Hi, this is Allison Sheridan of the NosillaCast Podcast, hosted at podfeet.com, a technology
geek podcast with an ever-so-slight Apple bias.
Today is Sunday, May 28, 2023, and this is show number 942.
This week's Programming By Stealth wasn't a heavy lift, but I managed to get confused
a couple of times anyway, so expect lots of questions from me on this one.
Bart started the show by telling us about a clever tip from listener Jill of Kent, not
to be confused with Jill from the Northwoods, about how to detect when the terminal is talking
to and from standard in, standard out, and standard error.
Then we learn about how to use the printf command to make nicely formatted output.
I especially like that part because I love me some organized output.
As always, you can find Bart's fabulous tutorial show notes at pbs.bartificer.net and you can
find Programming by Stealth in your podcatcher of choice.
This week, Chuck Joiner published an interview he did with me for his Road to MacStock series
on his show MacVoices.
He's having many of the speakers on to describe what people can learn from the talk they will
It's supposed to get you excited about MacStock if you've already signed up, and jealous of
MacStock if you haven't, and to get you to sign up to go.
It's such a terrific trip, you really should check out MacStock Conference and Expo.
Anyway, the last time I spoke at MacStock, Chuck had me on for the same reason.
But as I started talking about my planned presentation, which was just weeks away at
the time, Chuck pointed out that I didn't sound that excited about my topic.
He was actually right.
I was really not thrilled at all about what I had chosen.
So we noodled a bit and we came up with an idea that I was very excited about.
I think it was when I decided to talk about mind mapping with iThoughts and I was super
excited about that topic because you know how I love a mind map.
Anyway, changing my topic that late really caused havoc for the organizer, Mike Potter,
because the programs had already been printed for the show.
So anyway, this year I decided not to tell Mike what I'm talking about until after I
talked to Chuck.
I thought the conversation was great fun, even though Chuck wasn't always keeping up
Anyway, I put a link in the show notes, and you can listen at that link in the show notes,
or you can watch the video at MacVoices.com.
And of course you can find Mac Voices where?
In your podcatcher of choice.
Well, WWDC is coming up really soon on Monday, June 5th at 10am Pacific Time.
As is our tradition, Steve and I will be hanging out in the NosillaCast live chat room during
the keynote so we can chat with the NosillaCastaways.
We don't broadcast video and we don't impose our audio on anyone.
It's all just going to be texting and chatting in text.
It's actually in Discord. Now, if you haven't been to the live show before, the easiest
way to find it is to just go to podfeet.com/live. This will take you to a webpage that has the
embedded video, which will not be live. I think it'll probably be like the day before
show, but there's also a window into the Discord channel where we'll be chatting. However,
if you want to go right to the Discord channel and join it, I put a direct link in the show
notes to the live chat channel there. Anyway, I hope you'll join us to be amazed, disappointed,
and have a laugh or two. And by the way, Bart usually shows up there too, so if you want to chat
with him about what they're talking about on stage, that's the place to be. See you
a week from Monday or Monday, June 5th at 10am Pacific time.
Just to prove to myself that I can write a review that is not 2000 words long, I'm going
to explain why you might need yet another charger for your devices. Now it's table stakes
these days that any charger you buy has to be made with gallium nitride or GaN. Compared
to the older silicon chargers, GaN chargers are lighter, can deliver faster charging,
and can handle high power without getting hot. So if you're traveling, lower weight
is the key ingredient in that list, so you might be interested in this.
When Barry Falk came to visit us a few months ago, he was packing the Anker Gallium Nitride
Prime 65W Charging Station. This charger sports one USB-A port and two USB-C ports, but it
also has two AC outlets on it. Since it has to be plugged into an AC outlet to work, that's
really only a gain of one. But it's still a big advantage because both of the outlets
on the Anker charging station have room around them so you can plug in your two big power
supplies. The Anker charging station provides 65 watts of power, so that's enough for charging
smaller laptops quickly or even power hungry laptops like the 14 and 16 inch MacBook Pros
if you have a little bit more time. They tend to like 100 watts, but you can totally do it
with a 65 watt charger. Now, as with all recent Anker power devices, it also has PowerIQ,
which they say intelligently identifies your device to deliver the fastest possible charge.
For this charger, Anker claims that you can charge a 14-inch MacBook Pro to 50% in just 37 minutes.
So maybe you don't need as much time as I thought. The form factor of the Anker charging station is
unique. It's an elongated oval with one of the AC outlets on one side and the
rest of the ports on the opposite side. The charger has a built-in 3-foot power
cable and it wraps around the charger for storage and travel. There's a
flexible rubber kind of skirt that goes around the oval to cover most of the
wrapped up cable. With it neatly wrapped away, you still have around 5 inches of
the cable with the plug on the end. Now again, with that 5 inches of cable, that
means you have those two outlets accessible way out from under a bed or from
behind a TV where you finally found a place to plug in your charger.
The charger comes in dark gray or white and it costs $70 US at Anker.com or on Amazon.
As soon as we saw Barry's, Steve and I each bought an Anker GaN Prime 65-watt charging
station for our travel bags.
Did you hear that?
379 words and I spent your money again.
Very good friend of the show and friend of Steve and mine, Frank Petrie, wrote an op-ed
recently on his blog YMP Now, where he suggests a different announcement from WWDC than anyone
else is predicting.
He had hoped to record it himself, but he's a bit under the weather and some things have
gotten in the way, so he asked me if I would read it instead.
I can't hold a candle to Frank in imitating his style of delivery, as you well know, but
I'm happy to bring this message to you as best I can.
Here's the op-ed from Frank.
Everyone is making a case for "one more thing" - Mac Glasses, Mac Pro, what have you.
As I look at rumors for "one more thing" and Apple Press releases, they all seem to
be pointing at one missing piece of the puzzle that I think will either be announced or debuted
at WWDC 2023.
Let's look at the timeline.
M1 and M2 iPads are released in the spring and fall of 2022.
Everyone agrees that these raise the level that you can perform video editing, rendering
3D modeling and other heavy lifting that you may have a need to do.
Now we need software.
But the more we cry for software, the more resolutely they seem to dismiss the problem.
And even worse, Apple appears to be leaning strongly into DaVinci Resolve for the last
Mumbling and grumbling begins that Apple may not be willing to tackle coding FCP or Final
Cut Pro for the beastly Silicon tablets.
Then in May, Apple, with a mere press release, announces the unheralded release of Final
Cut Pro and Logic exclusively for M-series iPads. Huzzah! Let the birds sing and the babies cry!
Next, iJustine, fellow YouTube personalities, and select members of the press get a limited time
with the preview in the hopes that they will go back and scream from the mountaintops.
If you've watched any of the YouTube reviews, they were all very impressed with Apple's work.
With the exception of a few missing pieces, they were all rightfully impressed.
Apple announces it will be available for a subscription price on May 23, worldwide.
However, they all uniformly said they would try it but most likely not use it as their primary
editor of choice. The reason? Most of them perform their editing off of external drives
in order to save space on the internal drive, and there's only one USB 3 port on the iPad.
That's when I remembered a little rumor from several months back that everyone was laughing
at. But I propose this leads us to our one more thing. WWDC 2023 releases the rumored 16-inch
iPad Ultra. A 16-inch Liquid Retina display with ProMotion, True Tone, and P3 wide color screen.
Two, possibly three USB-C ports, Thunderbolt 4 optional, powered by an M3 chip and a 2TB
to 8TB SSD drive. Will it come with everything I want? Of course not. Will it cost an arm and a leg?
Yes, of course. Probably several internal organs as well. But think of it, Apple started by putting
M-series chips in the revered tablet. Then they announced the release of Final Cut Pro and Logic
for iPad's upper echelon devices. You now have everybody's undivided attention, and
they're drooling and grasping for their wallets with sweaty palms.
