2021, Allison Sheridan
NosillaCast Apple Podcast



[0:00] Music.

[0:17] So, yesterday I picked up a microphone and I recorded the very first episode of the NosillaCast.
I'm very proud of the work I've done here, but you know what, I don't take full credit for keeping the show going with fresh episodes every single week.
I absolutely could not do this without the support of Steve.
He does nearly every chore around the house, which leaves me free to write the shows, record the shows, be on other people's shows, basically keeps the podcast going.
And of course, where would the shows be without Bart Busschots?
From security bits to taming the terminal to programming by stealth, he provides not just content, but he's a wonderful human being that I really feel honored to get to hang out with every couple of weeks.
We have so much fun together.
Without Bart and Alistair taking the reins while I'm gallivanting around the world, the streak would not have continued either.
And I couldn't do it without all of the NosillaCastaways who provide reviews for the show, that lower my workload when things get tight, you know, like when I want to go play with the grandkids.
Now, I'm not sure I would have kept going all this time if it wasn't for the live show listeners. They make it ever so much more fun to create the shows.
They're giving me a hard time right now sending pictures of sausage because we call it watching the sausage get made.
But you know, I know they'd throttle me if I missed a week, so I know that they're important to keeping this show going.
And if you're listening, thank you so much for staying subscribed.
All right, enough pats on the back. Let's get into the show.

Allison and Steve on Kilowatt Podcast

[1:40] This week, Steve and I both joined Bodie Grimm on his awesome Kilowatt podcast.
We got into a fascinating discussion on the use of deepfakes as a legal defense strategy, including their application by Tesla's legal team.
Check out Kilowatt in your podcatcher of choice, because it's a great podcast about EV news done by one of the most self-deprecating and hilarious people I've ever met in my life.
We both love Bodie and we had a blast with him, so follow the link in the show notes, but you can just look for Kilowatt Podcast in your podcatcher of choice.

CCATP #767 – Bart Busschots on PBS 150 of X – Bash Script Plumbing (Take Two)

[2:12] When Bart and I recorded Programming by Stealth 150 all about bash script terminal plumbing, neither of us was actually happy with what we did. I got very confused in the middle, and I mean way more confused than usual, and Bart decided that his original strategy might have been flawed, in which he assumed everyone had heard the Taming the Terminal podcast and remembered everything he taught more than four years ago. So he went back and he completely rewrote the show notes for PBS 150, and we re-recorded the entire episode. I gotta tell you, it was ever so much more fun, and I really understood what he was teaching this time through, not because I'd heard it twice, but because the show notes are that much better, and the explanations were very sequential, and he gave us the first principles. Like, when he does that, those are the ones that really work well. Now, he also realized after we recorded the first time that there was a bit of information he hadn't taught us, which was crucial to being able to complete the challenge that he had set for us. If you understood PBS 150 the first time through, and you want to jump right to the new part in the new recording, I put a chapter mark in the audio file that will take you right to where he explains /dev/tty. We're really proud to have done this a second time because we're both of the same mind that we need to stay committed to the quality of what we're creating here, both for the current listeners and for the future listeners. So if you look in your podcatcher of choice for Chit Chat Across the Pond 767.

[3:40] Or Programming by Stealth 150, you will find that the entire episode exists a second time, and it's called Take Two This Time Through. With any luck, if you delete the first one, it'll never come back. But if you want to keep it, I don't know, like as a collector's item or something like that, you certainly could.

Dramatically More Engagement on Mastodon vs. Twitter

[3:58] If you're a happy Twitter user, I have no intention of trying to make you sad about that.
At the same time, I'd like to tell you why Mastodon is so much more fun for me.
I'm sure this is going to shock you, but I'm someone who loves conversation. I know there's a lot of people who just like to lurk and enjoy the contributions of others, but I simply have to contribute to the conversation, and I want other people to react in some way to the things I post. Mastodon sounds mysterious, but it absolutely is not. I use it exactly the way I use Twitter, but I'm getting so much more out of it. Let me explain by example. On Twitter, I have 3,673 followers. Let's call that roughly 4,000. Now that's not Taylor Swift kind of numbers, but that's a whole lot of people who could potentially read and enjoy the drivel I post online. On Mastodon, I have only 680 followers, which is less than 20% the number of Twitter followers I have. To put that another way, my reach should be 5 times more on Twitter than on Mastodon.
Well, a couple of weeks ago, I wrote an article about the app PopFrame that allows you to add bezel frames to iPhone screenshots. You probably remember it. I sent the exact same post out on both Twitter and Mastodon. Here's what I wrote.
I think iPhone screenshots look silly without the frame around them, but it's too hard to add it, until PopFrame. And then I put the title of the post, make your iPhone screenshot stand out with PopFrame, and a link to the post.

[5:26] Both services expanded the blog URL nicely to show my pretty featured image. The only difference between the two posts was that on Twitter I tagged the developer Rameek and his PopFrame account. Rameek doesn't appear to have a presence yet on Mastodon.
I watched the post for 7 days on both services to track engagement, and the results are in.
On Twitter, the post received zero comments. None, nada, nothing.
On Mastodon, the same post about PopFrame received seven comments.
Now let's look at likes and reposts. On Mastodon, my post about PopFrame got 17 reposts and 23 likes.
That's great, but on Twitter, it only got two of each.
And one of the accounts that liked and reposted it was the PopFrame account itself.
So other than the developer, only one person retweeted it.
So think about that. This article got one-eighth as many reposts on an account with five times as many followers.
That's a factor of 40 on engagement per follower on Mastodon versus Twitter.
In just two hours, a photo of my cat got seven times as many likes on Mastodon as my article about PopFrame did on Twitter in a whole week.

[6:40] Sure, of course, my cat is lovely, but it wasn't even Caturday. It was on a Tuesday.
In 12 hours, it had 14 likes.
I've been trying to figure out why I'm getting so much more traction on Mastodon than I've ever gotten on Twitter, and I have a few ideas.
The first thing I was thinking about was that now that I can't use a third-party Twitter client myself and I have to use the official Twitter app or log into the website, I have a lot of trouble finding the content from the people I follow.
Perhaps the algorithm simply doesn't surface my content to my nearly 4,000 followers on Twitter.
Now, the second thing is, it's very possible that the vast majority of my followers on Twitter are actually just bots.
Maybe they aren't real people.
Or maybe the followers I have on Twitter aren't really there anymore because they perceive it as being more toxic.

[7:29] Like I said up front, if you're still enjoying Twitter or you want less engagement with your followers, good on you.
But if you're looking for folks a lot more excited to engage with each other, and with way less rage, I highly suggest you check out Mastodon.
There are tons of beginner how-to's out there now, like the one from Mozilla that I linked to in the show notes, and they've made picking a server way easier now.
That was one of the big hangups a lot of people had. You basically, when you go to sign up, you get two choices.
They say, here's one of the main ones, or choose one of your own.
So if you just pick the main one you're offered, you can go in and start having fun.
Look for me, look for the people I follow, and start poking follow, follow, follow on those, and you'll start to find people who are really, really interesting.
And I just, I don't know, I find it great. I'm getting so much more fun out of Mastodon today than I do from Twitter.

Make Your Mac’s Keyboard Klack like a Mechanical Keyboard

[8:21] Every once in a while, you come across a tech product that has zero value, but it just makes you smile. This week, I paid $4 for a macOS menu bar app called KLACK. It's spelled K-L-A-C-K.
KLACK's entire job is to make your normal keyboard sound like a mechanical keyboard.
It simulates mechanical switches, and it's awesome! You can customize which switch you'd like to simulate, choosing between the Everglide's Crystal Purple or Oreo switches, or Cream from NovelKeys.
You can change the volume of the keys between soft, balanced and loud.
That's literally it. I don't know why, but this makes me really happy.
I used Audio Hijack to capture the sounds of the keyboard as I typed out the classic typing class phrase, now is the time for all good women to come to the aid of their country.
Let's listen to all three of them.
This is the Crystal Purple Switches. This is the Crystal Purple Switches.

