably have a stupid type like that, right? But that will in a modern system generate an alert.
And that alert, generally speaking, will actually have a diagram.
So the way these tools work these days is there's now a standard for these things.
It's called the attack framework, where the A is an at symbol.
I don't know why, but anyway it is. And there's actually a way of graphing these data.
So you actually see a picture representing the mailboxes, the files, the processes, the users, and how they're all connected to each other.
And the IP addresses involved. And so you'll be presented with an email that says, there's a new alert, blah title.
And it will give you a list of all the things that make up, that made it suspicious, and a graph showing how it's all connected. So this IP address was all of a sudden doing this, this, this, and this. And it will tell you, there will be a column called the attack story.
And it will tell you, this is the first time this user has ever connected to this SharePoint.
This user downloaded two gigs of data. Normal usage for this SharePoint is 500 megs a day.
This user has never before connected to this shared mailbox and they've just downloaded thousands of emails.
And so when you read that as a human being, you immediately go, oh, oh.
And then probably at the very, very bottom of the attack story is, there was a vulnerable version of VLC found on this computer.

[42:13] Then you go, ah, I see how this came to be.
These two things shouldn't be together. Yeah. And so that is the kind of tooling that's in use these days.
But again, you have to, you have to pay people to acquire, configure and operate these tools.

[42:30] So it's just resources, right? It's just resources, right?
So you need to have enough staff so that they have enough time to actually continue to learn, because what you need to know today is not what you needed to know a year ago.
So your security staff need to have 10, 20% of their time available for learning.
Your staff need to have another 10, 20% of their time available for review, re-evaluating the current architecture to refresh it.
So if you don't have enough people to do one and a half times the work, you don't have enough people.

[43:07] Oh, wow. Right. So I say just because it's not rocket science. It's just resources.
Just resources, that's all.
Because people like to think that these kind of big hacks happen because a really smart hacker has found a zero day and they've done some amazing nation-state level hackery.
No, it was a vulnerable version of VLC at an endpoint without antivirus.
That's it.

[43:32] It's really boring 99.9% of the time. So you can flip that around and say that the silver lining is that we know how to fix this.
You just have to put the resources into the basics.
Okay. So, you know. That's all. That's all.
Yeah. Just. Right. My most evil word on planet earth. So anyway, I think that covers the basics of where we are with the LastPass thing.
And did I miss anything? Yeah. Nope. That's what I wanted to know.
Cool. Deep Dive number two then is triggered by a story in the Wall Street Journal by the wonderful Joanna Stern that has gotten a lot of attention online for a very good reason because while this- Oh, I don't want this to be true.
I don't like this one. I don't want to hear it.
Actually, I think it's another one where the simple stuff protects you perfectly.
So, okay, fine. The backstory is there have been anecdotes and anecdotes are terrible because they can be easily dismissed and you don't really know what to make of them.
But there have been anecdotes about people swearing blind that they had a good iCloud password with multifactor authentication.
And when their phone was stolen, the attackers somehow managed to disable Find My and lock them out of their iCloud.
And there were anecdotes. And so people had two reactions to those anecdotes.
Either the zero tech reaction, these people must have reused passwords, or they must have really bad passwords.

[44:54] Or the other approach, the other people jumped to the conclusion that, oh my god, these attackers have like those GrayKey devices that only law enforcement could buy, they must be leet haxors.
But they were the two responses, either they have no tech or these bad guys are amazing, they're James Bond villain level of attackers. And now we know the truth, and it's way more banal.
It is neither of those things. So I remember this happening, it's probably about 10 years ago.
But Apple added a feature to make it easier to get back into your iCloud account when you inevitably forgot your password, that if you had a phone that was logged into iCloud, that phone had the power to reset your iCloud password.
That feature still exists today. You can go into your phone...
Because you're already logged in?
Because you're already logged in on a device that you have proven control of because you have it in your hand. So you can today go into your iPhone, go to Settings, click on the iCloud icon at the very, very, very top of the Settings page, and go and click Change Password, and you can change your password without knowing your current password. What you will be challenged for is the PIN or password to your phone, not the PIN or password to iCloud.