A demographic ripe for the picking.
I think we've been played.
Like a violin.
Thanks for sending that in, Frank.
That one really made me think.
I hope you're right.
That would be so fun.
Back in 2015, I wrote an article entitled "Making Happy Audio" in which I walked through
the different technologies that I was using to create listenable podcasts.
In that article, I sang the virtue of a free, cross-platform tool called the Levelator that
will level the audio of an uncompressed recording.
It was a marvelous tool because it created audio files that wouldn't require the listener
to turn the volumes constantly up and down as one speaker was quiet and the next loud.
The Levelator went into maintenance mode in 2010 and I abandoned it.
In 2020, though, I wrote an article entitled "The Levelator is Back!" announcing that
it had risen like a phoenix from the ashes and was even in the Mac App Store.
Shortly after that, I had Doug Kaye, the founder of the Conversations Network, on Chit Chat
Across the Pond #646, where he talked about how the Levelator had been created originally
and what brought it back.
I went searching for the Levelator a few weeks ago, and it appears to have been "removed"
from the internet.
And I mean removed.
While you can find the binaries and source code for the Levelator in the Internet Archive,
the publication date is 2005, with the latest update in 2013, which is a decade ago.
You have to really want to use this code to go down that path.
Now, it's sad that this free tool is essentially gone, but I want to talk to you about what
I use instead.
I've mentioned the web service Auphonic a zillion times on the show, and I actually
told you about the desktop app in that 2015 article about making happy audio.
Now, I don't use the desktop app any longer because of the power of Auphonic's web-based
I look back through the 18 years of blog posts I've done, and I couldn't find an article
where I actually explained Auphonic in its new form, how to use it, and why I have it
set up the way I do.
I decided it's high time I rectified that situation.
Even if you don't ever want to or need to do any audio processing of your own, I think
it'll be interesting to learn a little bit about what goes on in the background of producing
So let's start with what Auphonic actually does.
Auphonic automates a ton of different processes for me, including sweetening my audio, compressing
the files, sending them where they need to go, creating transcripts, and more.
All of this is automated through nice little templates, so it's literally a push of a button
for me to produce the show.
This automation makes everything go smoothly every week without hiccups.
Well, as long as I hand it the correct file and I haven't made any boo-boos in the recording.
For example, two weeks ago, I had the intro music way too loud.
And even though I noticed it while recording and I brought it up to the live audience,
I for some reason didn't put it together that its loudness was going to come through on
the final recording.
I actually turned down my headphones so it wouldn't be so loud for me.
But I should have thought, "Wait a minute, why is it too loud for me?"
Anyway, I passed that file with the audio way too loud up to Auphonic and it did its
best to try to fix it, but it can't perform miracles.
Luckily, I always do a test listen after Auphonic is done, and I caught my mistake and so you
never had to actually hear it.
Now if you have really modest needs, you can use Auphonic for free for 2 hours per month.
Obviously I talk way too much to fit into the free plan.
If you need more than 2 hours, you can pay monthly for recurring credits or you can even
buy one-time credits.
It starts at $11 US for 9 hours per month and goes up to 100 hours per month for $99.
I used to only run the NosillaCast through Auphonic, but last year I got tired of doing all the
work by hand for Programming By Stealth and Chit Chat Across the Pond Lite, and now they
all get the kid glove treatment as well.
I can fit into the lowest plan with a few extra credits here and there to supplement.
It's an interesting business model that makes a lot of sense. As the service has continued
to get better and better with more features, the developer, Georg Holzmann, has never
raised the price. I wouldn't be surprised if he has to at some point, but I'm glad it's
been so stable.
The primary function Auphonic provides is intelligent leveling of the audio you hear.
While much of the NosillaCast is recorded by just little old me in front of a mic in
one sitting like right now, when Bart and I record Security Bits, the levels will be
far different from my solo recordings. We do work to get our levels close to each other,
but the absolute level won't be the same as me alone.
And of course we have our wonderful contributors, whose recordings will also be different from
Auphonic's Adaptive Leveler corrects the differences between speakers and it can even tell the
difference between speech and music to level appropriately.
The other tricky bit that makes the leveling in Auphonic intelligent is that it doesn't
just make everything louder.
That would amplify background noise.
You can even tailor what's considered noise in your recordings.
While Auphonic's adaptive leveler is much more advanced than the Levelator ever was,
the other primary function Auphonic provides for my shows is achieving consistent and specific
It turns out there's actually a specification for loudness in podcasting, and if everyone
adhered to it, you would never need to change the volume when you jump between podcasts.
Paul Figgiani taught me about loudness a hundred years ago when it was a lot harder to meet
But now with Auphonic, you can just set it up once in your template and you know it will
always be right.
Now, a few years ago, I asked the audience if you really wanted chapters in the podcast
and I hoped you'd say no, but it was a resounding yes please from basically everybody.
I create the chapter marks inside my recording software, Hindenburg, but you can also create
them inside the Auphonic interface.
Auphonic takes my lossless M4A file, which is pretty big, and it encodes it as an MP3
for the podcast. It adds all of the metadata for me, like the image you see in your podcatcher,
the year it was made, and who made it. Then it uses secure FTP to send it along to Libsyn,
which is where I serve out all of the audio files for the show.
Now, I haven't ever announced this before, but did you know that you can get all of the
Podfeet podcasts on YouTube now? And you have Auphonic to thank for that. When Jill from the
Northwoods started podcasting, I turned her on to Auphonic, and now she has taught
me how to do a lot of stuff in Auphonic, and one of those things was how to have it create
videos. These are not the most interesting YouTube videos you'll ever see. They're just
the logo with a waveform bouncing around while you listen. Evidently, a fair number of people
just play YouTube in the background anyway, so if you're one of those people, you have
yet another way to listen to the Podfeet podcasts.
Last year, right before everything on earth got AI in it, Georg started letting us create
transcripts in Auphonic using the Whisper model by OpenAI to accomplish this feat.
And that's how we have transcripts of all of the Podfeet podcasts.
Guess what? He didn't even charge extra for this new feature!
I hadn't thought about it before, but in his documentation about the transcripts feature,
he points out that having a full transcript means the podcast is searchable.
I feed a mono M4A file to Auphonic, which means I don't take advantage of one feature of the tool,
and that's its ability to apply its talents to multi-track recordings. It can level different
speakers separately and even apply noise gates differently to the separate channels.
It can remove crosstalk between microphones and remove room reverb. That would be a great option
if you record in a public, less controlled setting than I have. The bottom line is,
I don't have to think about Auphonic much because it's simply an automation setup now.
That's probably the biggest compliment I can give it. When I tweeted out this article, I found out
from Michael Deweese that Auphonic has another feature I don't even know about, another way to
make this even more automatic. You can put your audio file into a cloud service like Google Drive
or Dropbox or OneDrive and have Auphonic watch that folder and automatically run all of the
automations of your preset on that file without you even having to tell it. So there's more
automation I could do with this than I even know.
So back to the automation thing and how I don't even have to think about it.
As soon as I hit the button on my stream deck to launch my "show's over" automation,
my web browser opens to Auphonic.com, I choose which show I've just recorded to get to
the right preset, I upload my file, and in a few minutes, everything is ready for me
to produce the podcast.
The next time you're appreciating the audio quality of any of my shows and how quickly
the show comes out, you should thank Georg Holzmann of Auphonic.
So many people keep this show going through so many different ways. Whether you contribute
by coming to the live show, or writing articles and making recordings for the audience, or
whether you just post fun things in our Slack, all of these people keep the community lively
and fun for everyone. I also really appreciate the folks who keep the show going financially,
because it does cost a fair bit of money to make this show work. If you can support the
work by going to podfeet.com/patreon or podfeet.com/paypal, I'd really appreciate it.