[9:26] Well, that's pretty fun, but it has a little too much complexity to it for my taste.
There's a lot happening with each keystroke. You can hear the switches moving around.
This is the Oreo Switches.
Well, I'm kind of liking that a little bit better. Oreo is a lot less complex sound, but the fact that the spacebar makes a different sound really kind of distracts my brain.
Let's listen to the final one.
This is the Cream switches. So I really like the high, clear clicks of that Oreo keyboard switches, and the spacebar isn't very different in sound from any of the other keys.
The good news, though, is that each of us can choose the keyboard we like best.
I'm going to stick with Oreo, but you can try the other ones if you like.

[10:28] Now, if you really like Klack, but sometimes it's not appropriate to make so much noise, you can toggle Klack off with a keyboard shortcut defined in settings. I've started to use that a lot because, you know, doing a podcast, maybe it's not the best idea to have it going in the background. Now, by default, the shortcut is set to Option Command K, but you can change it to something else if you like.
Now, the developer says that Klack has a high fidelity sound and even immersive spatial audio. I don't know about immersive spatial audio, but sure. Now, I hadn't noticed this until I read it on the website, but the keys actually make a different sound going down as they do going up. How fun is that? By the way, Klack is a native app created in Swift. Klack seems like something people with visual impairments might like because, well, turns out they like everything everyone else likes, right? I ran Klack through my usual tests and I was able to interact with the menu bar app without any difficulties changing the volume and keyboard options. However, settings for Klack wouldn't let me navigate to the different options. I dropped a note to the developer and I expect they'll get it sorted. There's not that much in settings anyway, so you can definitely use Klack until it's sorted.

[11:43] I know making your quiet keyboard artificially make noise is a silly thing to enjoy, but I really am enjoying it. If you've priced out mechanical keyboards, $4 might sound like a very reasonable price to get you at least a small part of the joy of a mechanical keyboard even if you can't feel it.

[11:59] Now, to prove that I'm not the only one who thinks this is fun, this is what Bill Reveal wrote in our Slack shortly after I posted about Klack.
"'You are so evil. Just spent my money to get it and I'm sitting here just loving the idiocy of hearing my Macbook clickety-clack away.
It will drive me crazy every so often, but it also lets me know I've actually typed something, which is a good thing.
Even this post is making me giggle with the sounds of a mechanical keyboard.
I swear, my keyboard even feels better.'" So proof, Bill Reveal gives it his sign of approval.
You can buy Klack in the Mac App Store or at

RTINGS Helped Me Find the Ultimate Ears WONDERBOOM 3 Waterproof Bluetooth Speaker

[12:36] A little more than a year ago, I told you about ShowerPower from Ampere, which is a hydro-powered Bluetooth shower speaker.
We bought ShowerPower through Kickstarter in October of 2020, and as often happens with crowdfunded efforts, it took forever to get the device, you know, where forever is defined as about a year and a half.
I guess we should count ourselves lucky that we got it at all because not everybody gets what they thought they were going to get when they do these crowdfunded operations.
So ShowerPower is a device that you put between the shower head and the pipe to which the shower head normally connects. So it kind of makes your shower head lower.
You then connect the Bluetooth speaker to the side of the ShowerPower.
The device has an impeller that generates energy from the power of the water coming through to charge the Bluetooth speaker.

[13:20] When we bought ShowerPower, we bought an extra droplet, which is what they call their Bluetooth speakers.
We thought the whole system was pretty cool, but over time we've kind of become disenchanted.
The device leaked, so Steve had to turn it to kind of an illogical angle that made it a little harder to hear the speaker and get to the controls, and the device did cause our showerhead to be lower than we actually wanted it to be. Since Bluetooth on a speaker is pretty much a nightmare to be used by two different phones, I always used the second droplet just by setting it inside the shower, and Steve used the one that was on the impeller that was actually on the shower power.
The other thing is that Bluetooth speakers last a long time on battery, so it turned out that having a speaker stay charged from hydroelectric power wasn't actually that big of an advantage.
Steve ended up getting rid of the shower power itself, and then we just used our droplets as independent devices, charging them from the mains.
But the audio quality on the droplets isn't quite what we hoped for either.
In my original review, I wrote, quote, Deep voices in spoken podcasts are a bit muddled for our tastes, but I didn't expect super high fidelity.
Now, most tech podcasts are created by men, or at least the ones I've chosen to listen to are, predominantly male voices, and it's often hard to understand what they're saying with the droplet unless I crank the volume way up.

[14:40] My birthday rolled around this year, as it seems to do every year so far, and my mother and father-in-law sent me an Amazon gift card.
I love these gift cards because I save them for something I do not need, but I just really want.
I wanted a new waterproof Bluetooth speaker appropriate for the shower.

[14:58] I found a terrific site called, so r-t-i-n-g-s dot com, and this is a place where they review a lot of different things.
They've got home entertainment, home products like vacuums and blenders, they've got computer peripherals they cover, and electronics such as headphones, speakers, and cameras.
Now, the categories for the review are not as broad as, say, the Wirecutter, but they go deep and deep in all the good ways.
So they have a page dedicated to the six best shower speakers of spring 2023.
They categorize the winners as best, best mid-range, best lower mid-range, budget, cheap, and smart. They also provide a summary table of 58 of the 113 speakers they tested.
That's a lot of speakers. Now, the reason I trusted the recommendation is that they test and score by a lot of different qualities. Specifically, they rate speakers for music.

[15:53] Videos and movies, outdoor sound, and most importantly, podcasts. So they get a rating on all those different types of things you might want to listen to. You can sort their summary table by how well these devices did by these categories.
I'm definitely not going to dig into the details of the six speakers they recommended, but I do want to talk about the one I chose and what I learned from the RTINGS review.
I ended up going with the Best Lower Midrange because it was close to my budget at $80.
Now that was on Amazon and it's normally $100, so it was $80.
The best lower-mid-range speaker is the Ultimate Ears Wonderboom 3.
Now I yelled it like that because it's in all capital letters, Wonderboom.
Anyway, I not only like the price point, but it also comes in hyper pink, which has value to me, great value, because it's a Steve repellent. Keeps him from stealing mine.
But the main thing that caught my eye was that it got a 7.9 out of 10 on Listening to Podcasts.
Now that makes it tied for third place of the 58 speakers they reviewed.
The only two that rated higher for podcasts were the $400 Sonos Move, and the other one was the previous generation of the Ultimate Ears, which was the Wonderboom 2.
Those two speakers were rated 8.1 and 8.0, so 7.9 is great for the $80 price of Wonderboom 3.

[17:20] The Wonderboom 3 is rated IP67, which according to the specs means completely protected from dust and protection from immersion in water for up to one meter for up to 30 minutes.
It floats in water, so this could be super fun in a pool, and it's supposed to have over 22 hours of playtime.
I wish it had USB charging, but sadly, behind a waterproof, i.e. water-sealed access door, it's still sporting the most annoying connector ever designed, micro USB.
Now, the full review page on RTINGS has even more information and scoring and it just gets super nerdy.
You can see the raw frequency response curve for the device and the frequency response accuracy.
I don't even know what that second one is, but the Wonderboom 3 gets a slope of 0.76 and standard error of 2.71 dB, low frequency extension of 88.5 Hz and high frequency extension of 16.0 kHz.
So that's gotta be good, right?
I don't know what any of that means. Anyway, you can see the soundstage and dynamics too if you know what those are.
Technically, you can probably see them even if you don't know what those are, but you know what I mean.