[46:05] So. So you're right. But it's always asking me for my password.
That's in the normal run of things, but you can change it there.
Right. So if you forget it, you can change it there.
So that means that the security of your iCloud account rests on the security of your physical iPhone.
So the way this has been working is that people, the attackers have been working in gangs.
So they go to a busy nightclub and some of them are just shoulder surfing.
They are watching people use their phones and when they see someone enter a four digit pin into an iPhone, they memorize it and then they steal the iPhone later.
That person there in the blonde, we know their pin code, you can nick their iPhone.
And they're just working as a team, floating around a room, shoulder surfing, targeting people for theft.
So then they have the physical phone and they know the passcode.
So all they do is they log in, they change the password, and then they disable FindMy.
And if they can do that within five minutes, which is quite easy to do, they have probably locked you out before you know your phone is gone.

[47:13] And so you say five minutes because at that point you realize your phone is gone, you would go to another device to try to lock it out?
Yeah. I mean, how quick can you type? I mean, you could probably do it in less than five minutes.
I've been very generous there. If you've practiced this and you know all the strokes, you can probably take a phone, tap, tap, tap, tap, tap, tap, tap, tap, for tap and get through the whole process in a minute.
Right.
If you, if you're the kind of attacker who's gone to the effort of learning this, you can probably do it in a minute.
But my point is you can, very quickly, they disable, they disable.
They find my two things. So the first step in the attack is to change your iCloud passwords.
They now have your iCloud password, but you don't. Then they disable find my.

[47:53] Okay. And disabling find my is what disables your ability to declare it stolen?
Yeah, because they have basically stolen.
That's where the somebody stole my devices. Yes. Okay. Yes. So they basically get to pretend to be you.
Therefore all of the usual theft protections are now gone because they have your ID password, because they just changed it.
So then they are now the owner of the phone effectively, as opposed to the, to the loser of the phone.
And a side effect, because they don't care about this, right?
They're interested in your phone, which they're going to sell, because it is now an unlocked phone, that can be sold because it can now be assigned to a new Apple ID, because it is not activation locked anymore. So they have what they want, but as a side effect, to get it, they had to lock you out of your iCloud account. So all of your photos, all of your contacts, all of your calendars, if you're using iCloud for your email, all of your email, you've been locked out of that too. And you may or may not get that back. You possibly can, if you post a scanned copy of your passport to Apple and stuff, I'm sure you can eventually recover.
But this is not a minor inconvenience. This is a pretty major inconvenience. Everything. Yeah.
So the lesson is don't think of the pin on your iPhone as being a small matter.

[49:11] The PIN on your iPhone is really bloody important. And so I very, very strongly recommend you follow the advice that ZDNet and many others are giving.
Change to an alphanumeric because you don't actually have to type it in very often anymore because with biometrics, the biometric will do it for you automatically until either your face, triggers, you know, either you failed a few times because you weren't really looking at your phone and it fired anyway, or because you're wearing a mask or something. So you might have to enter it it once or twice a week and I think every five days they make you enter it just to prove you're still about. But other than that, you don't really have to enter your passcode very often anymore. So if it is an eight character...
I have to enter my passcode daily. At least daily. If not a couple times a day. Something happens that causes that.
Maybe you leave it at a stand where it constantly thinks you're looking at it and then fails a face ID because if it does that three times that'll lock you out.
That it's like I just know I don't know it just fails.

[50:10] OK. Well, my experience is it does that very rarely. Sometimes it will do it when I leave it on my charge stand and it's looking at me, but I'm not looking at it.
And then it's failing to do Face ID and then it's go, I'm not sure about you anymore.
Do you want to just prove yourself to me again? But you don't have to set a password that's 50 kibillion lines long.
Right. What you want to happen is that when they ask you for the passcode, you get a keyboard, not a giant big number pad.
So immediately shoulder surfing has just gotten way harder.
And then you want it to be six, seven, eight characters. Like really, how hard is the shoulder surf?
It really doesn't have to be huge because at the end of the day, I would also recommend you turn on the setting that says wipe my device after 10 failed tries, so that protects you from the old fashioned I've stolen your phone and I'm just going to have a go.
So you can't be shoulder surfed because you now have this tiny little keyboard and at least six characters to type in. So that makes shoulder surfing all but impossible.
And again, this is a gang operating in a nightclub with thousands of people.
You don't need it to be impossible to get in. You just need to not be the easiest to attack.
Right. We're back to the whole economics of it. Right.
So don't be the person. The other thing is, I think John Gruber's response was, do you remember when you first got your first ATM card, how you covered that pin pad?
Treat your phone the same.
So that people don't show up.

[51:32] And that's all you have to do. So you don't need to panic. Right.
This, and to me, this is really good because that mystery of those anecdotes has been niggling at me.
Each anecdote on its own is dismissible and each anecdote on its own is impossible to make an inference from.
But there have been a lot of these anecdotes and I've felt a bit uncomfortable that there's a shoe here.
Is it going to hit me on the head? And now we understand where those anecdotes were coming from.
So on the whole, this is a good warning. we can action. So I don't see this as a bad news story.