Well it's that time of the week again.
It's time for Security Bits with Bart Busschots.
How grim is the world this week, Bart?
If it's being grim, it's doing so quietly.
But it's not empty show notes this week.
we have a little more to chew on.
- It's not empty, no.
I mean, there is still stuff happening,
but the world isn't on fire or anything.
And it's, yeah, I think I said to you it was a light lift
and we have a security medium to keep us entertained.
So the first thing we actually have is some follow-up news
on some longer running stories.
Now, the first of these is definitely not
in the happy, happy, joy, joy category,
but I guess the good news is it happened in 2002,
sorry, 2020 to 2022.
So it's not that something new has happened.
It's that we now know more detail about stuff we knew was going on anyway.
So the NSO Group's Pegasus app was used with zero day exploits to successfully
take over people's iPhones in that sort of time period, 2020 to 2022.
And we knew that, but now we have a little more color.
Oh, I'm starting to sound like an analyst on a sales call.
We have some color to give on these quarters numbers.
Um, well, you can be a football analyst.
Oh, they have color commentary.
And that's where that came from, I thought.
I don't do sports ball.
So we now know that it was actively used during a war.
So it's being described as a weapon of war because I don't know how much it made
the news over over in America, but there was a substantial military engagement in
a place called Nagorno-Karabakh, which is in Azerbaijan.
It's an exclave that's sort of Albanian.
And the Russians support one side and not the other.
And so before the Russians invaded
Why is my brain just gone blank?
Jeez, I hate when that happens.
The Russians' big military thing was actually Nagorno-Karabakh.
Nagorno-Karabakh, this place, that was
where Russia was being the most militarily worrisome.
But, you know, it's no Ukraine.
But the foreign minister of Armenia had
their phone hacked by Pegasus 27 times during that war.
The foreign minister's phone.
Geez. The foreign minister.
So my sort of thinking is, you know, the way these things can survive a reboot.
So the advice to a lot of important people
is reboot your phone often because it will shove out any malware.
So I imagine that she was being very proactive here and she actually made a
point of saying, I went out of my way to be fully up to date and stuff.
So she was obviously rebooting her phone to keep it clean and getting
reinfected and reinfected and reinfected.
Anyway, so that's a Pegasus update you may or may not have heard of.
Another story we talked about a lot over the years is Apple suing a company called
Corellium, who are the good kind of cybersecurity company.
So not the NSO group style, not the grey hat type.
And Corellium sold a virtualized version of iOS for security researchers to hack on
so that they could test their exploits and stuff against a virtual iPhone.
And Apple tried to use copyright law to lock down this security tool.
The case is still not fully resolved.
There's still some trademark issues, which the appeals court
have sent back to the lower court to say, have another go.
But what the higher appeals court did resolve is that security research is fair
use in terms of copyright. Oh, interesting.
So one of Apple's claims has been nipped in the bud.
And I think that's a bigger deal.
The very concept that cybersecurity
research is fair use under copyright seems important to me.
Did I remember, though, that they were selling that tool?
They wanted to sell it.
if they start selling it, that's different, right?
If they sell it to people using it for some other reason other than security
research, what I don't believe they were selling it for other reasons.
Apple's basic claim was it is impossible for you to
virtualize our devices without breaking our copyright.
Therefore, I understand.
I understand that argument.
I'm not I'm not debating that.
I'm saying because that's what Corellium was using it for.
But if they're selling it to other people
Corellium, if they're selling it to other people for other uses, like how do they
know what the other people are using it for?
I need to check into the exact details
of their product, but I haven't heard any sort of implication that it was being
used for anything else. I think it was part of a software as a service kind of an
offering, so I don't think it would be useful for anything else.
But I haven't directly seen their product, so I don't know how.
How locked down it is.
Anyway, it's, I liked that.
And meanwhile, in France, CNIL, which is their national regulator, at the end of
late last year, they ruled against Clearview AI, who are the company who went
around scraping social media sites to build facial recognition profiles of
people, so effectively biometric data, and allowed you to do a reverse search
where you would upload a photograph and they would then tell you who in the
real world matches that photograph.
And the French regulators were quite cranky with that, because as far as
they're concerned, if you build a biometric profile of someone's face, that
is personally identifiable information or PII, which falls under the GDPR,
which means you need informed consent.
That's an interesting interpretation.
It's personally identifiable information.
Yes, I guess so.
Is your, is your fingerprint PII?
It is actually.
And medical and biometric is actually a special kind of PII under the GDPR.
It's like, you know, your name and your address is personally identifiable
information, but your health records are like super sensitive PII.
So they're actually more protected and your biometrics are also.
That's a health record.
Is your finger print?
Health and sorry, health and biometrics.
There's a few classes of data that get, like, super plus plus, and biometrics
is in that super plus plus category.
So when this is when the United States government did not successfully protect
the security clearances of millions of people who worked for the government,
including their fingerprints.
That would have been covered.
GDPR would have. Yes, they would have been liable under GDPR.
Can they can they charge a government?
I don't remember the exact details.
There was a lot of humming and hawing about that.
They can certainly find them guilty, but I don't believe they can necessarily
apply the same penalties.
But so the French regulators back in October
were cranky and basically said cease and desist.
This is this is not legal in France.
Therefore, you must stop doing this with French citizens and you must delete the
information you have and you must show us evidence of compliance within two months.
So that was in October of last year.
It's been a lot more than two months, but they have now, as of late April,
issued a formal ruling to say the company has not complied and they have started to
levy fines, so the initial fine was 20 million euro.
They have now been fined an additional 5.2
million euro, and in theory, they have the right to
fine them 100,000 euros a day until they come into compliance.
So we shall see how that develops, but they don't appear to be taking it lying down.
But they don't care.
Clearview AI is taking it lying down.
Apparently so. Yeah, whatever.
Apparently so, indeed.
Right. So that jumps us into our deep dive,
which is a new story that I have certainly seen get a lot of attention,
which is that we now have some new top level domains that we could go register.
If we felt like it, we could get like podfeet.zip
or podfeet.mov if we felt like it.
Well, I wonder if someone has registered MOV as a top level domain.
You probably can.
But the way we pronounce it is differently.
So I just want to make sure people knew this was about .zip and .mov.
So what people may or may not remember--
because I definitely remember talking to you about it at the time.
But goodness only knows in what context I've
been talking so long about so many things.
But anyway, in 2012, the rules changed from ICANN for top-level domains.
So it became possible for anyone with a deep enough wallet
to register any top-level domain they like,
which is why there exists .google as a top level domain, .microsoft as a top level domain.
You can get things like .photo and if you go on to your favourite domain registrar,
there's stupendous amounts of top level domains.
And that's because anyone can register one and then start selling them.
And that happened in 2012.
In 2014, Google bought two such top level
domains .zip and .mov and they kept them private.
They basically, they used them very limitedly and they sold, they may have
sold a few domains, you know, a few sub domains to people, but they didn't open
Well, they have now.
So you can now go to your favorite domain registrar and you can go
register yourself at dot zip or dot mov.
And what has some people in a tizzy about this is that those top level
domains clash with common file extensions.
So you can register a domain that looks like a file name.
So mycryptowallet.zip or naughtymovie.mov or whatever.
And then you can use that as part of social
engineering to try arrange a situation where you can present information.
So it looks like you're clicking on a file that's maybe an attachment to the email
or that's a file on your desktop or something.
But when you click on it, your computer says, ah, URL, OK,
And your computer goes off and fetches something from a URL,
which is probably going to be a Trojan or something.