[18:28] RTINGS have also detailed sections explaining the scores for style, portability, build quality and controls.
I would agree with their assessment on the Wonderboom 3 as a 9.3 on portability.
It looks kind of like a shorter version of a big girl home pod and has a nice fabric look hook on it to hang on a shower caddy. They gave the Wonderboom 3 a 9.0 on build quality, which is also great. I'd even agree with their 6.6 rating on the controls on Wonderboom 3.
There are three buttons on the top and I haven't been able to reliably remember to figure out what each one of these buttons do. I know the big center button is a play pause button, and I read in the manual that double pushing it will skip forward, which is nice for skipping commercials, but the other two are more mysterious. I don't understand why they did them this way.
One is a small bump with a hole for a light to shine through, and the other one is an indented button with a slot for a light to shine through there. And I think the slotted indent is to turn it on and off, and I think the bump is to pair it, but I've also gotten it into pairing mode accidentally using the indent button. I swear I did it one time. On the side of the Wonderboom 3, there are giant plus-minus buttons, which even I can figure out, are to turn the volume up and down. They're harder to push than I would like, but at least I can figure them out.

[19:49] On the bottom of the Wonderboom 3, there's a button with an evergreen tree on it, and you use this button to turn on an outdoor mode. They say it's specifically tuned for the great outdoors.
I tested this mode, outdoors of course, and at higher volumes my podcast got louder and more clear.
When I did it at lower volumes, I couldn't actually tell the difference with and without the evergreen tree button pressed. But I am looking forward to knowing my neighbors with outdoor mode. Now if you've got visual impairments, all of these buttons are very touchable. You can tell where they are, you can feel the difference between them, so that's a big advantage I think.
Even if I can't figure out which one's which, you probably can.
Now Wonderboom 3 makes a lot of different noises to let you know what it's doing.
Let me turn it on for you here and see if you can hear it. I'm gonna wait, that's the wrong button.
I pressed the wrong button right away. Let's see. Okay, that was turning it on. If I turn it off.

[20:46] I think that was turning it off. Yeah, that was turning it off. It had extra sounds. And then it's got a different set of noises for pairing. And it will turn itself off if you forget about it for a while, and you'll actually hear it turn itself off. Now, I was originally going to say that the Wonderboom 3 doesn't have a battery charge indicator because there's no set of lights to look at, but again, in something that's better for people with visual impairment or helps people with visual impairments, there is a way to do it.
In a desperate move, I finally read the tiny paper fold manual and it said to hold down the plus minus buttons at the same time.
I did that and here's the sound that it made.
Okay, that's nice, but what does that noise mean? Is that full? Is that empty? Is it somewhere in between? I don't know. So in an even more desperate move, I did some of the Googles and I found an Ultimate Ears webpage with some FAQs, one of which expanded to explain the three sounds. The sound we heard meant that the battery was half full. If the battery is fully charged, it sounds like this.
And if it's running low, it makes a sound that I think we're all used to hearing.

[22:01] Yeah, we're all used to that sad sound. So the one that kind of goes up with a, at the end, that's the one when it's full. And the one that's just kind of mediocre kind of sound doesn't seem to convey any information. That's the medium one.
So it is actually really good at telling you what these different levels are.
And don't use lights, which drive people who have visual impairments crazy, because I can't see the lights, but hopefully you can hear the sounds. If you're audio impaired, I think you're going to be out of luck. You're actually not going to know. But this has 22 hour battery life, which is pretty good. So, you know, plug it in every couple of weeks. Probably you'll be fine. Probably the most extraordinary feature of the Wonderboom 3 is one that was promised in the RTINGS testing, but I did not believe it before I bought it. This speaker will pair to two devices at the same time. I am not kidding. Two. And it actually works. I paired it to my iPhone first, then my iPad, and I was able to play on one, stop, then play on the other, all without going into Bluetooth settings to connect. I'm not joking. It actually worked.
It was miraculous. I remember when we had our Acuras and switching devices was so hard with Bluetooth and so time-consuming and failed a lot that we instituted a rule that the owner of the car got to use Bluetooth, but the other person had to use a wired connection in that car and the opposite in the other car. It was the only way to achieve peace in our family.

[23:31] Now, Steve paired his iPhone with my new speaker and that pretty much destroyed everything, proving that the miracle does not extend to more than two devices. As soon as I disconnected the iPad, then we were able to toggle back and forth between the two phones with ease.
He thought that's how I was going to keep things so he could use my new speaker, too. He was wrong.
I sent him a link to buy a boring black Wonderboom 3 for himself and he said, oh good, because that pink is awful.
Mission accomplished. So after all this yapping, I realized I haven't talked about the sound itself of the speakers.
I can say that podcasts are much easier to understand now with Wonderboom 3.
My main test is the Accidental Tech podcast, where really often I could not understand John Siracusa when using the shower power droplet.

[24:18] We do have trouble hearing John when we play ATP on the car on road trips too, so maybe some of the mix has just got him in a muddled state, but with Wonderboom 3 his voice came through really clearly.
It was slightly harder to hear Casey Liss, who has a higher pitched voice, in the cast, but I just boosted the volume a little more and I was able to hear them both with ease.
Steve is very happy with the audio quality on his as well, really happy that he was able to get one. And by the way, he ordered it this morning and I'm holding it in my hand and showing it to the live audience right now. Amazon delivered it to him same day.

[24:53] The Ultimate Ears Wonderboom 3 meets all of my needs, including repelling Steve with HyperPink and especially delivering my podcast for ear easy and clear listening.
Being able to pair to two devices at once is a dream I did not know would be realized in my lifetime.
You can learn more about Wonderboom 3 on the Ultimate Ears website, but if you go there and you buy direct, you'll actually pay more.
I highly encourage you to check out the detailed reviews of shower speakers on and and use their affiliate links because we want these people to keep doing this kind of testing.
And you can go in there and play around in all of the other categories they review and test.
Again, that's Well, it's time for pledge break, but instead of asking for money this week, I'd like to

Support the Show

[25:37] thank all those who support the show financially for making it easier for me to do the show.
Keeping going for 18 years, I'm telling you, it really makes a difference to know that you get enough value out of the show to actually plunk down your hard-earned money to support the work we do here. You have made 18 years of podcasting possible.

Security Bits — 14 May 2023

[25:57] Music.

[26:05] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots, but I am telling you, we cannot catch a break. Like nothing's going wrong right now. This is horrible.
It's an interesting way to look at the universe. Content creators have the strangest problems.
Well, I love Security Bits. I love chatting with you about the latest disasters and what we can do about it, but this might be the shortest one possible unless I can stretch it out by asking dumb questions. So we'll see. We'll see how that works out. Bart only did a small cup of coffee today, so I don't have full rein. Well, you say that there may be more here than it looks like.
There may be more here than it looks like. But anyway, we have some follow-ups. So I don't think we were off the call for more than a few hours when everyone's phone and computer started to get a notification about the first rapid security response we had been using about the fact that they had put out 16.4.1 and not as a rapid security response.
And then, hey, presto, our first rapid security response.
And I don't know about you, but the reboot was real quick.

[27:13] Yeah, yeah, I see that you've got a link to the article by Adam Engst and TidBITS.
And he actually timed it.
And I can't believe he did this. That shows you his dedication to the sport as he did it on four devices.
And just imagine running a timer watching scroll bar of indeterminate length, right? Just staring at it, knowing this could be an hour, this could be 10 minutes, I don't know. But they were, I think the longest one was something like 13 minutes from door to door doing it. I don't think any of mine were that long.
I guess I have faster machines or something. I was pleasantly surprised.