[52:06] I guess so, except I didn't want to change my passcode. That's all I was complaining about.
There is another trick. So Cult of Mac and a few other places have recommended this.
Parental controls is a different password.
So if you enable parental controls on your own phone, you can't get into the iCloud settings, with just the phone's pin.
You need the phone's pin plus this other password. So this other password is never going to be shoulder surfed because you don't enter it in the normal flow of things. So it can be 111111. Oh, that's funny. That's funny.
What else do you lose when you turn on parental controls? I think you're going to end up having to type the stupid password sometimes.
So if you make it 11111111, it won't get in your way a lot, but you don't do that normally.
So it can't be shoulder surfed because you don't type it in.
So it can be stupid, right?
It can be a stupid password. It just has to be not the same as your pin. That's interesting.
So it's an interesting hack. Unlock with Apple Watch. If you had your Apple Watch on and they grabbed your phone, they could unlock it right while they were near you.
But that won't let them change your password because as soon as you go to iCloud to go, change my password, you have to enter the PIN.

[53:21] Oh, that's right. They do need to know what it is. They do need to know what it is.
They always have to know what it is. So the shoulder surfing step is required.
So again, good hygiene. Cover up your screen when you're putting in your passcode and have a passcode that's hard to shoulder surf. Even if you turn on alphanumeric and just make it be 11111B, right? Even that makes you way harder to get than regular folk with a four digit passcode, right? Just have the keyboard appear is so is such protection.

[53:54] The thing I think I've said this about 85 times, I'm going to say it again, is I've always thought about at our gym, they got rid of the locks where you could put your own lock on. And they put in this thing where you set these four digits. And so when people go up to their lock, they unlock it, they put in the four digits, they don't, a lot of them don't scramble it afterwards, because they've just gotten into the lock. And I guarantee you that that's their ATM code.
Probably. And it's their iPhone code, right? Right, which are both in there.
So if you shoulder surf them, you get into the thing and then the chances are the same digits are going to get you into all the other things you're doing right.
And their ATM card is in their wallet. Yeah. So you've got, you've got their bank and everything.
Um, one thing I don't know that this is a fact, but on MacBreak Weekly, when, uh, Leo and the gang were talking about this, uh, Joanna Stern's article and what happened, Leo kept saying over and over again, this is also true of Android.
It is also true of Android. I have heard that from reputable sources that are not Leo Laporte, but are security publications.
Not that he's not disreputable.
No, no, he's not an expert in the field, right? Additionally, yeah.
Yeah. Yeah. I mean, Leo is well-meaning and often right, but he's not a cybersecurity expert.
Right. So yeah, no, he is unfortunately right.
And the reason is very simple. Before this feature was added, the amount of people who were opening support calls because they were locked out of their iCloud was huge.
And this, this made Apple's life massively easier and frankly, also the users.

[55:23] This is one of those features that on balance is a good thing, but the downside is we need to be careful of our pins.

[55:29] So you don't think Apple's going to undo it after all this publicity?
They might tweak it a bit.
They might make it opt in or no, they might make it opt out of.

[55:40] So they're not going to get rid of it. Okay. Cause this would lose all value if it was opt-in.
Right, because the people who need this kind of help are the people who will never go in to find that setting. But you can make it opt-outable, that's easy.
And maybe you can have an option where you have to have like a different reset code or something. But I think just making it opt-outable is all you need to do because if you have a legacy contact, I'm perfectly happy with my legacy contact set up to turn this feature off.
If there was a switch, I would have pushed it.
So if Apple's response is to make this an opt-outable feature, I'm done.
I'll just go in, I'll opt out and that'll be that.
And I will. Yeah. Yeah. So yeah.
Right. I think that covers us off on that one. So that gets us into our normal service, which like I say, there wasn't a lot of normal service, but it's not zero.
I just have a few things to say. So worthy warnings is where we start.

[56:31] This was enough. This was enough filing to the Securities and Exchange Commission.
So when we talked about bad communication, GoDaddy deserve so much shouting at for doing a security notification to a federal regulator of their finances.
That's how important they think cybersecurity is, they put it in their SEC file because that might affect their earnings.
Oh, but not to users? Not to users. Like we found out about it because it was in a regulatory filing about their stock price.
Oh, wow.
They have had people in their system for years with the ability to inject malware into people's hosted websites.