So how does your computer know which one is which when you click on it?
Well, it will be a thing, right?
So it will be a URL or whatever.
So imagine it would be, you know,
the way in an email you can have the link you see as English.
It might say Microsoft dot com, but when you actually click on it,
the href is actually evilsite.whatever.
That's been an age old trick.
Right, right, right.
But I'm saying if, let's say there exists a URL podfeet.mov,
and you email me an attachment called podfeet.mov,
how does my computer know what to do with it?
- Well, so you wouldn't email an attachment.
- Well, you absolutely could email me an attachment.
I'm saying if you email me an attachment.
I'm not talking about the nefarious thing.
I'm just talking about interpretation.
So I guess my computer would know it's an attachment
because it's an attachment.
And if it was merely a link,
it would know to follow the link.
- Yes, and it will be up to the client.
So there will be some social engineering involved,
but you could write an email in such a way that--
- I understand the nefarious method.
I was talking about just general use.
With nobody being doing anything bad,
how would my computer interpret it?
And I kind of answered my own question.
Yeah, it would definitely, if you write https://, it would definitely know,
ah, that's a URL. If you don't stick it on, a lot of apps have regular expressions where
they try to guess, is it a URL? And those guesses are getting more and more useless
as the amount of top level domains get bigger and bigger and bigger. Because if I write
something.photo, will your app decide that that's a URL or not?
But it's kind of up to the app.
So that kind of guessing is getting worse.
So it is.
I am sure someone will find a way to do something interesting with this.
That seems inevitable that someone malicious will do something
strange and wonderful.
But it is also true that if you're using,
say Apple's products, it's going to be very hard to actually get away with this.
Because on Safari, for example, when you download a file, you get this pop-up,
which most people hate. You're about to download a file from this domain.
Do you want to continue?
Well, that's going to completely nip this kind of chicanery in the bud.
If you're paying attention and you're thinking about the fact that, wait a minute,
I thought I was going to a URL, not downloading something.
Or no, I didn't think I was downloading.
I thought this was a file, why am I downloading something?
No, if you think it's a file, it would download it.
You'd have to think it was a URL.
No, no, no, the trick is to make you download a URL
without realizing it.
So to convince you that it's not a URL,
but to make it be a URL, that's the trick.
Otherwise it's just downloading from a URL.
You don't download a URL.
So that didn't make any sense.
You'd give me a URL that when I click it, downloads a file.
Right. Yes, that that would be the malicious.
But the idea is that I would send you an email that you did not think was going
to download anything from the Internet.
You did not write the Internet.
You thought it was I thought it was a URL.
No, you thought it was a file.
You didn't think it was you or you thought it was a file that was your file on your
computer or a file in the attachment that you thought was not the Internet.
Only I'm going to trick your computer into getting it from the Internet, my
That is the chicanery.
What's the difference between emailing me a file and sending me a URL that downloads
a file? Those are both the same amount of equal maliciousness, no?
Not necessarily. Depending on how the social engineering is arranged, tricking you into
thinking that something is, say, a file sitting on the company share versus it being a URL
you're downloading could potentially be quite different. So you'd have to do some social
engineering and it would have, it's just, it's another way of adding some fudge.
So to make, it's a way of getting an expectation not to be true, which you
can cleverly engineer to try trick a user into downloading when they
didn't think they were downloading.
It's all hypothetical.
Well, I think I see the... so let's say I get this thing that
looks like a zip file I'm going to download from the company intranet,
and I click it, and it opens a URL
and then offers to download a file,
I would still think, oh, I'm downloading that file
that I was trying to download from the company intranet,
but it was actually getting it from someplace else.
That's the scenario I think you described.
- No, it's not.
The scenario is that I'm going to,
you are going to not think it's a URL, right?
That is the whole point.
You are going to think this is not a URL,
But it is.
- So then it should take me to a webpage.
- Well, no, but it will--
- And if it's gonna download something,
then it'll look just like the download I was expecting.
- Okay, but a URL doesn't have to lead to a webpage.
A URL can just be a straight file download.
If I give you the URL to a zip file,
you're gonna get a zip file.
If I give you the--
- I don't think we're ever gonna understand
each other here, Bart,
'cause I believe we're saying the exact same thing,
and you keep saying I'm saying it wrong.
So I guess we move along,
'cause I'm hearing you,
And I hear you saying what I'm saying.
- And I'm hearing you say the inverse
of what I'm trying to say,
and I'm not sure which of us is getting it wrong.
Anyway, the point is, this allows some--
- Violently agree. - Fuzziness.
This allows some ambiguity that didn't exist before.
- And does it, to a lot of people, seem like a big deal?
- My initial thought was, ooh, this could get interesting.
But then I did a bit more reading,
and I sort of, I didn't set my hair on fire
because I never do that.
I always get a few more opinions before I make up my mind.
But my initial reaction was kind of like, hmm, I don't like this.
But the more I've thought about it, and actually the more I've read from more
intelligent people, the less my hair is anywhere near matches.
So I think Troy Hunt sort of summed it up.
He's like, well, people are terrible at URLs.
People have always been terrible at URLs.
Exactly what chicanery is being used to trick people with URLs doesn't really matter.
The people who click on URLs are going
to click on URLs and the people who don't are not going to.
So I predict this will have no change in the amount of people getting infected
with bad stuff.
And he's probably right.
Well, that's so yeah, it's interesting, though, that's for sure.
Yeah, maybe I kind of like the idea that maybe, you know, if you if you're
you could have like Dell.zip is where you go to download your various drivers
I mean, it could be useful top-level domain.
And the other--
>>So don't click on links without knowing what they are and being 100% sure, and maybe
go to the URL yourself if it's something you can do that for.
>>Yeah, so what we always say is don't trust stuff in email.
And so the new answer is don't trust stuff in email.
So keep doing what you're doing.
The other thing that's sort of of note, I think, is that this may be very short-lived
as a kerfuffle, because there's quite a concerted effort in corporate IT to nip this in the
bud by simply blocking the entire top-level domain on corporate routers.
Just basically decide that we will block all .zips, therefore there will be no legitimate
use of the .zip TLD, therefore Google will stop selling it because it won't sell.
Now, they've done some interesting things with the URLs, though.
I'm trying to remember what I heard on a podcast, but I can't remember what those exciting things
There was someone who managed to make a not GitHub URL look like a GitHub URL by doing
some chicanery, which Troy Hunt actually linked to.
He said, "Read this first, and then read my take from a few years ago on humans and URLs."
It is a URL that should always look suspicious.
That looks like a direct download from someone's Git repo, which is not a kind
of thing I expect human beings to understand, which is actually not a direct
download from GitHub, but a download from a .zip domain instead.
Not like I say, I promise you, people will find ways to do fun stuff, but I
don't think in terms of real world effects.
And it won't hit the NosillaCastaways anyway,
'cause we're all smarter than that now.
I'd like to think so.
The other interesting thing is that the SANS Institute
decided to have a wee survey
to see what the domain is being used for.
And I don't know what this says about humanity,
but at the moment, the biggest use of,
the biggest non-legitimate use
of the top-level domain .zip is to rickroll people.
Anybody who doesn't know what the Rick Roll is, that's where you trick somebody
into clicking a link that takes you to Rick Astley singing,
what is it, Never Gonna Give You Up?
That's the one. That is the one.
I think Rick Rolling might be the best thing the Internet ever invented.
I just I love it when I get caught.
I love it when I catch other people.
I love everything about it.
It is the best thing ever.
Yeah, and it's kind of a nice sort of way
of saying I could hypothetically have hacked you and here's my proof.
I'm going to play you this song.
You know, it's you know, the old thing used to be to make calculator
.exe pop up on a Windows machine to prove remote code execution.