[27:47] Yeah, most of his were shorter, you know, four minutes, those kind of numbers, I think.
But I just really applauded his dedication to sit there timing it, you know.
I'm not getting distracted. I think one of them might have been an older iMac.
Yeah, I don't get distracted. Oh, yeah, that's what I do.
Yeah, I start the timer and then a half hour later look back and go, oh.
Especially because he didn't know how long it would be, right?
Yeah, and then I end up writing something like, definitely less than an hour.
Could have been two minutes, could have been 58 minutes, but definitely less than an hour.
Yeah. One of the cool things that he described exactly how to do is you can actually remove the rapid security response update.
And he did it. He went through the process of doing it on two different kinds of devices so that he could prove it could be done because these are little barnacles on the operating system that you can tear off and put back on.
Well, yeah, because he actually, I'm almost certain it was his article.
One of the articles I read explained very nicely, because something I think people haven't realized because Apple have done it so cleverly, is that the important parts of your operating system are actually what's called immutable.

[28:55] They are read-only, which is a fantastic protection from malware, because if the malware can't change the operating system, it's very hard to infect things.
And how do you do a quick update to something that is immutable?
So the reason a normal software update takes a long time is because you're actually getting a full image down, you're temporarily thawing out the OS, replacing the old image with the new image, and then refreezing it to make it immutable again, which is why it takes so long.
But these are actually little disk images that sort of get mounted on the side, and because Apple invented the overlay file system, so since I think two OSes back, maybe three, If you go in and you expand all of the views in disk utility, make it hide nothing from you, make it show you everything, you will see that Macintosh HD is two.

[29:48] Right. And that's because Apple developed the technology that allows you to overlay two file systems and they present as one file system, but half of it is read only and half of it is normal.
And they sort of, I always think of it like, you know, the old transparencies on the overhead projectors.
It's like they have two transparencies for your hard disk. One of them is the one you can write on, it's the one where your home directory is and everything.
And the other one is the system one and it's immutable.
And they literally put them on top of each other and you see one file system with one folder structure.
And these little software updates are like a third layer on the transparencies.
That's just a small little disk image that gets merged in with the other ones.

[30:27] So are you saying you actually can see it if you go into Disk Utility?
You can see the third one, or no? I don't know if you can see the third one, but in terms of how it actually works under the hood is what I'm saying, is that it gets layered into the overlay file system.
Okay, right, right, right. Yeah, I remember that being really disturbing when there became Macintosh HD data and Macintosh HD volumes, and I do notice that they have changed the naming convention from when they first did it.
They have. And it's a snapshot of the real operating system.
So it isn't even the real one.
Oh, snapshots are all different things.

[31:07] There are so many weeds here to get to. If you read Adam's article.
Yes. Well, but if you read his article, he talks about the fact that it is a snapshot.
You want to read the way Adam describes it.
But I was really surprised at that. And they actually do denote it as that.
So it's funny. It says Apple SSD.
Inside that, I've got a Container Disk 3. Inside of that, I've got Macintosh HD volumes.
Inside of that, I've got Macintosh HD, which is grayed out, and below that, this is now four levels deep from the top, Macintosh HD snapshot, and then up one level is Macintosh HD data.
So they really have done some interesting chicanery here to make it more secure.
Yeah, and it looks like, as far as you're concerned in the Finder, it's just, you just have a hard disk, but there's so much going on here.
And snapshotting, which is a copy-on-write concept, is also genius, and the overlay file system is genius, and the immutable...
This is really high-end computer science. The Mac isn't just secure by obscurity anymore.
The Mac is secure by design, by really good design.
Yeah, yeah. Not invulnerable, hence rapid security response update 16.4.1a and 13.3.1a, right?
Precisely, precisely. But it is very impressive computer science.
A long way from the days when I was taught operating systems.

[32:26] Yeah, I think it's also important to note one of the reasons these updates are so quick is they're small.
So people like Bob Goodrich, who's pretty active in our Slack community and a listener to the show and very security conscious, when there's a big software update, he has to take his iMac and put it in his car and drive it an hour and a half to an Apple store because he doesn't have the bandwidth out in the woods where he lives.
So I think these kind of updates will be a happy joy joy for Bob.
Or people who are traveling and who are having to make use of mobile data and stuff.
It's just a good idea.
Yeah, that's a good point. Yeah, just make them small. Make them what they need to be and no more.

[33:07] So yeah, that's the first follow-up. Then we had a conversation about how attackers were turning their mind to the Mac last time, and then you and I continued that conversation on Let's Talk Apple, and I can't remember what we said where.
I do know that the third, I think we did two stories here last time, and that was the third one, which we got all three in Let's Talk Apple.
But one of them, the listeners here haven't heard.
So just to prove that this is a trend that is continuing, there is now another.
Now, it is again a Trojan.
I'll preempt your question, because I know you're going to ask me, how do we catch this?
Yeah, it's still a Trojan.
In this case, so you have to you have to go get it. You have to go get it or be tricked into getting it.
Correct. It's pretending to be a PDF viewer. The malware has been named RustBucket by Intego.
We know that it is by a group of attackers called BlueNoroff, who are a part of the Lazarus group, who we are as certain as one can be that they are the North Korean government.
And they are targeting actively the Mac. So again, we are on an OS that is really well designed, that is very well looked after, that does security well, but it's never perfect.
So what if you're if you are tricked to downloading this PDF viewer?
This supposed PDF viewer, what happens to you?
Well you need to be tricked into more than downloading it, you need to be tricked into installing it and then clicking OK to all of the various pop-ups granting it access to things.

[34:37] Right, but if you think it's a real pdf viewer you might do that, then it does...
Basically they can do whatever they want. Code execution? They can do whatever they want.
So that gets them in the door and it will then phone home and say, so what do you need me to do? So it might be steal all of your crypto if they're in a money making mood.
It might be spy on you if they're in if you're a diplomat or something.
I mean, OK, this is a tool that is a mechanism.
Correct. Yeah. It's it's the mechanism to get in. And once they're in, they're going to do whatever it is they are motivated to do to you.
And at that time, well, what's the problem to be solved? Basically, they need access, they need to get in, and this is the front door.
This gets them in, and then bad things happen. We also talked last time about the fact that things were not looking good for MSI, and at that stage we were still thinking in terms of... Who's MSI again?
They are a company that make motherboards. For big companies, you may have heard of like HP and IBM and those kind of...

[35:39] So a home user would be building their own PC, might buy an MSI motherboard, is why we would care.
Extremely likely to buy an MSI motherboard. And someone who buys a PC is quite likely to have one anyway. They're a major vendor. Oh, OK. So not home builders just inherently already having it. OK.
Yeah, MSI are just a big player in this space. They make good stuff. Unfortunately, they appear to have had a catastrophic security failure. Right. The bottom line stays the same. So the bottom line we came to last time was only install firmware that you yourself download from MSI's website, and that is that remains the bottom line for home users. For corporate IT,
I think the bottom line is you take all of those PCs and you throw them in the bin. Because why?
So your motherboard to protect it from malicious firmware has literally burned into it.
It's called a fusing system. It's a write once and it happens with a hardware.
If you the act of writing, it breaks the circuitry.
It can never be rewritten.
So the public key is burned into your motherboard.
And that private key is used to sign valid firmware. That is the private key they have lost.
There is no way to update your motherboard.