[57:12] Wow. That is earth shattering. So they had the, they were injecting malware into people's hosted websites for years and GoDaddy's response.
You said you're saying years, but the article you linked to says it happened in December of 2022.
Oh, I read 2021 somewhere. Apologies.
It says in December 2022, an unauthorized third party gained access to and installed malware on our cPanel hosting servers.
I am delighted to have misread that date. I read 2021. Okay, good.
Phew. Well, no, I'm sorry. Almost everything I said holds.
The appropriate venue for this kind of disclosure is not an SEC filing because your worry should not be your stock price.
Your first concern should be your users. Your secondary concern should be your stock price.
Right, because your reputation is what drives your stock price.
Yeah, it's just, oh my God.
So if you're a GoDaddy user, definitely read this article.

[58:13] There are many great cloud providers. I shall say no more.
Also on the worthy warnings category, so this is sort of more anecdotes than anything else.
So we keep saying SMS is a very poor second factor.
We now have reports based on someone infiltrating cybercrime Telegram channels, Telegram groups.
There are at least 100 separate data breaches into T-Mobile which were used to power SIM swapping as a service cybercrime operations.
So at least 100 times they managed to steal credentials for the back office systems that power T-Mobile.
In other words, the system where you go in to change the SIM card associated with a phone number.
In other words, SIM swap portal. So this is why we say that SMS is not secure.
Hundred times in 2022, hundred separate successful attacks.
The other thing to say is there's a lot of people now starting to rethink their password managers and stuff.

[59:16] So some security researchers went looking to see are there malicious apps in the Google Play and Apple app stores, or at least grayware apps trying to cash in on this new found interest in password security? The answer is yes, there are. There are apps promising to be your second factor, your code generator apps.
The best case scenario is they charge you like $40 a month recurring stupid subscriptions, so they're just milking you.
Worst case, one or two of them have been found sending copies of the private key behind the two-factor authentication to the developer's GitHub account.

[59:53] So what are we going to do about that? I presume report the apps, but I think basically do not download a security app that does not have a reputation and has come recommended to you from somewhere.

[1:00:05] Okay. And then just a timely reminder seem to be just the thing of the week.
So there is another random piece of Mac malware that is not news.
The reason I put in the show notes is because how is it spreading?
Pirated copies of Final Cut Pro.
So, don't pirate software, it's not free, it's infested.
So that jumps us onto notable news then. So Facebook have joined the club of having paid for verification.
I don't think they've done a bad job. So the first thing to say, so we talked with the Twitter one about what does it mean to be verified.
In this case what it means is that you must provide government ID.
So when Facebook give you a tick mark, they're not just asserting that you own the account, they're asserting that you are the human being you assert to be because they need government ID. So this is strong authentication.
This is actually this verification means something.
They are also offering you identity protection.
So if you prove that you really are Allison Sheridan, then if anyone else tries to sign up to pretend to be Allison Sheridan, you can use your you basically get premium support.
You can basically flag it under premium support and they will take the person down because they know you are the real Allison Sheridan. So they will protect your reputation proactively because they have verified you really are you.

[1:01:28] And that's all for the low, low sum of? 11.99 per month or a little bit more if you sign up on iOS.
So Twitter Blue is a better deal.
Doesn't give you anything of any value. I would say the people who I would recommend this for are influencers.
They are people whose financial wellbeing rests on their social media accounts.
If you make your living off social media, this is a pittance.
If you're making three, four thousand dollars a month on social media, This is a pittance and it will protect your identity and your brand.
This is a really good idea if you're a professional social media person, which is a thing now. It's a career. You can be an influencer. It's a job.

[1:02:08] So it's good for those people. Another thing that caught my eye is that someone has built a little tool that will scan for AirTags. So you can literally use this tool to see is there an AirTag hiding here because basically they're all emitting RF, right?
So of course you can scan for them with RF. So someone has...
That's kind of fun. Yeah. So I think that's cool.
And I'm hoping law enforcement buy a cabillion of these because it's a really useful tool. Holy cow is it ugly.
Oh yeah. It's a very utilitarian device.
That is revolting. It's beige with a baby blue rim around it.
It's got red, it's got green, it's got black, it's got yellow and that baby blue and words everywhere and an Apple logo.
Well, they're not going to be allowed to do that. Probably not, but yeah, so anyway, I think it's good to see this kind of thing coming and hopefully a more tasteful one comes out, but I want law enforcement to have these kind of things so they can just, if someone comes, I think I'm being stalked by my ex-husband, that law enforcement have the tools to actually genuinely put you at ease.
And I'm really, really, really hoping someone builds a scanner like this for those stealth tiles we talked about last time.