I think Rickrolling is more fun.
So that brings us to action alerts.
Apple have released a whole bunch of
important security updates for basically everything.
So iOS 16 has gone to 16.5.
Ventura has gone to 13.4.
The older versions have been updated.
So we have a 15.7.6 for iOS, and we have a Monterey
and a Big Sur update, and we have a Safari 16.5
for even older OSes.
So everyone got some love, but the interesting thing
is that we now know more about our friends,
the rapid security responses, which had just
come out when we last spoke.
So they patched two zero days, and those zero days
are patched in iOS 16.5.
So if you didn't do the rapid response,
but you did do the normal updates, you're now caught up.
And I think that's sort of what we expected would be the case
with the rapid responses,
that they would be temporary sort of a holding position,
and then they would get wrapped into the next real update
as a permanent fix, and that is what happened.
And also the older OSs contained those hot fixes backported.
So iOS 15.7 contains the same fixes
as were in those rapid responses.
And there was a third zero day
that was not even rapidly responded to.
So the actual real updates fix three zero days,
but the rapid response fix two.
So patchy, patchy, patch, patch.
- There you go.
Watch OS 9.5 as well.
- Oh, I missed one.
- Maybe it just wasn't listed in those.
I just always have to look back at this
and every single time applaud how well Apple
keeps older devices and older OSs patched.
I mean, I was just, I don't know, some country somewhere,
probably the EU, somebody's yelling at Apple again
about planned obsolescence
and that they don't let you replace your battery.
And it's like, but they keep the phone alive
for a very, very long time versus anybody else.
I mean, it's just, it makes me crazy
when I hear those stories.
It's just not right.
- It reminds me of when Greenpeace used to give Apple
a hard time for not making silly promises,
but only doing stuff.
And like Dell would release a press statement promising the sun, moon and the
stars and Greenpeace would go, yay, whereas Apple have promised nothing.
But Apple were busy actually doing things.
And now after about a decade, Greenpeace
are like, yeah, everyone else didn't do their promises, but Apple actually did stuff.
They came around in the end, right?
No, they did. They did come around.
But I thought it was hilarious that they were praising companies for making empty
promises and complaining that Apple wasn't making empty promises.
And I'm thinking that's not how you should judge these things.
But like you say, they came around.
Now, unfortunately, moving on to worthy warnings.
This is not a good news story.
This may affect quite a few NosillaCastaways,
because I think a lot of our audience
are early adopters of smart home stuff.
And I think I have definitely heard our community mention
the Wemo smart plugs.
I have notes that I want to talk about it.
You do have a diagram.
So what we know is that there is a nasty vulnerability, which has been nicknamed
Friendly Name. It is not friendly. It is in version two of the Wemo smart
plug, and I am led to believe the smart plug is now on version five.
Ah, Allison is showing me a Wemo.
You're version two.
You guys' little holes look like a face.
Look like a little sad face.
We have different shape holes here.
Oh, yeah, I guess it is a little sad.
And Belkin have said, ah, yeah, no, that's obsolete.
So there is no patch coming.
So if you have a version 2 of these Wemo switches, I would be applying it to the bin, if it were
So I'm holding up for Bart.
I have a Wemo...
Now here's the real problem.
This is a Wemo Mini, and it is a part number F7C063, and for the life of me, I do not know
if this is version 2.
It looks like version 2, but the newest ones they have are little bitty things, or Wemo
plug minis or something, the little tiny things. This one's pretty wide, has a button on the front.
I can't even get Belkin to tell me which one I have. They said I have to call support.
Oh, for God's sake.
I'll give you the part numbers. What one is this? Here's my serial number. What is it? But they
wouldn't... I just tried to talk to somebody today. But anyway, I don't... Actually, I'm not angry at
Wemo for not supporting this plug and doing an update to it because it is pretty old.
I don't know, four or five years old maybe.
I'm not really sure how old it is,
but they have given me phenomenal support
on super old plugs, way out of support.
They spent two and a half hours trying to help me fix
this one plug that they had that we have on our water heater
and eventually we figured out on our own
that it was the 2.4 gigahertz problem.
So we fixed it separately from them
and when I called back, they said,
"Oh my God, this is great information.
"Okay, exactly what did you do?"
and they like took notes so they could be sure to help the next person.
I love this guy.
Belkin, Wemo, I think they're great.
However, I did a little bit of pricing and searching here.
The Wemo Mini V2, which is, I'm sorry, that's the one that's not good.
The new Wemo with Thread
is out, and it's 30 bucks, and it's got Thread.
Yay. That's great.
But it will never get Matter.
So I don't know that it's worth investing in that if it's not going to get Matter.
It got Thread, but it didn't get Matter. So that doesn't make sense.
So one of those is $30 instead.
I don't know if you remember, but
Steven Goetz did a review a long time ago about a company called Meross, and we
have started buying their plugs. I got four Meross smart plugs,
no Thread, no Matter, for $35. So four of these for $35,
one of those for 30. Okay, it's got Thread,
but the one with Thread is HomeKit only.
It doesn't do Alexa or Google, but the Meross ones do all three.
If you buy the right one, they do all three.
They have them that don't do HomeKit.
But no matter what, you always get Alexa and Google.
So you got to watch for the HomeKit sticker.
But $35 for four or 30 for one.
I bought four, and I am going to be binning our Wemo plugs today.
I'm trying to decide whether I should give them away.
Would it seem mean to give them away?
That seems a bit like here, have a security vulnerability.
Are you gifting someone?
Do you like the person?
Yes, I do.
Well, then no.
Throw them in the bin.
Yes. Or responsibly recycle, I believe is the correct phrase.
Whatever the appropriate thing to do with electronics in your neck of the woods.
Yeah, so I could put links in the show notes to the two options that I looked at
so you can look at them yourself, but thirty five bucks for four.
And actually there's a coupon if I bought it today on Amazon for three bucks.
like 30, 32. Yeah.
So I'm going to give a thumbs up to the Meross as well,
because there are a whopping three smart home devices in my house,
and all three of them are Meross plugs.
There's a four way strip with two USB ports.
So that's like six plugs.
And there's two little one plug.
And OK, I'm
mostly they're set up for my Christmas lights, which is fun.
But the other thing they do, this is a really cool trick.
So you know, the way the Apple TV can sometimes get itself into a mess
and there's no power button.
And when you try to plug out the power at the back,
it'll jump out and you'll scuff your knuckles off
whatever's behind your television
and you'll do a lot of swearing.
I have my smart plug on my Apple TV
and I have a shortcut saying Apple TV stupid
and it reboots itself.
- That is such a sad statement about the Apple TV.
I don't have that problem that often.
One of mine was doing that a lot,
but it hasn't done that lately, but I do like it.
I remember when we first talked about
your Christmas lights with the Meross,
I know you've got a "Bah Humbug" to turn off your Christmas lights, and "Ho Ho Ho," I think it is, to turn them on.
Jingle Bells. I hope this doesn't help anybody break into my house, but my garage door is now "Open Sesame."
And all I had to do was name it Sesame, because it wants to open my garage door.
So all I say is "Open Sesame," even from my watch, and I can open it as I'm walking up to my house to go get
my leaf blower or whatever I need in the garage when I walk up.
Yeah, so I named a shortcut Jingle Bells, and then I just say the name of the shortcut,
and the shortcut is turn on the Christmas lights.
So that's how I did it.
I like that.
And I can say Humbug, and again, it's a shortcut named Humbug, so I don't have to
say, like, you know, "turn on Humbug" or anything. I just say Humbug.
Why did you make a shortcut?
Why not just a HomeKit scene?