[36:58] But we just said that for home users you just make sure you get the correct firmware updates from the vendor. Why isn't that true for corporations?
It is true for corporations but for corporations if you are traveling about and you have corporate information of value on your laptop and you're traveling around that's not enough.
If I'm the CEO of a company that's not enough.
Someone could physically grab my machine in the hotel room or whatever.

[37:27] And download the other firmware? Put any other firmware in it and the machine will accept it as valid and boot.
So not only rootkits, but bootkits.
So if you were signing the checks for the throw it in the bin strategy, would you say all laptops or would you say all the desktops too?
I would have to do a risk assessment and what I would probably end up doing is saying that anyone who works in finance or a few or maybe on research is particularly sensitive, can't have these are machine, you know, our public access machines for the students or whatever we are, that's fine.
You know, machines that are doing, you know, customer support. Fine.
I think you'd probably want to triage it because you don't want the bill to be too huge.
But for if you're a journalist, if you're a lawyer, if you know, if you're basically if you're someone who knows that you're supposed to be careful, you just can't use one of these motherboards.
Because you can't be careful. And that is a huge company, right?
I mean, a lot of companies use MSI motherboards.
Hey, maybe the PC market will pick up because of this. They've been lagging.
It's not a particularly good way to make people upgrade and feel happy about it, right?

[38:41] Not exactly. Probably want other strategies. Yeah, pretty much.
And this is actually a really good segue into our first real story.
So it has been Patch Tuesday, and Microsoft have released patches, which include a whole bunch of zero days.
And one of those zero days is in the other side of that same firmware functionality we were talking about.
So your motherboard has all of these keys baked in and stuff and the operating system can leverage the security from those public keys to boot itself in such a way that it can't be tampered with.
There was actually a bug in Windows and Microsoft had to change out some keys and stuff.
And so basically, if you're in corporate IT, you need to apply the latest Windows updates, and you have a manual process to perform on every laptop that you need to have Secure Boot working on.

[39:30] Oh, jeez. So again, you're triaging the same triage process I just described.
You're doing the same thing again, and you're gonna triage.
So Microsoft are promising an automated update within a few months, but for now, if you need to get Secure Boot re-enabled immediately, you have to visit each machine and manually do it.
So again, you're going to triage it. You're going to start in the finance department, CEO's office, and you're going to apply your resources as appropriate. But again, for us home users, I don't think there's any reason to go and stress out about it because Secure Boot may not even be enabled.

[40:05] So what exactly is Secure Boot? Secure Boot cryptographically, your iPhone does Secure Boot.
That's why you can't run an OS on your iPhone that isn't from Apple.
So it's cryptographically signed from the hardware all the way up to the point of the operating system boot, so you can't run non-Apple OSes.
The same is possible on a PC. But the Macs don't have that though?
They do if they have an M-series processor. If they basically, if they have...
So wouldn't the T2 chip... The T2 and basically you need to have a T1, basically you need to have a T chip or an M chip.
So you can have an Intel machine with the T chip doing that work or you can have an M chip, which has the function.
The T chip is basically an iPhone chip sitting next to the Intel chip, pretend, you know, helping it do its thing.
And the M chip just has that functionality baked right the way in because, hey, it's Apple Silicon all the way down.
So if you have a Mac with a T chip or an M chip, you have secure boot on your Mac as an option that you can disable in your...
It's not called a BIOS, it's UEFI, but you can disable it. So you can actually run Linux on your Mac. On your iPhone,
you can't disable it.
PCs, if they have a high end enough motherboard, can have the same kind of cryptographic assurance that your operating system has not been tampered with.
It's called secure boot.

[41:25] It's something that you need to turn on. I don't think typical home computers would come with it turned on, because it means you can't install Linux.
If you have Secure Boot on, you can't install Linux. So I don't think it's on all the time.
But in corporate IT... Even with the, what is it, Linux subsystem for Windows?
That's not installing Linux, that's part of Windows.
Oh, OK. You're booting Windows. So they can have Linux if they want to, even with Secure Boot.

[41:58] That's got the best of both worlds. But you're still booting Windows, right?
So if you think Windows is a big pile of bloatware that's eating up way more of your RAM than it needs to, you're doing that and running a Linux on it, so that's not really efficient.
I suppose. Yeah. But no, so again, us home users, probably not all that relevant, but corporate IT are not having a good week of it.
But I appreciate you doing the translation into terminology.
I can understand them, between Windows and Apple.
Apple. Okay. Where was I? Okay. Scrooge Scrooge. Notable news then. So AI is kind of a thing that we haven't talked a huge amount about because it's sort of background noise.
I bet to the relief of everybody because it's talked about on every single show.
It is. But I do think it's worth pointing out that one of, he's described as the godfather of AI. Now, this is a guy who's been researching neural networks since the 1970s. So he has earned some jobs here. Dr. Geoffrey Hinton. He won the Turing Award, which is considered to be the Nobel Prize of computer science, because obviously when Alfred Nobel was around, there were no computers. They were humans. They were not devices yet. So there is no actual Nobel Prize. But he's a pretty big deal on the technologies that we now take for granted. And he's been with Google for some time since Google bought his company.

[43:21] And he stayed very quiet in the last couple of weeks when the various open letters were doing the rounds and stuff, because he's one of these people who, old-fashioned in the nicest possible way, he was like, well, I'm not criticising my employer.
So he gave Google his notice, worked out his notice, didn't say a word, had apparently a nice conversation with Sundar Pichai on the way out, and now he has left Google.
So now he's saying, and I am now dedicating the rest of my life to campaigning for the proper management of AI to protect us all.

[43:48] He is also still complimentary of Google that they're going slowly.
He is. He's just afraid that unless there's an outside regulator to apply the brakes, the inevitable forces of competition, which is usually in our favor, right? We love the fact that Samsung compete with Apple because it makes both of them be better. But if you're afraid that AI is running ahead of our ability to control AI, then at the moment you're panicking because you have ChatGPT, you have Bard.
These are like there's real competition here at the moment. And so this is now the time to start raising your voice if you believe it's time to be careful.

So it was very interesting to me to watch Geoffrey Hinton because he, I heard about it first on DTNS because they cover the tech news, and then I blinked and he was everywhere I turned. I mean, he's like on the NBC nightly news. You know, he's on network TV talking about AI. And I think it just caught fire because people love to talk about the danger of AI. I mean, that's just that's just chum in the water for newscasters who like to get us spun up. So I think his message is certainly getting out there, that's for sure. But it was shocking what detail-level nerdiness suddenly made national news or international news.
It's funny, if you can tie it to a hot enough story, you can get the most amazing computer scientist onto the most mainstream of news stories. I wonder if we could do that for less terrifying things.
Right. No, no, no. That's no. We got to be terrified that that's what we want to watch a train wreck.
No, no. There is another one. We could be angry either, but that's not really any good.
In fact, I'd rather be terrified than angry. No, I just rather not make that choice. Yeah.
Occasionally, if you do it well enough, it can be a pull at the heartstrings can do it, you know, a story that's just so adorable you can't stand it.
You know, that's why there's all those videos of of like a cat raising, raising a duck, a duckling or something.
Yeah, there was a gay set of penguins somewhere that made it for a while as well, wasn't there?
That was a thing for a while.

[46:01] I don't know. They had funny names and stuff. People just love.
Staying in the United States, the Federal Trade Commission has started the process of updating their settlement with Facebook slash Meta, so they made it with Facebook, but now it's with Meta.
So in 2020, they came to a settlement in their suit against...
About what? Privacy Invasion.
Was this the, oh shoot, I can't remember. Which one? The 2020 one.