[1:03:17] Right, right, right. And then this is a bit nerdy in some ways, but I thought it was worth noticing. So since 9/11 the American government have had an official cyber security strategy, and every couple years they update the strategy, which is why.
And the new strategy is just coming under two important things that caught my eye in the strategy. So the first thing is that:
The administration would like to work with Congress and industry to remove the ability for software companies and cloud services providers to give blanket immunity to themselves in their terms and conditions.
So when you open a software license, they all say, and we completely indemnify Microsoft from all harm that could come from using this software.
They all say that because that is currently legal. What they're saying is we should move away from that to a model where there is a baseline that every company should do and if you meet the baseline you get safe harbor.
So if you're not being negligent you still have blanket protection but you have to earn that blanket protection by doing the bare minimum. And so they now want to enter into the process of figuring out what is a reasonable bare minimum.
And then you end up basically with the equivalent, like with copyright protection, you have to respond to takedown notices and then you get safe harbor.
In this case you have to do certain baseline security stuff and then you get safe harbor.
Seems like a sensible approach to me.

[1:04:38] Yeah, I know I read a lot of the terms and conditions that people make you sign and one of my favorite was a horseback riding thing where it said, you know, no matter what happens to you, including death, it's not our fault even if we were negligent.
Yeah. And I talked to a lawyer about that and they said, yeah, they can write that.
Yeah. Even if we are negligent, it is not going to stand up very well in court.
No, no, it turns out not so much. But yeah.
And then the other thing that caught my eye is that the official assessment of the US government is no longer that the biggest threat to both public sector and private sector cyber infrastructure in America is not Russia anymore.
Is China.
So the biggest threat actor is China. It's neither yay nor nay.
It's thing, right? Fact.

[1:05:24] Yeah. So it's just a changing scenario. China is well resourced. Russia's busy.
Yeah, frankly, yes. Ended up becoming soldiers, probably all those script kiddies.
Right. And their economy is crashing around them in a heap.

[1:05:37] They don't want to be in. Yeah. Yeah, exactly.
So sorry, but China is on the ascendancy with a lot of resources, and they're quite interested in industrial espionage and espionage espionage. They're interested in a lot of it and they're good at it, so yeah, I'm not surprised this is the number one threat. But it's official: the biggest threat to America is China in terms of cyber security. And then we've already mentioned the nice preview of the passkeys support in 1Password, which just rocks. Yeah, now I might be wrong by the way about that already being available to create an account without a password.
I thought the future tense was used. I saw it quite a while ago.
I thought the future tense was used, but either way, whether this is now or shortly, or whether it's in beta and that it's that we're both right, that it is available, but not universal.
Either way, this this looks real good. And it's a nice video too. It's I like it.

[1:06:30] So that brings us on to palate cleansing. So the first one I have is what I immediately thought of you, Allison. The moment this happened I thought of you.
So I have been working very hard to minimise the amount of news I'm exposed to so I'm not living in a sea of negativity. But I don't want to be ignorant.
So I've settled on a half hour or twice a day from the BBC World Service with the World News. And I've been tolerating that. But they have just done something to cheer me up every weekend. They have decided that on Saturdays one of their two daily shows is going to be dedicated 100% to good news.

[1:07:08] Oh, I love it. I love it. So they used to do this once a year on Christmas Day, so they didn't have to work on Christmas Day.
And now they have made it a weekly feature.
And it is, like today's was the first one.
It was so nice. An entire half hour of good news from all over the world.
Every week. I love it.

[1:07:28] So because they never tell us that stuff and there's a lot of good news. There really is.
Oh, it was so nice. It was genuinely, yeah, it was just such a good idea.
And as soon as I heard of it, I thought about you and you're getting so cranky about bad news, bad news, bad news.
So here you go. Once a week, a dedicated episode of nothing but good news.
So BBC World Service.
So then you have a picture. So I've got one.
Yeah. So the magic of the influencer, if you will, CGP Grey, and when he does his videos, is he takes a topic that you probably think you know something about and you realize you don't know anything about it.
Like one of them, once he did, was on the border between the US and Canada.
I know exactly what that looks like. It's a smooth arc that goes from one side of our country to the other, and it divides the two countries, and it's perfectly normal. How hard can it be?
And it is ridiculously complicated, and it's hilarious because the deeper he goes, or if you think you understand the United Kingdom, no, you don't, because he takes it to an absurd level of every bit of it.
Well, he did one on the simple secrets of runway digits, I got this from Barry Falk, but you told me that you had just told me about it recently.
Yeah. I don't remember. So do you remember last time you picked the AI one and I said, and by the way, he's just done one on runways, it rocks.