I may have made it a scene and then told Siri
to give it a shortcut with me saying Humbug,
but it may be both.
Yeah, oh, who knows, right?
And you'll never be able to find out the answer to that question.
I still, to this day, I do not know how the lights turn on
in my room when I walk in.
What they do?
I've got a Hue motion sensor.
I got two Hue lights.
There's no automations in my Hue app.
And there's nothing in HomeKit that talks to them.
I have no idea.
It used to.
used to be in there in the Hue app, but it's not there anymore.
So I don't know. So it works really well.
So in the firmware of those devices, they're still being told to do something.
But the actual brains of the operation doesn't know it's given that order.
They left the building.
Yeah, I heard there was a change to the Hue app that they took a lot of that out.
But I don't know.
It just it works really well.
Maybe the UI is gone, but the actual underlying config is still in there.
Yeah, there's a there's a JSON file in there somewhere just doing its little job.
That's exactly what I was thinking.
A little JSON or a PLIST file or something.
There's no UI to it anymore, but you still have the file.
If I ever wanted to do something else,
I guess a firmware reset or something
would wipe it out if you want to stop turning on the light.
That's the other thing. You have an automation you can't kill.
It's a zombie.
That's right. Well, if no, but if I leave the room, it turns off.
Okay, so anyway. Okay, so that is our worthy warning, just the one. Notable news then.
Apple have released their 2022 App Store Transparency Report. So if you're curious
about how many apps they delete and all that kind of stuff, it's all in there,
including how many law enforcement responses. But I thought it was noteworthy that what Apple
chose to push in their press release was that they prevented $2 billion of fraud
and that they blocked 1.7 million bogus apps.
Because this is clearly part of their campaign
not to have regulation forced on the app stores.
Yeah. I heard people mocking this.
That's still, I think that's pretty phenomenal to think of the volume of work.
There was, there's also some stats, it's probably in the Apple Insider
blog posts that you linked to, but of how many fraudulent accounts they blocked.
I mean, this is an ever present vigilance. I mean, it is phenomenal volume of work going on to,
or of garbage going on that they have to respond to.
Yeah, they're basically showing their homework here. They're basically saying,
look, we've told you we're doing a lot of work. Actually, here, have a look. This is the lot of
work we're doing. So I think it's wise of them to share their homework like that. So that was
That was noteworthy.
Elon decided to pop into my news feed this morning.
So the EU have had a voluntary code of conduct for social media companies in
anticipation of the Digital Services Act and pre-Elon Twitter signed up for this
voluntary code of conduct. I think it was after the 2016 elections
they signed up, but it doesn't really matter when.
Pre-Elon Twitter signed up.
Elon has now said, yeah, we're not doing that anymore.
And the European Commission has gone, that's fine, dear.
But when the Digital Service Act goes
into effect, you're doing it again because it's not voluntary anymore.
It's the law.
So temporarily, Twitter is not doing
what Europe wants in terms of blocking misinformation.
But they'll be doing it again or getting sued in 2025.
You probably fired all the people who are doing the work.
So it's probably only just admitting what's been true for the last couple of months.
I don't think anyone's doing it.
Yeah, actually that's a good point. Now it's just honest, right?
Yeah. It's like that television paid for by advertisement, by selling all of your data.
At least they're honest.
We will spy on you and give you a cheap telly.
Actually, we didn't talk about that on the show, but
if anybody hasn't heard about it, there's a company giving away a free TV that has
a secondary display below it that will show you ads.
And they are absolutely 100 percent collecting your data and selling it.
And I love it.
I think it's fantastic.
Because if nothing else, it's gonna highlight the fact
that that's what the other TVs are doing too,
but they're just not telling you about it
and they're making you pay.
You pay less.
I mean, I enjoy sticking it to the man
by buying a really expensive, or really cheap, I should say,
really cheap smart TV.
I've got, what have I got?
I got a Vizio in my room here.
And I never, ever, ever tell it the password to my Wi-Fi.
I don't plug it into the internet, into the ethernet here.
And I plug in my Apple TV.
and I just got it for half the cost it cost them to build it
because I'm not letting them spy on me.
It just makes me so happy.
- Vizio have gotten into a lot of trouble for that.
Vizio are actually some of the worst offenders
because they are doing the business model of this,
was it T,
well they had a, I can't remember,
the TVO or TELIO or something,
ah, I was listening to a podcast about it.
- I don't know which company you're talking about.
- But the one that's being honest,
the one that you talked about on Clockwise
and the one that the Apple context machine
spent the entire episode talking about today.
These are being like they're collecting,
I don't think any more data than Vizio are.
Now, the second screen is obviously different.
But other than that, they're collecting about as much.
Only they're being honest.
And they're giving you the telly for free, free instead of for cheaper.
I think I think it's lovely.
I think it's I think it's from Pluto, the guy who started Pluto TV.
But I don't see the name of the company.
The other thing I was thinking about is, you know what?
Just just knit yourself a little little cover for that lower display and you won't see the ads either.
Ah, they were talking about that on the context machine.
But part of the terms of service is that they actually have a sensor in there
to monitor how many people are watching telly.
So if you block it off, I would imagine the sensor will know.
So find the sensor and don't cover the sensor up.
It's funny you say that, because that's what they were saying.
You'll find where the sensor is and cut a hole in it.
And they mentioned that most cheap webcams pick up IR and should show you where the sensors are.
And my immediate thought was, what about a one way mirror?
Just stick a one way mirror in front of it.
so I don't even know why that came up.
Anyway, the next story in the show notes, I have no idea why I popped that in there,
but it just came into my head.
I have been a bit mean about the Irish Data Protection Commissioners a few
times because many large American multinationals are
headquartered in Ireland because our tax regime is quite friendly to large multinational corporations,
and our government employs something called light-touch regulation, which some people translate
as no regulation, and I have been pretty cranky that the Irish Data Protection Commissioner
says hmmm. Anyway, I take it back. Meta have been fined a record 1.2 billion, with a B, euro
for breaching the GDPR because in 2020 the European Court of Justice struck down an arrangement
called Privacy Shield which was allowing for European data to be transferred to America
ostensibly under GDPR compliance. And the court was asked to rule whether or not Privacy Shield
really was compliant with GDPR and the court ruled in 2020 that it was not.
Meta's response was to go la la la la la la la la la and to just keep doing it.
The Irish data commissioners have now...
How's that working out for them?
Well, 1.2 billion badly and they have five months to comply.
They are expected to appeal or rather they have said explicitly they plan to appeal.
So yeah, they are going to have to change something.
You're okay with this?
They should be.
They should be obeying the law.
one of the biggest differences, like
people say, well, the cloud is everywhere, but that's not really true because cloud
providers can choose how to manage their clouds.
So in terms of the end user experience,
there's not really much difference in a OneDrive or a Google Drive.
They don't feel any different to you as a user.
But OneDrives are geo-fenced.
OneDrives stay within geographic areas for their cloud.
So my OneDrive doesn't leave the EU.
It's spread across lots of different data centers across Amsterdam and Dublin.
To be fair, that's only because Microsoft was sued into doing it.
Right. Sure, sure.
I mean, but I'm just in some way it didn't used to be.
Yeah. But yeah. Right.
Well, actually, no, no, actually, no.
Sorry, Microsoft weren't forced into it.
Microsoft did it as a way of getting business.
So Microsoft offered it as a feature, which got them a lot of business in Europe because
they were able to say, well, we can promise you that your data stays under GDPR. Therefore,
your legal department doesn't have to worry about it. So they were doing it as a business proposition.
Whereas Google are explicitly saying this is impossible. The cloud is the cloud. And I'm going,
no, that's not true. And Facebook are trying to do the same thing. It's like, oh, it's just,
It's just the cloud is the cloud and they're going to have to stop doing that.