[46:37] Yeah, I just don't know what the case was. They said that Facebook were not following the rules in terms of people's privacy, and they came to settle the debt accord. So this wasn't Cambridge Analytica?
Don't believe so. It was something after that.
2020 is too recent to be Cambridge, isn't it?
Yeah, yeah. Anyway, they started the process to do what then?
To update the settlement to block Facebook from launching any new products until they come into compliance with the settlement, because right now they are not in compliance.
Whoa. Wait, no new projects or products? No new products.
No releasing, no data-based products. Wow, that's great. That's pretty big.
That is pretty big. Now Facebook have, sorry, Meta have 30 days to formally respond, but their initial PR response has been, how dare you regulate an American company?
Look at TikTok over there.
And everyone's going, yeah, have you seen what the American government are threatening to do to TikTok?
Are you sure that's a good idea?

[47:36] Sorry, I made you nearly spit your coffee on your screen there.
Yeah, I was drinking when he said that.
So anyway, 30 days, we shall see how that develops.
And then switching to the good news column, Google and Apple have worked together again.
And they did this at the start of COVID when they brought out the COVID trackers that never quite lived up to their promise because I think.

[48:00] The virus moved too quickly for the idea, but they nonetheless— Oh, can I give you a quick update on that?
I got a notification from the state of California saying, yeah, that's over now.
Yeah, me too. Not from California. We've disabled it. We're no longer tracking your phone.
Yeah. Yeah. But I think they did it concurrent with the WHO saying that the international health crisis was over. COVID's not over.
Yes. But the international health crisis is over. Yes.
Announcement because it also said, by the way, just in case you're wondering, it's going to be with us here until the next one. So just, you know, settle in.
It is endemic pandemic, but not an emergency. Yeah. Yay. Anyway, so now what have Google and Apple done together?
So I have said every time we talk about the topic of how do we deal with these new AirTag like trackers? And it's not just AirTag, you've Tile and you've, you've other companies doing them too. And Apple products are really good at telling you when an Apple tracker is following you, because Apple can talk on an Apple device.
Yeah. Yeah. The Apple products are very good at telling you when an Apple tracker is near you.
Your iPhone, et cetera, is good at that.
But in order for that to work universally, you need to have a protocol that is not vendor specific.

[49:17] And I have been I have sort of expected Apple to open source what they're doing.
But that would then involve people who make other trackers sort of agreeing to do things that way.
But actually, what Apple have done is they've worked with Google to develop a formal standard, and they have now submitted it to the Internet Engineering Task Force, the IETF.
So it is now with the IETF for public comment. And if everything goes on schedule, it should become a formal standard by the end of the year.
And all the big players are on board.

[49:45] I'm sorry, did you say what IETF stood for? Internet Engineering Task Force.
I'm pretty sure I did. But either way, the IETF people, they're the people who do things like HTTP and TCP/IP, the kind of, you know, slightly important technologies.
Yeah, that is a proper standard. I like that because obviously both companies want that to exist.
I mean, why would you not?
Yeah, exactly. And humanity wants it to exist.
So it's just I just like this is how it should be.
You know, you compete on what makes you different and you work together on what makes what doesn't make you different and makes everything better. It's grown up, right? Grown up behavior. I like it. And then finally, Google have rolled out support for passkeys across their large array of services. So that brings us a dramatic step closer to passkeys going from hypothetical to practical. That's a lot of humans on planet Earth have a Google account.
Yeah. So like everybody else, I was super excited about this and I discovered something surprising, and it leads me to a change I need to make, and it also opens up another question for me.
So I was hoping I could just spring this on you without any warning or chance to do any research.
When I went to Google, it said, yeah, do you want to use passkeys?
I said, yes, I would. And it said, okay, here's a QR code, scan this with your phone.
Now, right away, that concerned me because I don't understand why I had to have a second device in order to do it.

[51:14] That may be something to do with their implementation. That may be because you're...
Because you were not in a position to actually use passkeys because of something you haven't turned on yet that we're getting to.
I don't think the APIs were working right.
Because it's supposed to be that the browser should immediately go, ah, I see this site is offering you a passkey.
Yeah, so it said I had to scan this QR code, so I took out my phone and I held it up, and it said, you know, tap this to get to your passkey, and I tapped it, and things spun for a little bit, and then it said, no, I can't find anything in iCloud Keychain for this.

[51:51] And I don't use iCloud Keychain, because I use 1Password.
I don't want to use iCloud Keychain.
That actually sounds like you tried to log in with...
Because that's the workflow for logging in with a passkey, rather than the workflow for creating a passkey.
That's correct. I'm saying after I said turn on passkeys, it said, okay, got it, now use your phone. And I have to bypass the QR code and tell it no, get in another way now. So that's not working as designed.
It's definitely not working as designed. I don't know the steps you did to get into this position where you do not have a working passkey set up.
I definitely don't. So I'm reading it right now. It says, Google, use your passkey to confirm it's really you and it gives my Gmail address. It says your device will ask for your fingerprint, face, or screen lock. And when I tap continue, it does not ask me for my fingerprint, face, or anything else. It says scan this QR code with a device running iOS 16 or later, or another compatible device to sign into So I have a passkey.
Did iOS offer you?
No, you have half a password. I'm on my Mac.
I'm on my Mac. You're on your Mac, and you don't have iCloud Keychain enabled, and where did you create this passkey? On my Mac.

[53:19] But it's asking me to scan the QR code, and the only thing I know to scan the QR code with would be my phone.
I don't think you've created a passkey. I think you've told Google you'd like one, but I don't think you have one.

[53:31] OK, it thinks I do. It's saying that I do. It says you've enabled passkeys.
OK, without a time machine, I can't help you here. But it's so I also don't know how to make it go away.
I should be able to log in. It doesn't give me any move it.
So, you know, the way in Google, there's a page that lets you set all of your different authentication mechanisms.
So whether you have a phone registered, your secondary email, like Google lets you have many, many doors to the same account.
So in there, one of your doors will be your passkey. So if you if you had We should be able to turn it off.
If you had a hardware token, it would be in there. So your passkey will be in there and you just remove it from your account.
Like you would a phone or whatever.
So if I did, I've just sent you the screenshot of what I see just so we can be on the same page. I sent it in Telegram.
But if this was working, I shouldn't need my phone to log in with my Mac.
But if I wanted to log in with my phone, I would probably have to have iCloud Keychain turned on.

[54:36] Okay, let's keep things simple. So let's start off with you have a Mac and you have a Google account and everything is set up correctly.
You go there with your Mac and you turn on passkeys and then you will never see that screen because your Mac will be talking the passkey APIs and Google will be talking the passkey APIs and it will all just magically happen.
You then go to a phone that also has iCloud Keychain, and then it will also be completely seamless.
But then you go to an internet cafe. And obviously, it's not your computer.
So even with everything working perfectly, you wouldn't be able to authenticate on that device because it's not your device.

[55:23] So the mechanism Passkeys provides is that your phone can do the authentication for you.
And in order to do that handoff between the device you're on and the device that's going authenticate you, you have to scan a QR code.
Yeah, so that makes sense, but that phone would have to have the passkeys as well, which I believe requires iCloud Keychain.
Now what surprised me about that was I thought we were going to be able to do that with 1Password, but 1Password hasn't done it yet, I think.
I think you're too early. They've got it where you can create an account with a passkey, but you can't store your passkeys in 1Password yet.
Yes, you can use the passkey to authenticate yourself to your vault on your phone, which.