[1:08:43] Oh, okay, okay. So basically it starts with, there's runway numbers. You see a runway, it'll have like an eight on it. What does that mean? And I sent this to a bunch of my friends and including Steve and Steve said, well, that's the direction, you know, the compass direction. I say, yeah, but it's more complicated. Yeah, but yeah, but it isn't.
And it's like, it's 30, no, it's 18 minutes long and it gets deeper. You end up diving down into iron molecules to understand why the runways are numbered the way they are.
It's hilarious. It's really, really good. I enjoyed it quite a bit.

[1:09:17] Yeah. So I love that video and I'm also like Alistair, I'm a bit of an aviation geek.
So one of the things I love to do when the wind is from the Northeast is my cycle takes me towards the airport.
So air traffic control is public. The whole point is it's supposed to be public so that everyone knows what every airplane is doing, right?
So there's a community of people that are volunteers and they run like little Raspberry Pis and they have little radio receivers connected to the internet and they publish on a website and an iPhone app the live feed of air traffic control.
So when you're near an airport you can tune into air traffic control on your iPhone and you can hear what's being said while you're watching the airplanes overhead.
So I'd like to play a little game where I try to see if I can recognise the airline, how my eyesight is doing before I hear the pilot in my ears, because I'll hear the pilot announce themselves as Shamrock 123 or whatever it means, Aer Lingus, and I'll try to guess what they're going to announce before they announce it.
And then if you really want to learn how this stuff works, right, you can listen.
There's a great app called Flightradar24 that shows you the airplane.
So you can listen in to what's happening and you can actually watch the stack of airplanes and then you can see how logical air traffic control is.
It's English, but it's so meaningful. It's like a little protocol.
It's almost like negotiating a connection over TCP or something.
Because the first word has to be the word hello.

[1:10:40] Klaus just did a review of Flightradar24 for the show. Brilliant. There we go. So this is so much synergy here.

[1:10:49] So I was thinking about this just the other day because Dublin opened the new runway.
So for years and years and years and years and years, there was one major runway in Dublin.
It was runway 10 because it points east.
And so for years I would have listened into, you know, runway, established runway 10, whatever.
And now there's two and they're parallel.
So now we have runway 10 right and runway 10 left. And so I'm still listening into network control and for the first time ever, I was there while they were using the new runway.
And so these controllers have obviously been working in Dublin for decades and there only was one runway.
So they have learned in their mind.
The last thing you say to an airplane when you've when it's landed is you basically tell it who to go talk to in the ground controllers.
And this has been the same in Dublin for so long that I think the air traffic controllers see it as one word. So the word is contact ground 121 decimal 8 goodbye.
But they see that as like a single atom. If you land on the new runway, it's one two five decimal eight.
Not one two one decimal eight. 100% of the time when I was listening, I heard them say contact ground 121 correction, contact ground 125 decimal 8. Every. Single. Time. That runway's been in use for 5 months. Human factors are a thing!

[1:12:11] Anyway, two bonus picks and a little bit of trivia around Dublin Airport.
The other thing of course is that Dublin Airport at the moment is being...
I was at the airport the day before and there were no airplanes in the sky.
And I was so disappointed because I'm finally going to see the new runway in use and there were no airplanes.
Came home. All flights in Dublin Airport grounded due to drone activity.
Some gumbin flew a drone close to the airport. And Dublin Airport have drone detection devices, but they don't yet have drone disabling devices.
So they know every time a drone is launched and they can't do anything about it, so they have to shut the airport every time some idiot launches a drone.
Ugh. Anyway, so there we are.

[1:12:58] Well, we managed to milk that for almost an hour Bart. Well, as the listeners know, your poor voice needs a rest, so there we go.
Free content and hopefully people enjoyed it. I did. Thanks Bart. Excellent.
Alright folks, until next time, stay patched, so you stay secure.
That's going to wind this up for this week. Did you know you can email me at allison at podfeet.com anytime you like?
If you have a question or a suggestion just send it on over.
You can follow me on Mastodon at podfeet at chaos.social.
Remember everything good starts with podfeet.com. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all of the other lovely NosillaCastaways.
You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal.
And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.

[1:14:01] Music.