They're going to have to start keeping European data in Europe or
respecting everyone's privacy everywhere.
Either is good by me.
Yeah, yeah, I would think so.
I remember the Microsoft story differently.
Is it possible you're remembering a different Microsoft story where the US
government tried to sue Microsoft to force them to give European data to the
American government and Microsoft stood up to the US government?
Today we are--this is from Microsoft in 2021.
Today we are announcing a new pledge for the European Union.
If you're a commercial or public sector customer--
that's not a home customer--
we will go beyond our existing data storage commitments
and enable you to process and store all of your data in the EU.
They did not promise that to Bart the regular human.
That's fair. When I was in the room being promised that, I did not have that particular
hat on. That is true.
It was well before 2021.
In other words, we will not need to move your data outside the EU.
Yeah. Now, even right. So you use a cloud service to host podfee.com and you chose which
data centers that went into. So even you...
By default did, I have no idea. They could be in Berlin. I have no idea where they are.
All I know is they don't answer the phone on the weekends.
- Oh, okay, I guess my point is that even stuff
like Linode and stuff allow you,
when you're spinning up a wee VM to run your website,
allow you to choose where the data goes.
- Oh, oh, oh, sorry.
I was talking about Libsyn for the files,
but yeah, you're right.
But yeah, I don't, no, I did pick the United States.
You're right, for podfeet.com.
- Yeah, and you picked one close to you
for your stuff to be speedy for you.
But if you were to decide to use their CDN service,
then you could choose to have it also in Europe
And they're going to have to either, like I say, respect everyone's privacy everywhere.
There's a lot of companies have simply said, we're just going to apply the GDPR.
Not only to Europeans, we're just going to apply the GDPR.
And there's other companies that have responded and said, we're going to treat
you guys differently to you guys, which is also legal.
So we're going to have to do one of those two.
Well, but you've got to realise, Bart,
that Facebook has that problem of not being able to track us in the app and stuff
because of stupid Apple not letting them do it.
I mean, they're in big trouble.
Yeah. And it's interesting how not allowing
to track without consent is being represented as not being allowed to track.
They have every right to track.
They just have to tell us.
I mean, Apple's change was not to block--
Well, no, not tell us.
They have to ask.
OK, yes, that is a very valid correction.
They actively ask for permission.
Yeah, they are not being prevented from tracking.
They are prevented from tracking secretly.
And if your business model is built on lying by omission--
yeah, I'm-- where's the world's smallest violin?
Let me go dig that up there.
Anyway, in other news that is, I think, significant.
The US Supreme Court had a chance to overturn a very important piece
of legislation governing the online experience of, frankly, planet Earth.
Section 230 of the Communications Decency Act,
which is also called the Safe Harbor Provision.
It allows a website to.
be a service provider that moderates without having to be held liable for
every single thing said on their platform, even though they moderate.
It is a widely understood law and it's one of those bizarre things where extremists
on all sides agree it's terrible, but they disagree by 180 degrees on why it's
terrible and neither of them really understand what it actually means.
So the first thing I would say is know a little more.
The amazing podcast by a friend of the show
whose name just escaped me.
Tom Merritt, thank you.
It's funny how names just go away.
I don't know.
I'm just happy to see it happen to you, because it happens to me all the time.
So Tom had already done Section 230, but he updated it after the Supreme Court
ruling, so there's now like a new and improved plus plus version.
You know, it's 90 percent the same, but it does reference a decision and stuff.
And so it helps you put it into context.
So that's linked in the show notes.
The things Tom has chosen to explain are often so complicated that you need to listen to
them more than once.
I could give a vague hand-waving about what section 230 was about because I listened to
the original episode.
I will absolutely go back and listen to this one again so that I have a faint chance of
being able to reproduce some of the explanation.
But I've listened to the one on explaining mini-LED about 28 times, and I'm about a quarter
of the way able to reproduce what he taught me.
So it's a really good show.
- I have them filed away where if I need to remember
why Wi-Fi 6 is important, I know Tom explained it to me
and I will go listen.
So I sort of have this mental file of things Tom has told me
that I will go dig up again when I need to know.
But I always re-listen when he updates.
- Yeah, yeah, yeah.
Dave Hamilton has a really good explainer on Wi-Fi 6 too.
That's a really good one.
- I might get you to pop that in the show.
- Or 6E.
Oh, even better. Do you remember where that was?
Actually, you guys did a really good
discussion on the NosillaCast as a Chit Chat Across the Pond.
Or Chit Chat Lite.
That's where I'm thinking it was. Yeah.
And then Lite with the world's heaviest air quotes.
But it was officially in the Lite feed.
It was excellent. Lite is French for "not Programming By Stealth."
Kind of is really, isn't it?
There was no terminal
or F and stuff, but no terminal.
Yeah. Anyway, so the Supreme Court had the
opportunity to really change things and they basically chose to say "we have no opinion,
everything stays the same". So they basically punted. There was a lot more legal gymnastics
but they basically chose to let the status quo stand. So it is as it was.
Montana took the lead in banning TikTok. And on cue, the lawsuits started to fly.
The law is due to go into effect on the 1st of January 2024.
It will be in court long before then.
Whether it ever happens, God only knows, but stay tuned.
grab your popcorn, it's on.
It's really the main point of saying that.
Do you understand how a piece of software can be blocked in a state?
And you're saying that, though.
They all talk about how they banned it.
I'm going, yeah, I could ban it.
Well, no, I could ban it in my house.
I could do that on my router.
But, you know, how do you ban it in a state?
It's especially when you have something
called interstate commerce, which is constitutionally protected as a federal
remit, I don't think this stands up.
The federal government hypothetically could.
But I I am not a lawyer,
but my understanding of the American legal system is that this doesn't hold any
water. So I would be very curious to see what happens here,
but we shall see.
Well, I'm, I'm not even talking about that. I'm talking about,
how do you technically do it?
App stores. The, the app stores are American corporations.
So you make the apps.
So you require the app stores to block it or you do not allow the app stores to
make any money in your state.
How do you block an app store from a state? I just, I just don't.
there already are.
So you already have differences in tax and stuff from state to state, right?
So if, if a company is selling something to the residents of California,
California do actually get to have some say in that sale, right?
You give Californian sales tax.
So online stores.
You don't pay sales tax on apps when we buy them.
You, I mean, it might be buried somewhere inside.
Maybe there, maybe that's because there isn't sales tax on apps, but there is no
reason California couldn't impose a sales tax on apps.
So if you're selling something to Californians.
How do they know I'm in California?
So you would have to have your registered address for the credit card.
So the workaround would simply be to have an out of state credit card.
I mean, this thing will be leaky at a technical level.
This thing will be leaky as a sieve, right?
Well, and plus, TikTok is a website, TikTok.com.
So you could then hypothetically start to ask the ISPs who are doing business
in the state to block the DNS entries for it, which again will be bypassed by a VPN.
Based on the IP address.
Leaky as a sieve.
I mean, it's legally shaky, technologically leaky.
But stay tuned.
The popcorn, you know, grab your popcorn because this is going to be fun.
I have a feeling my place of joy is going to be shut down by the country fairly soon.
So anyway, we shall see.
We shall see.
Don't count your chickens,
especially in this case, since the chickens, you don't want them to go away.
And then the last story, I think it's important to note
that the Surgeon General of the United States, Dr. Vivek Murthy,
has released an advisory warning parents that there are negative effects
on children's mental health from social media.
And I think it's important that we start to talk about this, you know, kids.
It's an important thing for parents to be aware of.
So I'm going to try to pull this up as quickly as I can,
but I was listening to Alan Alda's fantastic podcast,
which is, of course, going to escape my mind right now.