[56:05] Is a good way to authenticate yourself on your phone.
A good, strong authentication on your phone. But they don't have it to the point where they are managing passkeys for other websites, which is, that is coming, right?
They're going there. We're early, yeah.
Yeah. So talking about the reason I haven't ever done iCloud Keychain, actually, no, let me wait one more minute on the Gmail thing and thinking about this in a holistic form.
If I've got authentication to a site, such as Google, with Passkeys, can that be shared with Steve Sheridan?
So Steve uses this account to do some of the live show stuff because this is the account that runs the YouTube videos.
So the answer is yes, and you can do it the right way or the wrong way.
So with modern authentication, you need to get out. So the way we're used to thinking about things is that an account has a password.

[57:02] That's not the way you should think about things in the 21st century.
So the correct thing is that you add to the one Google account, two passkeys, your passkey and Steve's passkey.
You don't share the passkey. That's your passkey.
What you want him to share the account.

[57:19] And the way he would do that is on his Mac, log in with the password into my Google account, and then say, turn on passkeys.
Yes. So then when you go to that screen where you get to have your phone and your alternate email address, you would see two passkeys. And you could then revoke one of them if one of you lost your phone or whatever.

[57:41] Okay, okay, good. That was one of my concerns. Once I got this, I was like, well, wait a minute, How is that ever going to work?
So now stepping back further to the, if I can't use 1Password yet, and I'm now, I really want to try this out, so I'm going to turn on iCloud Keychain.
One of the things that's really kept me from doing it is I didn't want to manage passwords in two places.
So if I go to and I change my password, 1Password goes, hey, do you want me to update that login?
And I say, yes. Do I now have to go over to iCloud Keychain and manage it there?
Only if you want to store it in two places. Don't store it in your iCloud keychain.
The passkeys can be in your keychain, but if you never put a password into your keychain, if you never put a password into iCloud, it won't be in iCloud.
Oh, so you may... See, I literally have never used this intentionally.
I think I accidentally did some early on, but then I was like, ugh, and I got rid of everything, I think.
So you have to agree to let something be in iCloud keychain.
So I was afraid that as soon as I turned on, it was going to go bleh, and then barf everything into iCloud Keychain where I didn't want it to be.
No, it's like the standard Safari thing, because it is the standard Safari thing.
It'll pop up and say, hi, do you want me to save this password?
And if you just say, no, don't actually, then it won't.

[59:01] Okay, I think I've successfully beaten Safari into submission to stop asking me.
But somehow I have to tell it that it's okay to store that passkey.
I guess I'll find out when I turn it on. I haven't used Passkeys myself. I've seen videos of it in action, but it should be the operating system offering you to do its thing, and it should be very automatic.
Okay. All right. Well, I will certainly give that a try, and I will report back. But, yeah, it really does feel like something broke on the day I got in.
I don't remember being asked any questions whatsoever about how it was going to work.
I remember going, you want passkeys? Uh-huh. Click. And then I got in that state. The very first thing it did was ask me to scan that barcode. I could be misremembering. That has happened maybe once in the past.
It's definitely not right. Not entirely sure how it got wrong, but it's definitely not right.

[1:00:03] Okay, good. I do see one passkey there. Oh, good lord. It says I did it on my Motorola Moto G7?
Okay, this is confusing. I will do this on another time. Okay.
But I appreciate you answering the questions, and I think that's of value to people to think about the repercussions and how this works.
And also, just sort of what occurred to me when you asked me the question, even though you didn't give me a lot of prep time, I did have some time to noodle.
You were very much against turning on iCloud quite a few years ago, because back then the reality was very different.
Right. If you had iCloud keychain turned on and you had passwords in it and I picked up your phone, you had left your phone down and you hadn't locked it because you put it down for a second and I picked up your phone, I could log into things.
Because right, it just took the passwords. But today, even if you had passwords in there, and you put your phone down without locking it and I picked your phone up and I tried to log in as you to something, it would do the face ID thing and it would stop me and I couldn't go into the key chain app because it would do the face ID thing and it would stop me.
So the level of access that was implicit, the level of trust that was implicit when you decided against it has changed completely, so you made a very sensible choice.

[1:01:20] When the universe was different, and so my advice is, you know, don't worry too much about turning it back, turning it on now because you were not wrong to turn it off then.
But then is not now. So don't think that I'm not sure I'm saying what I'm trying to say very well.
But the decision you made then was perfectly sane, perfectly reasonable.
And doing the opposite now is not choosing insecurity. It's everything's changed.

[1:01:48] Okay, I do still hate the idea of having to manage passwords in two places though.
Don't manage them in two places. I don't understand how people, but I know people who do.
I know Dave Hamilton talks about how he does both. I do both.
I do too. So you change it in one place, you have to change it in another, but you change it in two separate systems. Ah, the browser does it all for me.
Because it'll say, do you want me to update in iCloud and it'll say, and the plug-in will do update in the other?
Yeah, I just go, yeah. Okay, well if it does that, not too bad.
It's a less frictiony, but there's no, I only do it because I like the safety of having them in two places.
It's just, I sort of think of it as, you know, I have one secure place and I have another secure place and then there are two places and I feel better.
But I don't think you need to do that. I don't advise people to do that.
I do it because it just makes me feel better and I'm not even sure it's wise.
I just, I just feel better.
Okay. Well, that sounds good. I definitely understand a lot more and I might turn it on.
If nothing else, I will try to turn off the.

[1:02:52] Passkeys right now for Google just so that I can get in without having to go through a second step.
Yeah, I just removed that authentication mechanism and you should be good to go.
Yeah, I haven't found it yet in my poking around while we're talking, but I did find a place where one of your options that is turned on by default is to not show you the password option.
So you have a toggle and that's turned on, that's saying don't show me the password option, because, well, because you got a passkey, why do you want to bother looking at that, I think was the idea, except that it's not working, so it always forces me to go an extra step.
Ah, yes, of course. I'm not sure, I don't, I'm not that certain I know how to get rid of this passkey.
I can see it, that it's there, don't know how to get rid of it, but I'll find out.
Moving on then, we have a top tip. So we've talked a few times about the importance of having your own email domain, because otherwise it's really easy to get locked out of your everything.
And if you're not going to have your own one, probably the worst possible thing you could do would be to use one provided by your ISP.

[1:03:58] So if you'd like to hear someone else explain exactly the same thing with different words, Apple Insider have a lovely article, why ISP email services are terrible and what to use instead. So it's not one for you or I, but it's one to keep in your back pocket for your family members who send you, oh, yeah, no, I have everything connected to my Cox dot whatever.
Comcast. Yeah. You know, I was really pleased. Steve's mom and dad are just so smart because they listen to us and they do what we suggest after we explain it to them. I wasn't going to say they do what we tell them to do. We suggest things and they jump on board, is they had their email with Comcast. And I explained that, you know, that's not portable. If you move, you know, that's not going to work. And they said, okay, what do we do? Okay, well, let's start by forwarding your email to Gmail. And when you write to people, write to from your Gmail account. And I got them going on that. And then over time, got them to just shut down and go into their services and make sure they turned off, you know, switched it all over. And that took them months and months and months to get done, but they went through the work. And about six months later, they decided to move. They didn't have to add that to the worry of finding a place to live, packing all the horrors of moving, and they were fully able to move without losing any contact. Actually, Steve's mom said, yeah, anybody I didn't tell, I actually don't care if they ever write to me again.
It's been six months. If I haven't heard from you, I don't need to hear from you.

[1:05:21] Right, right, right. Yeah. Yeah, I don't know. I like to have these links in my back pocket. I have a little folder in Pocket called For Reference, and that one went in and I thought it would be worth sharing with people.
Yeah, good one. Another interesting follow-up. So the internet collectively went mad on telling people about juice jacking, and I was pretty cold about it.
I just sort of pointed out that there's been no change, there's no added risk, and that just because it was making the media, I didn't... So again, juice jacking is plugging in at the airport to charge, but somebody's actually stealing your data.
Yeah. You did say it was a danger, though. It just wasn't a danger.
It's a hypothetical risk. But at the time, we didn't really talk about it as being merely hypothetical.
We talked about it that you really shouldn't do it.
Yeah, I didn't throw enough cold water on it. It's garbage.
It doesn't actually happen on planet Earth.