I was going to say he has two.
Right. But what's the main one called?
All of a sudden, there it is: Clear and Vivid.
He had a woman named, let's see...
Oh, where is it?
Okay, I'm gonna keep looking for it while I chat.
She's a researcher who decided to dig deeper
into whether there's any correlation
with social media when these things were introduced,
like Instagram and TikTok and these other things,
to specific things that are indicators
of mental health problems in people.
So what she did was she pulled the data from hospitals
of overdoses and suicide attempts
and hospitalized for fear of self-harm.
And she did it regionally,
so she did it in different countries.
She did it across, she and the team
did it across different countries.
And at best, you can find an extremely weak correlation
to the introduction of these social media platforms.
And she said, "I'm not saying it's not there,
but I don't think that we have proof that it is there at this point."
So that was really interesting to me.
I mean, it's one of those things that when you say it out loud, it smells true.
But is that really the cause?
I'm not sure.
So kids have always been evil to each other,
and now they do it through this mechanism.
So I think as a parent, so kids have always bullied each other
and they just do it through whatever the mechanism is available.
And now it means that you need to be aware of what's going on on social media
so that you know if your kid is being targeted through that vector.
But it doesn't mean that there's more bullying.
It just means it's different would be my take.
But I like data, right?
I like knowing.
The problem with this kind of thing is you go after trying to solve it
when you don't have the data to show whether you have solved it.
So if you don't have something you can actually accurately measure,
then you don't have a way to tell if you fix it.
Oh, I won't disagree with that at all.
I will just give a point that is adjacent,
not in any way meant as an argument against, but just, I think,
one of the ways in which your children
are interacted with is through their social media.
So as a parent, you do need to keep an eye that there isn't something going on there.
It's not because social media is the problem,
but social media is a thing in their lives and like everything else in their
lives, whether they're in, you know, if they're in a sports team or something,
you need to be sure that there isn't something dodgy going on in the sports team.
It is a part of their life that you need
to remember exists would be my advice for.
Yeah. Oh, yeah.
Like anyone ever asked me, but you know what I mean.
But I mean, when you're, this can end up being regulation,
you know, it can be things that go down the regulation path.
And I think being able to know what you've actually,
what is actually happening based on data,
then you can go from there to whether you can find
the right solution, can you measure whether you have
solved the problem?
So that's kind of, but you know, I am not finding this.
I know I didn't dream it, but I'm wondering whether
it might not have been on all the shows.
If it wasn't on all the shows,
it's a show that we both have in our podcatchers because it rang many bells.
OK, so now all we need to do is do a correlation between our two.
I'll send you mine because yours is longer.
I was going to say mine is very long,
which thankfully sets us up for two.
Actually, no, sorry, I have interesting
insights first before I go to palate cleansing.
You've probably heard me going on about
this obsession I have with following the money.
If you want to understand what the bad guys are up to, follow the money.
And one of my favourite cybersecurity podcasts
dedicated an entire episode to that concept.
The Malicious Life podcast has an episode called The Economics of Cybersecurity,
and they have experts on explaining how the money works
in cybersecurity today in 2023.
So I thought it was a fascinating episode.
So I just wanted to thank people for that.
So the next story I have then is, it's an angle of this whole ChatGPT thing
that I was oblivious to. I thought I was fairly in the know about this stuff,
but I was missing a whole aspect of how these things work.
So before ChatGPT gets released to the public, they say that they train the AI,
they sort of correct the AI with some human intervention.
That's humans, right?
And it turns out that those humans are working for such spectacularly low pay
that you could make the argument that it's slave labor, and they're sitting in Africa
in a call center being literally traumatized.
I had no idea this was a thing.
So the episode is called "He Helped Train ChatGPT. It Was Traumatizing."
with a chap called Richard Mathenge.
The interview is
fascinating in the bad kind of way, I guess.
I learned a lot. I was oblivious.
I didn't realize any of this.
So I felt if I don't know this, I'm
guessing lots of people don't.
So I thought it was worth sharing.
Yeah. Hey, I found it.
It was Ezra Klein interviewing Jean Twenge.
And I found the transcript
of the article and from there you can listen to it.
Excellent. I'm a huge fan of Ezra Klein.
Definitely. I think you turned me on to that show.
That's possible, actually, because Ezra is quite dorky.
A civics dork is what Ezra is.
I love him for it, but it's not light.
I love it.
But, you know, may not be everyone's taste.
And then I do actually have a palate
cleanser, which is unusually cybersecurity related.
But it's so well, no, because we like to do it as something, you know, completely
different, right? But this,
it's rare that you see a piece of online journalism that makes you go, wow,
that's genuinely creative.
So it's an article by the Australian Broadcasting Corporation's online website.
And it's about how sort of the point of the article is to illustrate to people how
lots of little data breaches add up to a big problem for you because the bad guys
effectively fill in a jigsaw of your identity.
But to make the point, they have partnered with Troy Hunt,
and it's powered by the Have I Been Pwned database.
And so you enter your email address,
it looks you up in Have I Been Pwned,
and then it tells the story saying that for you,
this process started with this breach on this date,
when this got leaked.
For you, things were then quiet for X amount of months
until this happened, until this happened.
And there's an animation of the different parts
of your identity filling in.
And it's telling you, for you,
this happened on this date from this breach.
And it's interspersed with pieces
that are obviously generic information,
where there's a cybersecurity expert telling you
about the concept in general.
But because it's filled in with your information,
it's a very compelling way of telling a story.
It's like a choose your own adventure.
In a very clever way.
Yeah, I have a feeling mine's really long.
And mine had a sort of a yada yada sort of a point where it said, and then skipping
forward until 2020, by now you have been.
And it just gave this like summary of everything that happened for like a
decade to get me sort of caught up, because I think otherwise my article would
have been infinite as well.
Oh, I just did it.
And I actually knew where the first breach was.
And I was correct. It was Gawker back in 2010.
It's a story I always tell about how I changed my password after that breach.
I changed it everywhere except Skype and forgot that I had Skype set up to auto load money
from my PayPal account.
I did end up getting all the money back from PayPal, by the way, after somebody used it
to make long distance phone calls to India, but I knew it was Gawker and I was right.
Well, not yay, but I just don't know how many more there have been.
Cause at that point I was like, all right, well I'm done.
It's, it's just, I, I like the cleverness.
I like how they tell the story and it's the kind of thing where it might actually
help engage people who would not otherwise read a story on cybersecurity.
That's fun. Sorry, you can keep talking, but I'm going to keep watching this fun animation.
Oh, look, LinkedIn leaked it. That's good.
I saw a lot of big names as well fly by.
It's like, oh, I remember talking to Allison about that.
And I remember talking to Allison about that.
And I, you know, there we go.
Oh, Evite. Evite did a lot of them.
Anyway, so that's all I got for this week.
But despite short show notes, we've had a good old conversation.
So I guess that's good.
But of course, folks, always, always remember, stay patched.
So you stay secure.
Well, that's going to wind us up for this week.
Did you know that you can email me at allison@podfeet.com anytime you like?
If you have a question or suggestion, just send it on over.
You can follow me on Mastodon at @podfeet@chaos.social.
Remember, everything good starts with podfeet.com.
If you want to join the conversation, you can join our Slack community at podfeet.com/slack,
where you can talk to me and all of the other lovely NosillaCastaways.
You can support the show at podfeet.com/patreon or with a one-time donation at podfeet.com/paypal.
And if you want to join in the fun of the live show where we are really missing seeing
Frank wheels, head on over to podfeet.com/live on Sunday nights at 5pm Pacific time and join
the friendly and enthusiastic NosillaCastaways.
Thanks for listening and stay subscribed.