[1:06:12] Yeah, which I did not know until Ars Technica talked about it, that they said, yeah, this doesn't actually happen, has not happened. There are no reports of it in the wild.
The other thing that has changed in the last couple years is kind of like the iCloud conversation.
The reality of the phones have changed.
So it used to be the case that if I took your, say, your generation one iPhone, and if I plugged it into my computer, I could just get your stuff.
I could just download your stuff. So if I replace that computer with some sort of dongle, I could just have it automatically steal your stuff. And people successfully hid that kind of functionality in a cable.
They're like hacking cables.
But Apple responded to that, and so did Google with Android.
So when you plug your phone into a device that it has not been cryptographically paired with, it won't talk to it.
It just won't talk to it. So the danger is really, really hypothetical.
You would have to have a zero day to work around the blocking that's happening.

[1:07:15] And then if you're afraid of even the zero day that no one knows about, which has never been found to exist, you can buy a thing called a data blocker, which is like a USB sleeve that goes over a USB port that physically doesn't connect the data cables.
So the only pins connected in this little shoe are the power ones.
So if you buy one of those little overshoes and the coolest ones are actually transparent so you can see the gap, you can look through the casing and see that the cables are not connected.
And then you're absolutely completely fine because data can't magically.
So you're protected by hardware.
And even if you weren't, there is a strong firmware level protection.
And even if that wasn't there, the actual device itself, it's...

[1:08:03] You can make your own data-only cable by splicing, cutting a USB cable and peeling back the shielding and then don't connect the data connectors, the data cables, and just connect the power and then wrap it back in electrical tape, which by the way is how I met Tom Merritt.
I probably told the story the last time we talked about this, but he liked it so much he put it on his top five many, many, many, many years ago, and that's why we became friends.
Now what I want is the opposite thing.
I would like a data-only cable.
And I'll tell you the problem to be solved is, what's the continuity thing that allows you to use an iPad as a second screen to your Mac? Oh, Sidecar.

[1:08:43] Sidecar. So Sidecar is completely unreliable for me on Wi-Fi.
I don't know why, but I like to sit outside on the, no, I know why I like to sit outside on the back deck.
But if I'm sitting out in the sun, I'm relaxing, I want a second screen, if I try to use my iPad, it'll connect, it'll be all great, I'll be working along and all of a sudden, it's just gone, it just gives up.
So I can connect it over USB-C, Thunderbolt, whatever you want to call it that day, and it works great, but the iPad sucks the battery out of the laptop.
Now you may have heard me mention that my battery doesn't last on my laptop, and so here's this giant battery in the iPad, so unless I've charged the iPad to 100%, you know, and as it uses power, it starts sucking it out of the Mac, and I don't want it to do that, so I want the opposite, so I might need to get out my scissors.
Yeah, have a go. I don't know how much more difficult that is than USB-C.
Because the opposite should be possible.
Yeah, but remember the amount of... Remember that USB-C has a computer...
The circuitry and all that.
It has a chip in each end of the cable and they negotiate stuff. I don't know how they'd feel about suddenly having some of their connection interrupted. I'm not entirely sure you'd get away with that one.
Yeah, I might have to look. I actually did try to look for data-only USB-C, and I don't think I have yet found that.
You'd imagine there's a low-level API call somewhere to tell the little controller not to send power.

[1:10:06] I would imagine that the APIs allow it, and someone just has to write an app, like, you know, juice blocker or something.
Because I am almost certain that software-wise that should be conceivably doable, but not with my skillset. You would think so. Yeah. Well, I will keep on the hunt.
Indeed. Okay, well that is it. That is all the stories we got.
Nope. I came up with the palate cleanser while we were talking.
Oh good, actually, because I forgot one.

[1:10:35] This is so delightful, and it just shows the level of depth of nerdery that we have in the NosillaCastaways that I just love.
So the best channel in Slack is Delete Me, by far.
It's funny, it's clever, it's wonderful. Alistair Jenks basically owns the channel, and that's fine, we're all good with it, because every once in a while I get one that's almost as good as something he's posted. But Ian Lessing posted one that was just wonderful.
This is a screenshot he took on his computer years and years and years ago from an iPhoto library migration.
The screenshot says, upgrading thumbnails, time remaining about 2147483647 hours.
I don't know how many digits that was, but we all had a good laugh about it, but that's not where it ended.
Alistair, because he is such a nerd, writes back, that number can also be written as 2 to the 31st minus 1, which means it is the largest positive number in a 32-bit integer.
In other words, it was not expecting it to take nearly 245 millennia, but in fact, an infinite amount of time. It just couldn't find the, and he wrote words, but he crossed it out, it just couldn't find the numbers.

[1:11:50] Yeah, that is one of those magic numbers. Yeah, I am fooled.
But the fact that he saw it and went, oh yeah, I recognize 2147483647 hours, that's obviously 2 to the 31st minus one.

[1:12:05] I recognize some of those magic numbers, but not as many as Alistair does.
I think his mainframe experience helps him out.

[1:12:12] It does remind me of when I knew a really nerdy guy from Caltech, and he walked into my office one day and he said, do you realize that your office number is the product of the first five prime numbers? No, what's wrong with you? I'm the kind of person who finds myself buying things and then, when I get, only when I get home, do I realize why. It's because they're powers of two.

[1:12:34] It's like there were four different loaves of bread I could have bought. Why did I buy the one that cost $2.56? Oh. Really? Really. Like those are the pleasing numbers.
Honestly, I find myself with stuff in my shopping basket that's slightly more expensive because it's $1.28 or $2.56. It's ridiculous. But yeah. And it's subconscious. And I only want to get home. That's funny. Do I notice? Oh. Well, you know what's going to really bother you? I read that Mark Gurman is predicting that the new M3 Macs, which are supposed to be announced any day now for maybe end of the year, will have 36 gigabytes of memory, not 32.
How's the extra four? I'm guessing it's like graphics RAM or something. No, you're right, it does look slightly cranky. No, no, that's going to be upsetting.
Well, it does divide by two, but it's not a power of two. Yeah. No, don't like it. Don't like it. Mind you, more RAM, more good.
All right, well, I managed to stretch out the shortest show notes of all time to 47 minutes. And you're probably out of coffee by now, so I will let you go.
But that was a lot of fun.
Yep. He's showing me his empty mug.
I'm out of coffee. And I also have the opposite problem. I need to go visit a little room.
So, wait, this is Security Bits. Therefore, I need to remind you, because it's been so long since we talked about security here. Remember, folks, to stay patched so you stay secure.

[1:13:59] Well, after 18 years, that's going to wind us up for this week.
Did you know you can email me at allison at anytime you like.
Lots of people write to me and I love engaging with people. You can tell.
Remember the whole thing I said about Mastodon.
I like people to talk to me. So send me an email anytime you like.
If you have questions or a suggestion, just send it on over.
You can follow me on Mastodon at podfeet at Of course, there's a link in the show notes.
And remember, everything good starts with If you want to join in the fun of the conversation, you can join our Slack community at slash slack, where you can talk to me and all of the other lovely NosillaCastaways and enjoy Alistair Jenks' Delete Me channel that we were just talking about.
You can support the show at slash Patreon or with a one-time donation, slash PayPal.
And if you want to join in the fun of the live show, head on over to slash live.

[1:14:49] Music.